There has been a lot of hype recently in Tampa Bay about the “Here Comes the Bus” app. This is a system that allows parents to see when their kids have gotten on a school bus, and where the bus is. Some parents are concerned that systems like this one could let malicious users or government agents track their children. So I’m going to give a quick overview of how systems like these work, and why they are not dangerous. We will also look at what parents SHOULD be concerned about.

How it works

The system is fairly straightforward. Students have either a barcode or a passive RFID chip printed onto their “Bus Pass” – which is just a card they carry around. This card is scanned once the student boards the bus, either with an RFID reader or a barcode scanner (basically the same technology used at grocery stores and clothing shops).

The barcode or the RFID chip carries a simple ID number. This number does not represent the student in any identifiable way – it’s just randomly assigned. The RFID scanner is connected to an internet-enabled device and sends the ID number securely to a server.

Keep in mind, if any data is intercepted up to this point, it is of no use to an attacker. The attacker would at best get a random number that means nothing.

On the other side of the system is the parent’s app. This app is connected to the Here Comes the Bus servers, which let the parent know that their child is on the bus. The bus also has a GPS tracker on it, which connects to the internet and lets the Here Comes the Bus servers know where the bus is.

That random ID number is then looked up in a database which lets the application know which child has been assigned that ID number. The parent’s device securely requests that information, and it is provided securely down to the app.

It is possible the data coming down to the parent could be intercepted by an attacker. However, as this technology is very secure and is commonly used in almost every piece of software these days (from your health systems to banking apps), it is HIGHLY unlikely.
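A minimal model of the flow described above, as an added example that is not part of the original article and is not Here Comes the Bus code: the class, field names, and sample values are all assumptions. It shows that the scan message carries only the random card ID, while the name lookup and the check that a parent may only see their own child both happen on the server.

```python
import secrets


class BusServer:
    """Hypothetical server: the only place a card ID is tied to a student."""

    def __init__(self):
        self._card_to_student = {}  # card ID -> student (never leaves the server)
        self._guardians = {}        # student -> set of authorized parent accounts
        self._last_scan = {}        # student -> (bus, time) of latest boarding

    def enroll(self, student, parents):
        card_id = secrets.token_hex(8)  # random, not derived from student data
        self._card_to_student[card_id] = student
        self._guardians[student] = set(parents)
        return card_id

    def record_scan(self, event):
        student = self._card_to_student.get(event["card_id"])
        if student is None:
            return False  # unknown card: nothing is recorded
        self._last_scan[student] = (event["bus"], event["time"])
        return True

    def status_for(self, parent, student):
        # A parent account can only query children it is registered for.
        if parent not in self._guardians.get(student, set()):
            raise PermissionError("not a registered guardian")
        return self._last_scan.get(student)


def scan_event(card_id, bus, time):
    """What the bus reader transmits: no name, school, or address."""
    return {"card_id": card_id, "bus": bus, "time": time}


def demo():
    # Constructed sample data for illustration only.
    server = BusServer()
    card = server.enroll("Student A", ["parent_a"])
    event = scan_event(card, "bus-12", "07:42")
    server.record_scan(event)
    return server, card, event


if __name__ == "__main__":
    server, card, event = demo()
    print("sent by the bus:", event)
    print("parent's view:  ", server.status_for("parent_a", "Student A"))
```

The same card ID is sent on every scan, so it is still a stable identifier; the design only guarantees that the ID means nothing without the server-side table.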

Could you track kids using their cards?

Some of these bus passes contain a chip, and that sounds scary right? Well, you don’t have to worry too much. These chips are passive RFID chips, the same type of technology that is imprinted in clothing labels to stop theft. Passive means that they need to be picked up by a powered scanner. In order to track a child, you would need to know their ID number (the randomly assigned one), and then set up expensive, high-powered scanners all around town. So it is possible, but there are WAY cheaper and easier ways to track someone. So this seems incredibly unlikely.

Could you track kids if you hacked into the Here Comes the Bus servers?

So the one thing that COULD happen is the Here Comes the Bus’ servers could be hacked. An attacker could break into the database and potentially be able to work out where a child has been, but this does not necessarily mean they will be able to find information on a particular child either. This data is hopefully encrypted, or linked to the school’s secure systems. I can’t speak to how this system has been secured and architected. My best guess is the system was designed with the understanding that this is sensitive data, and great care should be taken over the security. There are also a number of regulations in place that govern the usage and security of student and child data. The Children’s Online Privacy Protection Act of 1998 (COPPA) provides strict regulations regarding a child’s data. The Family Educational Rights and Privacy Act of 1974 (FERPA) gives parents certain rights with respect to their children’s education records. These two regulations will have been taken into account by the developers and the school board when evaluating this software.

Should I be worried about this?

No system is perfect; every system has inherent risks, but these risks need to be balanced against the rewards. I think that the safety aspects of this application far outweigh the highly remote possibility of the system being misused. There are WAY easier ways to track people than trying to exploit a system like this.

So what should I be worried about?

There are real threats and issues out there for you to be worried about. Kids download all sorts of things to their devices, and these downloads represent real, actual threats. Malware embedded in games, social media apps, and even downloaded backgrounds can track your exact GPS location, leak your phone number, show inappropriate content, or steal personal information.

Instead of worrying about the government tracking your kids while you send them to a public school, take a look at your kids’ actual devices. Install something like Norton Security Online and Norton Security for iOS or Android, or Malwarebytes. Also talk to your kids about what apps they’re using, and listen for anything strange about their data usage, content that is coming up unexpectedly, or unusual phone calls they’re getting. These are indicators of real threats to kids’ information and are valid concerns for parents.

I help cruise lines turn their technical ideas into reality. I'm experienced in all stages of innovation and technology management. I've also been programming since I was 8 years old, and have somehow retained the ability to have normal human interactions. Occasionally I speak about how Industrial Psychology and Neurophysiology can be interrogated with IT and systems management, because I spend a lot of time thinking about the subject, as strange as that may seem.


Software Development Teams: Build vs. Contract

Almost every business is technology-enabled in some way these days. Hair salons do their scheduling online, powerline workers train in VR, and pharmacists use AI systems to check for contraindications. There are very few businesses out there that could not be made more efficient and profitable — or provide better services for their customers — through technology.

In most situations, buying software and customizing it makes the best sense. You need a word processor and an accounting system, but it would show boldness to the point of lunacy to build one yourself. Quickbooks and Microsoft Word are worth the few hundred dollars a year. They might not be perfect, but the cost to build and maintain your dream accounting software could run into the millions.

However, in many situations, businesses invent new ways to improve their internal operations or their customer experience. While comparable off-the-shelf solutions may exist to fit those needs, a custom-built product is likely the only way to deliver the required features and processes the company is looking for. Features like these become competitive advantages. Organizations want to own the intellectual property behind their competitive advantages. You don’t want to license these types of systems if your competitors can license them just as easily.

That leaves companies with one choice: Build your own custom software. But the question is whether you should try and build your business-changing application in-house or outsource it to a development agency.

Cost vs. Time

Most decisions in the professional space come down to the project management triangle. If you want to build software of any decent quality, you can pick two of the three corners to move: cost, time, and scope (the number and robustness of features the project has). If you want fast and cheap, you have to shrink the scope. If you want robust and cheap, you’ll have to wait a long time.

The decision to hire an agency or build a team hinges on these three corners. In business applications, scope is usually the non-negotiable — the requirements are the requirements. Building a team takes a lot of time and costs money. Hiring an agency will drastically reduce the ramp up time by comparison, but potentially cost more. If you are worried about quality, remember that you get what you pay for.

Management Structure

Deciding to build out your own development team is not for the faint of heart, but it can have serious benefits.

To build a basic, but healthy and functioning, software team you will need the following:

  • A CTO or CIO to handle strategy and management.
  • A Director of Engineering to manage the team, build out processes, etc.
  • A Software Architect to design the system. (This can be a senior developer for small teams.)
  • A couple of DevOps engineers to manage the environments.
  • At least one QA expert. (No, developers can’t check the work themselves, I’ve tried.)
  • Developers, including full-stack, frontend, and backend developers if you’re building out a product. A good mix of senior, mid-level, and junior developers would be my recommendation to make the team robust.
  • A product owner, preferably someone with management experience.
  • A scrum master (if you’re following Scrum/Agile).
  • A UX expert. I cannot overstate the importance of this role! (They can be outsourced if you have to, but are much better to have on the team.)
  • A visual designer. Depending on the product you are building, this is the one optional role.

This is the biggest reason to hire an agency. If you want something built well, you really need a team that looks something like this. Depending on your budget and experience, it could take years to put a team like this together.

However, if you have highly technical and experienced upper management there are benefits to in-house teams.

But We Are a Lean Startup

That’s great! Then you don’t need any of the stuff I listed above. But if you are purely a technology startup, then you (I’m guessing you’re a founder) need to be building the tech yourself, or at least have a co-founder building the tech. As the company scales, you can bring on additional help and you will almost certainly start looking like the organization above.

How Long Does It Take To Build a Team?

It depends on if you’re talking about a good team, or just any team. Building an organization from scratch takes time. You need to recruit, hire people, onboard them, manage them, weed out the good, let go of the bad, hire replacements for those let go, etc. You also need to invent, document, and enforce the systems and processes that will lead to the best outcomes. You will need to build a culture of caring, accountability, and quality. So, basically it will take a long, long time. This is a lot easier to do if you have a top rated CTO or a Director of Engineering in place already. Someone who has gone through this process before will be able to get you up and running much more quickly. They will also be able to oversee all stages of the team building from recruiting to delivery.

Recruiting may be the hardest piece of all of this. Good developers don’t want to join companies without histories of good development practices. So if you don’t have someone for new hires to look up to, you’re going to be stuck with coders who are just looking for a job, and they don’t write good code.

In-House vs Outsourced — Conclusion

Unless you are going to go with the lowest bidder, there probably isn’t that much difference between a good internal team and a good agency. Well-run development studios partner closely with their clients and eventually start to act as part of the same company. The developers in agencies like this feel as much ownership in what they are building as full-time employees would — sometimes more.

Price is not going to be dissimilar either. Once you count things like benefits, office space, management scaffolding, training, hardware and software tools, payroll, HR, etc., etc., etc., it’s unlikely that in-house could be done cheaper than even the large agencies.

The real difference comes down to the level of control you want over the team and the type of product you’re building. If you are a small technology startup you would be crazy to hire a big agency unless your product needed to be really good from day one. If you plan on becoming a technology company, you might want to try a hybrid of agency and in-house. Finally, if you are a small- to medium-sized company whose existing products or services are not predominantly tech-focused or delivered, I would suggest not doing development in-house.