
An opensource alternative for the TSA’s $300k line assistant - arik-so
https://tsa.arik.io
======
solomone
I get that it's trying to be funny, but is it really no longer possible to
create a website with a single arrow that doesn't have to pull down all this
cruft ?

    
    
      <link href="bower_components/bootstrap/dist/css/bootstrap.min.css" rel="stylesheet">
      <link href="bower_components/bootstrap-social/bootstrap-social.css" rel="stylesheet">
      <link href="bower_components/font-awesome/css/font-awesome.min.css" rel="stylesheet">
      <link href="assets/css/ie10-viewport-bug-workaround.css" rel="stylesheet">
      <link href="cover.css" rel="stylesheet">
    
      <script src="bower_components/jquery/dist/jquery.min.js"></script>
      <script>window.jQuery || document.write('<script src="../../assets/js/vendor/jquery.min.js"><\/script>')</script>
      <script src="bower_components/bootstrap/dist/js/bootstrap.min.js"></script> 
      <script src="assets/js/ie10-viewport-bug-workaround.js"></script>

~~~
tcfunk
Make a thing responsive, people bitch about how many plugins you're using.

Make a thing vanilla, people bitch about how it doesn't work on their phone.

~~~
bogidon
But the app only needs to work on Mobile Safari (let's say 8 or higher?). Not
rocket science to make it vanilla.

~~~
throweway
No it needs to work in any hn readers browser. Different business requirements
entirely! The business case here is to get hn traffic to that site and start a
discussion.

------
pw
I feel like HN's nerd rage at stuff like this (the TSA expenditure) is the
same reason many (if not most) engineers make less than they could. It's a
very willful denial of a fact of how the world works (large organizations
routinely pay large sums for seemingly very simple work).

~~~
kough
Exactly. Where's @patio11 with some contract negotiation advice?

~~~
patio11
At Microconf, giving it to people running software businesses.

------
Gratsby
I have a cheaper alternative. Get rid of TSA altogether. Travelling was a
whole heck of a lot more fun in 1975. Since then it's been overreaction upon
overreaction. Nobody is going to hijack a plane in this day and age because of
the simple fact that the passengers will immediately revolt.

~~~
aurelius12
It's been all of one week since a plane was hijacked.

[http://www.cnn.com/2016/03/29/europe/hijacked-egypt-air-jet/](http://www.cnn.com/2016/03/29/europe/hijacked-egypt-air-jet/)

~~~
wingless
According to Wikipedia there have been 6 notable hijackings in the last 5
years.
[https://en.wikipedia.org/wiki/List_of_aircraft_hijackings#20...](https://en.wikipedia.org/wiki/List_of_aircraft_hijackings#2010s)

There are roughly 100k commercial flights per day, 36m flights per year.

Therefore, the probability of your flight being hijacked is 1 in 30 million,
which is an absurdly low number. Note that only one of the 6 hijackings
resulted in casualties, so the mortality rate is even lower.

~~~
kough
Most likely due to the TSA's efforts! Can you imagine how many would be
hijacked if there _weren't_ a TSA?

~~~
chris_va
Ah, the good old days...

The history of airport security is somewhat interesting. There wasn't a TSA
for long time, and the hijackings/flying to Cuba got annoying, so metal
detectors were added.

Everything else since then hasn't made much sense.

~~~
splat
Interestingly, another approach that was seriously considered was to build a
fake "Havana airport" in southern Florida and have the planes land there
instead.

[http://99percentinvisible.org/episode/skyjacking/](http://99percentinvisible.org/episode/skyjacking/)

------
toomuchtodo
[http://arstechnica.com/tech-policy/2016/04/tsa-spent-47000-on-an-app-that-just-randomly-picks-lanes-for-passengers/](http://arstechnica.com/tech-policy/2016/04/tsa-spent-47000-on-an-app-that-just-randomly-picks-lanes-for-passengers/)

"According to Mashable, the Transportation Security Administration apparently
spent $47,000 on an app that is essentially a random number generator—it was
briefly used to assign travelers to left or right lanes at airports.

As the website reported: “The app was used by TSA agents to randomly assign
passengers to different pre-check lines as part of a now-discontinued program
called ‘managed inclusion.’”

Such an app is widely viewed to be an extremely simple program to write. Many
are questioning why a government agency overpaid for the app.

The revelation was published Sunday evening by Kevin Burke, a San Francisco-
based developer, who received TSA documents in response to a Freedom of
Information Act Request. The documents showed a $1.4 million price tag.
However, the TSA has clarified that figure, stating that the app actually cost
$47,000."

~~~
mikestew
_Such an app is widely viewed to be an extremely simple program to write._

Writing the app, as anyone who has done any consulting work would know, is
often the easiest, least time-intensive part of a project. Anyone saying to
themselves, "$47K? I could do it in ten lines of code!" should stick to coding
and let the contract procurement folks do their job.

(I'm merely the messenger; hate-game disclaimers apply.)

~~~
nmrm2
Nail, meet head.

That said, 47k still seems crazy high. I've never done Gov't consulting
though. One hopes hardware was included in the contract?

~~~
thaumasiotes
> Nail, meet head.

The head is part of the nail. The flat part at the other end from the point.
;)

~~~
nmrm2
Yes, well, the hammers are hundreds of dollars a piece so we have to make do
;-)

------
cevaris
Let's be practical, I am sure the actual app:

- Works without network connection
- Metrics (offline synchronization)
- User logins
- Includes price of iPads themselves?
- Involved government and IBM personnel

300K sounds about right

------
blr246
The UI looks nice, but there is more to this than a UI.

This should be implemented using a cryptographically secure random number
generator. Presumably, the TSA requirements would specify some defense against
an attacker being able to predict program outputs.

~~~
reedloden
[https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues](https://developer.mozilla.org/en-US/docs/Web/API/RandomSource/getRandomValues)
solves that. Just need to tweak the code.

I submitted [https://github.com/arik-so/tsa/issues/4](https://github.com/arik-so/tsa/issues/4)
about this issue.

------
rajington
I actually have a solution that costs exactly $0.01, per employee. It also
works on any platform.

~~~
tacostakohashi
If you're alluding to a penny, I think you'll find that they cost more than
$0.01. Probably a far better example of wasteful government procurement than
this app.

~~~
thekevan
"Probably a far better example of wasteful government procurement than this
app."

Not really. If you were flipping the penny to get heads or tails and lost it,
you could easily replace that penny with a coin, a washer, a stick from
outside, a book...hundreds of things already around your home or office, many
with no use or value. You can't look around you and find a replacement for the
penny as a currency.

~~~
tacostakohashi
I just took a look around myself. I found a credit card.

~~~
thekevan
That's not a replacement everyone can find.

------
armandososa
This left me thinking what could be the simplest implementation I could do,
while keeping a good UX. I came up with this in 10 mins:
[https://jsbin.com/xidefopuqe](https://jsbin.com/xidefopuqe)

It was a fun experiment and felt very old school.

~~~
russellbeattie
Nice - you saved me the effort. But after I wouldn't have been able to resist
the idea of tweaking the randomness and ended up spending the rest of the
evening trying to perfect something that felt more random than random -
including forays into Wikipedia and other searches to find prior examples...
So really you've saved me hours of work!

------
ank_the_elder
Wait for the $1M+ overhaul when they need to open a third lane!

------
mdip
The argument that will be made against something like this is "We _can't_ use
a product that would let the bad guys see how it works!" I know it sounds
ridiculous, but in my limited experience, "Security through Obscurity" is a
_key feature_ required by _everything_ related to the (ineffective) methods
used to secure the airports in the US. I believe this fact was even alluded to
in the original article related to the justification for _why_ a PRNG hooked
up to a boolean cost USD$1.4M or USD$47,000 or whatever price over an hour's
wage of a government intern it actually cost.

~~~
hellking4u
Security through Obscurity is just not a great way of going about it. NIST
notes "System security should not depend on the secrecy of the implementation
or its components."[1]

Kerckhoffs's principle is also a relevant read.

As professor Bellovin notes :

"It helps, I think, to go back to Kerckhoffs' second principle, translated as
"The system must not require secrecy and can be stolen by the enemy without
causing trouble," per
[http://petitcolas.net/fabien/kerckhoffs/](http://petitcolas.net/fabien/kerckhoffs/).
Kerckhoffs said neither "publish everything" nor "keep everything secret";
rather, he said that the system should still be secure even if the enemy has a
copy."

[1]
[http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123...](http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf)

~~~
geofft
Kerckhoffs' principle applies to ciphers with keys. For the threat model the
TSA is up against, security by obscurity is actually very close to reasonable.

Specifically, if you're talking about ciphers (as Kerckhoffs does), or system
software (as NIST does), or anything else, you _know in advance_ who's
authorized and who's not. You've solved the hard problem; the rest is simply
math, and we're fortunate to live in a time where the math is well-studied.
You can give the secret key to the people who are authorized, and not to those
who aren't, and your security rests on that key -- and your competence at
figuring out who should have been given the key.

The TSA has no such luxury. They have no good way to distinguish me, a random
person walking through the airport with a valid boarding pass and too many
electronics, from a terrorist, also with a valid boarding pass and many
electronics. If they could give me a key in advance, and not the terrorist,
they would. (In fact, this is basically what Pre-Check is, and that works
okay, although it only reduces the screening because they know Pre-Check can't
be perfect.) But there's nothing that reliably distinguishes me and you and
hundreds of millions of other non-terrorists from the small number of
terrorists, and there's certainly no practical way to publish a key to us
hundreds of millions, while keeping it away from terrorists.

So they rely on heuristics, because there is no better option. You cannot
build a system that satisfies Kerckhoffs's principle, because there is no key
separate from the system itself. And any public, keyless system can be gamed
trivially. (Think of, say, unkeyed SHA-256 checksums attesting to software
integrity. Without a signature, i.e., without a key, anyone can tamper with
both the software and the checksum, regardless of how good SHA-256 is.) So the
system must be kept private in order for it to work at all... or we give up,
and decide that the only people who can fly are those that we can conduct
foolproof background checks on. That seems like a worse world.

It is rather like anti-spam and anti-virus. If you could just give a key to
all legitimate email or legitimate software, you would. And in fact there are
things that attempt to do that. But they can't be complete, and the remainder
of the screening works on security-by-obscurity because there is no better
option. Either we give up entirely on the ability to receive unsigned mail or
run unsigned software (and even that won't be 100% reliable), or we go with
the secret heuristics. It's not great, but it's the best we can do.

------
plcancel
Is there any transparent accounting on how much the Obamacare website ended up
costing? I think it was originally supposed to cost ~$94mil.

From 2014:
[http://www.bloomberg.com/news/articles/2014-09-24/obamacare-website-costs-exceed-2-billion-study-finds](http://www.bloomberg.com/news/articles/2014-09-24/obamacare-website-costs-exceed-2-billion-study-finds)

------
bobbylox
I'm not sure the TSA app is weighted 50/50

~~~
rosser
For all we know, it's using the camera to gauge the "brown-ness" of the
current passenger's skin, and using that as an input to the calculation. It
would be about as racially and culturally unbiased as anything else the TSA
has ever done.

~~~
tn13
Don't forget beard.

------
0xCMP
Has anyone here worked with IBM before as either: a) employee/contractor b)
Customer

And if so, are any of those who would say that you didn't expect something so
seemingly stupid to happen when they read that IBM was involved?

And do any of those people have any reason to believe that IBM managed this
project well from prior experience?

I bet not, but let's see...

------
NKCSS
Small bug; your code has a small bias for right.

if (random > 0.5) { direction = 'right'; }

1 is not included in Math.Random, so it should be < 0.5 == left, >= 0.5 ==
right.

------
blantonl
Cue them up and queue them up, here come the pendantics...

------
pw
This seems like nothing more than bait for HN's irrational nerd rage, so I
flagged it.

------
halite
This app would've paid my mortgage in some parallel universe....sigh

