Open Source and information security mailing list archives
 
Message-ID: <1100774810.6639.13.camel@localhost>
Date: Thu, 18 Nov 2004 10:46:50 +0000
From: Joel Merrick <joel@...vicestyle.com>
To: Jason Coombs <jasonc@...ence.org>
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Re: Airport x-ray software creating images of phantom weapons?

On Tue, 2004-11-16 at 05:08 +0000, Jason Coombs wrote:
> My flight into Midway airport, Chicago, just sat on the runway for nearly two hours tonight because of a potential security breach in the terminal, described here:
> 
> http://www.nbc5.com/news/3921217/detail.html?z=dp&dpswid=2265994&dppid=65194
> 
> A Transportation Security Administration representative at Midway airport confirmed for me that the suspicious object displayed on the computerized x-ray machine may have been a phantom image similar to the one in Miami on November 13th:
> 
> Software glitch in security scanner at Miami airport 'projected the image of a weapon' that didn't exist
> http://abclocal.go.com/ktrk/news/nat_world/111304_APnat_airport.html
> 
> Why are we replacing perfectly good analog video displays with computer-generated displays for security-related data??
> 
> Haven't enough people learned yet that whenever you digitize something you render it unreal and vulnerable?
> 
> Stupid, stupid, stupid.
> 
> If the devices create phantoms by design, why would they not also obey commands to display arbitrary replacement images when some non-TEMPEST-hardened component is blasted with RF from within the x-ray scanning chamber?
> 
> Do such transportation security technologies really benefit from technical obscurity? Why not publish the design, specs and source code for analysis and for all to see?

He he, there's about as much chance of that as there is the voting
machines getting their 'specs' published.

Maybe it'll get leaked on the net and we'll find out they use a hard
coded DES key that I could crack with my Casio watch ;)

> 
> Security improvements in such devices are presently limited to those companies that have the contracts to build and deploy them, or infosec firms that audit and pen test them in secret.
> 
> Like electronic voting machines, this is a misguided, unnecessary, and counter-productive “innovation for the sake of change or profit” and it makes no sense. But of course it isn't going to stop, and the security vendor with the best technology is as likely to win contracts in transportation security as in any other industry. (Not)
> 
> If quality is the true objective, then perhaps we should adopt exceptions to intellectual property laws to force into the public domain any creative work that has the capability to impact the “security” of anything important...
> 
> Regards,
> 
> Jason Coombs
> jasonc@...ence.org
-- 
Joel Merrick



