
Laptop Ban a Reaction to X-Ray Equipment Stolen by ISIS - tsaoutourpants
https://professional-troublemaker.com/2017/05/22/exclusive-laptop-ban-reaction-to-x-ray-equipment-stolen-by-isis/
======
Animats
The secrecy issue has gotten out of hand.

The classic military view of secrecy is time-limited. "Where the ship was last
week is unclassified. Where the ship was yesterday is confidential. Where the
ship is now is secret. Where the ship will be tomorrow is top secret." The
opposition will eventually find out what you're planning on doing. The goal is
for them to find out the hard way, when incoming fire starts hitting them.

The intelligence community has a longer-term view. "We know, and they know. We
think they don't know that we know they know. We hope they don't know how we
found out that they know." This protection of sources mindset leads to things
being kept secret long after all involved parties know.

The anti-terrrorism community has adopted the intelligence community mindset.
This is a problem.

~~~
dvdhnt
This is wrong.

The classification level of information is determined by confidentiality of
the information's source. This is done to protect deeply embedded or highly
technical means of information gathering.

For example, information that could have only come from the second in command
of some organization would require the highest of security classifications
whereas information that could have come from any dozens of members of that
organization would only require a confidential or secret classification.

Information is required to be classified at the lowest possible level, a
guideline that is both taught and enforced throughout most if not all of the
Intelligence Community.

source: I was an intelligence analyst for 6+ years.

~~~
tsaoutourpants
It is certainly correct that DHS, and to some extent our government generally,
is known for over-classifying things either out of laziness, desire to avoid
embarrassment, or because they believe that anything remotely security related
needs to be hidden. As an intelligence analyst, you likely didn't see the
misclassified things (I'd imagine roughly everything you did was classified
for good reason). It's the political officials who are more likely to over-
classify.

~~~
dvdhnt
That's a fair accusation - you're responsible for increasing the
classification of material if you find it to be under-classified, or request a
review in the opposite case. So, it wouldn't be surprising if something came
across the desk of a decision-maker or the IC's version of middle-management
and they selfishly raised its classification hoping it'd be lost in a
blackhole for fear of embarrassment, etc.

------
leggomylibro
>So why was the stolen x-ray equipment kept a secret? I asked my source if
there was some security reason for keeping the stolen x-ray equipment from the
public, and was told, unequivocally, no. “It’s because the mom from the
midwest planning to fly her kids to Disney would freak out. They are worried
that people would stop flying if they knew.”

Kind of ironic, because I've already stopped flying - not because I'm afraid,
but because these sorts of measures have gotten to the point where traveling
through an airport is an awful experience that I actively avoid.

If I absolutely must travel, I take a train or drive. The only reason I ever
fly is if I have to cross an ocean or if I face an emergency that requires me
to be present somewhere far away, very quickly.

And in the case of an ocean, honestly, renting a stateroom on a cargo ship
seems like a very relaxing way to go if you have the time. I've got a HUGE
backlog of books and games and writing and projects to design and you get the
idea.

~~~
jetti
"If I absolutely must travel, I take a train or drive. "

The problem with train is it is expensive and time consuming in the States. I
could take a train from Chicago to Orlando and it would take around 30 hours
and cost just as much, if not more, than a plane ticket. Not only that, the 19
hour second leg of the ride has no food car.

~~~
chucksmash
This is exactly the thought that occurred to me, except for New York to
Atlanta.

I've looked into taking the train a couple of times and balked each time at
the idea of paying the same price for 10-15x the transit time. 40 hours in
transit is going to be a non-starter for so many kinds of trips, unless you're
specifically doing something like [1] where the transit is the whole point of
the trip.

[1]: [http://www.viarail.ca/en/explore-our-
destinations/trains/roc...](http://www.viarail.ca/en/explore-our-
destinations/trains/rockies-and-pacific/toronto-vancouver-canadian)

~~~
martinald
The thing is it is way more expensive to provide a train for 40 hours than a
plane for 2. The plane could do 20 journeys in that time, for 20x the nominal
revenue.

This is why high speed rail is so good: it can actually really decrease
operational costs Vs normal rail as your train, crew, station etc does 2-3x
the volume of passengers, and therefore revenue, compared to slower
alternatives.

------
tsaoutourpants
Hi All, author of the article here. Happy to answer any questions you may have
about the laptop ban, aviation security, TSA assholery, Trump's travel-related
civil rights abuses (incl. the "Muslim ban"), or other such topics of
interest.

And, thanks for the support... HN is always one of the first communities to
upvote my work and help me share it with the world. As a computer scientist
turned almost-lawyer, I definitely appreciate!

~~~
jaclaz
While it is perfectly possible that a scanning device disappeared somewhere,
it is not the only way someone can study how to conceal hidden explosive in
luggage.

I mean are the people that operate daily these machines vetted to a level
where you can totally exclude that they (in ALL airports wordwide) can be
affiliated to whatever evil organization and do some tests after hours?

Does the same happen for all technicians that maintain/repair these devices?

Does the same happen for all designers of these devices?

Or if you prefer, do you believe that such a scanning machine cannot be re-
built from commercial parts by someone who knows their innards?

Are ALL purchases of new scanners subject to governemnet approval (and even if
yes, which government)?

~~~
tsaoutourpants
Hi jaclaz,

> I mean are the people that operate daily these machines vetted to a level
> where you can totally exclude that they (in ALL airports wordwide) can be
> affiliated to whatever evil organization and do some tests after hours?

No, although after-hours testing may set off some alarms. I'm sure their on-
hours experience would be useful, though.

> Does the same happen for all technicians that maintain/repair these devices?

No.

> Does the same happen for all designers of these devices?

Nope.

> Or if you prefer, do you believe that such a scanning machine cannot be re-
> built from commercial parts by someone who knows their innards?

Yes, I do believe that rebuilding a modern, advanced x-ray system from scrap
components is beyond the capabilities of ISIS at the moment.

> Are ALL purchases of new scanners subject to governemnet approval (and even
> if yes, which government)?

The modern, advanced x-ray systems are not available to the general public. As
to how exactly they are controlled, I'm not sure.

See also my comments to other users regarding the differences between modern
x-rays and old school ones.

~~~
jaclaz
>The modern, advanced x-ray systems are not available to the general public.
As to how exactly they are controlled, I'm not sure.

Sure they are not something that you can buy at the market around the corner,
and surely they would not be cheap, but they can surely be bought by (say)
financial institutions, banks, etc. (i.e. not only by airports, and
public/international airports).

Now, if you can be sure that no bank (or other private financial institution)
nor privately owned airport or port (or similar) worldwide may have some
connections with the "bad guys" it's all fine and dandy, otherwise my previous
note still stands.

I don't doubt that - as you report - the alarm may have been "triggered" by
the stealing (or however vanishing) of the said machine, but from this to
consider it "logic" there is a huge step.

At least the last few times I have flown (not to the US that may well have
much different and more sophisticated devices) here in Europe I saw everywhere
Gilardoni scanners (said to be among the best at least in Europe), like the
ones published on their pages:

[http://www.gilardoni.it/en_scanner-a-
raggi-x.asp](http://www.gilardoni.it/en_scanner-a-raggi-x.asp)

And are you really sure-sure that all the scanners you can find on alibaba are
tat much oudated?

[https://www.alibaba.com/trade/search?SearchText=x-ray+scanne...](https://www.alibaba.com/trade/search?SearchText=x-ray+scanner&selectedTab=products)

It doesn't seem to me like shopping for cruise missiles or the like ...

~~~
tsaoutourpants
I'm certainly not arguing that DHS uses perfectly sound logic. I'm just
explaining their reasoning, however flawed. I agree that this kind of
"reactive" security is less than comforting.

------
zkms
Read this paper as well
[https://www.usenix.org/system/files/conference/usenixsecurit...](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-
mowery.pdf) \-- the researchers who wrote it obtained (on the surplus market)
the same model of backscatter X-ray body scanner that was deployed in US
airports and proceeded to evaluate and validate various schemes for
undetectable concealment of firearms, knives, and explosives. Other research
was done, including a software implant that would selectively strip
indications of contraband from the image (when a specific signal pattern was
in the image), and a firmware implant that would disable all interlocks and
deliver an elevated radiation dose. If it is possible for a few university
researchers to obtain this sort of security scanner without resorting to
crimes, it is folly to assume that actual adversaries cannot.

We need better methods for detecting energetic materials (and not just
suspicious shapes) in luggage (detecting it concealed inside humans is harder
and would require transmission x-ray which is not currently acceptable for
airport security screening) that don't crumble when the adversary has
unlimited access to the security scanner to test concealment methods.

Concealing knives is kinda easier than concealing energetic materials -- it
is, for example, possible to machine a blade that fits perfectly inside a
blunt, innocuous "sheath" so precisely (hi, wire EDM) that they appear as a
single piece of metal. However, this is not so much of an issue nowadays, as
no amount of threatening or stabbing with a knife will make a pilot open the
cockpit door.

~~~
astrodust
Ceramic, glass and plastic knives can be extremely dangerous and yet they
probably don't show up on these machines at all. The utility of these machines
is questionable to say the least.

Bruce Schneier observed, like you did, that the heavily secured cockpit door
is one of the only real improvements made to airplane security in the last few
decades.

~~~
knodi123
> and yet they probably don't show up on these machines at all

Uh, yeah, they do. Have read _anything_ about backscatter xray machines?

The real way to defeat these machines is to hide things in folds of your
flesh. It can see through clothes, but not too much skin. In staged
demonstrations, fat people have gotten a metal pistol through, no problem.

~~~
astrodust
I've read a fair bit about these machines and seen various demonstrations back
when they were still being deployed.

Quick examples: [https://www.wired.com/2014/08/study-shows-how-easily-
weapons...](https://www.wired.com/2014/08/study-shows-how-easily-weapons-can-
be-smuggled-past-tsas-x-ray-body-scanners/)

A gun(!) is basically invisible in the scan. Is teflon tape enough to defeat
these stupid machines?

------
djmdjm
The premise is flawed. X-ray inspection equipment is easy to find - it's
regularly offered for sale on EBay and you'll find a number of teardown videos
of various models on Youtube. The stolen X-Ray equipment is not being reported
probably because it isn't particularly interesting.

~~~
tsaoutourpants
Well, not exactly. Very basic x-ray equipment is easy to find on eBay. The
more modern equipment that the TSA uses is not available on eBay...

[https://securitytoday.com/articles/2008/07/30/tsa-to-
expand....](https://securitytoday.com/articles/2008/07/30/tsa-to-expand.aspx)

"Advantages of AT X-ray include a greatly enhanced image with the ability to
target novel threat items resulting in fewer bag checks and faster throughput,
and the ability to upgrade the system with enhanced algorithms."

...and that article describes the 2008 edition of the technology!

For a more technically-specific perspective, I can say that the newer machines
take images from multiple angles and are closer to a medical CT scan than a
old-school x-ray. Owning one would allow you to practice placing your items in
a direction and location that would be least able to be seen by the operator.

------
suihkulokki
This article seems to miss the fact ISIS took over Mosul international airport
in 2014. Surely they got luggage screening machines in hand by then already.

~~~
askvictor
My guess would be that the gear at Mosul would not be as advanced as
elsewhere.

~~~
nraynaud
Not sure, because the destinations countries for the planes departing from
there have some interest (a bit like the US forcing some theater on Europe),
and there is some international help for military and security theater gear.

------
koenigdavidmj
Hey look, a security crisis that can only be fixed by requiring that we prove
our devices are functional, most likely by turning them on, logging in, and
showing that there are a few documents present. And in some cases, extra
manual evaluation will be required, entailing taking that logged-in laptop
into a back room for further inspection. They won't copy everything onto a
disk of their own---honest!

~~~
rtkwe
Even forcing people to turn on devices doesn't really fix it. Just keep three
(for proper voltage so you don't have to add any boost circuitry) of the cells
in your battery bomb and it'll be more than enough to pass their screening.

~~~
koenigdavidmj
Whether this actually helps security is irrelevant.

------
squarefoot
Everyone seem to have missed the opportunity here to push for standard power
connector/polarity/voltage/maxcurrent requirement for all laptops while
fitting a power cable (with short circuit protection in every seat. That will
also discourage from producing laptops not working if a battery isn't plugged
in. Having say a 12VDC/3A plug in every seat will force most manufacturers to
make at least one airline-friendly laptop, and/or implement on faster models
things such as turning off cores and keeping CPU speed low to stay within that
current limit.

edit- and push to get a standard for battery pack sizes to reduce the number
of form factors, then implement a service where you give your used one at
departure and get a new one at arrival.

Regulations like that one stink badly, but necessities drive progress and I
see an opportunity here.

~~~
JadeNB
> edit- and push to get a standard for battery pack sizes to reduce the number
> of form factors, then implement a service where you give your used one at
> departure and get a new one at arrival.

Or we could implement the Indian system, where you turn in your new batteries
at departure and are given used ones on arrival. (Mysteriously, despite the
assurance that they are the same batteries, they have sometimes changed brand,
too.)

------
tsaoutourpants
Hi Everyone, author of post here with an update for you. The most modern x-ray
systems in use by the TSA at airports to screen carry-on bags can indeed see
through lithium batteries. It also differentiates densities, and it seems to
me that the latest tech should therefore be able to indicate the difference
between a battery and C4 in a battery-shaped box. So is it that the airports
subject to the laptop ban have the older tech? Well...

Read more: [https://professional-troublemaker.com/2017/05/22/update-
newe...](https://professional-troublemaker.com/2017/05/22/update-newest-tsa-
carry-on-x-rays-can-indeed-see-through-laptop-batteries/)

------
leroy_masochist
Q for the author: how valuable would an actual proprietary airport X-ray be,
in terms of designing devices (as compared to another X-ray of similar spec)?
Does having access to the actual X-ray for purposes of product testing really
make that much of a difference to a technically gifted bomb-maker?

~~~
tsaoutourpants
Yes. See my comment below to djmdjm, but also, I'll add one more thing. Take a
knife out of your kitchen drawer and hold it in your hand in front of you such
that the sharp side of the blade is on the left and the dull side is on the
right. Easy to see. Now rotate it 90 degrees such that the sharp side is
facing you and the dull side is facing away. Much harder to see, especially if
you can imagine what it would look like on an x-ray, and how you could further
conceal it by carefully placing other items between the "camera" and the item.

~~~
15155
Angle-shifting units make this harder, but the obvious blindspot is the
conveyor belt entrance/exit holes (they cannot have imaging equipment in
them).

~~~
tsaoutourpants
Exactly. Imaging devices all have blind spots, which is how I was able to
defeat the TSA's body scanners in 2012.

------
fpoling
As lithium batteries are opaque to X-Rays, perhaps a ban on laptops with
batteries should be considered. This will surely push for standard swappable
batteries and standard power supplies so the laptops could be used on board
without batteries.

~~~
tsaoutourpants
What? No, that's a wholly unnecessary solution (though more standardization of
batteries would certainly be nice). Swab the outside of the laptop for bomb
residue, which would be especially difficult to clean from a laptop because
the stronger solvents to clean with (like acetone) would mark the plastic. Or
hire more dogs. Or make a "puffer machine" for laptops (blasts with air and
then samples the air for explosive trace). Or come up with another solution --
this is HN! :)

~~~
borplk
Is the puffer machine a thing? Or you just came up with it?

~~~
mikeyouse
Nope, they're a thing:

[https://en.wikipedia.org/wiki/Puffer_machine](https://en.wikipedia.org/wiki/Puffer_machine)

> _The machine operates by releasing multiple puffs of air at a passenger who
> is standing upright within the machine. This will flush out any particles on
> the person inside the machine then analyze and identify them in seconds.[6]
> According to an article in the 16 June, 2005, New York Times, it is capable
> of screening up to 180 passengers an hour.[7] This sample is then analyzed
> using IMS or MS technology to search for specific explosive or narcotic
> compounds. If a substance of concern is detected, the security personnel are
> notified by a visible and /or audible alarm._

------
syphilis2
It seems to me that if an X-Ray scanner was stolen from an airport, that
information would reasonably be considered SSI due to its relation to
screening passenger luggage. I wouldn't be comfortable spreading news that
stolen equipment is available, that there's a security vulnerability allowing
equipment to be stolen, that ISIS is in possession of the stolen equipment, or
any vulnerability assessments of the equipment. The unnamed source seemed
convinced that any security decision was made to avoid scaring "mom from the
midwest," but that comment appears short-sighted if anything more than
conjecture.

------
ryanlol
>By forcing all these batteries into the cargo hold where a fire cannot be
rapidly detected and contained, DHS would be countering any deceased risk of
terror with an increased risk of fire.

Everyones always been telling me that if I want to bring down a plane I should
set the cabin on fire, not the cargo hold. Have I been living a lie?

------
jperras
Correct me if I'm wrong, but wouldn't a relatively benign way to fix this
simply be that the TSA agents randomly reorient/flop some carry on luggage
items in the bins before they go through the scanner?

~~~
tsaoutourpants
That would definitely help. Or, simply re-run bags where there is opaque stuff
that the screener is unsure about, oriented in a new direction. But, that
wouldn't necessarily solve all the problems, as laptop batteries are opaque in
all directions, and so if you got a lead metal box and filled it with
explosives, it may look much the same.

------
Frenchgeek
So instead of creating new measures in order to fix the security problem, they
chose to flood the system with false positives...

------
AJ007
Reduced airline travel, tourism, and global trade -- sounds like a good action
plan for countering global warming.

------
knodi
ya right, fuck off TSA. They're just trying to pretend they're relevant.

