Two years ago, a blogger named Jonathan Corbett published a YouTube video that seemed to show a facepalm-worthy vulnerability in the TSA’s Rapiscan full-body X-ray scanners: Because metal detected by the scanners appeared black in the images they created, he claimed that any passenger could hide a weapon on the side of his or her body to render it invisible against the scans’ black background. The TSA dismissed Corbett’s findings, and even called reporters to caution them not to cover his video.
Now a team of security researchers from the University of California at San Diego, the University of Michigan, and Johns Hopkins plans to reveal their own results from months of testing that same model of scanner. And not only did they find that Corbett’s weapon-hiding tactic worked; they also found that they could pull off a disturbing list of other possible tricks…
The study itself, published today, notes that, “In an incident widely reported in the press, Jonathan Corbett suggested that firearms hanging off the body might be invisible against the dark background, an attack we confirm and refine in Section 3.1.”
Well, isn’t that nice. 🙂 Off to send a copy to the courts… [Edit: Done!]
Hi Jonathan. Great to see this story. I wrote about it and referenced your blog. I also suggest you think about a qui tam case. Here is the piece. Retweet and share if you like.
Defective X-Ray Pornscanners. You Can See Sideboobs But Not Sidearms
Qui tam cases have a high bar — I have to show not just negligence, but actual fraud. I would also have to retain an attorney, as qui tam cases can’t be filed by non-attorneys. If you know of one who wants such a case, let me know. 🙂
Actually I might. I’ve contacted one of the law firms that does qui tam cases. They did a lot of work proving fraud in companies working on the “Star Wars” programs. Drop me a line at spockos email at gmail . com; best way to contact you.
Hi again Jonathan: I have talked to a qui tam lawyer out here in California who is interested. Drop me a note at spockosemail at gmail com.
>Two years ago, a blogger named Jonathan Corbett published a YouTube video that seemed to show a facepalm-worthy vulnerability in the TSA’s Rapiscan full-body X-ray scanners:
I bet there were a lot of facepalms in Arlington that day. 😉
I’d like to see this same study done on a MMW, which is what is now in airports. Curious though, what does this mean to all the backscatters that were redeployed to places like federal buildings and jails? I’m thinking that they may need to rethink that.
I appreciate this info very much- thanks for all your persistence and hard work!
Hi Jon – Damon Poeter from PCMag here – any chance you have a minute or 20 to talk about your findings, your case with TSA etc. on Friday? If so, ping me at Damon_Poeter@pcmag.com … ! Thanks!
Privacy Alert: TSA Wants To Know Which Prescription Drugs You’re Taking!
Thanks John. This is great!
Btw thanks for your moral and ethical views John. In my view a free society cannot exist if the populace, and especially the government, are immoral and unethical.
U.S. Gov’t Claims It’s “Not Appropriate” For A Court To Conduct Its Own Independent Review Of State Secret No-Fly List:
It is “not appropriate” for a court to conduct its own independent review of evidence that the government asserts is protected by the state secrets privilege, attorneys for the government argued last week.
They were objecting to an order that was issued in a lawsuit challenging the constitutionality of the “no fly” list in the case of Gulet Mohamed v. Eric Holder. On August 6, Judge Anthony J. Trenga of the Eastern District of Virginia ordered the government to submit for in camera review a copy of all documents and testimony relevant to the case that it asserts fall under the state secrets privilege.
Instead, government attorneys asked Judge Trenga in an August 22 motion to reconsider his order “on the ground that the required submission [of assertedly privileged material] is not appropriate or necessary for evaluation of whether the state secrets privilege should be upheld or whether dismissal is necessary, in light of the information already provided to the Court on those issues.”
“The Government has provided… a thorough description of the harm to national security that would result from the disclosure of the privileged information. The additional submissions ordered by the Court would not assist in that determination,” they added.
DOJ Pretends No Fly Guidelines Haven’t Been Leaked, Claims ‘State Secrets’ To Avoid Revealing Them To The Judge:
Back in July, we wrote about the Intercept releasing a leaked copy of the US law enforcement guidelines for putting someone on the no fly list. There have been a series of lawsuits recently concerning the no fly list, and the government has basically done everything possible, practically to the point of begging judges, to avoid having those cases move forward. So far, that’s failed miserably.
“I don’t want a unitary, unfakeable identity.”
Dan Geer’s keynote speech at the Blackhat security conference earlier this month (video, transcript) included an important discussion of the often-misunderstood “right to be forgotten” and the larger context of why it matters: the threat posed by compelled identification, and how we can defend ourselves against that threat:
Privacy used to be proportional to that which it is impossible to observe or that which can be observed but not identified. No more — what is today observable and identifiable kills both privacy as impossible-to-observe and privacy as impossible-to-identify, so what might be an alternative? If you are an optimist or an apparatchik, then your answer will tend toward rules of data procedure administered by a government you trust or control. If you are a pessimist or a hacker/maker, then your answer will tend towards the operational, and your definition of a state of privacy will be my definition: the effective capacity to misrepresent yourself…
The Obama administration’s issuance of a National Strategy for Trusted Identities in Cyberspace [NSTIC] is a case in point; it “calls for the development of interoperable technology standards and policies — an ‘Identity Ecosystem’ — where individuals, organizations, and underlying infrastructure — such as routers and servers — can be authoritatively authenticated.” If you can trust a digital identity, that is because it can’t be faked…. Is having a non-fake-able digital identity for government services worth the registration of your remaining secrets with that government? Is there any real difference between a system that permits easy, secure, identity-based services and a surveillance system? Do you trust those who hold surveillance data on you over the long haul, by which I mean the indefinite retention of transactional data between government services and you, the individual required to proffer a non-fake-able identity to engage in those transactions? Assuming this spreads well beyond the public sector, which is its designers’ intent, do you want this everywhere?…
I conclude that a unitary, unfakeable digital identity is no bargain and that I don’t want one. I want to choose whether to misrepresent myself. I may rarely use that, but it is my right to do so. If that right vanishes into the panopticon, I have lost something and, in my view, gained next to nothing. In that regard, and acknowledging that it is a baby step, I conclude that the EU’s “Right to be Forgotten” is both appropriate and advantageous though it does not go far enough. Being forgotten is consistent with moving to a new town to start over, to changing your name, to a definition of privacy that turns on whether you do or do not retain the effective capacity to misrepresent yourself…. A right to be forgotten is the only check on the tidal wave of observability that a ubiquitous sensor fabric is birthing now, observability that changes the very quality of what “in public” means….
And they are just now figuring this out? You are a hero Jon.