TSA Paid $1.4 Million For Randomizer App That Chooses Left Or Right (geek.com)
An anonymous reader writes: For those of you who have traveled through U.S. airports in recent years, you may have noticed the Transport Security Administration (TSA) use a Randomizer app to randomly search travelers in the Pre-Check lane. The app randomly chooses whether travelers go left or right in the Pre-Check lane so they can't predict which lane each person is assigned to and can't figure out how to avoid the random checks. Developer Kevin Burke submitted a Freedom of Information Act request asking for details about the app. The documents he received reveal the TSA purchased the Randomizer iPad app for $336,413.59. That's $336,413.59 for an app, which is incredibly simple to make as most programming languages of choice have a randomizing function available to use. What may be even more intriguing is that the contract for the TSA Randomizer app was won by IBM. The total amount paid for the project is actually $1.4 million, but the cost is not broken down in Burke's documents. It's possible IBM supplied all the iPads and training in addition to the app itself.
TSA soon to be appearing in the Panama Papers...
for a "true" randomizing device. seed(0) is real, yo.
$413 dollars in developer time to create the app and $336,000.59 in corporate overhead and bloat, the additional $1,000,000 is just for Evil
What, how to press the "flip coin" button?
I have a practical and fool-proof system that requires no electricity or internet connection to operate.
I can sell it to you for about $5 per TSA agent. Actual cost to me is $0. Just tell me where you want me to ship this jar of pennies.
The question is whether it is truly random or not. If they spent $1.4M and got a truly random result, fine. It's absurdly pricey, but it works. If they spend $1.4M and got the rand() function, then terrorists might be able to exploit it to escape random searches.
TSA is good.
"as most programming languages of choice have a randomizing function available to use"
You mean has a pseudo-random function that is not that hard to predict.
Casino Level Randomization is a little harder.
Who wants to buy my coat hanger bridge it's going cheap... Left over from an April Fools' joke now I have no place to store it!!
I'm just happy to know that my most favorite of government agencies is spending my tax dollars wisely.
--There are two kinds of people in this world. I don't like either of them.
I have a system that is:
- Analog
- Does not require electricity
- Durable
- Ambidextrous
- Gender neutral
- Made in the USA
It is called flipping a US quarter. For $1.2M dollars, I will provide 1 case of 2000 quarters and a training video on how to flip coins.
A simple micro-controller, a button, and two LEDs would work just as well for just a few bucks.
The TSA's employees need training on an app that randomly tells people to go left or right?
ZOMG $1.4M for an app that randomizes a single bit!!! (*)
* Note that it may have actually been $1.4M for hardware, training, and app.
Seriously, how fucking asinine are these clickbait articles getting? If you can decisively say that they charged $300k+ or $1.4M+ for an app that simple, do so. Otherwise you're just full of shit.
He means precisely instances like that. One needs to find a more idiotic view: the app tells TSA person which way to show the finger. If anybody wants an example of fraud, waste and abuse: this is it. We could listen ad nauseam to TSA explanations, saying that app needs to be secure, or that they have to follow the procedures, or they needed many licenses.... blah blah blah
The point is that if airport security would be private that kind of nonsense would not exist by definition. Now it is public money that was spent.
This is not the only software that uses random function. There is another software that randomly selects passengers for additional screening. Here is how Israel does it, does it for free and very effectively: they let the screening agents pick and choose any passenger that they want or have a hunch. So far they are very effective in preventing bad dudes from boarding their planes.
It's called a penny and your thumb!
Perhaps it snaps a picture of the person, analyzes it with deep neural learning, and decides whether or not the person looks suspicious.
This is one of those things that sounds like it could be tricky to actually get right. Still they could just do what the Secret Service does when choosing travel options for the President; you flip a coin with one agent calling it in the air and the other doing the flipping. Seems reasonably free from exploits.
FWIW I don't think this is about cryptographically secure random and more about a system that by design can't be hacked and such that you'd need to bribe an entire team to get through the line you want.
Peace, or Not?
If the random number generator used in the algorithm came from the National Institute of Science and Technology (NIST), it might not be as random as possible.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
Nobody ever got fired for buying from IBM.
Honestly having worked with government, it sounds about right probably a 1000 hours of meetings to choose the colours, shape, discuss the randomizing algorithm etc. prob took no time at all to write.
Is having an app that could make a more reliable guess as to who may be trying to get away with something wrong.
Or sense either for that matter...
Are you selling it to the federal government? [YES]
Is a random number generator used in the product? [YES]
Is the product intended for a security application? [YES]
Requirement: The Random Number Generator be CAVS certified to SP800-90A and the module within which it operates be FIPS140-2 certified.
That's $100,000 before you've got out of bed, to meet the government procurement requirements.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
I read stuff like this and it makes me question having ethics and conscience.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
"If they spend $1.4M and got the rand() function, then terrorists might be able to exploit it to escape random searches." Like lining up sequentially with 2, maybe 3 people?
Please help metamoderate.
Come on now, what could go wrong? Well, OK
http://www.footballzebras.com/...
In this thread you will find out why it is unusual to find a software developer that can start a successful software development business.
Do you have any idea how difficult it is to make a system that appears random even under scrutiny, but still does its job, which is to "randomly" select people who look like terrorists?
One dollar for the chalk and $336,412.59 for knowing where to put the X.
Build a device with a small radioisotope source, detector, poison vial and cat. Calibrate the source to provide a 50% probability of a particle emission for the average passenger rate. Open the box and check the cat. Cat alive: Right lane. Cat dead: Left lane, reset vial, replace the cat and proceed.
Have gnu, will travel.
A fool and his money are soon parted.
The TSA ended the managed inclusion program for which this app was built and deployed.
They ended it when a notorious felon was allowed to go through the pre-check line.
rand() & 2; Where is my money?
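#include <stdio.h>
#include <stdlib.h>
#include <time.h>
int main(int ac, char* av[])
{
    /* Seed the PRNG from the wall clock (predictable; not for security use) */
    srand((unsigned)time(NULL));
    /* Print a lane forever: lower half of rand()'s range is Left, upper half Right */
    while( 1 )
        printf("%s\n", (rand() < RAND_MAX/2) ? "Left" : "Right" );
}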
http://dilbert.com/strip/2001-...
...they used a die.
This should fall under the government's recently published commitment to publish publicly financed software. I'm thinking this should be one of the 1st pieces of software we get to see and criticize. Eh? https://news.slashdot.org/stor...
Seriously, 80%-85% of the bid covers dealing with the US government. Multiple thousand-documents over the course of years, flying back and forth for pointless meetings, and maybe you eventually get paid.
Here are my rates as a developer, for similar software delivered:
Order online, by submitting my order form: $159
Email me and discuss: $500
Meetings to discuss, demo (local businesses): $1,500
Local government bureaucracy: $8,000
Federal government: $400,000
The rates I mentioned above for "similar software" meant for software of the kind I write (network security), not the TSA app. For a random left/right app like the TSA wanted, prices would be a bit lower. Not much lower for the federal government though, they'll require a thousand man hours of BS for the simplest application. I used to work at a place that did federal contracts.
Frankly, for $1.4million, I'd at least expect it to sense movement (you know, like the sensors on the automated doors about 5 meters away from the people in this video that cost a few dollars each) and automatically tell people left or right, without requiring an actual human to stand there and press the screen to randomly change left to right when they feel like pressing the screen (which is random, how??).
Or if they insist on an iPad, at least use the camera to determine someone is there and then say left or right. How is it that this "random" system requires a human to press the screen to change the arrow. In what way is that random?
http://dilbert.com/strip/2001-10-25
Department of Homeland Pork, Transportation Pork Administration
Why is Snark Required?
Why IBM?
Wouldn't the Rand Corporation be a better match for once?
Initial estimate article: $336K
Revision: $47K
6 hours later.
Slashdot: OMG GUYS $1.4 MILLION DOLLARS!
Good Old IBM.
Ha ha
finally some fucking intelligent comment!
-
But maybe they pay a premium to not have to put up with Asperger-like social deficiencies and racism.
Table-ized A.I.
If there was any trace of intelligence left in the TSA employees this randomizing shit took that away. Looking for a needle in a haystack with stupidity does not make it any easier or better. These stupid airport screenings are at best ineffective and a setup for the next big hit. Penetration testing is not welcome, as it would show how ineffective these screens are. As lame as these screenings are, as management well knows, shows how small they believe the real threat really is. For years knives and handguns were picked up in droves, and how many escaped we don't know, but surely if this was a big problem we would undoubtedly have heard about it.
Packing a plastic razor, 3 ounces of some liquid, or a cork screw does not make a person into a rabid killer. Screening should happen before the ticket is bought, outside of and well away from any airport.
Article makes it sound like a simple random number generator. There is probably more to it. There may be a server component and other parameters and who knows what else. I work with IBM on a daily basis and go to many Google and Oracle events as well. Of the 3, the technical IBM dudes and dudettes know their stuff much better than the Google or Oracle peers (even though they aren't seen as cool). Yes the TSA paid a lot but Oracle or Microsoft may have charged more (knowing them quite well as well). IBM may also have thrown in security so that the app is not hackable and support for new devices... but yes I am sure they overcharged, so will all the vendors unless the TSA chose a startup (hopefully a real one and not one of the fakes).
So yes, overcharged they probably were (and by a LOT), but not by as much as everyone is thinking when you factor in more reality. And hopefully they got the good IBM engineers to make it and not some intern.
But maybe they pay a premium to not have to put up with Asperger-like social deficiencies and racism.
Not to mention people who use "Asperger-like" as a derogatory term?
Please, continue calling out racists as you just did, because they do deserve to be called out, but be careful of the insults you choose.
They're obviously paying for true random quantum tard powers.
How hard would it be to flip a bit every millisecond and have someone push a button to make the choice? No need for random number generators or any computation/ipads or whatever. At all. The case of such a device would far outstrip the size of such a circuit.
Well I suppose you might want to use some type of computational device for record keeping to see if someone deliberately passed someone into the wrong lane, but I have serious doubts someone could time a choice to even a millisecond. Might as well make it microsecond, just to be sure.
It's as simple as pushing a button and the random part comes from a human. I defy anyone to say that they can pick even or odd in such an environment.
A TSA dungeon master. How much do you not want to go into that basement?
Mersenne twister (MT), having good statistical properties, is not a bad PRNG, but it's slow, needs a lengthy initialization, and is not cryptographically secure (CS): someone observing the output for a while can reconstruct the internal state and predict the next outcome.
For an online casino, you'd want a CSPRNG. For computer simulations that need to draw trillions of numbers from the PRNG, you'd want a fast PRNG with good statistics, such as a multiply-with-carry (MWC) or xorshift. https://en.m.wikipedia.org/wik... . I don't really understand why MT is used so much.
Avantslash: low-bandwidth mobile slashdot.
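The state-recovery property described in the Mersenne Twister comment above, as an added example that is not part of the original thread. It assumes Python's `random` module (which is MT19937) as the generator, that an observer sees 624 consecutive full 32-bit outputs, and a hypothetical `lane()` mapping; the contrast at the end is the OS-backed `secrets` module.

```python
import random
import secrets

N = 624  # MT19937 keeps 624 32-bit words of internal state


def undo_right_xor(y, shift):
    """Invert the tempering step y ^= y >> shift."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def undo_left_xor_mask(y, shift, mask):
    """Invert the tempering step y ^= (y << shift) & mask."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x


def untemper(output):
    """Map one 32-bit MT19937 output back to the state word behind it."""
    y = undo_right_xor(output, 18)
    y = undo_left_xor_mask(y, 15, 0xEFC60000)
    y = undo_left_xor_mask(y, 7, 0x9D2C5680)
    return undo_right_xor(y, 11)


def clone_from_outputs(outputs):
    """Rebuild a generator from 624 consecutive 32-bit outputs."""
    if len(outputs) != N:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    words = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    # Index N means "state exhausted": the next draw regenerates the state,
    # exactly as the observed generator will.
    clone.setstate((3, words + (N,), None))
    return clone


def lane(word):
    """Hypothetical mapping of one 32-bit draw to a lane (assumption)."""
    return "Left" if word < 2**31 else "Right"


def predictable_lanes(rng, count):
    """Lanes drawn from a Mersenne Twister instance."""
    return [lane(rng.getrandbits(32)) for _ in range(count)]


def secure_lane():
    """Lane from the OS CSPRNG; earlier results reveal nothing about it."""
    return secrets.choice(("Left", "Right"))


if __name__ == "__main__":
    device = random.Random(2016)  # constructed seed for the demo
    observed = [device.getrandbits(32) for _ in range(N)]
    clone = clone_from_outputs(observed)
    print(predictable_lanes(clone, 10) == predictable_lanes(device, 10))
    print(secure_lane())
```

For a selection that must not be predictable from past results, `secure_lane()` is the form to use; no seed or observable state is involved.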
TSA RFP: "Inviting Random() Price Quotes from Developers for Searching Travelers in Pre-Check Lane". To which IBM responded with $1.4 million (selected from a uniform random distribution).
When you get to customs in Mexico you press a button, if the light goes green, in you go, if it turns red then you get flagged for further checks. Fast, and easy... Like all of your moms!
Fine, we BOTH have it, now fuck off!
Table-ized A.I.
Get a bloody great tombola wheel. You could even have prizes to relieve the boredom - bag of candy, jump the line, trip to Gitmo...
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
The fact that people have to pay to join the quicker security / border control programmes shows that it is all about getting money in to the agencies, rather than being a factor in providing better security.
If you wanted to provide a better service, you would use historical data of people moving through airports (e.g. how frequently people are flying), in order to invite people to join expedited programmes to manage the balance of throughput and security, and absorb the cost doing so into the general cost of providing security services (which we are paying for as supplements on our flights anyway)
Yeah maybe it is a coin toss app and IBM are laughing at the stupid government procurement process. Or maybe there is other stuff which at least partially justifies the price.
Department of Homeland Pork, Transportation Pork Administration
Your post just made me realize why the muslims hate us so much....
>Left or right
Just how much training do you need? What kind of people do the TSA employ?
I was just in Washington D.C. and the security at EVERYTHING is airport crazy. Touring the house/senate galleries involves a backscatter X-ray machine, the Smithsonian museums have x-ray machines and metal detectors.
Yet there is no security AT ALL at the Lincoln or Jefferson memorials, and they're open 24/7. Really? The symbolic value of these targets is enormous.
I also wonder why shopping malls in the US haven't been targets, especially on the weekend after Thanksgiving. It would achieve a huge terror result as well as having a huge economic cost. Is our security that good against evildoers, or is there something else at work there?
There's a lot of discussion here about the random number generation aspect, and how much it'd cost. I'd be interested to see how the costs were split between the software functionality, and the hardening of the software and device against external interference
Why, jealous they can't eat pork? Bacon is delicious I admit...
You may find better elsewhere, but you'll never pay more!
No, to get the best results in this particular quest, you search everyone. Anything less will perform more poorly.
I've fallen off your lawn, and I can't get up.
If this is an app meant to avoid bias, then it would have to have some sort of logging and back end system so that the TSA could respond to specific accusations of bias in random searches. I think there are probably some additional requirements that we are not discussing that account for some of the complexity of the system.
Of course, the issue isn't the implementation, it is the fact that TSA exists in the first place. That is the multi-billion dollar issue.
[Tinfoil] It's not a real randomizer app, it's an advanced layered neural network program (IBM...Watson?) that automates racial profiling so that TSA workers are in the clear, they can say the machine made the decision for someone to go through heightened security, "at random." Teaching the program to pick out the right minorities took a lot of work. [/Tinfoil]
"When information is power, privacy is freedom" - Jah-Wren Ryel
According to TFA, "The TSA, which asked Congress for a $100 million cut in its 2015 budget..."
So the real story here is that they can't spend fast enough. This likely just reflects a broken or understaffed procurement organization.
Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
It would have been cheaper to give them all a quarter with L and R on each side and train them to flip it.
I could implement these simple standards in less than a day - just because it says "SP800-90A and the module within which it operates be FIPS140-2 certified." does not mean it costs 100,000.00 to develop.
It sucks there are so many retarded niggers in the united states government, including yourself
It costs real money to certify regardless of how cheaply you develop it.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Besides the troll statement at the end, you don't know what professional means.
I worked on a printer "driver" (more like an LPR filter) for several UNIXes, to talk to one of a family of laser printers. This was back in the day where a color laser printer cost more than your car.
If I changed a single line of code, I had a testing matrix of N UNIX platforms, both on GUI and command line, to go to X printers (this one has color, we need to test that it works B/W as well. This one has duplex, this needs to not show it has duplex,...)
Each one line change caused at least 6 hours of testing. Obviously we bundled a lot of our code changes, or you'd go nuts. This is what being a professional and properly testing means.
taught the TSA agents how to flip a coin.
Maybe that was too hard for the agents?
Or maybe the 'randomizer' is not random on purpose?
... for $5
Somebody's missing something here.... the idea is not to take a random sample of fliers to determine what percentage are carrying bombs, is it? Because I would have thought the idea was to catch all bombers. Therefore, the only way to do that is to search everybody.
Star Trek transporters are just 3d printers.
I can make a random number generator and assign odd numbers to one direction and even to the other... Geebuz Gripes.
http://www.virtualcointoss.com...
Why are they going after $1.4M contracts? It must cost them more than that to enter it into their accounts!
If there are fewer than N people in the pre-check lane, grab the next passenger (or group) from the regular lane. You can adjust N based on local conditions including number and experience of agents, etc.
Sure, you could game this system if you really practiced and worked at it. But doing so would be harder than just blowing up the screening line anyway, so no one would bother.
Nope, no sig
You can? If so, (no sarcasm) that's an incredible and lucrative skill you've got there! You know, if you show an employer that you are able to get an app certified without the project costing $100,000, they'd probably be happy to employ you for like $250,000 a year! Oh..wait, I found the flaw.
> which is incredibly simple to make as most programming languages of choice have a randomizing function available to use
That's not quite true. Most programming languages have pseudo-randomizing functions, not what is considered 'true' randomization, where the predetermination is not known. Usually they use systems based on quantum physics to generate random numbers when used for real world security applications (which requires specialized expensive hardware).
However that being said, I didn't go look at the details to find out if they simply used a clock based random seed or if they integrated special hardware into the mix.
Gee, I thought the Germans perfected that in WWII...
I just created a JS app in about 2 minutes that does the same thing.
Click here to get started:
https://jsfiddle.net/nutswgm4/
Click the "Which direction?" link. Every time you click it, it will give you a randomized right or left.
That'll be $1.4 million please!
See subject & this link: You shouldn't talk with your mouth full eating your words, you troll https://slashdot.org/comments.... when you're always starting things with me & I finish you with your own pitiful stupidity.
APK
P.S.=> As to "what I've become", it's MANY TIMES your superior on any front imaginable... & you know it - you can't demonstrate ANY work you've done, let alone work that's good enough to be praised by our fellow /.'ers... apk