Slashdot Mirror
TSA Paid $1.4 Million For Randomizer App That Chooses Left Or Right (geek.com)
An anonymous reader writes: For those of you who have traveled through U.S. airports in recent years, you may have noticed the Transport Security Administration (TSA) use a Randomizer app to randomly search travelers in the Pre-Check lane. The app randomly chooses whether travelers go left or right in the Pre-Check lane so they can't predict which lane each person is assigned to and can't figure out how to avoid the random checks. Developer Kevin Burke submitted a Freedom of Information Act request asking for details about the app. The documents he received reveals the TSA purchased the Randomizer iPad app for $336,413.59. That's $336,413.59 for an app, which is incredibly simple to make as most programming languages of choice have a randomizing function available to use. What may be even more intriguing is that the contract for the TSA Randomizer app was won by IBM. The total amount paid for the project is actually $1.4 million, but the cost is not broken down in Burke's documents. It's possible IBM supplied all the iPads and training in addition to the app itself.
TSA soon to be appearing in the Panama Papers...
$413 dollars in developer time to create the app and $336,000.59 in corporate overhead and bloat, the additional $1,000,000 is just for Evil
That's really stretching things. If you use something as simple as microseconds on a clock as the seed for your "random" number generation, there's "pretty much" no way you can exploit that short of hacking the device itself. It's not like people are going to stand there with a stopwatch and tell the TSA guy "OK....press the button...Now!"
ZOMG $1.4M for an app that randomizes a single bit!!! (*)
* Note that it may have actually been $1.4M for hardware, training, and app.
Seriously, how fucking asinine are these clickbait articles getting? If you can decisively say that they charged $300k+ or $1.4M+ for an app that simple, do so. Otherwise you're just full of shit.
A little harder, yes, but not by much.
I work on regulated casino software. And we use the Mersenne Twister rather than any sort of dedicated randomization hardware.
Some casinos are using actual quantum RNGs. For $1k I can get a USB RNG that emits one photon at a time and a polarized mirror with a perfect 50% chance to go through or reflect off of. 4Mbit/s of RNG. For $35 you can get a pretty strong opensource USB RNG that uses a combination of several quantum level electric, electro-thermal, and EM noise. http://www.bitbabbler.org/
Are you selling it to the federal government? [YES]
Is a random number generator used in the product? [YES]
Is the product intended for a security application? [YES]
Requirement: The Random Number Generator be CAVS certified to SP800-90A and the module within which is operates be FIPS140-2 certified.
That's $100,000 before you've got out of bed, to meet the government procurement requirements.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
It's possible IBM supplied all the iPads and training in addition to the app itself.
I know it is fun and easy to criticize the TSA, and I am in favor of replacing them entirely with any of a dozen different possibilities. That said, there is a big difference between developing an app and supplying hardware and doing testing and training. I could build the app but I have no idea what the cost would be to test it sufficiently to meet government standards, then train the staff to use them, then equip the staff with hardware to use it. The cost of the app could literally be $0 and still top $1 million after the testing, training and equipment costs.
Someone else pointed out this is typical clickbait. It's got a shocking headline but then scant details on what actually caused the scenario. If they'd instead said "TSA has IBM develop an app that IBM contributed for free in exchange for exclusive rights to train staff for $10/hr each on how to handle customer service. Additionally, IBM will supply sufficient devices to have a minimum of two for each airport line at 5% profit per device" then the headline wouldn't generate nearly so much interest and the criticisms would be much better founded.
I wouldn't be at all surprised to find out that the bureaucracy that guides the TSA spent far more than is reasonable. I just didn't see enough details in TFA to assume that is actually the case. Does *anyone* have a breakdown on what kind of training, what kind of testing, what kind of devices were purchased?
That was surprising? Have you seen a TSA agent recently?
-=This sig has nothing to do with my comment. Move along now=-
If you use something as simple as microseconds on a clock as the seed for your "random" number generation, there's "pretty much" no way you can exploit that short of hacking the device itself.
You would be surprised in just how many ways random numbers can be screwed up.
First "simple as microseconds on a clock" is good, I have seen quite a bit of "randomized" code seeded with the system time. 15 milisecond resolution is the normal case and often leads to duplicated random sequences. High resolution timers exist and are widely available today, however they have to be actually used to help. Alternatively why use a random number generator if you could just request the microsecond time for each request - the low bits should be rather random.
Second mapping the range of the random number generator to your target range without killing the distribution is often non trivial. C++11 came with a whole library to replace rand() and several presentations on the topic, including how rand() % 2 isn't a 50:50 split when the original range has an uneven amount of values.
Third you often don't want a random selection - a fully random sequence can contain long stretches of only left or only right, which can overburden the affected lane while the other remains empty. Which means you somehow have to enforce the wanted distribution over shorter sequences. A simple solution can be implemented by shuffling a list with the wanted ratio of left/right values and a reshuffle each time the list is used up, games sometimes use this to avoid long loose streaks and prevent long win streaks.
I recently read "Lauren Ipsum: A Story About Computer Science and Other Improbable Things" to my eight year old. One of the (many) interesting substories involved "fair coins." Lauren's money isn't taken in Userland because her quarters can't be guaranteed as fair. However, someone points out that you can make any coin a fair coin by flipping it twice. If both flips result in the same side, you ignore it and flip two more times. If the two flips have differing sides, you take the first side.
In other words:
Heads-Heads or Tails-Tails = Flip again.
Heads-Tails = Heads
Tails-Heads = Tails
Even if there's a bias towards one side, it will be cancelled out and the flip would be fair.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
the actual passenger-facing software was really cheap. what was expensive to develop and install is the cameras and computer detection algorithms to tell if the person is white, black or brown.