<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:creativeCommons="http://backend.userland.com/creativeCommonsRssModule"
>

<channel>
	<title>Hal Roberts &#187; security</title>
	<atom:link href="http://blogs.law.harvard.edu/hroberts/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.law.harvard.edu/hroberts</link>
	<description>watching technology</description>
	<lastBuildDate>Wed, 17 Jun 2009 19:27:14 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.5.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
		<item>
		<title>Midnight Piggybacking</title>
		<link>http://blogs.law.harvard.edu/hroberts/2008/08/14/midnight-piggybacking/</link>
		<comments>http://blogs.law.harvard.edu/hroberts/2008/08/14/midnight-piggybacking/#comments</comments>
		<pubDate>Thu, 14 Aug 2008 19:05:28 +0000</pubDate>
		<dc:creator>hal</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[surveillance]]></category>

		<guid isPermaLink="false">http://blogs.law.harvard.edu/hroberts/2008/08/14/midnight-piggybacking/</guid>
		<description><![CDATA[
So I&#8217;m sitting here at my excellent local Memphis Honda repair shop getting Little Tokyo&#8217;s oil changed.  In addition to being locally run, honest, and professional, the shop has wifi, so I can sit and work (or blog!) while getting my car fixed.  The wifi wasn&#8217;t working today, so I asked the owner [...]]]></description>
			<content:encoded><![CDATA[<p>
So I&#8217;m sitting here at my excellent local <a href="http://www.precisionhonda.com/">Memphis Honda repair shop</a> getting Little Tokyo&#8217;s oil changed.  In addition to being locally run, honest, and professional, the shop has wifi, so I can sit and work (or blog!) while getting my car fixed.  The wifi wasn&#8217;t working today, so I asked the owner if he still offered it.  The owner said that he does, but he only turns it on when asked now because someone has been &#8220;stealing&#8221; from him.  Further questioning revealed that on three separate occasions, someone was working late at the shop and noticed a car idling outside the shop with a bright screen inside.  Every time, when he turned off the wifi router, the car left.
</p>
<p>
Piggybacking someone else&#8217;s wifi is obviously nothing new.  I&#8217;ve gone wardriving in a neighborhood in a pinch a few times (and even been accosted for sitting on a sidewalk in front of someone&#8217;s house once!).  But in at least one case the car was idling in front of the shop from 12 midnight until 5 in the morning.  I&#8217;m struggling to think of a reason for sitting on the router for so long so late at night other than the need for anonymity for some illicit activity.  I suppose it might be a group of teenagers just looking for some private place to access facebook away from prying (and possibly surveilling) parents, but that seems a stretch.  Individual anecdotes are obviously dangerous to draw conclusions from, but the fact that this is happening in Memphis at my local car shop makes me wonder how common it is.  Memphis is far from the cutting edge of Internet activity.
</p>
<p>
I keep my wireless network at home open on the principle that I don&#8217;t trust the network to be secure with or without transport layer security and that I&#8217;m happy to share access with anyone who wants to use it.  I&#8217;ve always judged the risk of someone using the access to do something I could be liable for to be small enough not to worry about it.  This encounter makes me wonder whether I, <a href="http://www.schneier.com/blog/archives/2008/08/terrorists_usin.html">like Bruce Schneier</a>, should think harder about securing my home wireless network.
</p>
<p>
I also find it interesting that he was able to defend himself pretty effectively from what he viewed as an attack on his computers and network.  As sophisticated as the wardriving attackers may have been, his simple defense of turning off the router until access is requested is pretty effective (though I strongly advised him to encrypt the network as well as turn it on on demand).  Even more effectively, the owner noted the license plate of the car on at least one occasion.  So now if the police show up at his door and try to arrest him for child pornography, he&#8217;ll have a license plate number to identify the users of his network.  So midnight piggybacking as an anonymity technique could in many cases be less effective than just showing up at a local coffee shop in the middle of the day.  The worst scenario in that case would be a physical identification, which would in most cases be much more difficult to track back to a person than a license plate number.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.law.harvard.edu/hroberts/2008/08/14/midnight-piggybacking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	<creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
	</item>
		<item>
		<title>Nigerian Searches for Spam</title>
		<link>http://blogs.law.harvard.edu/hroberts/2008/08/12/nigerian-searches-for-spam/</link>
		<comments>http://blogs.law.harvard.edu/hroberts/2008/08/12/nigerian-searches-for-spam/#comments</comments>
		<pubDate>Wed, 13 Aug 2008 03:16:55 +0000</pubDate>
		<dc:creator>hal</dc:creator>
				<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://blogs.law.harvard.edu/hroberts/2008/08/12/nigerian-searches-for-spam/</guid>
		<description><![CDATA[
More google insights fun.  Here&#8217;s the list of the top google searches from Nigeria:



Note that five of the top ten searches are for a tool called email extractor lite 1.4, which is a tool that pulls emails from a block of text.  In other words, it is useful for harvesting email addresses for [...]]]></description>
			<content:encoded><![CDATA[<p>
More <a href="http://google.com/insights/search">google insights</a> fun.  Here&#8217;s the list of the <a href="http://www.google.com/insights/search/#cat=&amp;q=&amp;geo=NG&amp;date=&amp;clp=&amp;cmpt=geo">top google searches from Nigeria</a>:
</p>
<p><img src="http://blogs.law.harvard.edu/hroberts/files/2008/08/gi_nigeria.png" /></p>
<p>
Note that five of the top ten searches are for a tool called email extractor lite 1.4, which is a tool that pulls emails from a block of text.  In other words, it is useful for harvesting email addresses for spam.  I won&#8217;t link to it for fear of google juicing it, but here&#8217;s a screen shot:
</p>
<p><img src="http://blogs.law.harvard.edu/hroberts/files/2008/08/email_extractor.png" /></p>
<p>
This agrees with the perception of Nigeria as the source of the ubiquitous <a href="http://en.wikipedia.org/wiki/Advance_fee_fraud">Nigerian Scam</a> spam, but it is surprising in that it seems to suggest that a very large proportion of Nigerian Internet users are involved in spam production.  I&#8217;m having a hard time coming up with an alternative explanation of this finding.  If some botnet were running email extraction on lots of Nigerian computers, it wouldn&#8217;t be bothering with a google search for the tool (and would in fact just be doing the email extraction itself).  One possible explanation is that email harvesting is contracted out to individuals who are left on their own to troll the Internet for pages with email addresses.  Constant searches for the email extractor page would be consistent with not very technical folks getting paid for finding and harvesting email addresses.
</p>
<p>
Also note on the results page that the top rising search currently is <a href="http://www.oceanicbanknigeria.com/aboutus/">Oceanic Bank</a>, which seems to be a legitimate Nigerian bank.  But the web page for the bank includes a bright red <a href="http://www.oceanicbanknigeria.com/scam.php">Scam Alert</a> that warns of widespread use of impostor Oceanic Bank sites for Nigerian scams.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.law.harvard.edu/hroberts/2008/08/12/nigerian-searches-for-spam/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	<creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
	</item>
		<item>
		<title>FlyClear Data Breach</title>
		<link>http://blogs.law.harvard.edu/hroberts/2008/08/08/flyclear-data-breach/</link>
		<comments>http://blogs.law.harvard.edu/hroberts/2008/08/08/flyclear-data-breach/#comments</comments>
		<pubDate>Fri, 08 Aug 2008 15:06:37 +0000</pubDate>
		<dc:creator>hal</dc:creator>
				<category><![CDATA[government]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[surveillance]]></category>

		<guid isPermaLink="false">http://blogs.law.harvard.edu/hroberts/2008/08/08/flyclear-data-breach/</guid>
		<description><![CDATA[
FlyClear, the company that handles an express lane security clearance in some U.S. airports, recently lost control of a laptop that contained personal data used to verify the identity of subscribers.  The company has repeatedly pointed out that no social security numbers or credit card numbers were included in the data as if that&#8217;s [...]]]></description>
			<content:encoded><![CDATA[<p>
<a href="http://flyclear.com">FlyClear</a>, the company that handles an express lane security clearance in some U.S. airports, recently <a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/08/05/BU2V125HTF.DTL&amp;tsp=1">lost control</a> of a laptop that contained personal data used to verify the identity of subscribers.  The company has repeatedly <a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/08/05/BU2V125HTF.DTL&amp;tsp=1">pointed out</a> that no social security numbers or credit card numbers were included in the data as if that&#8217;s the only data that really matters:
</p>
<blockquote><p>
The data in question on the laptop included a limited amount of the online applicant’s personal information, but did not include any credit information, including credit card numbers. And it did  not include the applicant’s Social Security number.
</p></blockquote>
<p>
Somehow, credit card numbers have become the standard for what constitutes identity theft.  I would argue that stealing credit card numbers does not normally constitute identity theft in any meaningful sense &#8212; all the credit card number does is let the holder take money from a single account in a specific way.  Calling credit card number theft identity theft is like calling physical key theft identity theft.  The credit card is not used for generic identification but is instead only used for access to a specific resource, as is a house or car key.
</p>
<p>
Social security numbers are used for generic identification, though it&#8217;s a whole other conversation about how horrible they are for such a use (for instance, I&#8217;m constantly asked for my social security number as identity confirmation by organizations to whom I never gave the number in the first place). In any case, the breached data included &#8220;names, addresses and birthdates for people applying to the program, as well as driver&#8217;s license, passport and green card information,&#8221; the combination of which is certainly as valuable for identification purposes as a simple social security number.
</p>
<p>
In fact, the purpose of the data on the laptop was to allow confirmation of identity without access to the network, so without evidence to the contrary, we can assume that the compromised data would allow an attacker to masquerade as one of the compromised identities.  This could be bad for the owner of the identity, but it seems much, much worse for the overall security of the security clearance process, allowing an attacker with the data to sail through the minimized security clearance process identified as one of the compromised identities.  I can&#8217;t find reference to this vulnerability in any of the releases by TSA or FlyClear or in any of the news coverage, but to the degree that we take the air travel security clearance process seriously, this problem seems to be very serious.
</p>
<p>
In a <a href="http://www.hyperorg.com/blogger/2008/08/08/7043/">letter</a> sent to its subscribers (and, according to David Weinberger, folks who did not know they had subscribed), the company claims that the data was not compromised because there were no logins on the compromised laptop while it was lost.  This is a very deceptive (or ignorant) statement, because it assumes that the only way to access the data on the laptop was to start up the laptop.  In fact, were I to want the data on a laptop, I would grab the laptop, take out the hard drive, copy an image of the hard drive, reassemble it, and then replace it where I found it, hopefully without anyone noticing that it was gone.  In this case, the absence of the laptop was noticed, but the lack of logins to the laptop says nothing about whether the data on the hard drive was accessed.
</p>
<p>
The company also claims that the personal data was protected by &#8220;two separate passwords.&#8221;  It&#8217;s not clear (so to speak) what systems used those two passwords.  My guess is that at least one, if not both, of the passwords only protected access to the operating system login and not to the hard drive.  Again, there&#8217;s no need to log in to the operating system to access the data, and in fact a smart attacker will avoid logging in to the operating system to avoid the risk of damaging the data.  It could be that one or both of the referenced passwords were used to encrypt the data on the hard drive; in that case the data would be protected even when accessed from another computer.  But the company admits that the data was not in fact encrypted, so it seems more likely that the data itself was in the clear and easily accessed simply by copying it off the drive.
</p>
<p>
More generally, the response of FlyClear to the data breach takes the tone of most of the data breach announcements &#8212; that there&#8217;s much ado about mostly nothing but that the mere fact that FlyClear is making the announcement is evidence that you can trust them with your data:
</p>
<blockquote><p>
We take the protection of your privacy extremely seriously at Clear. That’s why we announced on Tuesday that a laptop from our office at the San Francisco Airport containing a small part of some applicants’ pre-enrollment information (but not Social Security numbers or credit card information) recently went missing. &#8230; We are sorry that this theft of a computer containing a limited amount of applicant information occurred, and we apologize for the concern that the publicity surrounding our public announcement might have caused. But in an abundance of caution, both we and the Transportation Security Administration treated this unaccounted-for laptop as a serious potential breach.
</p></blockquote>
<p>
Notice the emphasis on the small amount of data (though it seems to have contained data highly useful for identity theft), on the seriousness of their response despite that small amount of data, on the apology for the publicity, on the fact that their response to such a minor issue constitutes an &#8220;abundance of caution.&#8221;  My reaction to reading a statement like this is that they do not in fact take data security seriously at all.  If they did, they would not consider it an abundance of caution to send an announcement (two weeks after the fact) to folks whose data they had lost.  If my friend lent me his driver&#8217;s license and I lost it, I don&#8217;t think he would consider me telling him about the loss an abundance of caution.  In fact, if I waited two weeks to tell him, he&#8217;d justifiably be very upset and never trust me with the driver&#8217;s license (or likely anything at all) again.  Doubly so if I claimed to him that he should take the loss of the license and the fact that I reported it to him just two weeks later as a sign of my abundant trustworthiness.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.law.harvard.edu/hroberts/2008/08/08/flyclear-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	<creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
	</item>
		<item>
		<title>Passport Security</title>
		<link>http://blogs.law.harvard.edu/hroberts/2008/07/04/passport-security/</link>
		<comments>http://blogs.law.harvard.edu/hroberts/2008/07/04/passport-security/#comments</comments>
		<pubDate>Fri, 04 Jul 2008 12:28:04 +0000</pubDate>
		<dc:creator>hal</dc:creator>
				<category><![CDATA[government]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[surveillance]]></category>

		<guid isPermaLink="false">http://blogs.law.harvard.edu/hroberts/2008/07/04/passport-security/</guid>
		<description><![CDATA[
The State Department released the results of an audit yesterday that found that large numbers of government workers (meaning both employees and contractors) have been regularly accessing the passport files of celebrities:


The 192 million passport files maintained by the State Department contain individuals&#8217; passport applications, which include data such as Social Security numbers, physical descriptions, [...]]]></description>
			<content:encoded><![CDATA[<p>
The State Department released the results of an audit yesterday that <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/07/03/AR2008070303799_pf.html?hpid=topnews">found</a> that large numbers of government workers (meaning both employees and contractors) have been regularly accessing the passport files of celebrities:
</p>
<blockquote><p>
The 192 million passport files maintained by the State Department contain individuals&#8217; passport applications, which include data such as Social Security numbers, physical descriptions, and names and places of birth of the applicants&#8217; parents. Otherwise, the files provide limited information; they do not contain records of overseas travel or visa stamps from previous passports.</p>
<p>To test the extent of the snooping, investigators assembled a list of 150 famous Americans and checked how many times their files were accessed over a 5 1/2 -year period. Investigators found that the records of 127, or 85 percent, had been searched a total of more than 4,100 times.</p>
<p>The report said that &#8220;although an 85 percent hit rate appears to be excessive, the Department currently lacks criteria to determine whether this is actually an inordinately high rate.&#8221;
</p></blockquote>
<p>
85%! &#8220;excessive&#8221; indeed!  If you look at the criteria for celebrities (including the Fortune 50), it&#8217;s likely that the 15% of folks who didn&#8217;t meet this threshold (and note that the threshold is lots and lots of accesses to the files, rather than the more than one that should trigger an alert) are simply not of interest to the government employees.
</p>
<p>
What&#8217;s shocking about this breach is not so much the privacy of the celebrities (who have little privacy anyway), but the revelation that there seem to be no controls at all over the data other than very casual manual supervision. It&#8217;s almost certain that in addition to looking up celebrities, workers have been looking up information on other folks &#8212; friends, family, lovers, colleagues, bowling league rivals &#8212; who are more relevant to their lives than celebrities.  And many of the folks who have access to the data and have been guilty of the breaches are contractors.  Given the shockingly lax control over the data, we have to worry about those contractors and their employers accessing the data for all sorts of unsavory business reasons (looking up data on competitors, on government supervisors, etc).
</p>
<p>
The larger lesson here is that valuable data collections like the passport database have potential value tremendously higher than their regulated power.  That tension between the potential value and regulated value makes it inevitable that data will leak out from some of even the best secured of them in one way or another.  When a data collection has no serious controls at all (as the passport records seem not to), such breaches will be certain and frequent.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.law.harvard.edu/hroberts/2008/07/04/passport-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	<creativeCommons:license>http://creativecommons.org/licenses/by-sa/3.0/</creativeCommons:license>
	</item>
	</channel>
</rss>
