I want to go back to the TSA scanner story for a minute

First, I neglected to point out something, well, Gibsonian:

In addition to their physical attacks, the researchers also experimented with more inventive digital ones. They found that they could infect the scanner with malware—most practically for an attacker by picking the lock on the scanner’s cabinet and physically installing the malware on the PC inside. Once installed, that malware could be programmed to selectively replace the scan of any passenger with a fake image if he or she wore a piece of clothing with a certain symbol or QR code…

A similar approach is used in Gibson’s Zero History, wherein special T-shirts are printed up that, when seen by London’s security cameras, cause the wearer to be erased from the footage.

Second, note this: the security researchers had a very hard time finding machines to test with, because “security.” Security through obscurity is a terrible idea, and never does very well, but the entire process makes it clear that effectively NO adversarial testing has been done with these machines at all. That’s impossibly stupid, and further proof their acquisition was little more than a boondoggle. If you’re going to put in a security system, it makes sense to have someone who knows something about security probe it for weaknesses. That clearly was not done here despite the enormous costs of the machines.
