But as a service it isn't controlled. What if someone took control of it, and then used it to game the system? Security is shot.
Not that I really think that matters at all, but that would be shot down in the first meeting it was discussed immediately, and you'd be considered insane if you kept pushing it.
I doubt this was meant seriously, but it's worth noting this actually doesn't work. You need each left/right decision to be independent so that positioning yourself at a certain place in line doesn't allow you to choose left/right.
So you're saying this app operated by TSA agents is meant to defeat attackers looking to be screened by cooperative TSA agents? I can't help but feel something is lacking in this threat model.
I'm not sure I understand this. If I were to observe the pattern before I reach the agent, it would be easy enough to let someone go ahead of me while pretending to finish a phone call or something. It doesn't require the cooperation of the TSA agent.
More and more it seems to me that there is no replacement for correctness, and you have to squint to tell this apart from theater.
Perhaps I'm exaggerating. It would certainly raise costs to the attacker to recruit an additional collaborator, and to wait for a serendipitous scheduling. But I'm not convinced it raises the difficulty by $300k.
But that isn't manipulable by someone standing in line, so it is effectively random. You can't determine exactly when the TSA person will press the button.
If that was the only requirement, the TSA agent could direct you however they pleased as long as you couldn't predict it. The reason to use a software solution, one imagines, is to protect from corrupt TSA agents. Corrupt TSA agents know when they turn their iPads on.
Additionally, by observing several passengers being directed this way or that, you could brute force the seed and the system becomes deterministic.
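
The seed point raised in the last two comments, as an added illustration that is not part of the thread: a constructed model of a randomizer that seeds a non-cryptographic PRNG once with its power-on time, next to one that draws each decision independently from the OS CSPRNG. The seeding scheme, the one-hour window and all names are assumptions; nothing here describes how the real app works.

```python
import random
import secrets

def seeded_directions(seed, count):
    """Constructed model: PRNG seeded once (e.g. power-on Unix second)."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(count)]  # 0 = left, 1 = right

def consistent_seeds(observed, window):
    """Every candidate seed in `window` that reproduces the observed arrows."""
    n = len(observed)
    return [s for s in window if seeded_directions(s, n) == observed]

def predict_next(observed, window, count):
    """Next `count` arrows if exactly one seed explains the observations, else None."""
    candidates = consistent_seeds(observed, window)
    if len(candidates) != 1:
        return None
    full = seeded_directions(candidates[0], len(observed) + count)
    return full[len(observed):]

def csprng_directions(count):
    """Independent decisions from the OS CSPRNG: no seed exists to search for."""
    return [secrets.randbits(1) for _ in range(count)]

# Constructed sample values: device switched on somewhere inside a known hour.
WINDOW = range(1_700_000_000, 1_700_000_000 + 3600)
POWER_ON = 1_700_000_000 + 1234

if __name__ == "__main__":
    arrows = seeded_directions(POWER_ON, 74)
    seen, upcoming = arrows[:64], arrows[64:]
    print("seeds consistent with 64 observed arrows:", consistent_seeds(seen, WINDOW))
    print("prediction matches:", predict_next(seen, WINDOW, 10) == upcoming)
    print("CSPRNG arrows explained by any seed:",
          predict_next(csprng_directions(64), WINDOW, 10) is not None)
```

The design fix is the `csprng_directions` path: each decision is an independent draw, so neither position in line nor knowledge of when the device was turned on narrows anything.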