Airport x-ray software creating images of phantom weapons?

To: full-disclosure@xxxxxxxxxxxxxxxx
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Airport x-ray software creating images of phantom weapons?
From: "Jason Coombs" <jasonc@xxxxxxxxxxx>
Date: Tue, 16 Nov 2004 05:08:48 +0000 GMT
Importance: Normal
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

My flight into Midway airport, Chicago, just sat on the runway for nearly two 
hours tonight because of a potential security breach in the terminal, described 
here:

http://www.nbc5.com/news/3921217/detail.html?z=dp&dpswid=2265994&dppid=65194

A Transportation Security Administration representative at Midway airport 
confirmed for me that the suspicious object displayed on the computerized x-ray 
machine may have been a phantom image similar to the one in Miami on November 
13th:

Software glitch in security scanner at Miami airport 'projected the image of a 
weapon' that didn't exist
http://abclocal.go.com/ktrk/news/nat_world/111304_APnat_airport.html

Why are we replacing perfectly good analog video displays with 
computer-generated displays for security-related data??

Haven't enough people learned yet that whenever you digitize something you 
render it unreal and vulnerable?

Stupid, stupid, stupid.

If the devices create phantoms by design, why would they not also obey commands 
to display arbitrary replacement images when some non-TEMPEST-hardened 
component is blasted with RF from within the x-ray scanning chamber?

Do such transportation security technologies really benefit from technical 
obscurity? Why not publish the design, specs and source code for analysis and 
for all to see?

Security improvements in such devices are presently limited to those companies 
that have the contracts to build and deploy them, or infosec firms that audit 
and pen test them in secret.

Like electronic voting machines, this is a misguided, unnecessary, and 
counter-productive “innovation for the sake of change or profit” and it makes 
no sense. But of course it isn't going to stop, and the security vendor with 
the best technology is as likely to win contracts in transportation security as 
in any other industry. (Not)

If quality is the true objective, then perhaps we should adopt exceptions to 
intellectual property laws to force into the public domain any creative work 
that has the capability to impact the “security” of anything important...

Regards,

Jason Coombs
jasonc@xxxxxxxxxxx

Prev by Date: Re: Skype callto:// BoF technical details
Next by Date: [ GLSA 200411-23 ] Ruby: Denial of Service issue
Previous by thread: [ GLSA 200411-24 ] BNC: Buffer overflow vulnerability
Next by thread: [ GLSA 200411-23 ] Ruby: Denial of Service issue
Index(es):
- Date
- Thread