"Can I have your badge number and the source code to your breathalyzer?" (arstechnica.com)
278 points posted 1 day ago by cangiano

vagif 29 points 18 hours ago

Anything that is used by government should be opensource.

Companies that make products for government should be aware of that.

sjs 17 points 17 hours ago *

People in general should have the code for software they use, especially the government. If the government uses programs that affect the public, such as the one running the breathalysers, then it should absolutely be mandatory for that code to be open to public scrutiny. Furthermore there should be a way to ensure that the code running on the individual devices has not been modified. For all we know the first night someone is sitting in their cell the cops could just change the code on the device they used to bust them.

I know that most cops are trying to help us and are good people, but shit happens and there are bad people in the world. Some of them happen to pursue noble careers.

jonknee 5 points 14 hours ago

How about anything used to prosecute people? It doesn't make sense that every government employee could not get access to mainstream tools and devices. But you shouldn't lock people up with secret binaries. Same thing with classified material, it should have to be handled with tools at least the handling agency has the source code for.

IMesh -5 points 15 hours ago [comment score below threshold]
tjg05 1 point 9 hours ago

I don't know why you are getting downmodded, to my knowledge modern breathalysers are based on IR spectroscopy. It would be quite simple to verify that the machine accurately reports ethanol concentrations of standard vapour samples. Obviously you wouldn't want to test a different machine as you stated, but the one that was actually used to breathalyse you.

If the machine passes these tests I don't see a need to release the source code, it's not reasonable IMO for every forensic science lab to release source code to all of their analytical apparatus that could potentially be used to convict someone.

Shaper_pmp 4 points 5 hours ago

Maybe you missed this part of the article:

One of the common criticisms... of breath devices is that the "state-certified" models are updated even after they are certified. The companies that manufacture the machines make tweaks, bug fixes, and even add new features, but the machines are not generally recertified after every single source code change. This means that any given machine could potentially be running non-certified code, code which may or may not have errors. And as voting machine software has shown, assuming that such source code is rigorously locked down and tested can be a bad idea.

The problem isn't that "spectroscopy" might suddenly stop working or anything stupid like that.

The problem is that some random programmer's uncertified accidental code fuck-up might send me to jail for years.

tjg05 2 points 5 hours ago

I see your point, but then surely a recertification of the machine would prove that the machine is working correctly, unless you're arguing that the code may contain random bugs that may or may not present themselves during testing.

Shaper_pmp 2 points 4 hours ago *

There are two issues here:

First: yes, recertification would be better than no recertification at all.

Second: yes, ability to inspect the code would be the best alternative of all.

Given how easy it is for bugs to be present in any non-trivial system, I'd be highly surprised if there weren't unknown nasties lurking in this kind of embedded system. Given how often these systems are used, and how often "proprietary" is used as a cover-all excuse to hide all sorts of inadequate, buggy or broken code, ability to defend myself by checking the code for bugs seems only fair.

Basically, if someone's testifying against me I reserve the right to question them as well and see if their story holds up.

If it's a machine testifying against me I reserve the same right to try to find out if it's lying, crooked or just mistaken.

Against the possibility of wrongly convicting an innocent, the minimal business interests lost in giving NDAed access to the code seems so trivial it seems positively offensive for companies to refuse.

jonknee 4 points 4 hours ago *

From Wikipedia:

Breathalyzers assume that the subject being tested has a 2100-to-1 partition ratio [7] in converting alcohol measured in the breath to estimates of alcohol in the blood. If the instrument estimates the BAC, then it measures weight of alcohol to volume of breath, so it will effectively measure grams of alcohol per 2100 ml of breath given. This measure is in direct proportion to the amount of grams of alcohol to every 100 ml of blood. Therefore, there is a 2100 to 1 ratio of alcohol in blood to alcohol in breath. However, this assumed "partition ratio" varies from 1300:1 to 3100:1 or wider among individuals and within a given individual over time. Assuming a true (and legal) blood-alcohol concentration of .07%, for example, a person with a partition ratio of 1500:1 would have a breath test reading of .10%—over the legal limit.

http://en.wikipedia.org/wiki/Breathalyzer#Homeostatic_variables

So they correctly measure things, but then take the results and multiply them by essentially an average value that can vary widely depending on the person and the time tested. Which means the results should never be trusted, especially for close calls like blowing a .08 on the dot.

jonknee 9 points 14 hours ago

Or that it's just easier and cheaper to do than a blood test and courts accept it. They get more convictions with less cost. Breathalyzers by definition aren't accurate because they don't use blood but try to calculate blood alcohol content. It's all a guess. With criminal charges attached.

pythor 1 point 6 hours ago *

The problem, which is stated in the article, is that certification like that only happens once for the machine. Patches to the software are regularly applied, and the machine is not then re-certified. So if the latest patch had a bug that turns 0.01 into 0.55, how would you know it? Having the current source is the best way to look for this type of thing.

*edit spelling

In addition, I agree with the other posts that anything the government uses to convict should be open source. It's the principle of being able to face your accuser. In this case, the software itself is the accuser.

westsan 14 points 17 hours ago

"For all we know, it's a random number generator." hahaha... How do you know they QA'd it??

ryanx27 4 points 9 hours ago

It's based on D20, and I guess the guy didn't have a good enough Sobriety saving throw.

seanodonnell 12 points 18 hours ago

There were a bunch of cases thrown out in Ireland at one stage on the same grounds. Someone asked to see the source, the state didn't have a licence to it and the judge threw the case out.

deeperror 4 points 15 hours ago

would have to compile the code and check against the binaries on the breathalyser? I can give you source code all day but if there isn't anything to compare it against it is useless.

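An added example, not part of the thread and not any vendor's or court's tooling: the comparison raised in the comments above (is the image on the device the one that was certified, and does the disclosed source actually build to it?) as a Python check. Version strings and image bytes are constructed sample data, and the check assumes the build is deterministic, so the same source always yields the same bytes.

```python
import hashlib


def image_digest(image: bytes) -> str:
    """SHA-256 of a firmware image, ignoring trailing erased-flash padding.

    A whole-chip dump is usually longer than the build output because unused
    flash reads back as 0xFF; stripping it on both sides makes them comparable.
    """
    return hashlib.sha256(image.rstrip(b"\xff")).hexdigest()


def _match(digest, table):
    """Return the version in `table` whose digest equals `digest`, else None."""
    for version, known in table.items():
        if digest == known:
            return version
    return None


def classify_device(dump, certified, rebuilt):
    """Classify the image read from the device that produced the evidence.

    dump      -- bytes read out of the device's program memory
    certified -- {version: digest recorded when that version was certified}
    rebuilt   -- {version: image bytes compiled from the disclosed source}
    """
    d = image_digest(dump)
    rebuilt_digests = {v: image_digest(img) for v, img in rebuilt.items()}
    cert_version = _match(d, certified)
    src_version = _match(d, rebuilt_digests)
    if cert_version and src_version:
        # Certified, and the disclosed source reproduces it: reviewable.
        return ("certified", cert_version)
    if cert_version:
        # Certified image, but the source handed over does not build to it,
        # so reading that source says nothing about this device.
        return ("certified-but-source-does-not-reproduce", cert_version)
    if src_version:
        # A vendor update applied in the field and never recertified.
        return ("matches-source-but-never-certified", src_version)
    # Neither certified nor explained by any disclosed source.
    return ("unknown-image", None)


# --- constructed sample data (not real firmware) ---
FW_1_0 = b"FW-1.0" + bytes(range(32))
FW_1_1 = b"FW-1.1" + bytes(range(32))
FW_0_9 = b"FW-0.9 source not disclosed"
MODIFIED = FW_1_0[:-1] + b"\x00"          # one byte changed after the fact

CERTIFIED = {"0.9": image_digest(FW_0_9), "1.0": image_digest(FW_1_0)}
REBUILT = {"1.0": FW_1_0, "1.1": FW_1_1}  # what the disclosed source builds to

if __name__ == "__main__":
    samples = {
        "dump with flash padding": FW_1_0 + b"\xff" * 64,
        "field-updated unit": FW_1_1,
        "old unit": FW_0_9,
        "altered unit": MODIFIED,
    }
    for label, dump in samples.items():
        print(label, "->", classify_device(dump, CERTIFIED, REBUILT))
```

The result is only as good as the dump: the image has to be read out independently of the firmware under test (for example from the memory chip itself), since modified firmware asked to report its own contents can return whatever it likes.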
SteveAM1 31 points 20 hours ago

Although the defendant was probably just trying to get out of a DUI, it does seem fair that he has access to it.

washcapsfan37 -11 points 19 hours ago [comment score below threshold]
SteveAM1 15 points 14 hours ago

The Breathalyzer is essentially a witness. The defendant should be able to "cross examine" it.

washcapsfan37 4 points 8 hours ago

And you can't do that simply by taking the unit as a whole and running a set of controlled tests with it?

dcormier 7 points 18 hours ago

The state isn't sure that it has the rights to the source code, though the agreement between CMI and the state does appear to give the state the necessary control of the source code.

If that's true and the state does have "the necessary control of the source code," then as a tax-paying citizen I think it is fair that he have access to it.

gid13 16 points 16 hours ago

The state should be forbidden from using closed-source equipment as evidence to prosecute people. In other words, either he should have access to the source code, or the trial should be thrown out.

washcapsfan37 -1 points 18 hours ago

I guess it depends on the legalities behind the company giving control of the source code over. The state may only have had control of it for testing and certification purposes. There could also be a clause in the contract stating the state isn't allowed to give the source code out to anyone. If that isn't the case, I would see no harm.

pjdelport 3 points 13 hours ago

There could also be a clause in the contract stating the state isn't allowed to give the source code out to anyone. If that isn't the case, I would see no harm.

Not being able to give out the source code is the harm.

washcapsfan37 -1 points 8 hours ago

Wouldn't being able to take the unit as is and running your own set of controlled experiments on it be sufficient?

xtra_sharp 2 points 7 hours ago

No.

jbert 3 points 6 hours ago

Patenting something is the opposite of keeping it secret. In order to patent something you must publish it so everyone can see it.

This is supposed to be the trade-off - you contribute to the general body of public knowledge, but get a time-limited monopoly on some specific applications (and/or can license those applications to people).

One problem (not the only one) with software patents is that the software and IT businesses move sufficiently quickly that the time period of the patent is "too long".

In general, companies are allowed to try and keep things secret. But finding out such things (as long as you break no other laws in the process) is perfectly legal.

Whether a company's attempt to keep things secret should be allowed to trump the public interest of someone accused of a crime is what the court has just given a view on - and come down in favour of the public interest.

kudzoo 9 points 18 hours ago

I would tend to disagree. The tools used are patented to commercial companies that rely on being able to keep their company secrets to be able to compete in the marketplace. This seems like a quick and easy way to get all the know-how for a competing company.

Too bad. Any unique features of their product can easily (some say too easily) be protected by patents. Trade secrets, algorithms that haven't been vetted, and so forth have no place in a product that acts as de facto judge and jury as these devices do.

Yes, yes, I know that the world of breathalyzers isn't exactly overflowing with corporate espionage, but it's more of the basic principle. If the government has certified the device I think it should be sufficient -- but, like they bring up in the article, if newer versions of the product are in use without certification that could be grounds for dismissal.

Why do I care about Government certification? Most of these certifications are banjo playin', porch sitting, toothless, products of an incestuous bureaucrat-corporate partnership. If you lean towards conspiracy rationale there exists the undeniable fact that the Government is more than happy to convict as many people of drunk driving as possible. Keep those dollars rollin' in. Certainly a defendant has the right to ensure that these electronic marvels of our age represent a true and accurate representation of their intoxication level.

Another aspect of this would be suppose you were trying to hack into a government computer system and were caught when the network's IDS logged your attempt. Does that mean you should get the rights to the IDS source and possibly the OS it was running on (assuming it wasn't already open source)?

I think so, yes. Certainly the detail and quality of the IDS logs and how the logs are/were handled should be in question. At least by a good defense attorney. The difference is once the IP is logged typically a warrant is obtained and the recovered computers further incriminate the suspect. Requesting details of the OS is somewhat irrelevant in such a case, sort of like requesting the service records of the cop car that busted you running away from a bank robbery. It is sort of beside the point.

washcapsfan37 -2 points 17 hours ago

So if someone attempts to gain access to a classified government system and gets caught, he should be allowed to have access to that very system so he can validate the logging mechanisms and any other security aspects of the system?

... anyone else see something wrong with that?

Requesting details of the OS is somewhat irrelevant in such a case, sort of like requesting the service records of the cop car that busted you running away from a bank robbery. It is sort of beside the point.

Uh, no. The OS logs many things itself. Therefore it would be part of the security measures. Attempted failed logins, user accounts accessed, file permissions changed, etc. All handled by the OS.

jrockway 0 points 10 hours ago

So if someone attempts to gain access to a classified government system and gets caught, he should be allowed to have access to that very system so he can validate the logging mechanisms and any other security aspects of the system?

Yes, exactly. What's to say that the evidence against you isn't being generated by "echo 'guy-i-hate: breakin attempt' > log"? You need the source to verify that the data is being collected correctly. Otherwise, the data is worthless.

washcapsfan37 1 point 8 hours ago

The logs won't tell you how the entry was created. I can just as easily fake a log entry by appending something to the log file manually as by letting whatever program writes to it do its job. Just as someone who's good at system intrusion knows to go into these same files and remove the entries that show they were there.

ubernostrum 4 points 16 hours ago

So if someone attempts to gain access to a classified government system and gets caught, he should be allowed to have access to that very system so he can validate the logging mechanisms and any other security aspects of the system?

Fallacy: red herring. Someone breaking into a classified system is not in the same situation as someone who has been charged with a crime and wishes to confront the witnesses against him while mounting his defense, and hence your argument fails for lack of a convincing or even relevant analogy.

As for the merits of this ruling: the device and its software are -- in this case -- "witnesses" providing evidence against him, and the defendant has a constitutionally-guaranteed right to examine those "witnesses" and to compel their appearance in court as part of his defense.

Being as it is a part of the US Constitution, this absolutely trumps any and all claims of protection which might be raised on the basis of copyrights, patents or trade secrets. Case closed.

decagon 14 points 18 hours ago

The tools used are patented to commercial companies that rely on being able to keep their company secrets to be able to compete in the marketplace.

They aren't patented. Patenting a method makes a description of the method publicly available.

detlev409 -1 points 18 hours ago

Trade secret then?

decagon 12 points 18 hours ago

Sure, but I still think the responsibility of companies that provide forensic tools to demonstrate that their products work outweighs their right to protect trade secrets.

jbstjohn 2 points 11 hours ago

Yes, but this could be done without making it open source. He, his counsel, and expert support could sign an NDA, and then get to look at the code.

I don't know what grounds a company could use to resist that.

detlev409 4 points 17 hours ago

I can agree quite readily with that. Anything that has the potential to cost a man his freedom should definitely be verifiable.

washcapsfan37 -3 points 17 hours ago

So if someone tries to hack into a bank's mainframe and is caught, they should be allowed access to all the security mechanisms utilized by the bank that caught him? Guess he won't be making the same mistake twice...

2pac2pac2 1 point 6 hours ago

Worst. Analogy. Ever.

oska 14 points 17 hours ago

The tools used are patented to commercial companies that rely on being able to keep their company secrets to be able to compete in the marketplace.

We're talking about software. Up until very recently the consensus was that you couldn't patent software methods. You still can't patent a piece of actual software. You can only claim copyright.

If the government has certified the device I think it should be sufficient

Some people don't consider blind trust in government being sufficient when their liberty is at stake.

This is evidence being used in court to procure a conviction. The technical methods used to create that evidence must be examinable.

Finally, I'd like to state that I support random breath testing and that if you drink and drive then you're a bloody idiot.

washcapsfan37 -1 points 17 hours ago

You're assuming the breathalyzer even has software components. I'm betting if it does it's a few kilobytes on an EEPROM chip. Most breathalyzers I've seen don't look that complicated.

Some people don't consider blind trust in government being sufficient when their liberty is at stake.

Very true, especially considering the way this administration is heading. But at some point you have to trust someone to tell you it's OK unless you yourself understand the technologies.

jonknee 5 points 14 hours ago

If there has been a huge fuss about turning over said software, it's safe to say it exists.

jbstjohn 2 points 11 hours ago

You have to consider that because of efficiency reasons, the state has somewhat abdicated its oversight role -- the article states that numerous updates, patches, etc., are made without a re-certification process. So you really have no way of knowing what code was running when you were charged, nor does the government.

washcapsfan37 0 points 8 hours ago

I think they might be making a mountain out of a molehill personally. I can't imagine there being that many patches/upgrades to a breathalyzer... unless it somehow runs Windows.

2pac2pac2 1 point 6 hours ago

Or Oracle :-)

clerywang 0 points 13 hours ago

haha, valued page to view

cryofan -3 points 21 hours ago

"assume the position, punk. You going to jail."

That would be the response down here in Texas to your request.

dibblego 7 points 20 hours ago

I found Texas police to be very polite when I visited the US 5 years ago. But then, I only have our Australian authorities to compare it to.

911was_an_inside_job -13 points 19 hours ago [comment score below threshold]
schizobullet 1 point 18 hours ago

Looking at your posts you appear to be satirical. Pretty sad that this isn't obvious.

awj 6 points 18 hours ago

Oh no, it was obvious to me, it just also wasn't funny.

911wasnotaninsidejob 4 points 16 hours ago *

No there wasn't and no it wasn't. Go to sleep peopleep!!

Prysorra -2 points 14 hours ago *
           
            ____________________________________
         |                ____                |
         |    \        / |    | \        /    |
         |     \  /\  /  |    |  \  /\  /     |
         |      \/  \/   |____|   \/  \/      |
         |                                    |
         |            YOU HAVE WON            |
         |                                    |
         | The Weirdest Counter-Troll Award!  |
         |____________________________________|
           
          
JesusLovesMe -2 points 18 hours ago

Off topic. Banhammer!!

JesusLovesMe -7 points 18 hours ago [comment score below threshold]
Darkmeerkat -4 points 20 hours ago *

But the real question is, Does It Run on Linux?

kindall 0 points 18 hours ago

Imagine a Beowulf cluster of those!
