Hacker News new | past | comments | ask | show | jobs | submit login
The TSA Randomizer App Cost $336k (inburke.com)
486 points by andrewguenther on April 3, 2016 | hide | past | favorite | 248 comments



Let's assume a hefty markup for the long sales/BD time for a government contract like this: $336k * 0.60 = $200k

Since this deals with national security, could probably justify higher rate resources staffing (security clearance required?). Ballpark $250/hr @ 8 hr/day so $200k buys you 100 days of capacity.

Project breakdown:

* UI/UX Design: 10 days (lots of stakeholders+approvals needed, maybe field testing with TSA agents, accessibility audit)

* Development: 15 days (this is very conservative but might be some business rules that aren't being shared -- remote monitoring, analytics, auditing, static analysis, etc)

* Project Management: 25 days

* QA: 15 days (multiple devices, high perceived security exposure)

* Third-party security audit/pen testing: 5 days

* Technical writer for documentation and training materials: 5 days

Total: 75 days of capacity spent.

Math doesn't work out exactly and some of these numbers are pulled from thin air, but it seems like it's at least in the right ballpark.

Do you folks really know people that are doing government contract work (for the TSA no less) for less than $100k?


> Do you folks really know people that are doing government contract work (for the TSA no less) for less than $100k?

We have done recently. (Not TSA - not even US govt...)

And, in spite of our "mid 5 figures" price for the iOS+Android apps for a fairly simple app - the whole program of work the government department included this in, and hence the media reporting of "what the app cost" came to 1.3million dollars.

Now I get people asking me "How on earth did it cost over a million dollars for that app? Surely that's practically fraud!"

If the only requirement is "an arrow that randomly points left or right when you tap the screen" - I suspect _anybody_ who reads HN could whip up a provably-correct solution in under 30 mins just using html and javascript. I _strongly_ suspect there's a +lot_ of other requirements and costs we don't understand here. (But cynically, a lot of those costs could well be high paid consultants writing Powerpoint decks justifying why the only requirement should be "an arrow that randomly points left or right when you tap the screen". That'll be $325k thanks - here's our recommended outsourcing partner who can deliver the app for $11k.)


> And, in spite of our "mid 5 figures" price for the iOS+Android apps for a fairly simple app - the whole program of work the government department included this in, and hence the media reporting of "what the app cost" came to 1.3million dollars.

You're absolutely right. They didn't buy an app; they bought a solution (of which the app was a small part).

Because it's not just the iPads; it's setting up the management structure for the iPads. How to procure them, locking them down so agents can't install Candy Crush, modifying existing IT processes to be able to manage device breakage/reloads/provisioning, etc...

None of this stuff is all that difficult, but nothing in business is free. So while any moron could write the app itself in half an hour, designing an end-to-end system that serves the needs of the customer (can be operated by someone with a GED; doesn't break down often; has simple workarounds for confusing scenarios; etc.) can cost a lot more than that. The software is just a piece of it.


Also, at the beginning of this process, did they know that what they wanted as an end product was an iPad running an app that made an arrow point left/right?

Or did they have a problem they wanted solved, and specing out a way to do it, was just one part of the job? Because often, the output of the contracts I work on, is the just the final step of testing out many possible solutions or version, and actually shipping the one the client finally agreed to.


Have you considered that maybe it's the government's fault that the media reported it in this way because - as in this example - the government intentionally obscured both how much the app cost and what was actually being supplied for the figure they stated.


Maybe, but then again the media has zero incentive to report this truthfully - "bad government wasting taxpayer money" is what sells.


To be quite honest, "bad government wasting taxpayer money" is more than newsworthy.

To your other point, we have in the past seen the media reporting these types of things in incomplete ways for fear of irritating their sources and losing reporting access.


> To be quite honest, "bad government wasting taxpayer money" is more than newsworthy.

If its true. In contemporary journalism the truth doesn't matter. Things can have perfectly reasonable explanations and be working as intended, and the only thing required to turn them into scandal is to omit those explanations and add a clickbait headline instead.

There's plenty of examples for that in Europe in the way journalists paint perfectly reasonable EU directives as utter nonsense handed down by stupid bureaucrats.


Things can also have perfectly reasonable explanations and be working as intended and still be an example of waste and scandalous. Just because you can see how it happened and why it happened doesn't mean you have to agree that the why and how are necessarily good reasons.


"Perfectly reasonable explanations / working as intended" and "example of waste and scandalous" are mutually exclusive IMO. You're right in principle, but what I see in practice is something completely different. Reasonable situations can be - and are - painted as ridiculous with proper application of journalistic freedom. It'd be better if people were thinking more critically about what they read, but outrage seems to be a pretty good mindhack the media learned to exploit. So I believe it is their moral responsibility not to abuse the gullibility of the readers.


It's also likely that government accounting departments only report costs at the project level and not at the line-item level -- it is common practice to just report on CapEx vs. OpEx because there are so many variations as to how things can be bought and sold, especially on technology projects (no idea if CapEx and OpEx make sense in the context of government work since they're primarily for tax purposes, but you know what I mean).

I doubt any company in America can tell you exactly what an app cost them to build. They can tell you what the product cost to develop, but the app itself is kind of beside the point: you don't get an app without the up-front work of determining the requirements, so why bother to separate the costs? Some projects have complex requirements and simple implementations, others have simple requirements and very complex implementations. The project cost is what everyone is concerned with anyway; and while the project manager should have the line-item information for the project, it's often not rolled up higher than that because the reconciliation would be nearly impossible.


Except these are iPad apps. Why the hell would you be doing that with HTML/Javascript?


Ever heard of UIWebView?


Doesn't change the question. Why would you be implementing this in HTML instead of doing it as a regular app?


Because if - as suggested - the _only_ requirement is "an arrow that randomly points left or right every time you tap the screen", the solutions is so simple that it _can_ be done in HTML/JS - quite probably written, tested and delivered for less than the yearly Apple Dev subscription required to do it as a native app.

If I had a friend who needed that functionality and had a decent reason but no budget, say for an art project or a non profit event, I'd certainly offer to build them an HTML/JS thing for nothing. I'd think twice about starting an XCode project, dealing with App Store submission requirements, needing to deal with people asking how they install it on their Android tablets, etc.

At least for me - sometimes the stupidly simple HTML version of a thing is a perfectly good solution. (For the TSA, there are without doubt more requirements than the stupidly oversimplified one proposed here...)


So you're going to make it a web page. How are you going to secure it? How are you going to make sure the website can't go down? How are you going to make sure that the only thing that device is running is the web browser, and that the only page it's allowed is the one to your app?


For my friend's art project? I'm not gonna care about any of that. (Not _quite_ true, I'll "care" about the webserver part by making it an HTML5 offline app - mostly to remove any chance that webserver problems make my phone ring while I'm asleep or out drinking).

You're inventing requirements which, while no doubt genuinely part of the TSA's requirements, go way beyond my single simple requirement as discussed.


"For my friend's art project?"

Your friend's art project is not what we're discussing.

"You're inventing requirements which, while no doubt genuinely part of the TSA's requirements, go way beyond my single simple requirement as discussed."

I am not; as you yourself admitted, these are likely part of the TSA requirements, which is what we're discussing.


Sure, except this subthread starts out with a response from me to which you're objecting saying:

'If the only requirement is "an arrow that randomly points left or right when you tap the screen" - I suspect _anybody_ who reads HN could whip up a provably-correct solution in under 30 mins just using html and javascript.'

In the context of the proposal to do this in HTML/Javascript, I've been explicitly discussing a obviously oversimplified single requirement - not the "likely" requirements for the TSA project about which we can only make assumptions, since we've not seen them.

Sorry if we've been talking at cross purposes here.


Honestly... this doesn't sound that expensive.

I think those who don't work at a tiny four-person startup but don't generally touch the money should spend a bit of time at this site: https://tobytripp.github.io/meeting-ticker/ But rather than using it as a meeting ticker, use it to show how quick a team of 5 or 10 reasonably-well-paid people burn through the money over the course of even a day or three. Business is generally a lot more expensive than I think people often realize. I've sat through "all hands" meetings that clock in distressingly close to $350K by that calculator's reckoning (though rather a lot of engineering is really only half-listening and still working...). If you think about the expense all the time you can end up paralyzed but if you never acknowledge it you can end up with very skewed priorities.

To make this line of thought appealing to those who are probably the ones reading this, when your manager asks you for that stupid-ass feature that's going to take two or three days to implement, you've actually got a really big stick if you work the math and give them the numeric figure on what that's actually going to cost. Managers themselves often don't really think about this properly either. You can help them. If you happen to do it, shall we say, a bit "selectively", well that's their own darned fault for not thinking that way themselves more often....


At a few places I've worked, I asked for average salary figures for the engineering team by function so that I could produce weekly reports that tallied up the cost of various projects based on the time people reported they'd actually spend.

What I found bizarre was that each time I've had to explain why I needed the numbers, and people were surprised at receiving a report of what the staff budget went. You'd think that would be expected, not something unusual. But permanent staff is not treated as a cost during day to day work, even though their time is a limited resource.

It's quite fascinating to see how quickly priorities change when the cost breakdowns make the rounds and someone higher up starts asking critical questions about why we spent $50k of staff time on feature X that no customer had asked for.


You have me wondering now.

A big problem I've always had is getting hardware to improve productivity. Most of the time the management chain can't grasp why it's worth a $3k machine and maintenance costs to save each dev an hour a week in development time.

I think this goes to just how often people I management like the title and the power but don't understand that they're supposed to be in charge of strategy. I don't think most of them would know strategy if it walked up and bit them.


I've found that the time itself is less valuable than articulating the workflow changes it can bring about. Saving an hour a week is great, but if you can save 30 seconds at the right time, it can have a much bigger impact.

For example, if I can spend a day tweaking my project's build scripts and CI workflows to get it from taking 30 minutes to build/test/deploy down to 30 seconds, I've dramatically altered my team's workflow.

Also, there are very few reasons to buy your own hardware anymore -- cloud services are better at almost everything unless it's a low-latency operation (or you're in Australia - the speed of light is still too slow, sorry mate). Obviously there are exceptions, but with the scale of GPGPU build-out all the big public clouds are deploying, the benefits of anything else are rapidly disappearing.

Most managers aren't swayed by the argument that 1 hour = ($annual_salary / 2000). They know that if you give people an extra 5 minutes a day, they'll probably just spend it drinking coffee or socializing. Those certainly aren't bad things for employees to do, but unless your team is already running well beyond capacity, giving them more time to do things doesn't really improve productivity. Improving process (by, say, removing a manual step through automation) really gives you more bang for your buck.


> Also, there are very few reasons to buy your own hardware anymore -- cloud services are better at almost everything unless it's a low-latency operation

Cost. I've yet to see a cloud service that get anywhere near as cheap as owning your own hardware (fully loaded with financing costs, full staff costs etc.) for anything that runs more than ~8 hours a day.

Cloud services have plenty of uses, especially for brief capacity spikes. Need to run an experiment for a few days that requires 20 extra servers? Go nuts. But even with reserved instances, if most of your servers run 24/7, you're throwing money out the window.

(And you don't need to own hardware - you can go for rented dedicated managed servers and still get ~80% of the savings)


A little measurement goes a long way. It's remarkable, but there's a lot of inertia even in otherwise successful organizations.

And keep in mind salaries are just a fraction of the costs of staff time. Payroll taxes plus benefits can add up to almost 20% of base salary and that's not counting occupancy and equipment costs.

Bottom line: people cost a lot. It's smart to think carefully through the ramifications of planning decisions.


Your analysis sounds pretty spot-on.

It's government, so you'll likely have a 508 compliance audit (accessibility) as part of the project as well. Figure a work-week of that.

Security clearances are almost a definite "yes". Extensive background checks at a minimum -- and we're talking three days of paperwork, fingerprinting, calls to your third grade teacher, etc.


Exactly. I wouldn't be surprised if things on the airport have to meet weird regulations, and that the IBM will have to take some responsibility as a result of possible damages.


Great point on the accessibility audit, added that to UI/UX section.


This proves that similar absurdities are common practice within large corporations, and breaks down nicely how they are justified. I doesn't, imo, prove the price isn't absurd.

The point about field testing is fair, but shouldn't account for a huge chunk of the price. The invisible-to-the-public features point is also fair, but there's no way to estimate that cost of those.

The rest of the points, though, while fairly reflecting the way enterprise works, just show how utterly dysfunctional the process can be, and imo bolster, rather than refute, the position in the original article.


I'm not seeking to refute anything. I agree that it sucks that software costs are so expensive and that taxpayer money was spent on this, but if you don't try to understand the process that is broken I don't think there is much chance to fix it.

"That is literally a hello world ipad app, how could it possible cost $300k?!?" -- I attempted to provide an answer that goes a bit beyond "shrug govt" or "shrug consultants".


It's like the $10,000 dollar hammer, but this is far worse.

With the hammer, government apologists claimed it was to "secretly move money for DoD"... which really means it was the DoD and military just giving themselves a shit ton of money.

The US is very corrupt. The DoD dodged a bullet when 9/11 happened because that was the day they were going to be put under investigation.

Sadly enough, nothing happened at all, and this type of political graft is very common among the military and their politicians.

A recent case for example is the head of University of California who does not even belong there and is completely ill qualified to lead a college. Her only real experience is as a _spy chief_ for the military and DHS.

This type of political graft resulting from military connections is going to be far more common and invade further into civilian infrastructures. It's not like the NSA's complete treasonous behavior in spying on the US citizens they're supposed to protect isn't bad enough... that isn't even the tip of the iceberg, I'd wager. Before that of course was the CIA funneling drugs into cities to fund their own pockets and programs. Or even the joke of the "war on drugs" which all it was meant to do was control the profit flow of illegal street drugs.

These styles of military programs, also known as soft power projection, directed at the US population and citizens is getting far more common and invasive. These days, it is almost considered the norm.


> It's like the $10,000 dollar hammer, but this is far worse.

> With the hammer, government apologists claimed it was to "secretly move money for DoD"... which really means it was the DoD and military just giving themselves a shit ton of money.

No, it was a $15 dollar hammer with $420 of project R&D costs averaged out and added to it: http://www.govexec.com/federal-news/1998/12/the-myth-of-the-...

The $435 price was then inflated to $600 by the media and finally $10,000 by you.


Likely your security / approval estimate is low [edited]- typically you can write an app like this quickly but the ATO / certification and the BAs and PMs filling out paperwork and sitting in meetings will add weeks / months.

Also I agree the overhead of current T&M contracts likely doesn't make contracts under 100K worth pursuing especially given the huge amount of competition for some of this work and (unless an incumbent) a pretty low win probability.

Fingers crossed the TechFAR and some of the micro auction steps being taken make this a more dynamic market.

EDIT2: Here's the spending on that Contract by task order (as up to date as USASpending can be anyway) https://www.usaspending.gov/Pages/AdvancedSearch.aspx?k=CIO5...

EDIT: If the re-compete was done under OASIS then maybe we can get a lot of information out of this line by line transaction from USASpending: https://www.usaspending.gov/Transparency/Pages/AwardSummary....


PM would be higher than that. There'd also be a Manager above the PM scheduled some days as well.

And the security, analytics, and monitoring are probably all smaller specifics days for individual experts.

Point is though, you're thinking the right way on it. Very reasonable.


Good point, added a couple more line items.


Your math is (relatively) sound but I don't think you understand how trivial the work required for this would be.

It's pretty universally known that engineers are horrible at estimating their tasks but this particular app is so simple as to be impossible to overestimate. It literally would take less than a day for a (half)-competent engineer (and maybe 1 designer/artist) to do the work for this (I won't give you the task breakdown but I'll say the task list is short).

So the answer is probably more in line with the other associated costs as you mentioned. Another just as likely (and as simple) answer; they charged some know nothing bureaucrat a ton because that's how it works in DC.


Yeah clearly this ui http://elliott.org/wp-content/uploads/IMG_6317.jpg required 10 days to design.

Why would this require more than a few days? Simple UI, then just generate a secure random number and draw an arrow. Bam. Give me 200k.

I mean the largest expense would almost certainly be third-party pen testing and QA. And why would it take a technical writer 5 days to document this? It has 1 function.


That's one screenshot, are you prepared to submit a legally binding quote for the project with that little information? Are there more screens? I don't know. Did the client require multiple designs and iterations -- each stamped with the approval of several stake-holders? I don't know.

Judging the final output without any consideration for the process is akin to asking why it took a week to fix that hairy bug. It was only one line of code that changed, how could it possible take you all week to fix it?


Sure, since, in government contracts, "legally binding quote" doesn't mean you actually start losing money or have a judgment issued against you that you're personally liable for if there are time or budget overruns.


You need to be on site with a Secret clearance, a DUNS number, and about three months of paperwork, never mind the cost of the proposal hours to get on the multi award BPA to have the opportunity to win this task order for the work which was 1000 pages and half a year of capture and messaging. The market has a huge cost to enter which makes it sound insane to anyone that's ever posted something to Fiverr


Fair enough. I imagine that the paperwork and app verification is where most of the cost was generated.

Sometimes bureaucratic inefficiency just really gets under my skin.


It is a good and understandable instinct. It is the bane of my existence, which is why I've also devoted a solid chunk of my life to unscrewing it. :)


Don't forget you have to write your arrow direction choices to a database, so that we can prove that over time it was random. And that on August 18th at 10:27, it showed "left" when the person-of-interest (we don't call them suspects anymore) went through the line. This would require a couple of reports be written against the database.


One change may take weeks to sign off on - it's not just one person giving their OK, it's many layers of project/contract managers giving their OK. Each of whom has to account for their time and each of whom has to be paid for that same time.

There are processes that have to be followed, no matter how ridiculous they are, because they exist.


UI/UX 10 days?

Yeah right.. The recoloring of the arrow itself I'm sure took 10 days...

I'm working with a bank right now trying to just get them a UI for an authentication page. We've struggled 2 weeks trying to figure out what the hell they want for the FAQ page... Between the design-spec they provided and where we are now, I'm not sure why they have designers in the first place..

Our first product was according to their spec, which they scrapped instantly and stated they expected X,Y,Z instead, which weren't in the spec (Page should have an accordion, the accordion should have buttons, all buttons should have certain looks and sizes. The spec didn't even have borders, much less an accordion and no buttons in sight..) and when we produced whatever they stated they wanted they threw out half of it and flipped things around (now the buttons shouldn't be arrows, they should be + signs that become - signs when clicked on...)

I'd hate to think what the UI/UX process is trying to get through multiple layers of governmental bodies....


That plus we know little about the actual scope of this project. Sure it looks like a randomly jumping arrow - but does it have a backend? Does it have all the 'settings' and 'technician modes' that usually bloat projects x10 than the MSS scope?


And unless it was a dedicated government services vendor, all those people needed to submit background checks, get security clearance and be US citizens or at least permanent residents all of which costs a bit extra.


I'm going to file this analysis as 'Breakdown of the cost of bureaucracy'. Considering that the process could have been solved with a common sense email that might have identified an existing free app.


[flagged]


I live in this world, and have been in the upper levels of all sorts of these discussions regularly.

I've never seen a direct bribe. If you want to call lavish dinners, drinking, and entertainment bribes, okay, that happens constantly. But a bribe?

No... You don't need bribes. It's quid pro quo all of the time, but bribes?! No...

Maybe you can get hired at a higher pay scale/job title from your work getting someone a deal. There are certainly perks.. but not bribes...


If you know [government] people getting wined and dined and not covering costs - report them, please. In my experience this line is not crossed very much but agency cultures can vary.

As for the job thing - I would like to see more emphasis on curbing potential abuse for awards that lead to jobs with a contractor. This kind of thing can be hard to prove especially at large firms but needs to be locked down for anyone in a procurement / review board role.


What? It's literally constant... Just go to any conference if you want to see it.

I mean, I don't even know how to react to something like this.

Edit: I am talking specifically about general business, not governmental business.


This absolutely not does not happen in government - at least, the federal government.

Every employee in an office with contact with federal government officials will fill out a disclosure form every year.

Every official will do the same.

I remember we had to figure out the value of free google lunch because they were not allowed to eat for free.

The federal government employees take this very very seriously.

State, no idea, they all have different rules (but most companies just apply the same "no gifts of any sort" policy to them anyway)


I can't remember who told me, but I recall a story of people working for the federal government declining a cup of coffee when visiting an office for similar reasons.

It's applying the rule beyond reason, but that sure beats the alternative!


I work for a company that takes federal contracts. We're allowed to accept basic coffee, but not doughnuts. I'm serious. And frankly, I don't have any problem with that.


Perhaps the incident I heard of may have involved a fancy coffee, like a latte. ;)


We used to hand around a small basket into which the government people would drop their $10 for lunch... Gave an absurd mental image of an offering basket being passed around a church. The image was probably not helped by the fact that my company was non-profit.


Of course, in general business this happens all the time. I interpreted your "I live in this world" comment to mean "government" - apologies. Government contracting is extremely specific to the point that most systems integrators / mid to large businesses don't even allow you to buy coffee for someone because they want to avoid any perception issues. As for "general business"? Go nuts! :)


>I've never seen a direct bribe. If you want to call lavish dinners, drinking, and entertainment bribes, okay, that happens constantly. But a bribe?

Those are rarely seen by those that aren't supposed to be seen. That's kind of the whole point (hence "under the table").

E.g.:

http://www.theage.com.au/interactive/2016/the-bribe-factory/...


Expensive dinners and entertainment can definitely count as bribes. In certain sectors of government, decision makers are required to disclose things like when vendors take them out to dinner or pay for fancy seats at ball games.


> In certain sectors of government, decision makers are required to disclose things like when vendors take them out to dinner or pay for fancy seats at ball games.

I used to work in this space. Not only what you are saying is wrong but it's very illegal. I was lectured for offering a government representative lunch from a cheap place we were all going to (have to give them the opportunity to pay).

There are so many rules around this that the type of bribery you're referring to just doesn't happen.


I used to work in a city IT department and the department head would allow future prospective and already existing vendors to take them out for meals "if we weren't currently soliciting bids from that specific company for work."

Yeah, like they are taking you out because you are buds and they never plan on submitting any bids or extending contracts in the future?

A lot of what I saw in the government when I worked there was borderline illegal but certainly ethically wrong.


Yep, exactly. It's all about exploiting loopholes and wink-wink-nudge-nudge type stuff.


This is true for government. I'm talking generally about non-governmentally agencies, in which case it's the norm.


the company i work for doesnt allow us to provide dinner/entertainment for clients/vendors, nor can we accept offers to be taken out for dinners/entertainment.

if we do go out somewhere, we pay our own

we deal with govt and large healthcare corporations, the same policies are the norm among them.

we also get these policies hammered into us quarterly through Anti-bribery/corruption and code of ethics training which is mandatory for all 30k employees regardless of role.


great points.


You forgot the mandatory Oracle license the tender no doubt called for.


We do ton of govt work for state agencies, transportation agencies, local govt, etc. That price is messed up.


And of course I get downvoted. Nevermind that 70% of my MRR comes from govt. Whatever.


I worked at a company that had to resell its software through a disabled, veteran-owned sole proprietorship so that the TSA could find budget to purchase it. The way it was described to me was that a portion of the budget is earmarked for these businesses, so if the primary technology purchasing budget runs out, you can still sell to the TSA if you resell through one of these businesses. Essentially, the reseller took a cut for doing nothing, and fleeced the American taxpayer for a few hundred thousand dollars. I'm sure this happens all the time.


It's not just the federal level, I frequently bid on work in the city of Detroit where minority-owned business requirements are built into all sorts of contracts at the state and local level. The same thing happens as a result: a single person of the correct ethnicity will bid on the contract and sub it out to you for a not-so-modest fee.


I wanted to make a comment on your "person of the correct ethnicity" remark.

These requirements, sometimes they're mandatory and are called set-asides, sometimes they're not mandatory and are called aspirational targets, or they might have any number of other names. They all serve a worthwhile purpose; they help combat years or decades of preferential treatment by procurement officers to pick people of "the correct ethnicity".

Like, by now it's been pretty well-established that people tend to hire people that look like them, i.e. one of the factors that contributes into the disproportionate representation of various groups in the tech industry we often talk about.

Same thing has been happening in purchasing for a long, long time, and what you end up with is a situation where minority-owned firms will have been largely excluded from government contracting. When this happens for very long, it becomes self-reinforcing and self-perpetuating; there's no institutional knowledge in ethnic community A that passes from one generation to the next about large-scale project bidding or management, and you end up with this sort of disproportionate representation and the ensuing economic effects.

The set-aside or aspirational target is at least a start at countering that. Like everything, it gets abused by the people with the power and the money (which is where you get the minority contractor who acts as a pass-through to give the real work to the majority-owned firm; that minority contractor isn't building any business of their own, certainly nothing they could pass onto their kids or whatever), but it's better than what we had before, which was a system that perpetuated an even more unfair system for a lot of people.


I think we can all agree the goal is a good one. Many would disagree this an effective way of solving those problems.

As you say, this doesn't even counter the problem. The "minority" is just skimming the "take" not building a business or anything else useful.


The "minority" is just skimming the "take" not building a business or anything else useful.

In same cases? Maybe. In many cases (including my own MBE/DBE-certified business) we are using those projects to build a business (2 bootstrapped partners to 8 employees and national recognition in 4 years) and to use some of that revenue & expertise to help folks that normally couldn't afford our services. And there are any number of businesses I can point to that are achieving similar success (of course there are also failures, but that's true of businesses in general).

With regard to Frondo's claim "where you get the minority contractor who acts as a pass-through to give the real work to the majority-owned firm" - at this point I'm pretty sure that's the exception rather than the rule. The various state MBE/DBE certifying agencies are extremely diligent at policing this behavior and will slap down firms found to engage in it. Primes and subs are audited, contacts are reviewed, MBE/DBE subs are interviewed (included onsite visits) etc. MBE/DBEs must submit annual sworn financial statements, along with examples of contracts, invoices and evidence that firm can conduct the work it's contacted for (resumes of principals, references, list of equipment, and so on).


Oh it's absolutely the exception, and not the rule, the minority contractor who's a pass-through. It's just an inevitable byproduct of the people who have the money and power having found a way to abuse the set-aside/aspirational target system. I didn't mean to suggest that it was common (though I can see how I could have been clearer on that point!).

Also, congratulations on using the MBE/DBE certification to build your business! That's excellent, and I'm quite happy for you.


Oh, but overall this system works very well as a way to give purchasing managers an incentive to look at these historically disadvantaged communities in their buying decisions. The abuse of the system I noted (the minority contractor acting as a pass-through) is not the common case at all.

Buyers still have a challenge in finding qualified minority/woman-owned firms, but there are pipelines in place to help build those firms up. The set-aside/aspirational target system can support that, too, by favoring prime contractors that work with minority/woman-owned subcontractors. A lot of primes have mentorship programs that target minority/woman-owned companies to help them grow their businesses.

In the government purchasing world, this stuff is all pretty non-controversial because it generally achieves its stated goal. I was just trying to say that abuse happens here too, but abuse of any system happens wherever there is a system.


Buyers still have a challenge in finding qualified minority/woman-owned firms, but there are pipelines in place to help build those firms up.

Of course, in the real world, what happens is that the company owner/CEO gives his wife or another female relative 51% of the company, and/or the title of CEO or managing director.

This dubious practice obviously doesn't scale up to large/publicly-held organizations, but it's widespread in the "small/disadvantaged business" community.

It turns out that it's awfully hard to do the right thing by doing two wrong things.


When you say it's widespread, I'm curious where you're getting your information.

The purchasing managers I talk to all seem pretty keen on doing right by their aspirational goals, and the firms that try and cheat the system that way, well, it's known that they're trying to cheat the system.

Furthermore, all this stuff is public record--all the purchasing decisions, awarded contracts, etc., and I know that the local papers here in the Pacific Northwest periodically sift through that data looking for signs of abuse. They do report it when it comes up, too, but it simply isn't prevalent, and I'd be quite surprised to see any interpretation of the data that would let you characterize it as "widespread".


Personal experience in electronic test/measurement and components sectors.


Fair enough, I won't contradict your experience in the electronic test/measurement sector.

I would like to mention, though, that I've literally never seen a contract issued by a state agency or local unit of government to purchase electronic component testing services or equipment (either directly or a larger contract with a subcontracted piece for that).

That's not to say it never happens, just that most of the contracting dollars I see spent are on construction and personal services (counseling and social work, IT services, and the like).

I would suggest that your experience probably isn't reflective of the disadvantaged business community as a whole, and I suspect any empirical evidence we could unearth (i.e. the public purchasing records, and so on) would support that claim pretty unambiguously.


But doesn't this prove the point?

Either nobody was willing to bid lower: the system works.

Or someone would be willing to bid lower but its a team filled with white guys: the system works. Maybe these other companies should think about their hiring practices considering that they exist in an area with a large minority that doesn't seem present in the team.

I don't know the details though, maybe there's some capital requirements or something that's pretty hard to match


The point is that the team of white guys is still performing the work. The only people making a return here are the well-connected minority/woman/veteran contractor and the politican or friend/family thereof who gets a cut of the action.


Doesn't the point still stand? If they want 100% of the money (instead of 80% or whatever), they could get it by hiring minorities into their team (hell, higher the guy doing the subcontracting as a "business developer"!).

Some people have commented in other threads that just subcontracting can get you into a lot of trouble if caught though.


If you think the point is to help minority businesspeople, then no.

The legit business people who aren't just patsies often get screwed by these arrangements. They end up holding a massive short term liability that the big contractor (IBM, Oracle, EDS, etc) wants paid NOW, but the receivable is mired in some crazy 120 day late pay hell with the government.

If we want to hire minorities to improve their lot, just hire them. Or require actual bids on contracts that a small business person can grok instead of blanket purchase arrangements that require Fortune 50 sized legal/contract teams to bid on.

Of course, if the point is to generate extra income for the spouses of corporate execs and campaign contributions, than sure, these programs are uber successful.


"Or require actual bids on contracts that a small business person can grok instead of blanket purchase arrangements that require Fortune 50 sized legal/contract teams to bid on."

At the local level, at least in the Pacific Northwest, this is exactly what happens. Local agencies have targets of anywhere from 15-30%, for how much they'd like to spend directly on contract dollars awarded to minority-owned/woman-owned firms.

Most are hitting between 5-15% now, but I'd say probably 4 out of 5 purchasing managers wants to do better and actively encourages their staff to do outreach to the minority/woman-owned small business communities.


I used to work in an industry and area where a huge portion of the support services (custodial, labor, etc) were provided by tribal contractors with predominantly Native American employees, providing huge employment to these often struggling communities because of preferential selection. So there are definitely anecdotal success stories to these programs. There is also the opposite, though.

There are some controls in place. For example, my understanding is that in the federal government, contractors that are preferentially selected for various reasons must perform a majority (at least a technical majority, e.g. 51%) of the work in-house, although I don't know a lot about how that is measured or supervised so I'm not sure how effective it is. I have certainly seen cases that looked like abuse.


It good to get small business involved, but as it's been said before many times, many people including myself object to the idea of giving advantages to people based on their skin color or genitalia.


I don't buy it. The government runs plenty of social programs, but procurement isn't one of them. Procurement should be about getting the best deal for the taxpayer, period. This isn't a game, it's other people's hard-earned money that they've been told is being spent on their defense or other essential service, but is instead being spent on a social agenda. And then when the time for fiscal belt-tightening comes around, we end up cutting more-worthwhile expenditures because this waste is entrenched in a supply chain of government-privileged middlemen.


Well, the thing is, you'd never want the government to make purchasing decisions entirely on price, so what is it that makes the best deal? Price, quality, timeliness of delivery, these are pretty easy to pick out as parts of "the best deal".

These days it wouldn't be a stretch to add "better for the environment" along the lines of "what is the best deal," since that is also a decision that affects everyone in the community, whether the company you hire pollutes more or less. Favoring contractors that pollute less seems uncontroversial.

Adding "addresses systemic racism that we have in the past committed and that has hurt a part of our community (who are also taxpayers, just like everyone else)" also seems pretty uncontroversial--unless you don't think racism exists or should be addressed.


"Addressing systematic racism" is quite the euphemism for an outright racist policy, choosing winners and losers over what long-dead people with the same skin color did before we were born. The best way to "address racism" is to treat people like individual human beings with equal dignity, agency, and responsibility. The now-pervasive victimhood narrative is one of the most socially destructive forces in America. It's an us vs. them, rich vs. poor, black vs. white narrative that feeds on that insidious emotion, envy, and pits people against each other.

And there's this often-explicit assumption that the biggest thing holding back minorities is the white man. Nothing could be further from the truth today. The biggest problems faced by poor minorities are outrageous levels of violent crime among themselves, widespread illegitimacy, family collapse, and broken cultures that value the wrong things. Many groups have thrived against all odds throughout history, and they sure didn't get ahead with victimhood politics. The story of the Jews always comes to mind. Persecuted for over two thousand years, they not only survived but thrived in some of the most hostile environments possible, like repeated mass expulsions from different European countries, culminating but not ending with the Holocaust. When they got Israel, they quickly made it the richest, freest, and most powerful country in the region, by far.

I also want to reiterate my point from my earlier comment, which I don't think you responded to, that this kind of feel-good policy-making comes back to bite us. It hurts the taxpayer today by using up more of his money to provide the same service, and it hurts him tomorrow by obscuring what the real costs are and perpetuating bad decision making. The creeping inefficiencies become a permanent dead weight on our ability to invest elsewhere or weather a debt crunch.

If we want to have social programs that give minorities a leg up, then let's vote on those and forthrightly decide what portion of our national income we are willing to put that end. Hidden welfare for well-off minorities isn't the right way to do it.


It's funny, I can tell that you obviously feel very strongly about this. But there's also so much in your posts on this stuff that is ahistorical, afactual, or in some cases just total nonsense.

I have relatives like you, too, who come out with something ridiculous like "the moon landings were faked!!" or "cancer's all a scam by Big Pharma to keep us doped up!!" and we used to go back and forth for hours about it. I eventually stopped engaging because these were people who were just carrying around a worldview in their heads that wouldn't allow them to have an honest discussion, and obviously bore no relation to reality.

So you go on thinking all the things you do. I don't think I or anyone would ever persuade you that you had some information wrong or some history wrong or some principles in your thinking wrong. I'm not even going to try, because I know what it's like arguing with folks like you.

Best of luck, and carry on!


Wow, you really just tried to dismiss arguments by throwing up a moon-landing conspiracy theorist straw man. Amazing.


> Adding "addresses systemic racism that we have in the past committed and that has hurt a part of our community (who are also taxpayers, just like everyone else)" also seems pretty uncontroversial

When do we start addressing the systemic racism which systematically discriminates against business owned by people of the wrong colour — when that colour is white? I.e., addressing systemic racism by applying systemic racism seems pretty foolish.


It isn't foolish, though I will agree that a very shallow analysis will make these processes seem that way.

In a perfect world, minority-owned and woman-owned businesses would never have faced any discrimination at all. In a perfect world, everyone would have competed on an even playing field since the beginning of government buying. That is not this world.

And the real-world consequence of those decades of discrimination is that minority communities had another barrier placed in front of their ability to build wealth in their communities--not the only one, of course, but still a real one and one that's definitely done lasting damage to those minority communities.

After all this time, and all that damage done, saying "well, we won't discriminate now but you still need to somehow catch up from decades of discrimination, and we won't do anything to undo the damage we did," if you think that's appropriate, then that's fine, you can think that. But it's only foolish if you don't really think at all about the history of the situation and the accumulated effects of that long history of discrimination.

You'd even be in good company if you wanted to take that shallow view--a lot of people I talk to don't seem to want to acknowledge that racism ever existed, or if it did it isn't a problem now, or if it is a problem then someone else should do something about it, and on and on and on.

(And, you know, all these aspirational targets, like spending 20% of our dollars on minority-owned firms, they're not hard-and-fast rules. If there are no qualified minority firms, then the work still goes to a white-owned firm, and after decades of discriminatory procurement practices there aren't necessarily a lot of minority-owned firms with the capacity to manage government contracting projects, so it's not like white folks are suffering in any way in the government procurement space.)


> it's not like white folks are suffering in any way in the government procurement space

Except, y'know, for being ineligible for certain government contracts.

What's worse is that those people are being penalised without having been guilty of anything. This is utterly inimical to a free and health society.

Yes, there are some lingering negative effects from past racist discrimination: but there are also ongoing negative effects from current racist discrimination. You don't fix racism with more racism: you fix it by not being racist.


Yes, and for decades minorities would be penalized and effectively rendered ineligible for government contracts just because they were minorities.

And that has done long-lasting damage to their communities. And they weren't guilty of anything, either! You're absolutely right, decades of systemic racism were utterly inimical to a free and healthy society, and minorities bore the brunt of that for a very, very long time.

Systemic racism created a very un-free and un-healthy situation. A lot of blameless people suffered through no fault of their own, generation upon generation.

Couldn't agree more, racism is bad, &c &c.

This small attempt to undo that--preferring minority-owned businesses for a certain amount of government dollars spent--doesn't really seem to be affecting white-owned government contractors, and it does seem to have a pretty positive effect at starting to undo the effects of all that (utterly inimical to a free and healthy society) discrimination.

Again, you can cling to that flag of "all racism is bad!!!" and that's fine. I'm at least somewhat satisfied that you went so far as to acknowledge that there has been discrimination in the past--a lot of people who sound like you are reluctant to even admit that there's ever been a problem. So, well done you.

In terms of outcomes and fairness and justice, however, there are probably better principled stands to take than the one against minority-owned/woman-owned contracting preference programs.


A capitalist is a capitalist, regardless of minority status- they're still agents of exploitation.

EDIT: #yolo


American Indian tribes/nations have this down too. Chickasaw is booming here in Oklahoma. That doesn't count all the casinos where money is flowing out the back doors as well.


Why was the fee not-so-modest? Common sense would dictate that since it's a good that's both easy to obtain and also completely commoditized, the amount you could charge would decline to the cost of production.


Isn't this basically fraud? Did you not report it?


To be fair, if the taxpayers are going to be victims of bureaucratic inefficiencies, I'd prefer that the beneficiaries be disabled veterans vs. that money going to Boeing or Raytheon or Palantir or whoever.


Keep in mind that the definition of "disabled veteran" for the purpose of government contracts, while often involving actual disabled veterans, can also be very different, as in the case of Braulio Castillo, who legally obtained hundreds of millions of dollars in disabled-veteran contracts because he once injured his ankle playing football at a military prep school, despite having never served in the military at all.


Having sleep apnea diagnosed while you're in the military also gets you a disability rating by the VA so you're considered a disabled veteran.


I still can't believe someone named a company Palantir. In Lord of the Rings, the palantíri fell into the wrong hands and were used to do literal, honest-to-god evil. It's like naming a company Death Star.


It's like naming a company Death Star.

Or like making a mission patch that's an octopus with its arms around the earth, with the tagline "nothing is beyond our reach"?

It's all about audience, right? Palantir used to have t-shirts that said "save the shire" on the back -- dunno if they still make those.


The Palantir were "good" objects in The Lord of the Rings. (As opposed to the Ring, which was inherently evil) The Palantir were used for thousands of years to protect the kingdom. Even during the time of the books, when being used by the most powerful evil bad guy, the right good guy could take back control of the Palantir "network".


Soylent belongs in the hall of shame for bad names too.


These policies do not affect the revenue of Boeing or Palantir, who are able to arrange whatever exceptions they need to do business. Usually, minority purchasing rules come into play when a government is purchasing commodity/low-differentiated products and services.


Unfortunately, that's usually not how it works. Boeing et al will just subcontract to the veteran-owned small business and the net effect is a slight increase in price for the government, a slight increase in paperwork all around, and some profits for the small business owner for being a small business owner.


Boeing, Raytheon, and Palantir are not bidding on $300K projects. That's just background noise. I can't even figure out why IBM was interested; things must be tighter there than they used to be.


Those companies could more effectively redistribute or reinvest that wealth than an individual ever could.


Why? The money is ultimately just going to pay some individuals - they can be upwardly mobile elites from good schools (Palantir), stodgy defense establishment types (defense contractors), or groups that traditionally get less of this kind of attention. Why not?


Are the down votes because of the content or style of my comment? Ultimately, it's a matter of the capital those companies have invested. These companies can more efficiently allocate the extracted wealth toward research and other projects that there is demand for. I'd rather have an efficient organization running off with my tax money than an individual who might go buy a yacht with that money. A corporation has little incentive to spend money the same way an individual would.


If by redistribute the wealth, you mean lavishly pay the AE, then yes.


I've done some federal contracting and the issues seem to be cultural. The government hands out what they call "prime" contracts which are then subcontracted out to multiple other firms. The primes tend to be stodgy old companies filled with lawyers and MBAs that can win the contracts, who then view the engineers as replaceable cogs. You then interact with multiple other contractors that own particular parts of the stack, for example an independent testing contractor and another for infrastructure. It wasn't uncommon to have 5 project managers for each engineer on the project.

Coming from tech startups this was completely shocking, I was so used to an engineer driven culture. That developers couldn't write their own tests, or manage their own infra, or deploy multiple times a day was super frustrating.

There sounds like there are some great initiatives to change this old approach, but until then I can't imagine many talented devs would put up with the bureaucratic bullshit.


I worked in the past on an IBM project with the TSA, and they were indeed the prime on a large software contract. About half the team was IBM, the other half medium to small sized subs.

Honestly, most of the wasted time wasn't the engineering teams being slow, but anytime something had to be run by the government, it halted. It was utterly depressing.


This was my experience as well, it was mainly the arbitrary road blocks. When I'd be on a call and realize there was finally another dev on the line I'd immediately get in touch via email or chat and back channel while the swarm of project managers talked about who knows what.


I was at an agency and worked on the website for the Bureau of Engraving and Printing when they were releasing the new $20 design. The contract was for $88M - and our parent company was the prime contract and simply sub-contracted all the work to various sister companies. The agency I was at was in charge of the website part of the contract and we were literally just another cog in the wheel - we were certainly being billed as high end talent, and we had to undergo a minimal security clearance to work with high-res images of the $20 bill, but we were severely underpaid and overworked - and we were offered no recognition for our efforts.

No regrets leaving the agency world.


> That developers couldn't write their own tests, [...] was super frustrating.

I can see advantages to having someone else write tests for the developers.

And I don't see how they stop you from writing tests for personal use, if you want to.


In the aerospace industry (commercial and defense are similar here because the software for commercial has to be written according to government rules, see FAA DO-178B) it's actually verboten. Testing independence is part of the flight certification of the software if I'm not mistaken.


This has all the enforceability of prohibiting your workers from thinking about what they're working on, or practicing in their spare time.

Tests you write for your own benefit are not a deliverable. They're part of your work process.

As I said before, it's not ridiculous at all to require that deliverable tests be written by some other party than the developer whose code needs to pass them.


Actually I think this is one of those things that sounds so obvious, and yet isn't right in practice.

I'l roughly segment projects into those that can fail a bit and those that can't.

Now obviously, for things that can't fail even a little you can't just take someone's word. But why can you take the word of two people, or ten? The failures (in programming and code review) are absolutely correlated. If one person fails at something another likely will fail in the same place or when reviewing it. When people die if there's a bug, or you're even losing a lot of money, you should not be trusting best-effort human anything. This is where imperative programming against a test suite breaks down and just can't cope. You need to switch out your internals for something provable in its domain. (eg, the math to land a space shuttle in a fixed-time infrastructure (ie before it lands itself)).

And for everything else, it's a $/$ calculation. How much do you want to spend to have some unknowably smaller amount of risk? And usually the best value for the dollar is having the original engineering team work on the tests, with outside oversight and good metrics. If an integrated team is having problems getting full branch coverage (the only worthwhile coverage metric...) in a given method, they rewrite the method. External teams have to test what's given (or waste a ton of time in communication delays) and that usually ends up with suboptimal tests and suboptimal coverage. What you can't do though is simply ask a developer if their work is properly tested and trust their answer. You need real metrics and to know what they mean for you. (Like benchmarks.)


The tests are written independently of the original code. If someone has made a logic error or misunderstood some part of the spec, there is a good chance that the independent test implementation is not going to have the identical error. It's definitely a higher chance of finding bugs than having 1 developer write both, as long as the testing is written independently based on an API.


There's a difference between code tests though and spec verification.

Spec verification is (should be...) black-box integration testing. And yes, this is a good chance to get a second set of eyes on the spec to make sure nothing was missed in the implementation. (unit-tests can't catch missing code!)

Code tests should be more white-box and should be measured against line/code coverage instead of spec coverage. These are what I think the original devs should write, and should be 95%+ of the total test volume.

The problem with expecting testing to pick up spec errors is that it takes comes at the end of the design/build phase instead of the beginning when you can make changes easily.


Well you're not going to pick up spec errors with same-developer unit tests, so either you have someone else write those spec tests or you wait until the customer picks them up on initial delivery / QA.


> Code tests should be more white-box and should be measured against line/code coverage instead of spec coverage. These are what I think the original devs should write

Nobody's stopping them.


Sure, if those testers actually know what they're doing, which wasn't clear if they actually did. A bunch didn't even know how to use git and didn't have commit access to the repos to begin with.

I have no problem with other people testing my code, but that there wasn't a culture of engineers writing their own tests at all was surprising and troubling.


These companies need to just be fired. Seriously. Send them back to the real world for a while. Makes me think of the Vogons from Hitchkiker's Guide to the Galaxy.


And yet there's good code written in the midst of it sometimes.


I've also been there. It's a really poor environment for quality. Forget engineering driven.


"..that a beginner could build in a day.."

Yeah... the clue is that an entire bureaucracy is required before even the first line of code was written. This thing probably took months and months of meetings with tons of people before the prototype was written.


Yep. You have the AE, and then the AE on a large project has another AE with him. Then you have a solution captain. Then you have the COE that comes in that actually knows something. Then an architect to design the thing. Then you have others who actually do the thing. Then you have a PM to schedule meetings, and bitch at the doers to do the thing.

Then you have all the daily meetings to communicate to all of those people the messaging. Then you have the meetings to clarify all the wrong messaging that went in some of those meetings.

Then you have the meetings for the customer facing communication. Then you have the customer communication.

I'm not even close to done...


What would happen if, some fraction of the way through the long stretch of bureaucratic meetings, someone just coded a prototype?

If they sit on it and whip it out the moment the green light is given, then what?

If they whip it out at the next red-tape meeting, then what?


I can tell you what happens. I worked at a very large telco.

We went through months of daily meeting with 10+ very expensive execs, PMs and Business Primes from all over the business.

One day the only other coder in the room leaned over to me and said "Are we still talking about <x,y,z> that you or I could code in 10 minutes?"

Yes, we were.

I coded it and showed my managers and so forth. I was completely ignored, and the meetings rolled on. In a place like that, there are so many people that have job titles that have nothing to do with "getting it done", which in a funny way makes them less interested in getting it done. Their job is to analyze, plan, document, process map, etc. etc. so that's what they're going to do, no matter how trivial the thing is.


Ha! My favorite Telco story was when I was hired to come in and do performance improvements on an enterprise application. Day 1 I figured out what the problem was, and I could have the solution in place by the end of the day.

The manager who was in charge of the application thought that a quick solution would make him look bad. I was explicitly ordered to sit on my thumbs for six weeks.

The thing is, once you know the solution every other action is senseless. There are people who are perfectly happy being a billable body for a living. I'm not one of them.


Exactly! I would argue it creates MORE red tape and work to do that, than less. I've done it, I've seen it, it actually makes your life worse, not better.


When I stopped trying to make that place better (I'm banging my head against the wall) and started just going with the flow, I knew it was time to leave.


This happens all the time. People aren't stupid, and often do this. I will seriously answer your question of what happens.

They will be told to shut up, because they haven't listened to the requirements. No one will want to hear it on that call. They will be told it's the wrong audience.

If they push forward, they'll have a conversation with a lot of people after the meeting about how they aren't being helpful.

They'll be told to have a separate meeting with others to validate it. Then in that meeting, those people will rip it to shreds, and indicate that it needs to conform to X Y Z... The PM will then work with you to go through when what actions will be done...

Then they'll schedule new meetings. On and on.. Nothing will change.

I've tried it, and seen it tried. It doesn't work.

You go through the process, or you create even more bullshit red-tape for yourself, and you're seen as a loose cannon no one trusts.


Their manager will have a stern talking to them about how 'this isn't how we operate' and 'you broke protocol' and 'made everyone look bad'. They'd be reassigned to the most boring and menial tasks until they quit.


They would probably get in trouble for performing work which the government representative (Contracting Officer) had not authorized.

The larger issue is that the government is not setup to move quickly, and for the majority of things the government does oversight is a good thing. That level of process does make it hard to do things like this efficiently, but it's all about trade-offs.


Actual developers do bot go to these meetings.

But if you actually did that, you'd be told off by your manager for wasting resources.


Sometimes they do.... and they will stop going immediately if they don't follow the script.

You either understand and enable the other people to accomplish what they want to accomplish, or you're not being invited ever again.


Project managers don't spend 1290 hours to plan a 1 hour implementation.

If you did that, your contract would be terminated and the PMs would find someone who knows how to turn that 1 hour prototype implementation into 3000 hours of work.


Do you know how many bike sheds they could have painted with the man hours?


Exactly. I used to work with a government contracting company. The simplest piece of software took many thousands of dollars in lawyer fees and compliancy.

A beginner dev could build many simple web applications in a day. However, it will probably have security holes and spaghetti code.


>security holes

It's an arrow that points in one of two directions. I can not think of a single way this could be made insecure. Even if someone was able to influence the direction the arrow was pointing, everyone is still going through the same ineffective screening process.


One way it could be made insecure would be if it didn't use a good source of randomness, so the arrow direction could be predicted. A worst case example would be if the app just cycled through a fixed table of "random" choices like "L R L L R L R R", then the attacker could just watch the pattern and position himself in the line appropriately to make sure that his buddy Joe is the one to screen him. repositioning is easy, just dig through your bag and say to the guy behind you "I can't find my passport, you can go in front of me".


That problem would be solved by making the app very unstable and require constant restarts ;)


A worst case example would be if the app just cycled through a fixed table of "random" choices

Not even a newbie programmer is going to do this. Every language out there has a Random() function.

Seriously, all these worst case scenarios and we're still well within the land of what even a middling iOS developer could crank out in under an hour.


> Not even a newbie programmer is going to do this.

I wouldn't bet on that. I've seen all sort of horrendous monstrosities that students and new grads have come up with.


You'd be surprised what programmers will do. Sometimes due to incompetence, sometimes it's an "optimization", sometimes it's a simple mistake, yet there is some very bad code out there and it's not discovered until it causes a problem.

For example, even a newbie wouldn't trust a remote client to tell you the size of a string they are sending you so you can echo it back to them, yet we still had Heartbleed and it sat there for a long time, undiscovered.


Which usually isn't cryptographically secure. So now you need to audit the random number generator and make sure that it has no known holes, including obscure edge cases. And then you need to confirm that any implementation is correct and audited.

That quickly takes you down a rabbit hole, which may be why the contract was so expensive.


This is iOS we're talking about. The CSPRNG provided as part of Swift or Obj-C's standard library has likely already been audited for use on other govt. projects.

http://stackoverflow.com/questions/9234686/generating-random...


Great point. Thanks for the link!


Oh you need a cryptographically secure RNG? Assuming the app is written for android just replace Random with SecureRandom. Here's your $100,000 invoice.


And all of this trouble to achieve.....what exactly?


To achieve a "screening" carried out by a co-conspirator, through which weapons, etc. could be passed.


1. The TSA is ineffective at preventing weapons from getting past their security checkpoints.

2. Everything required to make a bomb can be bought past the TSA checkpoint.

3. It would stand to reason that if a terrorist organization can get a conspirator to infiltrate the TSA, they could get, I don't know, two?

4. There's more than one person involved in the screening process.


The fewer people you need to get into the right places at the right time, the more likely your plot is to succeed.

It's not like TSA agents haven't already been caught letting people smuggle contraband past them:

http://www.foxnews.com/us/2015/12/19/tsa-agent-accused-smugg...


What if the device with the arrow leaks EM radiation which can be used to reconstruct the random seed, thereby allowing an attacker to predict which way the arrow will point after n presses? Then, you can just time your place in the queue to get the result you want, as long as you can discreetely measure the device from a distance.


I can't tell if you are joking or being serious. I hope this is a joke.


I am "joking" in the sense that I don't expect even this 300K design to have taken that sort of vulnerability into account. I actually agree that most of it probably went into meaningless overhead. I am not joking in that I think that if you are designing a formally specified security-sensitive cyber-physical system, there are reasons why even very simple things are hard to get right.

I don't actually much care about the security of TSA hardware (my view is that it is all expensive security theater in any case). However, if you told me you spent 300K designing a very simple control interface for say, a critical component of the electrical grid, and the argument you gave me for the cost is proper security engineering, I would buy that. I certainly would prefer it to a $30 USD solution developed as a HackerRank project, even if the nominal functionality is the same.


They could hack into the iPad to make it display this: http://www.thecleverest.com/countdown.swf

High chance somebody gets shot.


That's a lot of hacking to display Flash on iPad :)


I don't think lawyer fees imply anything about the code quality. See: HealthCare.gov fiasco.


I think OP meant that bootstrapped code, written as quickly as the developer feels like writing it on a weekend, has its own flaws as well.


Though an app showing a randomized arrow veers closely into, well, not Hello World, but an intro example for developing a mobile app. There's not going to be a lot of code to spaghetti-ize.


In Enterprise software? You'd be surprised...


It implies that you know who to sue if code quality isn't up to scratch. This is important to large organizations for some reason.

Even though it may be cheaper to just do it 10 times over with cheap one person shops and throw out the worst 9.


And who was sued in the case of the Healthcare.gov debacle?

I get the feeling this "knowing who to sue" saying is a bit of a myth.


I suspect that the myth is that anyone will follow through on it. The ass covering is probably real.


Honestly, for a custom app from one of the largest corporations (IBM), for the largest of organisations (US Govt), $336k is pretty reasonable!


Seriously. 336k is absolutely nothing. Think about how fast that gets used up adding up the numbers of the per hour of those involved, and how many people it is (not just the developer who does it)

You can argue that you don't need that many people, and certainly for a start up that's often true.

But in enterprise software, you actually do need a ton of people because of the expectation.

I'm in the Business and came from start ups. I'd VASTLY prefer to do things in small groups to just get things done.

But even though I want that, no one else does, including the customer. They want all the bells and whistles of a ton of people. It makes no sense at all.

Hell, one of my current projects has about 20 people on a phone call, and 4 that actually understand anything going on. Think about all the money wasted in all of that, and yet... It's the way business "works".


The $336K appears to be just the cost of one installment. The total project costed $1,444,315 Here are the rest of the transactions under the same contract: https://www.usaspending.gov/Pages/AdvancedSearch.aspx?k=HSTS...

TSA spends most of it's budget through a provision called "Other Transaction Authority" which is essentially a vehicle to make purchases with barely any oversight from congress. http://time.com/4134368/tsa-price-of-security/ (Paywall)


I'm glad you brought this up, because this comment represents a misunderstanding in how government contracting is typically done. My previous job was working for a government contractor, and we did multiple discrete contracts for several branches of the government. However, every single one of them would have shown up exactly like this, all bundled under one contract.

Why? Because writing and signing a contract is expensive, for both the contractor and the government. So contracts are typically written in a way to make them very easy to extend, and existing contracts are often used as vehicles to tack on additional funding for new contracts. The original contracting agency would also usually charge a fee to the other agencies for use of their contract in this way.

So, this kind of glance at individual awards under a single contract is really too simple a view. A lot of these funds could be (and from my guess, probably are) going to completely independent projects from the randomizer.

TL;DR: Having multiple awards under a single contract is typically a sign of the government working around bureaucracy and attempting to save costs.


Yeah -- you are correct.

TSA later reported that the actual cost of the randomizer was around $47k. The total figure I had mentioned earlier was part of a larger contract with IBM. I saw the generic "IGF::CT::IGF MOBILE APPLICATION DEVELOPMENT" note on the award and assumed it was all for the same project.

It's also weird that TSA's response to OP's FOIA request cited a different and higher figure (~$340k) for the randomizer app -- I'm guessing they were grouping in other projects under the same award here too?

Besides, $47k seems like a reasonable amount if that figure includes training and deployment costs.


The government would be a lot more efficient if everyone who worked for them was a little more tech literate. I don't think the lack of education is entirely the US government's fault. Tech moves so insanely fast it can be a full time job just keeping up with the changes. My point being, this is not the price of building a tiny app. 336k for a randomized arrow is absolutely ridiculous. This is the price for making a change in a government run security system. A change built on technology that government officials don't fully understand.


I've actually gotten to the point that I think the speed at which software tech moves (and we're all expected to move with it) has become a negative on the industry. No one has time to hone their craft when everyone making the architecture and language choice decisions has shiny new object syndrome. It used to be that people who worked at their jobs for 20-30 years or more became "elders" in an organization and were able to use that experience to guide the younger generation and avoid the same mistakes and design pitfalls. There are some good design practices that still do carry on, but having to learn a new language every year (plus all the frameworks that go with it) is not a pleasant or rewarding experience, nor does it allow for much time to become an expert.

Note, I do understand that sometimes new ways of doing things allow one to solve a problem such it would have previously been near impossible. However, most of the problems that need solving aren't these situations. I.e. if you think you have a big data problem, you probably don't, etc.

I think this especially detrimental in the government sector because the folks buying the services don't always understand the technology or the maintenance requirements that come with it. Then we all foot the bill (through taxes) for a lot of OJT for said new tech.


They're hiring. Good people needed. Please consider it. Quite an opportunity to actually embed a solid tech culture in some places that really need it: https://www.whitehouse.gov/digital/united-states-digital-ser...


This assumes all inefficiency is accidental, or done out of a lack of knowledge.


Don't attribute to malice what can be attributed to ignorance


A few things.

1. Kevin you may want to block out your address in the attached letter.

2. I'm missing the part where this amount is tied directly to the creation of this application and this application only. From my read this is a T&M contract for mobile development there's nothing specific to this application. It could span multiple engagements and apps. Considering this contract went into place over 2 years ago this could likely be the case.

3. This is a cap not an invoice. They could have billed 60k.


Some details of past IBM wins here via UsASpending: https://www.usaspending.gov/Transparency/Pages/AwardSummary....

This may be the preceding contract but very similar scope and line items if you want more details, no FOIA required.


I suspect that one secret feature of this app is a discreet way to override the randomizer and send a passenger to the "intrusive search" lane. That is, if the screener suspects someone, he or she can swipe or click in a clandestine way to guarantee that the passenger gets the annoying search.

The passenger can't complain about being targeted or profile or singled out, because, hey, it's random.

(The actual rationale of the randomizer might have been to avoid accusations of profiling, while still being able to do profiling. Leaving the bad guys off balance is simply a benefit.)


Notice this is also T&M (time & materials) which is not just a fixed priced bid.. so that means someone "used" the actual working hours and materials for the $336k bill.

(Contract negotiation, etc is not explicitly built into these, they're reflected in a higher billing rate.)


No, this is just the contract, which would be based on IBM's cost estimate. Since it's T&M, the actual total cost and hours will only be reflected on IBM's invoices.


Yo app got a $1,000,000 from Andreessen Horowitz, so they kind of got a deal if you think about it that way


The PDF contract the author shares doesn't make it clear what deliverables it covers. Perhaps we can assume that if the FOIA process worked it is in fact the contract that covered that app... but it's not clear from the document itself, nor is it clear that the 'TSA Randomizer App` was the only deliverable of the contract.


Yes, it was unfortunate I didn't get more data/information back from them :(


Before we even go into line item mode we really need to ask ourselves if this is a $336k problem in the first place. They could have just asked the military how they handle this sort of problem, and the solution they would have been given is this: a $2 hand tally counter. Establish what the desired flow rate is, divert every nth person, reset the clicker, anybody in line observed shifting position gets diverted. Unless the TSA can't even trust their people to count, or their real objective is adding some weirdly alienating layer of technology between the employee and the traveler.


"every nth person" selection is just too predictable. You could try to prevent people shifting in line, but in a crowded airport you will never be able to control that effectively at current staffing levels. The cost of effectively enforcing that rule would rapidly add up to more than $300k and cause serious inconvenience to travelers.


If they aren't watching the line then they aren't doing it right, inducing a predictable behavior in an adversary is half the point. Remember all the hubbub several years ago around TSA behavioral profiling? I don't think I've ever seen the link drawn in the media, but that was around the time that technical failures were being uncovered in the detectors and scanners. Also, and I'm well aware of the fact that this makes me sound crazy, that is when the TSA employee that checks IDs and marks boarding passes started calling me by my first name. So they're watching the line.

Anyway, with the level of uncertainty already high in queue fill rates - I don't think anybody is going to feel confident enough that they'd alter their diabolical plans. Oh and I just remembered something that renders all this pointless, the functionality for randomly alerting is already built into the metal detectors... undoubtedly a contract requirement for a feature that is never used.


Yes, preventing shifting in line doesn't help if your attacker can just count the length of the line before they get in it. You really want a random element. Anyone familiar with Dungeons and Dragons should be able to name the obvious solution there....


The uncertainty already inherent to the existing process is high enough in my opinion, either the software or the hand counter would equally meet the real objective here: providing a point to audit for reportable metrics.

While a dungeon master presiding over a hopeful throw for critical hits would be a solution, I don't think the TSA wants to make security theater entertaining - it makes the accidental nature of the whole endeavor obvious.


But Mike, what good would Polymorph do in this scenario?


If you can't figure that out on your own, then you're obviously unqualified to be a TSA officer.


Haha, bummer.


Or roll some dice. 1-3 = left, 4-6 = right. If one lane starts getting backed up a bit, shift the numbers by one. 1-2 = left, 3-6 = right


Once again, contracts are rarely for just development. It likely included design, development, deployment, testing, training, accessibility testing, analytics.


They could have used a magic 8 ball with similar outcomes


Dice app that could support even 6 lanes - free.

https://play.google.com/store/apps/details?id=tobi.wuerfel&h... [1]

[1] Not affiliated or tested. It was the first I found without inapp purchases or ads.


But as a service it isn't controlled. What if someone took control of it, and then used it to game the system. Security is shot.

Not that I really think that matters at all, but that would be shot down in the first meeting it was discussed immediately, and you'd be considering insane if you kept pushing it.


But could it support 7 lanes? (This is a somewhat serious question)


Try http://äppärät.com . It uses a REAL die. And you can look at it on an iPad.


Or even a coin.


For the money, they could have given every TSA employee a silver dollar to toss.


For that matter, they could tell odd parties to go left and even parties to go right.


I doubt this was meant seriously, but it's worth noting this actually doesn't work. You need each left/right decision to be independent so that positioning yourself at a certain place in line doesn't allow you to choose left/right.


So you're saying this app operated by TSA agents is meant to defeat attackers looking to be screened by cooperative TSA agents? I can't help but feel something is lacking in this threat model.


I'm not sure I understand this. If I were to observe the pattern before I reach the agent, it would be easy enough to let someone go ahead of me while pretending to finish a phone call or something. It doesn't require the cooperation of the TSA agent.


Defense in depth is a real thing.


More and more it seems to me that there is no replacement for correctness, and you have to squint to tell this apart from theater.

Perhaps I'm exaggerating. It would certainly raise costs to the attacker to recruit an additional collaborator, and to wait for a serendipitous scheduling. But I'm not convinced it raises the difficulty by $300k.


Nah because the whole idea is that the system needs to be unpredictable.


I'll bet you an Airbus that if we managed to FOIA the source code it would use an LCG seeded from the system clock.


But that isn't manipulable by someone standing in line, so it is effectively random. You can't determine exactly when the tsa person will press the button.


If that was the only requirement the TSA agent could direct you however they pleased as long as you couldn't predict it. The reason to use a software solution, one imagines, is to protect from corrupt TSA agents. Corrupt TSA agents know when they turn their iPads on.

Additionally, by observing several passengers being directed this way or that, you could brute force the seed and the system becomes deterministic.


Couldn't find in the contract if the hardware was provisioned or not.


Why is there a ?lobsters qs on the submitted url? Seems to load fine without:

https://kev.inburke.com/kevin/tsa-randomizer-app-cost-336000...


I submitted it to Lobste.rs with that on the end of the URL, and someone must have submitted the URL without stripping that :)


If this is truly the price to develop such simple software, it's going to be very bad for the government's reputation to be releasing code like this under open source licenses.


Theyve already said they won't if there's a security or privacy risk, and you can find one of those in any code.


No invoices against the contract? This is only part of the picture.

It's a time and materials contract which means the contract award is the "ceiling", but you have to perform work billed against it to get paid any of that.

Plus, the second page details several extension options that could increase the ceiling to $1,176,280. Were those options exercised?


We don't know; I've amended the post to reflect this. Thanks.


One-sided negotiation is a cost riser. The last thing a client should be able to tell is that the payer has very deep pockets; if I know you can afford billions, I might ask a ridiculous price and expect you to not know any better or not care about paying it.

An excellent use of secrecy technologies would be government contracts: partition problems into pieces that don’t necessarily reveal the final purpose or customer (e.g. “choose uniformly between A and B” is too vague to be guessed as a requirement from only a government agency). Then, anonymously ask for bids. That way, you might actually get the developer who offers a measly price for a trivial task, and only finds out later that his check is from the government.


What is WAY worse is that they probably purchased 10,000 ipads to run this stupid app.


Less worried about that and more worried about the fact that baggage scanners only scan from one angle combined with reality that they don't do material differentiation.

Z-effective scores...findable.


But no one got fired for choosing IBM


I came here to say this.


Pfft! Yet another cliché slinger


The page (2 of 8) that had the unit prices censored (exception (b)(4))[0], claims the total award amount was $1,176,280.72.

Really, what we need is IBM's invoices and TSA's pay statements.

Also, you shouldn't need to file an FOIA request to get this information. Shouldn't all bids and contracts be public?

[0] Exemption (b)(4): Records that contain trade secrets and commercial or financial information obtained from a person that is privileged or confidential.


Unit prices are trade secrets. If they published that, then someone else getting a higher price could point to it, and say they only charged X for them.


A coworker and I were laughing about this at the airport one day. I literally wrote the app in the flight home and almost put it up on the App Store.


Ya well, that's 10K development, 30K profit and 290K meeting time and paying people to fill out forms. Sounds about right.


Why does this surprise anyone? Forget an app. Just a normal computer that government buys ends up paying 1.5 of what you will get on Amazon.com. This is because government does not pay on time, there is a lengthy and resource consuming process in selling something to the government.

The app was probably $10k, rest was the compliance cost.


It was 300000 for lobbying grease to land the contract, 30000 profit, 6k for hardware and 500$ for one intern to write it.


Funny but ultimately wrong.

The real distribution of where the money goes on projects is certainly funny from a sane persons perspective, but in a different way than this :)


Why not just have TSA agents flip a coin, or buy a bunch of Trouble board games, and repurpose the dice rolling bubble?


The trouble bubble is not only a perfect solution for this, but an apt metaphor for the whole process.


We're talking about the app with 1 arrow on the screen that responds to a press anywhere on the same screen? 1 icon, 1 tap target, hooked up to 1 secure random algorithm.

I don't know how anyone can look at this situation and not see the government is wasting a lot of money in their pursuit of not understand technology.


Hmmm... at the current rate of bureaucratic growth, I estimate in a 100 years or so, this app (or it's modern AR equivalent) will cost 20% of the entire federal budget. No worries though, 10% of all U.S. workers will be involved in its digital-paper-pushing development.


With a reference to another recent hackernews story: https://news.ycombinator.com/item?id=11415747

Can we expect to see the source code for this application pretty soon?


It seems a bingo spinner with two colors of balls would do just as good of a job.

https://www.google.com/search?q=bingo+spinner&tbm=isch


A little bit tangential: when you go to the slower lane and they swab you with those silly machines, can they actually detect anything?


fyi, this is not a time to apply science.


It'd be interesting to hear what do "materials" can entail. It might be that they actually delivered iPads to the airport.


If this is what it seems then that is ludicrous.


What I want to know is does it still work if they turn on the rotation lock and hold the iPad upside down?


If you're a consultant or freelancer, and you're not charging that much to build an equivalent app, you are undercharging.

This is a completely reasonable price. Honestly, it seems cheap.


random rand = new random();

int tsaNumber = rand.nextInt();




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: