[Full-Disclosure] Re: Airport x-ray software creating images of phantom weapons?

2004-11-17 Thread James Davis
On Tue, 16 Nov 2004, Jason Coombs wrote:

> If the devices create phantoms by design, why would they not also obey
> commands to display arbitrary replacement images when some
> non-TEMPEST-hardened component is blasted with RF from within the x-ray
> scanning chamber?

A few years ago I met someone who worked on the development of X-ray
machines. One problem in the operation of the machines is that weapons in
luggage are extremely rare and it's difficult to motivate a human operator
into concentrating fully on the display for months on end without ever
spotting anything. They literally are looking for needles in haystacks.

The machines plant images of weapons into the display in order to keep the
operator alert. I suppose the system is configured in such a way that a
button press will remove imaginary weapons. Operators failing to spot the
imaginary weapons will fail to press the button, revealing problems in
training.

Normally it would be difficult to discover these problems before it's too
late as you'll never learn about real weapons that have passed through
without being spotted.

I imagine that the systems are well shielded from any interference that
the X-ray machine causes.

> Do such transportation security technologies really benefit from
> technical obscurity? Why not publish the design, specs and source code
> for analysis and for all to see?

I suspect the problem was either a glitch in the software or, perhaps more
likely, operator error?

James

--
"You're turning into a penguin. Stop it"
http://jamesd.ukgeeks.co.uk/





___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] RE: Airport x-ray software creating images of phantom weapons?

2004-11-17 Thread David D.W. Downey
 

> -Original Message-
> From: Jason Coombs [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, November 16, 2004 12:09 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Airport x-ray software creating images of phantom weapons?
> 
> My flight into Midway airport, Chicago, just sat on the 
> runway for nearly two hours tonight because of a potential 
> security breach in the terminal, described here:
> 
> http://www.nbc5.com/news/3921217/detail.html?z=dp&dpswid=2265994&dppid=65194
> 
> A Transportation Security Administration representative at 
> Midway airport confirmed for me that the suspicious object 
> displayed on the computerized x-ray machine may have been a 
> phantom image similar to the one in Miami on November 13th:
> 
> Software glitch in security scanner at Miami airport 
> 'projected the image of a weapon' that didn't exist
> http://abclocal.go.com/ktrk/news/nat_world/111304_APnat_airport.html
> 


OK, let's stop here for a moment. Before we get to the digitizing of pictures,
let's look at something here. According to the story, the man's bag had the
image of a grenade in it. Yet, he was able to move away from the screening
area, sit down at a set of seats _with_ his bag, then move away from there to
the food courts with a friend all without being stopped, watched, tailed, or
any other security measures taken regarding him. 

During this time, the security forces protecting the airport are informed of
the potential threat, start their sweeps and find the gentleman in the food
court. Let me ask a couple questions, having spent many years as a soldier,
that bother me to the extreme regarding this situation.

- WHY was this man allowed out of the screening area in the first place? 

- WHY was there no security force on either side of the mouth of the opening
out of the security checkpoint? 

- WHY was the security force not immediately alerted to the potential threat
BEFORE the man left the checkpoint?

- WHY was this man allowed to move to a set of seats _having passed the
security checks_ where this supposed 'ghost image' was seen? 

- WHY was this man then allowed to roam freely _within_ the airport to the food
court? 

- WHY did the security forces NOT have a monitoring device or similar human
presence watching this man?


Notice nothing of what I have said touches on the electronic technologies used
to examine baggage, personnel, or passengers, such as what caused this apparent
ghost image. This is purely monitoring, notification, response, and crisis
management that I'm speaking of. We have numerous holes within the security
protocols at this airport that this man slipped through without even touching
on the original gist of this thread.

Add on the complaints Jason brought up and we have a much larger security issue
in this country than most people suspect. Is it cause for panic? Hardly. Is it
cause for a very serious review and a VERY firm set of response policies
created? Yes, definitely.

Just my 2 cents. :-)

--
David D.W. Downey



[Full-Disclosure] Re: Airport x-ray software creating images of phantom weapons?

2004-11-18 Thread Joel Merrick
On Tue, 2004-11-16 at 05:08 +, Jason Coombs wrote:
> My flight into Midway airport, Chicago, just sat on the runway for nearly two 
> hours tonight because of a potential security breach in the terminal, 
> described here:
> 
> http://www.nbc5.com/news/3921217/detail.html?z=dp&dpswid=2265994&dppid=65194
> 
> A Transportation Security Administration representative at Midway airport 
> confirmed for me that the suspicious object displayed on the computerized 
> x-ray machine may have been a phantom image similar to the one in Miami on 
> November 13th:
> 
> Software glitch in security scanner at Miami airport 'projected the image of 
> a weapon' that didn't exist
> http://abclocal.go.com/ktrk/news/nat_world/111304_APnat_airport.html
> 
> Why are we replacing perfectly good analog video displays with 
> computer-generated displays for security-related data??
> 
> Haven't enough people learned yet that whenever you digitize something you 
> render it unreal and vulnerable?
> 
> Stupid, stupid, stupid.
> 
> If the devices create phantoms by design, why would they not also obey 
> commands to display arbitrary replacement images when some 
> non-TEMPEST-hardened component is blasted with RF from within the x-ray 
> scanning chamber?
> 
> Do such transportation security technologies really benefit from technical 
> obscurity? Why not publish the design, specs and source code for analysis and 
> for all to see?

He he, there's about as much chance of that as there is the voting
machines getting their 'specs' published.

Maybe it'll get leaked on the net and we'll find out they use a hard
coded DES key that I could crack with my casio watch ;)

> 
> Security improvements in such devices are presently limited to those 
> companies that have the contracts to build and deploy them, or infosec firms 
> that audit and pen test them in secret.
> 
> Like electronic voting machines, this is a misguided, unnecessary, and 
> counter-productive “innovation for the sake of change or profit” and it makes 
> no sense. But of course it isn't going to stop, and the security vendor with 
> the best technology is as likely to win contracts in transportation security 
> as in any other industry. (Not)
> 
> If quality is the true objective, then perhaps we should adopt exceptions to 
> intellectual property laws to force into the public domain any creative work 
> that has the capability to impact the “security” of anything important...
> 
> Regards,
> 
> Jason Coombs
> [EMAIL PROTECTED]
-- 
Joel Merrick







RE: [Full-Disclosure] RE: Airport x-ray software creating images of phantom weapons?

2004-11-17 Thread Esler, Joel - Contractor
I am reading between the lines here...

"TSA improperly identified a weapon in a flier's bag.  Instead of taking
responsibility for the accident/misidentification, TSA is blaming it on
the equipment."  Yeah.  What he said.





Re: [Full-Disclosure] Re: Airport x-ray software creating images of phantom weapons?

2004-11-19 Thread Valdis . Kletnieks
On Thu, 18 Nov 2004 10:46:50 GMT, Joel Merrick said:

> Maybe it'll get leaked on the net and we'll find out they use a hard
> coded DES key that I could crack with my casio watch ;)

No, ROT13 is way leet strong crypto as long as nobody knows it, as
Sklyarov found out... ;)




Re: [Full-Disclosure] Re: Airport x-ray software creating images of phantom weapons?

2004-11-19 Thread Adam Jacob Muller
Rot 13 may not be strong but rot12 is. I once posted a string that I
only rotated 12 chars to my blog and it took a month before anyone
figured it out. That probably says more about the IQ of the people
reading my blog than the security of rot13.

Adam
Where is it written in the Constitution, in what article or section is 
it contained, that you may take children from their parents and parents 
from their children, and compel them to fight the battles of any war in 
which the folly and wickedness of the government may engage itself? 
Under what concealment has this power lain hidden, which now for the 
first time comes forth, with a tremendous and baleful aspect, to 
trample down and destroy the dearest right of personal liberty? Who 
will show me any Constitutional injunction which makes it the duty of 
the American people to surrender everything valuable in life, and even 
life, itself, whenever the purposes of an ambitious and mischievous 
government may require it? . . . A free government with an uncontrolled 
power of military conscription is the most ridiculous and abominable 
contradiction and nonsense that ever entered into the heads of men.
-Daniel Webster

On Nov 19, 2004, at 3:30 PM, [EMAIL PROTECTED] wrote:
> On Thu, 18 Nov 2004 10:46:50 GMT, Joel Merrick said:
>> Maybe it'll get leaked on the net and we'll find out they use a hard
>> coded DES key that I could crack with my casio watch ;)
> No, ROT13 is way leet strong crypto as long as nobody knows it, as
> Skylarov found out... ;)


Re: [Full-Disclosure] Re: Airport x-ray software creating images of phantom weapons?

2004-11-20 Thread Raj Mathur

> "Adam" == Adam Jacob Muller <[EMAIL PROTECTED]> writes:

Adam> Rot 13 may not be strong but rot12 is. I once posted a
Adam> string that I only rotated 12 chars to my blog and it took a
Adam> month before anyone figured it out that probably says
Adam> more about the iq of the people reading my blog than the
Adam> security of rot13.

I use ROT26.  Most people have trouble comprehending that too ;)

-- Raju
-- 
Raj Mathur    [EMAIL PROTECTED]    http://kandalaya.org/
   GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
  It is the mind that moves