TSA Fails to Secure Its Own PDFs

parody TSA logo

I think I have mentioned before the danger of “redacting” PDF files by just drawing black boxes over the words you want to keep secret.  Many of you already know that doing this isn’t safe because people with advanced document-forensics skills, like cutting and pasting, can easily see what’s under the boxes.  Probably someone somewhere at the Homeland Security Department (“Security Is Our Middle Name”) is aware of this, but if so, he didn’t pass it on to the Transportation Security Administration (“Ours Too”).

TSA personnel do know about this now, but only because they posted a “redacted” PDF of the TSA airport-security-screening manual on the Internet, and that sensitive document has now been un-redacted and widely circulated.  This has caused some embarrassment for those in our nation’s crack security apparatus, in particular the officials who are being asked by the Senate about it this morning.

The TSA said on December 7 that the document was “outdated” and generally not that big a deal.  Of course, it was marked as “sensitive security information” released only on a “need to know” basis, and then they redacted parts of it on top of that, which makes it at least seem like a big deal.  And it was posted on a website used by contractors bidding on federal projects, which makes it seem like it should be current.  The TSA also claimed that this particular document was never issued to employees, although again it is hard to see why it’s being used to solicit bids if it isn’t real.  And, presumably, something a lot like it was issued to employees at some point, or else why bother to write it in the first place?

Now, most of this document does not seem especially controversial or interesting, and to that extent the main story is that our very expensive security forces cannot successfully secure a PDF, let alone an airport.  I did find the extensive “definitions” section a little disturbing, though, because it includes some definitions like this:

Explosives – Military, commercial, or improvised compounds characterized by their ability to rapidly convert from a solid or liquid state into a hot gaseous compound with a much greater volume than the substances from which they are generated.

Yep, that’s what they do all right – rapidly convert into a form with a much greater volume than they had just a second ago.  Is that useful?  If it’s really even necessary, given some of the TSA screening personnel I’ve encountered I would suggest this instead:

Explosives – Things that blow up.

I was also concerned by this definition:

Threat Image Projection (TIP) – Computer software that allows fictional images of threats to be digitally displayed in the image of passengers’ bags onto the x-ray monitor.

I assume that’s for training purposes, but why not just toss a gun in a bag and see if your people can find that?  Unless you are training them to look for fictional threats.

The previously sort-of-redacted material in the PDF also included, among other things, depictions of the security badges of federal air marshals, CIA officials, members of Congress, and ATF agents, which seems like the sort of thing that would be handy to the wrong kind of people.

You too can see what was once redacted, by following one of the links below.  You might be committing a federal crime by doing so, but if you were prosecuted for this it would just be another example of our security obsession backfiring on citizens rather than hampering those who want to attack us with compounds characterized by their ability to rapidly convert into another one with a much greater volume.  And isn’t that what we should be focusing on?