Thursday, August 20, 2009

Strange Sense of Security

MCPS recently announced it wants a security system for the elementary schools. RFP (Request for Proposals) 4248.1 "Elementary Schools Access Control Systems" is publicly available at the Parents Coalition web site in an article by Louis Wilen.

I decided I'd have a look. What I found was astonishing.

The RFP starts out reasonably. The request sketches out the idea of doors that use access-control cards. As a past elementary-school parent myself, I could see this makes sense for school staff who are regularly going in and out. The kids themselves don't need access cards because they're only using the doors during brief periods (i.e., school day begins, recess, etc.) when an adult is stationed at the door.

But after hours, I would regularly encounter doors propped open with a rock or chair so that parents could enter. And sometimes I would encounter a locked door and a crowd of angry parents banging on the door, unsuccessfully trying to raise the attention of a school staffer.

The MCPS proposal provides for cameras so conceivably a parent could get the attention of someone in the office to have the door opened remotely. Indeed, the cameras could be viewed offsite so it wouldn't even be necessary to have someone watching them in the school itself. They could be viewed at MCPS HQ or anywhere on the internet.

Sounds good so far. So what's the problem?

The Problem

For starters, there's a lot in the RFP that's unnecessary. Consider this section:
2.2.4.m The EAC/SMS System shall have a fully integrated Environment Security Module (ESM) with the capability of detection and identification of toxic gases, Chemical Warfare Agents including Soman, Sarin, VX, Mustard, and Lewisite. The Environmental Security Module shall include a suite of sensors integrated with the EAC/SMS System capable of detecting over 1,000 chemical and gas compounds with ...
Is this for real? Since when do we need chemical warfare detection systems in our elementary schools? (Answer: We don't.)

I'm thinking that this RFP was written with the idea of applying for grant support from some federal security program. That seems to be the way half of these new security policies are justified these days - because there's money waiting for them. (The other half? Hyperbole-driven paranoia.)

Speaking of paranoia, how come there are no metal detectors? How is the system supposed to stop people entering with guns? Knives? (Atomic weapons?) How are we supposed to sleep at night? Seriously - why such a weird focus?

Next Problem

Another class of problem is that the specs are a hodgepodge. Plenty of the requirements have no thought to functionality but dwell obsessively on irrelevant technical detail. For example:
3.6 ... shall incorporate a 32-bit 100 MHz RISC processor ...
Besides the unnecessary use of the vague term RISC, why would someone specify a maximum speed? Normally, if you have a specific processor in mind, you'd say 100 MHz or faster but this spec means faster chips aren't acceptable. That's absurd. But realistically, so is the idea of even giving processor speeds for a security system. Function is what counts, not processor speed. An example of a functional spec: System must recognize a face 95% of the time within 2 seconds. Who cares how fast the underlying processor is?

So why might someone write specs this way? Answer: When they have a prior arrangement with someone looking to dump a bunch of obsolete equipment on some sucker.

The circle was closed once I reached section 5.2 which referenced James Gompers as the consultant to the project. Gompers has been a security consultant for MCPS before. Writing in the Parents Coalition Blog, Louis Wilen says (May 1 2009):
[MCPS] Security Director Hellmuth was so impressed by Gompers that he hired him to select millions of dollars of video cameras and computer-based visitor tracking systems for our schools. Hellmuth had so much confidence in Gompers that he even disregarded the MCPS procurement procedures and state laws that require that competitive bids must be solicited for large purchases. Even the selection of Gompers, Inc. as the security consulting firm was made on a "no-bid" basis by Hellmuth.
The PC Blog raises a number of concerns regarding Gompers, his business practices, his relationship to MCPS and the disregard for their own policies that MCPS appears to be taking in this relationship. I encourage you to read their blog for more details.

More Problems?

Building on the Gompers relationship, I'll mention just one more peculiar technical aspect of this spec. First note that one of Gompers' achievements was selecting a particular line as the standard for MCPS security cameras. According to the press release of the company (IQinVision) whose products (IQeye cameras) were selected, Bob Helmuth (Directory of School Safety and Security for MCPS) said:
For what we wanted to accomplish at MCPS, the IQeye cameras was the best choice for us. We would go with nothing less than megapixel cameras both for image quality and for coverage.
Sure enough, the RFP does specify IQeye cameras just as MCPS standardized on. However, the RFP says:
8.3.14 The video will be 640x480 resolution
8.3.15 The video will be at up to 2 images/second
But 640x480 is much less (roughly 70% less) than the "megapixel" cameras that MCPS Security Directory Helmuth said are now required. (Remember: "We could go with nothing less than megapixel cameras.") And the particular model IQeye732) isn't even listed in the IQeye website product line-up. (Nor could I find it anywhere on the web with google.) Presuming it's an unannounced upcoming model, if it follows the IQeye naming conventions, the 732 will be a 2-megapixel model. But because of the way the RFP is written, it's a waste of money because the video will be at 640x480. No more, no less.

Oh, and the video will be at "up to 2 images/second." Again, a really strange way of phrasing because it specifies a maximum rather than a minimum. And again, that's a fraction of the camera's ability. So once more, it's wasted money to buy such a camera. And frankly, 2 images/second really sucks. Even the cheapest IQeye cameras can do 30 images/second. (And the Gompers-specified cameras are far from the cheapest.)

And that MCPS standard (for which MCPS paid Gompers) for IQeye cameras and their megapixel cameras? That was a waste of money too. I don't know how much MCPS paid Gompers but it wouldn't surprise me if it was in the range of $50K - $100K.

By the way, according to MCPS Superintendent Jerry Weast, " All of our technology partners know they are not permitted to use MCPS testimonials in advertising." This is a quote from a January 2009 memo of his (see answer #9). This is otherwise known as MCPS Policy BBB. As can be seen with the press release from IQeye, this policy is clearly being ignored. Writing in the Parents Coalition Blog, Janis Sartucci described this in detail along with several other failures of the policy. It is an eye-opening read.

Bottom Line

Although I've picked out just a few examples, the entire proposal has more. Some of them are harder to explain but equally laughable. Browsing the proposal is not for the faint-of-heart but if have a bit of technical expertise, give it a read. Post a comment describing the absurdities that you find. (Here's one to get you started: Search for Linux and Windows.)

So what's this going to cost? Because it sounds incredibly expensive. Add up all paraphenalia in the RFP (chemical warefare detectors?!), new software (that we get to debug), labor costs (one-time, maintenance, training), etc., and we're talking millions of dollars. And that's for a system that has no functional guarantees that it will actually stop anyone from entering the school and, for that matter, even detect a knife or gun.

At my own workplace, we have card-based entry systems that are regularly bypassed. Two people approach the door at the same time, the first swipes the card. The second walks through while the door is still open. So much for million-dollar security. We could spend less (and lower the unemployment rate) by employing people to stand at the doors all day. Better yet, let's pay these people to stay home. It would be an equally effective system and a whole lot cheaper.

Sunday, August 09, 2009

FIOS schedule for Rockville and Gaithersburg

Verizon's construction schedule has expanded significantly from the last time I checked it. Their Maryland FIOS schedule suggests that Verizon is cruising through Rockville. Gaithersburg, too. Gaithersburg approved its franchise this past May and predicting complete coverage by the end of 2009. Bets, anyone?

Both Rockville and Gaithersburg have information pages on their individual websites for cable TV and telecommunications (Rockville, Gaithersburg) but they are pretty skimpy - and in the case of schedules, just referring the reader back to the companies. Don't hesitate to contact your local officials if you have questions.