Thank you. So before I get started, I just wanted to say that this project ran for about a year and a half. It was a large collaborative project between University of Michigan, Johns Hopkins University and the University of California, San Diego. We have a lot of coauthors listed here. We also got a lot of support from people who did not end up being coauthors, who are acknowledged in the paper, that I'd like just to mention again.

Before I go on and actually talk about the technical content, I'd like to observe that full body scanners produce naked scans of the human body as part of their operation. And as much as TSA would prefer that we forget that fact, the talk I'm going to give will necessarily involve explicit images, and so I'd like to warn everybody so that if you need to leave or text your friends to come over here, if they're in front talk, just be aware right now.

All right. So with that, if you've flown anywhere in the last five years, especially if you've flown into the United States and Canada, you have interacted in some way with full body scanners, sometimes called naked scanners, porno scanners. TSA calls them advanced imaging technologies, which sounds very positive and future looking. There are two of them that are widely deployed. The one on the left with the rectangular boxes is the Rapiscan Secure 1000, which uses backscatter X-ray technology to produce its image. The one on the right, the L3 ProVision 8D, has sort of a spinning component and it uses millimeter wave technology to produce its images. Both of them work by producing a naked image of the subject being scanned, in the hopes of detecting contraband hidden on the subject's body. In an airport context, that contraband would be, say, guns or knives or explosives or detonators or bottles of water, any of these things that are really dangerous to airport security.

I'll give you a quick timeline. Body scanners were first deployed in the United States as a secondary screening technology. So if the metal detector went off, if something was funny, you could be routed to the special other lane where your body could be imaged. And then the move from making these be secondary technology to turning them into a primary screening technology happened with a lot of deliberation and foresight. What happened was that in December of 2009, there was a failed bombing, the so-called underwear bomb, that had the bomb hidden in the subject's clothing, where it was not detected by metal detector. And as a result, within a week, and this is between Christmas and New Year's, so that's when a lot of important government decisions normally happen, within a week TSA announced that full body scanners would become the primary screening technologies used in airports. So when you go into an airport now in the United States, still you go through one of these. It's full body scanners.

We managed to get one of these machines to study. I'll tell you how in a minute. In November of 2012, it arrived in our lab, and that machine happens to be the Rapiscan. We're very interested also in the millimeter wave, the ProVision. We don't happen to have one. If we get our hands on one, we'd love to study it, too, but we got the Rapiscan one. And those Rapiscan ones happened to have been removed from airports for unrelated reasons that I'll talk about later, also in May of the next year. So we actually had the machine in our lab for about seven months while they were deployed at airports. And many of the results that I'm going to tell you about and that Eric is going to tell you about, we actually already had during the time that they were at airports. They're not in airports right now.

Now, these devices touch every third rail, every controversial topic that you can imagine in the context of airport security. They use ionizing radiation, which potentially could cause cancer, to produce naked images of people's bodies in order to search for the kinds of things that could be used
in terrorism against airplanes. So every kind of hot topic that you could imagine is involved in these machines. And as a result, they unsurprisingly generated a great deal of public debate. And the public debate was around three topics. First, do these things cause health issues to the people being scanned or, more likely, to the operators who have to stand next to them for hours at a time on their shift? And there was a letter by prominent scientists at the University of California, San Francisco, which is a medical school, questioning whether the dose to the skin may be higher than the manufacturer claimed. There are also concerns about the naked images that were produced by these scanners and whether, for example, TSA employees were taking advantage of the capabilities of producing these images to steer, say, attractive people into where they could be scanned and observed. This is a report from the FlyerTalk community where people claimed that the TSA employees were using the walkie talkies to warn others that a cutie was coming through that they might want to look at.

And then, maybe most germane, there was also a question of whether these things would work at all. We might be willing to take some health risks. We might be willing to take some privacy losses if we protected airports. But if we're not even doing that, then it seems pretty clear that the other debates are not even worth having. And there was a lot of questioning about whether these things actually did their job. And there was a blogger, this is a video that he posted to YouTube, called Jonathan Corbett, who claimed that, in fact, there were techniques by which he could get contraband past these scanners. And he claimed that he actually tested these techniques against real deployments at real airports. And this got some press coverage. The TSA wasn't pleased. They actually, and this is quite remarkable, they actually called up reporters and they said we would really prefer that you not cover this blogger's claims, and some reporters didn't as a result.

But this public debate, this public debate around safety, around privacy, around the efficacy of the devices, was not informed by facts from the manufacturer or from TSA, which was running these machines. And their response was, in general, trust us, we have done these studies. We have evaluated these devices. These devices are safe. They protect your privacy. They're effective. And no, you can't find out why we think that. And when TSA's hand was forced through, for example, the Freedom of Information Act to reveal something about the operation of these scanners, what you got back was something like this, where a whole bunch of information about the workings of the machine up through the potential on the X-ray tube inside it was redacted. And so what you had was you had a debate around really important things that was uninformed by the manufacturer, uninformed by TSA, uninformed really by facts. It was speculation instead of facts.

So as computer scientists, we did what computer scientists do in that situation, which is we turned to eBay and we found that these machines were all of a sudden available to purchase from a seller on eBay. Now, this seller happens to be in Germany. And he bought the machines at a surplus auction in Europe from a United States government facility that was selling new old stock, so they just put them up for surplus sale. He bought them, put them up on eBay. And we were very excited and we shipped them back to the United States at, frankly, great expense. I think they got a first class ticket on Lufthansa, and we got them into our lab. And our hope was that by having access to these machines to test, by performing an independent security evaluation of these devices, we would be able to take that public debate and inform it with facts, and we would be able to ask and to answer: First, is the Secure 1000, the Rapiscan Secure 1000, radiologically safe? What is the actual
dose in normal operation? What is the dose that can be delivered by somebody who tampers with the machine's software, with the machine's hardware? What are the implications for privacy of the machine's operation, both with respect to the actual operators of the device and with respect to anybody else who might be able to get access to the images? And how effective is this at actually protecting airport sterile zones from the kinds of contraband the TSA claims to be concerned about when they deploy these machines?

So as I've said, we bought this on eBay and this machine showed up in our lab in these crates here, and we got to work taking it apart, reverse engineering it, seeing how it worked and what made it tick. And the first thing you have to know about how these machines work is a little bit of background on X-ray physics. So this machine does produce X-ray photons, which are essentially high energy photons. The energy is actually fairly low for X-rays. It's a 50 electron volts, which is around half or so of what you receive at, say, a dentist or something like that, at five million amps. And these photons are ionizing radiation, so they can interact with electrons and strip them off of nuclei. And they tend to interact with these electrons in two main effects, the photoelectric effect and Compton scattering. In the photoelectric effect, the electron is hit by the photon and it absorbs it and just goes along its way, and there's no emitted X-ray. In Compton scattering, however, the photon hits the electron and sort of bounces off. An electron goes one way and the scattered photon goes another way, in a random direction. That's the main cause for backscatter. And which of these two interactions happens most depends on the material's effective atomic number. So, for example, dense metals and things made out of iron or lead absorb these photons and don't really backscatter at all. They undergo the photoelectric effect. However, organic compounds that have lots of carbon or oxygen in them undergo Compton scattering more. And so they do backscatter. And it's through this mechanism that the machine is able to detect different materials in the subject, by how much X-rays are backscattered for a given spot.

The machine actually works as a backward camera, or a backward raster camera. And the idea here is that instead of having a large sensor or something like that that has a bunch of pixels or something like that, you have an X-ray tube that's generating a bunch of X-rays in sort of an uncollimated beam, and it goes through a narrow slit. So only a narrow slit, sort of plane, of X-rays goes through. Um, here is the X-ray source. It goes through the slit and then it passes through a chopper. We'll know to be here. The chopper also has radial slits on it and it's spinning around. And so combined with the previous slit, there's only sort of a single collimated beam that's going through at any given time, and that scans across the subject horizontally. This whole apparatus then moves vertically. So you essentially get horizontal scan lines vertically up the subject. When these scan lines hit the subject, they undergo the previous phenomenon and either backscatter or are absorbed. If they backscatter, they will be received by photomultiplier tubes, which are essentially very sensitive photon detectors for X-rays, marked D here. And so from watching the sort of series and synchronizing this with the scan lines and the rise rate of the X-ray tube, you can essentially reconstruct an image of the density of materials and effective atomic numbers of a subject as you scan it.

So here it is in action in a fairly low quality video, I apologize for, but you can see here, this is the chopper disk. It's made out of brass, is very thick and very heavy, and takes a little bit of time to spin up. Um, eventually it spins up. And then this whole apparatus with the X-ray tube behind it will rise vertically and scan across the subject and perform.
Uh. And they could scan. But of course, that's kind of scary to look at if you are being scanned. This is the very fast moving disk and there is fifty thousand volts behind it and X-rays are spewing out of it. That wouldn't be very pleasant to look at if you were being scanned. So they had the presence of mind to put a nice soft sort of front on it. But you can't see any of this and you just stand in front of this box and all of that happens behind something that X-rays can easily pass through.

So this is what the image looks like when you reconstruct it. Um, it's fairly revealing. You can see two things of the subject. First, he's definitely packing and he's also carrying a gun. So he probably should undergo some further screening. There are some other things that you can note here in this image, though. So, for example, you can see shin bones. Bones that are very close to the skin are actually visible through this backscatter because the X-rays do penetrate the skin to a small degree. You can also see the zipper on the subject's pants, the rivets on their jeans and, in the chest, the subject's dosimeter.

So going over our results, starting with radiation safety. To evaluate radiation safety, we obtained a sort of dummy phantom, which is a radiological phantom, which is used in medical testing. This is radiologically identical to humans. Interesting note: it actually contains a real human skeleton inside of it, which is kind of weird. And it's covered by a synthetic material that is sort of supposed to approximate human flesh. So we used this throughout our testing and we applied dosimeters to it, performed a number of scans using the machine. And we found that each scan deposited a relatively low dose, about 70 to 80 nanosieverts of radiation. For those of you who don't know the sievert scale, this is about twenty four minutes of background exposure or about the same radiation that you would receive eating one banana. So relatively safe. And this result was actually confirmed by another result from the American Association of Physicists in Medicine in twenty thirteen, simultaneous to our result.

Looking at sort of the safety of the system, is it possible for this machine to, say, malfunction and produce more radiation than it otherwise should or would under normal circumstances? We found that there were safety controls on the radiological output. Um, for example, when the X-ray tube is on, there are hardware interlocks that are measuring things like: is the chopper spinning? Is the vertical head moving in the sort of the speed that we expect? And is the voltage and current in the X-ray tube in tolerance? Um, note, however, these are not security controls, because the ROM, the embedded controller of the system, actually has the ability to override all of these safety checks. So if the software running on this embedded system is evil, it can override some of these. However, there is a pretty simple modular design that makes some of these attacks, say, trying to irradiate someone too much, much more difficult. For example, the stepper motor that drives the vertical assembly is its own system and has preprogrammed routines; essentially they're scan up or scan down. And the embedded system doesn't have any fine grained control to say, OK, go up only halfway or something like that. So this simple modular design actually makes it much more difficult to over-irradiate scan subjects without replacing the software that's inside of this machine.

So moving on to privacy, we wanted to again evaluate the implications of the system as it pertains to privacy and, as you've probably seen, it produces naked images. These naked images are fairly revealing. Um, you can see parts of the subject here that the subject might not want you to see. Um, some subjects might not mind, but this is not the point of privacy. And there's a number of questions here of what are the procedures surrounding these images and what can, say, a TSA agent do to, say, save these images or send them to their friends or show them or something like that. Um, and while we didn't have the software that TSA had and was using at the time, TSA was claiming that these machines could not save, they were incapable of saving these images to a disk. However, our version of the software delivered, which we believe came from the manufacturer, had a save option. You could actually save it to, in this case, a floppy disk attached to the computer. And you could export these. And that's actually, you know, clearly we were able to export these images, as you can see them here.

There's another interesting privacy implication that these machines have that sort of follows from how they work. So because the X-rays backscatter in all directions and it's not sort of a big sensor inside of the machine, any adversary that's nearby with their own photomultiplier tube can essentially reconstruct the naked images as this machine scans over the subject. So we performed this attack using sort of a relatively simple PMT that was just laying around, I guess is not really optimized for this attack or anything. But we were still nonetheless able to reconstruct an image. And this is nowhere near as good as what the machine is reproducing. That is in part because the machine has eight photomultiplier tubes located all around the edges of the machine and we only have one in this case. And so you can see that it's much brighter toward the side that the photomultiplier tube is on. But nonetheless, a larger photomultiplier tube or a more sensitive one for this radiation or perhaps some additional image processing could clean this image up substantially.

So finally, we want to look at the efficacy of this machine: is it able to detect contraband? Um, like this guy. So the first attack that we looked at is an attack where the threat model is an adversary has access to the software running on the
console, and this is what the software running on the console looks like, so that you can see the naked images on the left and the operator's sort of options on the right. They can scan, they can assume they can save, as we mentioned earlier, to floppy drive. And we wanted to ask what would happen if, say, someone were able to replace the software, could they attack the system? And we implemented a pixel perfect representation of this program here. I'll show you it now. It's actually the same and indistinguishable. However, our version of the software, they call their version of software security, except ours was called insecure. And our version of the software had malware in it. And this malware essentially looked at the image coming back, the true image coming back from the backscatter machine. And if it noticed that there was this pattern, this sort of secret knock, which we made is just a sort of square outline with another square, like a QR code corner, which you can easily make by putting red tape on someone's shirt and then concealing it under another shirt. We found that when the machine sees this, or when the malware sees this, it replaces that image with a benign image. So in this way, someone colluding with someone that's put this malware on the machine can sneak past contraband.

Um. We also wanted to look at a threat model where the attacker does not have access to the console. What if they can't change the software? All they can do is sort of understand how these machines work, walk up to the machines with some contraband and try to sneak it through. And we thought about this for a bit. And we have a few attacks in this area. The first one that we thought of was that if you look at a gun, it's absorbing the X-rays and the backscatter, and the skin is reflecting it and then backscattering back. But the background is sort of, it's not even, the X-rays are just going off into space and not coming back. So given that the background and
the gun are both black, what happens if we just place this black gun over this black background? And this result was surprisingly effective. This is a fairly naive attack, but this subject here is carrying a 380 pistol. I invite you to try to guess where this subject is carrying this pistol. And we had to actually look back at our notes when we made these slides to figure out where he was actually holding this pistol. It turns out it's right above this right kneecap here. So this attack is surprisingly effective for concealing metallic objects like firearms. It also works for knives and other things like this. In this picture, we have lead tape arrows pointing to where the knife is to make it even easier to see that the subject is carrying this knife. There is one mitigation that you can do for this type of attack, which is to scan from the side, and it becomes very obvious that the subject is carrying something they shouldn't be carrying. However, we don't know of anyone that's performing these additional scans or were performing these additional scans at the time that these machines were deployed.

But of course, these machines were not intended, really they weren't designed to detect metallic threats; that was something that metal detectors already did. The purpose of these machines was to detect plastic explosives or nonmetallic devices, as the TSA said. And so seen here is actually a simulant of C4. This is a one pound brick of simulated C4. It's, again, supposed to be radiologically identical to the real C4. It surprisingly also costs the same amount as C4. But I don't know if we tested if it was actually just C4. So, and you can see that in an early send, a sort of test of this, you can see some of these blocks. If you naively strap these bricks to you, you can see them outlined here in sort of two blocks here and two rectangular blocks. But you'll note that the middle of these blocks is sort of the same color as the skin of the subject here. And it's really only the outlines that you're seeing here. And in fact, what you're seeing is the shadows of the edges of this block.

So we looked at this and we wondered, can we find some way to exploit this to hide the nonmetallic threat these machines were designed to protect against? And thinking adversarially, instead of taking a brick like this, and thinking, well, it's called plastic explosives probably because it's plastic. You can mold it, you can shape it, you can remove, sort of taper it down and flatten it. And so we took this technique and we said, OK, let's try to make a thin pancake essentially of the simulant and try to smuggle it past. And we were able to do so. So in this image, one of these subjects is carrying two hundred grams of C4 simulant and one of them is not. So one of these subjects should be let through and the other should be questioned or have an additional screening take place. Again, I invite you to guess which one. Um. It turns out this one has two hundred grams of C4 over the stomach. This is, again, a pancake, a very thin one centimeter pancake, sort of flattened over the belly. It looks almost indistinguishable from the normal belly of the subject. However, we had two issues when we did this originally. The first issue was that there was no belly button, because this covered up the sort of normal dark spot that showed up as a belly button. And the second problem was that we had no way, you know, if you were trying to attack the system, you'd have to sneak some metallic detonator past the checkpoint as well. We solved both of these problems by placing the detonator where the belly button is, thus solving those problems.

So in conclusion, our results show, sort of imply, that our adversaries can conceal a number of contraband, including metallic threats like knives and firearms, but also the plastic explosives and detonators
that they were designed to detect in the first place. A number of these attacks were predicted by people that did not have access to these machines. However, with access to these machines, you can refine these attacks and make them much more effective and successful.

All right, I'd like to take a step back now and think a little bit about what the implications are of our findings for these systems, for airport security more generally and for screening systems that have computerized components in them. Before I do that, though, I'd like to note that any time you're studying and finding and speaking about vulnerabilities in deployed security systems, you have to think about the ethics of disclosing versus not. And our decision to disclose our findings was made much easier by the fact that after we started studying these machines, they were pulled away from airports. So attacks that we disclosed could not then immediately be used to target airports. Even so, we were careful, three months before talking publicly about our findings at all, to reach out to the manufacturer, to Rapiscan, and to DHS, the Department of Homeland Security, which is the umbrella department that includes TSA, about our findings. And we know that they received them, for example, because TSA had a press release ready when our paper actually came out. But we didn't really get a lot of engagement otherwise, except I got an email from a higher-up asking basically, what were you thinking, whose idea was this and who funded it? And that was a fun email to respond to.

One thing we did as part of our disclosure is that we also tried to come up with the best procedural mitigations that we could come up with. If you had these systems, you needed to rely on them for security and you wanted to avoid some of the flaws that we had uncovered, we suggested some procedures. Notably, these side scans that Eric talked about are really important. We also think that since metal detectors do a fine job of finding metal, that these should be used in conjunction with metal detectors, as opposed to the way that TSA currently does, where you either go through the metal detector or through one of these, but never both. And these mitigations were in our disclosure to DHS and the manufacturer.

Right. So given that these devices are no longer at airports, I think it's fair to ask why anybody should care about the fact that they don't work as well as people claim they did. And I think there are three answers to that question, and I'd like to address each of them in turn. First, our results shed light on the development process that TSA and the government more broadly and its suppliers use to develop systems that we rely on every day for critical infrastructure. Second, backscatter scanners are not gone. Even if they're currently gone from airports, they're still being used and they may be used again at airports. So our findings matter there. And third, we learned some lessons that we think have broader applicability to the design of secure systems. So I'll take each of these in turn.

Before I do that, though, some of what I'm going to say is based on a report that came out of the Office of the Inspector General a month after our paper came out. And this is a really interesting report that looks at how TSA dealt with the machines once they were taking them out of airports. I'll give you two random facts that I found interesting in the report. If you've ever seen Raiders of the Lost Ark, where the Ark of the Covenant is put away in some sort of government warehouse, this is the government warehouse, I guess actually a contractor warehouse, where at the time one hundred and six of these no longer used Rapiscan machines were stored. The OIG folks visited this warehouse on March twenty seventh of this year and took this photo. Any guesses for when this nice fence was put up? That's right, March twenty, crap, people are visiting. Another fact from this report: TSA claims, and they claimed in their press release, that their machines have special software and that this special software is not available to anybody else and not given to anybody else who has these machines. OIG found that at least one of the machines was not properly wiped and that it was released to the state of North Carolina in September of 2013. And then for, I think, eight months, was sitting in a warehouse there with the software. And I found this. And a week later, some TSA folks flew out in a panic with a copy of the bomb to go wipe the hard disk.

All right. So based on that report. There are two models for how security systems get deployed. They either get deployed in public so that there is public availability, public testing, public reporting, public bounties, things like Pwn2Own. Even if the source isn't necessarily available, you can still buy the thing, poke at it, study it and tell people about what you found. And that's a model that gets used for a lot of things. But it's not a model that gets used for a lot of systems that go in airports and other kinds of critical infrastructure. That model is secret. Everything developed in secret, evaluated in secret, deployed in secret. Does this work? Sure it works. Trust us. And if we're pragmatists, we think that both of these models are fine if they produce secure systems. And the question is, do they? Now, we have a lot of evidence about how well the public model works, but not a lot of evidence about how well the secret development model works because, well, it's secret. So one way to look at our results is to say that, well, this is a data point about how well the secret development model produced airport scanners. And it doesn't seem to have done a super great job. And frankly, there's really two alternatives, and we don't know which one of these is the case. We need some more transparency to find out. Either the TSA process didn't find the flaws that we were able to in about a year and a half with under two hundred K of
budget and some graduate student time, which is kind of bad, or they found the same flaws and they went ahead with deployment anyway. And that's kind of bad, too. But neither of these makes the model look particularly good. And we're very curious which it is, but we don't know and TSA isn't saying. In fact, these departments are doubling down on secrecy. I was talking with a reporter who had spoken with a spokesperson at a TSA-like agency in a different country. They said, oh, yes, we have evaluated these machines, too. We have our own findings about how they work. Reporter asks, will you release those findings? Will you release that report? And the spokesperson just left.

Right. So. That either works or doesn't. What we need to do is either to have more third party audits of these devices, if you can get them on eBay. If you can get your hands on one of these ProVision 8D, the millimeter wave scanners, please call us. Billy Rios had a talk at Black Hat this year where he studied some of these other devices. They also didn't do so well. Or we think that a different model in which the agencies reach out to academics, to security experts in the community, and try to get an independent, rigorous evaluation is really valuable. And one model for that is California's Secretary of State's top-to-bottom, Debra Bowen's top-to-bottom review of voting machines in use in California in 2007, which produced reports that really helped push the debate around voting machines forward quite a bit.

Now, TSA, I should make clear, pulled the machines out because the manufacturer wasn't able to produce what's called automatic target recognition software that worked. And the idea behind automatic target recognition is that the naked image is not shown to the operator directly. Rather, it's interpreted by software. And the software says go investigate the left arm. And because of that functional requirement that the manufacturer was not able to reach, these machines were pulled back. That means two things. It means, one, that if the manufacturer is able to come up with that software later, they could come back to airports. It means, two, that TSA made these machines available to other government agencies on the model that these things work, and if your functional requirements are different from ours, then you might want to deploy them. And the OIG report actually gave the details on where these machines went. TSA had 251 of these machines, which they bought at a cost of about 40 million dollars. The total cost of the program is well over a billion dollars. This is just to purchase the Rapiscan hardware. Two hundred fifty of those two hundred fifty one machines were at airports at one point or another. They were all pulled back by June of 2013, and by the end of August, TSA had gotten rid of about one hundred and sixty five of these, one hundred sixty one of them to state and local governments. Where did they go? Well, they went to a bunch of sheriffs' offices. They went to a bunch of states to distribute. They ended up, by and large, at courthouses and jails. And frankly, I think that whether somebody can get a gun into a courthouse or a jail still matters. So our findings still matter in that respect. Finally, TSA also has a contract with other manufacturers looking to provide new cities that also use backscatter X-ray technology to do the imaging. And these might still end up at airports.

All right, so taking a step back some more, talking about the broader lessons that we learned. First thing we learned is that you can't ever do better than what's coming out of your sensors. So the way that these machines are operating their sensors, all they get is a brightness per pixel, dark or light. And there's no way for them to distinguish between dark metal and background where there's no backscatter, and there's just nothing they can do to improve on that. There's other X-ray scans, for example, for baggage, that use a different model and d
o do better, but the physics doesn't matter if the software that mediate between your sensors and the operators view has been compromised. And we were able to do that with physical access to the machine and show a proof of concept that is a problem with every kind of scanner. But it's not a problem that based on the public messaging, at least TSA or the manufacturers seems to have understood. Second, procedures really matter, you deploy a system not just on its own, but as part of a bigger system with humans operating it and procedures are something that you can lose. You can know today that you should be doing side scans that send your report from nineteen ninety one said that you should be doing side scans and then by the time the system gets deployed, that's gone. In fact, the way that the UI of the system is set up, it discourages operators from doing both side scans on front and back scans. It really wants only two scans per subject instead of four. And that's really unfortunate because it nudges the operator away from doing this thing that would actually be safer next. This is not the crowd that needs to be told this, but thinking like an adversary really matters in whether you end up producing a secure system or not. Another thing that really matters is how simple, how modular, how carefully separated all the parts of the system are. And this is unfortunately somewhere where I think we're seeing somewhat of a regression because the systems that were designed in the 80s and 90s with discrete logic and very simple protocols seem to do much better than systems that are more commonly designed today, that have a lot of integration and very capable S.O.S. And then finally, it's not really clear that the secrecy with which TSA and the manufacturer treated these systems actually kept people from coming up with attacks that would work. So I talked earlier about Jonathan Corbitt, the blogger, who said, well, I bet you could just place this to the side of the body and i
t would just be invisible. And I tested it and it seems to work. He wasn't the only one. There are physicists even earlier who in that infuriating physicist way that physicists who looked at the images that were published and said, well, the machine must work this way, and therefore we hypothesize that metal to the side of the body will be invisible. And we further hypothesize that a pancake of explosive shaped to the to the stomach should be invisible against the skin. And both of these things were right. And neither of these groups had access to the machines to test on. So the fact that the details of the operation of these machines was kept secret didn't keep people from coming up and publicly disclosing attacks that would work. It kept the public from being informed and participating in a meaningful debate. One thing that we did find out that we were a little bit surprised by is how much better our attacks got once we had access to the machine to test on. So we had things that we were sure would totally work. And then we'd put them up against the machine and they'd be very visible. And we had to go through a process of iteration and refinement until we came up with something that actually was, as you saw, quite invisible. And we were able repeatedly to to get things past the machine. So one defense that might actually work is to keep these machines out of the hands of people who might want to actually mount attacks. Now, unfortunately, if that's what you're going to do, you probably shouldn't sell these machines at surplus auction in Europe to any random old person. You probably should control a lot better who gets access to these machines as part of their jobs. And frankly, it's not really clear at all that this is that this is a feasible control because I used to be able to keep track of all these other machines that were available to sale on auction. I lost track. I believe that as of a couple of days ago, you could buy one of these machines for four thousand
dollars. And the seller even claimed that it was an exact model with both of the units side by side as opposed to ours. So the one kind of secrecy that we think might actually be valuable in practice does not seem to be being used. And with that reassuring note, I'll stop and take any questions that you have.

Thank you for this very interesting talk. First of all, do we have any questions from the Signal Angel? Yes, no, maybe, yes, please.

Yes, we have three questions. The first one is, would the scanner detect explosives that are hidden inside a human body? Have you tested it?

We did not get a subject willing to test that particular attack. We don't know. It is clear that the scanner does see a little bit into the body. You could see the shin bones, but I don't know that we can speculate about any particular other placement.

OK, one more from the police. OK, thank you.

Um, another question was, would it be helpful to have a check, check up pattern in the background of the scanned people to distinguish the outline better?

So is the question that having a pat down, in addition to the advanced imaging? I think the question is, could you have some sort of background behind the subject that was some sort of checkerboard pattern or something like that, where it wasn't all, it wasn't all clear. The problem is that you do need that to be pretty. So there was a wall behind us, our subject. It was just far enough away that the X-rays didn't come back to register substantially. So you'd need this to be much closer to the person. Now, if you look at the TSA model in order to save time, they have two of these units facing each other in the subject in the middle. So it's not really clear where you could place that to get a useful background. You might also be able to use the external PMT attack to determine what that pattern is and then figure out where to hide your contraband based on that.

OK, let's take one question from microphone three, please.

Hi, first, thanks for the talk. It's really good. You mentioned that the secrecy model doesn't work so well. I don't believe that we can get rid of that. It's just human nature. Just as a manager in charge of I'm not. But just thinking of a manager in charge of implementing a system, the idea would be that I get a lot of people from the outside to try to break my idea of my project in order to make it secure. And that requires a lot of backbone and that I don't want to insult anybody. But managers tend not to be very big boned, strong, but more like, you know, weaseling around. And so I don't believe that you get rid of the secrecy model that just my opinion said it is is.

I think that there is a difference between secrecy and sort of keeping, say, closed source or something as a model for keeping things secret. So, as I've said, the public model could include proprietary software, proprietary solutions being evaluated in the public versus sort of a "trust us, this is secure, you don't even need to look at this, you shouldn't be looking at this", um, sort of model.

I've been working in professional software, and I know that you build something and, you know, it's flawed. You just hope nobody finds out, uh, and you don't want to try to try and get a direction attention to that and tell people, just look at that and tell me my project is busted. So pessimistic way, but.

OK, just a quick note, if you have to leave in between, please be quiet. If you can, please remain seated. It's not going to take that long. And I think the discussion has been very interesting so far. So let's take one question from microphone two, please.

Do you know about the publication of the TSA software? It was able to save images, too, from one of the machines that went to a courthouse. And some journalists got to know of it and asked the Freedom of Information Act of this courthouse to release those images. And then I think the if published, some of those redacted.

Yes. So other sites in other deployments definitely have shipped to the field with software that allows saving. TSA swears up and down that theirs is shipped to the field with software that doesn't allow saving. But it's pretty clear that if that software were replaced or somebody put, you know, a figure captured dongle or any of these other kinds of things, smuggled a cell phone into the room where the images are inspected, that these images are not necessarily as ephemeral as TSA claims.

OK, thank you. Do we have any more questions from the Internet? Now, OK, then, let's go back to microphone three, please.

Firstly, great, OK, guys, thanks for coming to us. From what I gather, it seems like this the sensors are basically a skin sensor. It's telling you where there is skin and where there's not skin. So what's stopping you? Or in fact, have you tried using, say, a sheet of pigskin, which you can buy for about 20 bucks from the butcher and concealing contraband underneath that? And if the skin is thick enough, then I mean, we can see the shin bones because the skin there is quite thin. But if you get a thick piece of pig skin, you could put practically anything under there. From what I gather, from how this how this works, has this been tested by yourselves or anyone else?

So one of the problems with testing with pig skin or, you know, steaks is that you end up having raw meat, which gets very messy. Um, so I think I agree that those sorts of techniques could mask. But again, they do have to be fairly thick. And the other thing that you have to keep in mind is that they have to taper down to sort of match your skin, because if there is sort of a gap between sort of a thick slab of meat that all of a sudden just ends, you'll see a shadow.

And, um, so I'm, uh, my family's Italian and I've worked with pigskin quite a lot. And you can actually really shape and type of this stuff and contour it. So and it doesn't sort of drip blood like a steak would. So I would
recommend perhaps trying to work with this. I mean, it's ten bucks. Give it a go, guys.

It's. I will say that right now I think our best answer for how do you smuggle, say, a gun on a person as opposed to off to the side of the body is, as you wrap it up, real nice in plastic explosive, because that's easier to get than a piece of thick skin. Well, it turns out you just call up or you call up this company and you say, I'd like some simulant, please. And they say, OK.

That's scary.

And we did test. We tested before we put the detonators next to the simulant, but it's not real explosive.

Thanks for that.

OK, let's get back to microphone two, please.

I wonder if it would be possible to hide something even with the side scan sonar, maybe the idea would be maybe between the eyes that the scan from the front and behind it would be between, uh, against the background and for the side scan. But maybe the knife would be shielded by both sides for themselves that that might be possible.

I think, um. So the procedure for the side scan is actually sort of an offset legs and offset arms to try to counter that. But yes, there could still be you could sort of fake it.

No, I didn't hear you sort of. I don't mind maybe with you with the arms. I think they were not right. No one got a completely, completely straight up.

OK. Microphone three again, please.

So there were X hundred million flights per year in countries that deploy these things were deployed, these things, and each person gets a banana or two. Have you thought the entire model to figure out the number of excess deaths?

Well, so we have looked at, uh, worked with the medical department, um, uh, a little bit to sort of look at that and see one of the problems is that the levels of radiation here are so low that the models we're not confident that the models can actually accurately reflect, um, sort of an accurate picture of a large number of very, very small scans. Um, but given the models that we do have, I think that the increased number of deaths is still below one.

OK, so. OK, we have one more question from the Internet, thank you.

The question is, how do the scanner perform the leather? Kloth.

I am sorry to report that we're not cool enough to have tested that maybe the.

OK, again, microphone number three, please.

I, uh, thanks for the very interesting talk, if I think I've once read and a cyber crime novel or something like that, that someone used glass weapons like a glass knife, or would you be able to conceive that an x ray scans? Like, would that even show up in a just normal skin without hiding it?

So glass specifically will it reflects back as much like skin. However, you can sort of put it over skin. And if it's the right thickness and everything, then it might look very much like skin. Similarly, ceramic materials could also be used.

I think ceramic is brighter than so than skin by default. You see it as a bright spot on the skin. I don't know how glass looks.

OK, if there are no more questions, please give our speakers another warm round of applause.