Slashdot Mirror


Court Orders Breathalyzer Code Opened, Reveals Mess

Death Metal writes with an excerpt from the website of defense attorney Evan Levow: "After two years of attempting to get the computer based source code for the Alcotest 7110 MKIII-C, defense counsel in State v. Chun were successful in obtaining the code, and had it analyzed by Base One Technologies, Inc. By making itself a party to the litigation after the oral arguments in April, Draeger subjected itself to the Supreme Court's directive that Draeger ultimately provide the source code to the defendants' software analysis house, Base One. ... Draeger reviewed the code, as well, through its software house, SysTest Labs, which agreed with Base One, that the patchwork code that makes up the 7110 is not written well, nor is it written to any defined coding standard. SysTest said, 'The Alcotest NJ3.11 source code appears to have evolved over numerous transitions and versioning, which is responsible for cyclomatic complexity.'" Bruce Schneier comments on the same report and neatly summarizes the take-away lesson: "'You can't look at our code because we don't want you to' simply isn't good enough."

31 of 707 comments

  1. But does it work? by will+this+name+work · · Score: 4, Insightful

    Poorly written code is one thing, but does it ultimately work?

    1. Re:But does it work? by Jason1729 · · Score: 4, Insightful

      Does it matter? The real question is "Can a prosecutor convince a computer illiterate judge beyond reasonable doubt that it does ultimately work?".

    2. Re:But does it work? by Yold · · Score: 5, Insightful

      I read the report earlier, and there are some very valid issues with the source. The first is that it incorrectly averages readings taken, assigning more weight to the first reading than the subsequent ones. It also has a buffer overflow issue, where an array is being written past its end, and even if this results in an error, it goes unreported.

      You would have to be a fricken moron not to have a problem with mis-averaging, however in my experiences with law-people, they can be even worse than PHBs.

    3. Re:But does it work? by gd2shoe · · Score: 4, Insightful

      Good question, but it needs to be reworded. Does it always work for all inputs?

      Also important, if it's a poorly written mess, why is the company claiming that it works? I see no indication that they've done due diligence for a device used to convict people. Just because they've never observed it to fail, doesn't mean a thing.

      --
      I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    4. Re:But does it work? by mea37 · · Score: 4, Insightful

      My first thought as well.

      Of course, with poorly written code, it's hard to show whether or not the code ultimately works by examination of the code.

      Then again, proving that the code works (which should be the standard when the code is analyzed in court) by code examination is very difficult even for well-written code.

      Perhaps a better approach would be documented, repeatable testing of the device. When I challenge a radar gun, I get to ask about its calibration documents, but I don't think I get to debate the blueprints from which it was built.

      My personal opinion - and before getting on an "innocent until proven guilty" kick bear in mind that I'm not a part of the court system in this case - is that the defense realizes that almost all software systems look awful and are trying to game their way out of a conviction they've probably earned.

      That said, if for no other reason than to eliminate such gaming, there should be standards for testing and documenting the proper function of these devices. Any device that can't be calibrated and tested with sufficient certainty should be banned from use as evidence in court. If the device passes the test, then exactly how it does it shouldn't really matter.

    5. Re:But does it work? by MozeeToby · · Score: 4, Insightful

      I'd be more interested in their test plan and test results than their source code if I were trying to convince a computer illiterate judge of something. Find a missing test case or an uncovered corner condition and you might have a decent case, code that doesn't pass static analysis and is ugly... well that pretty much defines 99% of the code out there.

    6. Re:But does it work? by vertinox · · Score: 4, Insightful

      Of course, with poorly written code, it's hard to show whether or not the code ultimately works by examination of the code.

      Of course it works because it gives an end result instead of an error message.

      The question everyone should ask is "Does it work accurately?" or "Does poorly written code skew the results?"

      Can the defense prove that the code was written so haphazardly that it ignores some data or does it round incorrectly like Excel does? These things do and can happen with sloppy code.

      That said, if the code is just poorly commented and indented correctly (*wink*) but does the math right and makes sure there isn't a sampling or rounding problem, then it isn't a problem.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    7. Re:But does it work? by plague3106 · · Score: 4, Insightful

      code that doesn't pass static analysis and is ugly... well that pretty much defines 99% of the code out there.

      It's more than ugly, it's difficult to maintain. Also, this point is largely irrelevant; 99% of the code out there isn't spitting out a number that says you're guilty of a serious offense.

    8. Re:But does it work? by internerdj · · Score: 4, Insightful

      Also it looks like their out of range error scheme was to set it to the closest legal value and report it if it was recurring and continuous. Assume for a moment you took a test right after the last good reading, you took 32 samples. It would only report an error if all 32 samples failed. Otherwise 31 of the 32 will report the maximum legal extreme closest to that reading. Couple that with the fact that the averages were taken incorrectly, this isn't just reasonable doubt it is worse than using a RNG to find if they are drunk.
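The clamp-and-stay-silent scheme described in the comment above, next to a stricter alternative, as an added example that is not part of the thread and is not the Alcotest source. The range limits, the function names and the sample data are assumptions made for illustration.

```c
#include <stdio.h>

#define N_SAMPLES 32
#define RANGE_MIN 0      /* assumed limits, chosen for illustration */
#define RANGE_MAX 4095

/* Constructed input: 31 out-of-range samples and one valid one. */
void fill_constructed(int *raw)
{
    for (int i = 0; i < N_SAMPLES - 1; i++)
        raw[i] = 9999;
    raw[N_SAMPLES - 1] = 1000;
}

/* Scheme as described in the comment: clamp silently, flag an error
   only when every sample was out of range. Returns 0 = ok, -1 = error. */
int average_clamped(const int *raw, int n, int *avg)
{
    long sum = 0;
    int bad = 0;
    for (int i = 0; i < n; i++) {
        int v = raw[i];
        if (v < RANGE_MIN) { v = RANGE_MIN; bad++; }
        else if (v > RANGE_MAX) { v = RANGE_MAX; bad++; }
        sum += v;
    }
    *avg = (int)(sum / n);
    return (bad == n) ? -1 : 0;
}

/* Stricter alternative: never substitute a value; refuse to produce a
   result if any sample was out of range, and say how many were. */
int average_strict(const int *raw, int n, int *avg, int *bad_count)
{
    long sum = 0;
    *bad_count = 0;
    for (int i = 0; i < n; i++) {
        if (raw[i] < RANGE_MIN || raw[i] > RANGE_MAX)
            (*bad_count)++;
        else
            sum += raw[i];
    }
    if (*bad_count > 0)
        return -1;
    *avg = (int)(sum / n);
    return 0;
}

int main(void)
{
    int raw[N_SAMPLES], avg = 0, bad = 0;
    fill_constructed(raw);
    int rc = average_clamped(raw, N_SAMPLES, &avg);
    printf("clamped: rc=%d avg=%d\n", rc, avg);
    rc = average_strict(raw, N_SAMPLES, &avg, &bad);
    printf("strict:  rc=%d bad=%d\n", rc, bad);
    return 0;
}
```

With 31 of 32 samples invalid, the clamped version still returns success and an average that is almost entirely substituted values.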

    9. Re:But does it work? by Carnildo · · Score: 5, Insightful

      Perhaps a better approach would be documented, repeatable testing of the device. When I challenge a radar gun, I get to ask about its calibration documents, but I don't think I get to debate the blueprints from which it was built.

      Calibration and testing won't reveal all the edge cases that might cause errors. Consider a radar gun designed to take the average of five samples. You've got a car moving away from you at 70 MPH, and a duck flies into the beam for one sample, moving towards you at 5 MPH. This gives the following five samples:

      70 70 70 -5 70

      I can see a way that badly-written code would turn that into an average speed of 106 MPH (storing a signed char as an unsigned char, which would turn the -5 into a 251), and yet it would pass calibration and every test someone's likely to perform.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
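The signed-to-unsigned mistake from the radar gun comment above, reproduced as an added example that is not part of the thread. The function names, the spread tolerance and the second sample set are assumptions; the first sample set is the one given in the comment.

```c
#include <stdint.h>
#include <stdio.h>

#define N_SAMPLES 5

/* Signed speeds in MPH; negative means moving towards the gun.
   duck_samples is the set from the comment, clean_samples is constructed. */
static const int8_t duck_samples[N_SAMPLES]  = {70, 70, 70, -5, 70};
static const int8_t clean_samples[N_SAMPLES] = {70, 71, 69, 70, 70};

/* Buggy: each signed sample passes through an unsigned 8-bit variable
   before summing, so -5 is reinterpreted as 251. */
int average_buggy(const int8_t *s, int n)
{
    int sum = 0;
    for (int i = 0; i < n; i++) {
        uint8_t stored = (uint8_t)s[i];
        sum += stored;
    }
    return sum / n;
}

/* Type-correct: the sign survives, but the outlier still drags the
   average down without any indication that something was wrong. */
int average_signed(const int8_t *s, int n)
{
    int sum = 0;
    for (int i = 0; i < n; i++)
        sum += s[i];
    return sum / n;
}

/* Type-correct plus a plausibility check: if the samples disagree by
   more than max_spread, report an error instead of an average. */
int average_checked(const int8_t *s, int n, int max_spread, int *avg)
{
    int lo = s[0], hi = s[0], sum = 0;
    for (int i = 0; i < n; i++) {
        if (s[i] < lo) lo = s[i];
        if (s[i] > hi) hi = s[i];
        sum += s[i];
    }
    if (hi - lo > max_spread)
        return -1;
    *avg = sum / n;
    return 0;
}

int main(void)
{
    int avg = 0;
    printf("buggy:   %d\n", average_buggy(duck_samples, N_SAMPLES));
    printf("signed:  %d\n", average_signed(duck_samples, N_SAMPLES));
    printf("checked: rc=%d\n",
           average_checked(duck_samples, N_SAMPLES, 10, &avg));
    printf("clean:   rc=%d avg=%d\n",
           average_checked(clean_samples, N_SAMPLES, 10, &avg), avg);
    return 0;
}
```

On the clean sample set all three functions agree, which is why a calibration run with steady targets would not expose the bug.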
    10. Re:But does it work? by fracai · · Score: 5, Insightful

      Presuming it's the same summary that I read, it contained a mistake.

      Readings are Not Averaged Correctly: When the software takes a series of readings, it first averages the first two readings. Then, it averages the third reading with the average just computed. Then the fourth reading is averaged with the new average, and so on. There is no comment or note detailing a reason for this calculation, which would cause the first reading to have more weight than successive readings.

      This actually places more weight on the final reading, not the first.

      --
      -- i am jack's amusing sig file
    11. Re:But does it work? by JCSoRocks · · Score: 5, Insightful

      I'm not generally someone that insists everything needs to be open source. However, in a situation like this, where this device makes the difference between a life changing conviction and exoneration, it's pretty obvious that people should have the right to examine it. The court was able to order it opened here, but it makes you wonder how many people have been screwed by this.

      Sadly in the majority of cases where evidence based on something like this (DNA, hair analysis, etc) is shown to be based on someone or something that's not good - nothing comes of it. I saw a blurb about a "forensic expert" that would give the prosecution any testimony they wanted. The state he was based in refused to reexamine the cases he was involved in even after he was shown to be a liar.

      It's depressing but it's one reason I steer clear of the law as much as I can. As much as we Americans like to think of our legal system as dispensing justice, the sad fact is that it frequently doesn't.

      --
      You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
    12. Re:But does it work? by sexconker · · Score: 4, Insightful

      Show me a programmer creating "perfectly engineered code", and I'll show you a programmer building up its resume.

    13. Re:But does it work? by DeadCatX2 · · Score: 5, Insightful

      You are correct. In the biz, we refer to this as an exponentially-weighted moving-average-filter. Recent samples are weighted more heavily than older samples.

      y(n) = alpha*x(n) + (1 - alpha)*y(n-1)

      The alpha value controls how much of the current input makes it to the output and how much of the old output stays. i.e. with an alpha value of 0.5, half of the new value is added to half of the old value. With an alpha of 0.1, 10% of the new value gets added to 90% of the old value.

      This filter is nice because it doesn't require you to remember all the values that you want to average together, but it's a horrible way to get over the inherent noisiness in sensors.

      --
      :(){ :|:& };:
    14. Re:But does it work? by pjt33 · · Score: 4, Insightful

      This filter is nice because it doesn't require you to remember all the values that you want to average together

      Why would you need to remember all the values? As long as you remember the number of values and their total you're fine.
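The successive averaging quoted from the report, the weight each reading ends up with, and the total-and-count mean suggested in the last comment, as an added example that is not part of the thread and is not the Alcotest source. The function names and the readings are constructed; the successive scheme is the filter formula above with alpha = 0.5.

```c
#include <stdio.h>

/* Constructed readings: the same four values in two different orders. */
static const double falling[4] = {100.0, 80.0, 80.0, 60.0};
static const double rising[4]  = {60.0, 80.0, 80.0, 100.0};

/* Scheme from the report: average the first two readings, then average
   each further reading with the result so far. */
double successive_average(const double *x, int n)
{
    double avg = x[0];
    for (int i = 1; i < n; i++)
        avg = (avg + x[i]) / 2.0;
    return avg;
}

/* Arithmetic mean: only a running total and a count are needed. */
double true_mean(const double *x, int n)
{
    double total = 0.0;
    int count = 0;
    for (int i = 0; i < n; i++) {
        total += x[i];
        count++;
    }
    return total / count;
}

/* Effective weight of each reading in successive_average(): the last
   reading gets 1/2, the one before 1/4, and so on; the first two
   readings share the smallest weight. The weights sum to 1. */
void successive_weights(double *w, int n)
{
    double f = 0.5;
    for (int i = n - 1; i >= 1; i--) {
        w[i] = f;
        f /= 2.0;
    }
    w[0] = f * 2.0;
}

int main(void)
{
    double w[4];
    successive_weights(w, 4);
    printf("weights: %.3f %.3f %.3f %.3f\n", w[0], w[1], w[2], w[3]);
    printf("falling: successive=%.1f mean=%.1f\n",
           successive_average(falling, 4), true_mean(falling, 4));
    printf("rising:  successive=%.1f mean=%.1f\n",
           successive_average(rising, 4), true_mean(rising, 4));
    return 0;
}
```

The same four readings give a different result depending only on the order in which they were taken, while the arithmetic mean does not move.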

    15. Re:But does it work? by bcrowell · · Score: 4, Insightful

      Like most first time offenders, I took a plea deal to avoid significant jail time and paid the ridiculous fine and took alcohol awareness classes. The whole thing was a farce, intended to make money.

      When you use words like "farce" and "ridiculous," it makes it sound like you don't want to take responsibility for your own actions. I don't think DUI laws are "a farce, intended to make money." I think they're intended to protect people like me from getting killed by people like you.

    16. Re:But does it work? by Grishnakh · · Score: 4, Insightful

      Our legal system and government are about as non-corrupt as Mexico's. Ours just isn't quite as blatant about it.

    17. Re:But does it work? by decoy256 · · Score: 4, Insightful

      No, our system doesn't dispense "justice", which is why I'm a defense attorney.

    18. Re:But does it work? by 0100010001010011 · · Score: 4, Insightful

      The majority of crashes and deaths aren't caused by people that blow a 0.086. They're habitual offenders who blow .25s.

    19. Re:But does it work? by ppanon · · Score: 4, Insightful

      You can think that you're doing fine because you've gotten good at compensating. For instance, dancers and figure skaters can learn to compensate for inner ear/balance issues from spinning at speeds and duration that would have most people nauseous or throwing up, but the spinning doesn't affect their reflexes. However you don't have to have your cochlear sense of balance feel impaired for intoxication to be affecting your ability to drive. It doesn't take much alcohol for your reflexes and cognitive response to be impaired enough to cause an accident, even if it's not obviously apparent. While there is some variation, the acceptable BAC levels were based on correlation with average results from testing for significant reflex and attention deficits.

      You might be one of the outliers, but the odds are much better that you are one of the myriad of people who delude themselves into thinking that they are outliers because their judgement is impaired. Unless you've actually personally undergone reflex/response testing by a third party in conjunction with BAC testing to judge your personal susceptibility to alcohol, your judgement on the subject after alcohol consumption is unreliable. However your ability to compensate for impairment in normal driving conditions wouldn't save you from an accident in an unexpected situation the way unimpaired reflexes would.

      The small restriction on the few outliers is not a high price to pay for the safety of innocents. Nobody says you can't drink or drive, just that you have to exercise some level of personal responsibility and not do both (or for that matter, drive and consume any other drug that impairs your ability to drive safely)

      --
      Laissez lire, et laissez danser; ces deux amusements ne feront jamais de mal au monde. - Voltaire
  2. Code by Quiet_Desperation · · Score: 5, Insightful

    not written well, nor is it written to any defined coding standard

    Ah, so it's like most of the code in the world.

  3. Re:Coding Standard by kailoran · · Score: 4, Insightful

    Because the output is used as evidence in court?

  4. Good! by SanityInAnarchy · · Score: 4, Insightful

    Ok, I'm not happy that some people almost certainly were measured inaccurately by these things. I'm not happy that this company was allowed to pull this kind of shit -- when you do government contracting, the government should own what you do.

    However, I am very glad that the precedent has been set.

    And I am especially glad that not only is there precedent, but there's a real live example of why we need this stuff to be open.

    --
    Don't thank God, thank a doctor!
    1. Re:Good! by Red+Flayer · · Score: 5, Insightful

      when you do government contracting, the government should own what you do

      But they weren't doing government contracting. They produced a good that was purchased by the government. There's a very big difference.

      The key here is not that the government, or anyone, should own what they produced -- it's that when what they produced is used to convict someone, that person has the right to examine the methods used.

      It's not about openness, at all. It's about the right to a fair trial; openness is just a side effect.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  5. No surprise by infinite9 · · Score: 4, Insightful

    80% of the code in business fits this description. With 20 year old legacy code written by 50 consultants, then upgraded in India, then ported from one platform to another to another, and a database engine switch or two. Code gets senile. What do they expect? Good thing we're all just commodities... human lego bricks easily replaced with cheaper plastic.

    --
    Disconnect your television. Do your own research. Draw your own conclusions. They're probably lying. Don't be a sheep.
    1. Re:No surprise by legirons · · Score: 4, Insightful

      80% of the code in business fits this description

      how much of that code is given police powers to arrest someone?

  6. Just remember by captnbmoore · · Score: 5, Insightful

    This will not stop the state from using this to make a felon of you.

    --
    The Navy Motto "IF it ain't broke Fix It" "A day is wasted if you don't learn something new"
  7. Re:not written to a coding standard? by SanityInAnarchy · · Score: 5, Insightful

    Did they find any coding bugs,

    Yes. RTFA.

    2. Readings are Not Averaged Correctly: When the software takes a series of readings, it first averages the first two readings. Then, it averages the third reading with the average just computed.

    There you go. It's also inaccurate:

    The A/D converters measuring the IR readings and the fuel cell readings can produce values between 0 and 4095. However, the software divides the final average(s) by 256... Further, because of an attribute in the IR calculations, the result value is further divided in half. This means that only 8 values are possible for the IR detection...

    And, if there were a catastrophic bug, you wouldn't know it, you'd just keep getting readings:

    An interrupt that detects that the microprocessor is trying to execute an illegal instruction is disabled, meaning that the Alcotest software could appear to run correctly while executing wild branches or invalid code for a period of time. Other interrupts ignored are the Computer Operating Property (a watchdog timer), and the Software Interrupt.

    This belongs on The Daily WTF.

    --
    Don't thank God, thank a doctor!
  8. Re:No. by Ohio+Calvinist · · Score: 5, Insightful

    The problem in a lot of states is that .01 can make a huge difference between a DUI, a DUI with a "high BAC kicker", a wet-reckless, or nothing at all. It has to be accurate to at least a few 9's or for those "on the bubble" cases do have a severe level of doubt. Because driving with a .07 is not illegal (for the most part), but .08 is. The question in court is not "were you drinking tonight", but "how much did you drink" which is a very specific very objective, very determinable piece of information.

    As states lower their legal limits to the point where they intersect with non-impaired drinking drivers, especially with a .01 or more margin of error, you're going to get a lot of overzealous cops in cities with revenue shortfalls taking innocent people in for DUIs and hopefully more and more of these "border cases" will bring these devices into question more than the over-the-top blacking out, pissing his pants multiple-offender does in court.

    --
    Forgive my spelling from time to time. I'm often posting during short breaks.
  9. A Pyrrhic victory for open source and code review. by Darth_brooks · · Score: 4, Insightful

    The good: This particular breathalyzer has been proven to be the unreliable POS that it apparently is. This unit, and others like it, will finally start being held to a stronger coding standard.

    The bad: every sleazeball, ambulance chasing, "call lee free", douchebag of a lawyer will use this case to attack the credibility of any and all breathalyzers made in the past, present, or future, spreading enough FUD to juries everywhere that an unacceptable number of drunken idiots get the God given right to keep their license until they finally end up killing someone.

    As a person, I think groups like MADD spend most of their time trying to scare monger politicians into pushing us as close to prohibition as possible. I believe that alcohol can be used responsibly. But I also know that this case is going to result in DUI's getting overturned for people that damn sure don't deserve it. Borderline cases will get knocked down, cases will get thrown out, and the people that broke the law, that did something wrong, will walk out of a court room 'vindicated.' They didn't do anything wrong when they had six beers and drove home, it was that confounded *machine* that *said* they broke the law. The *machine* was busted, ergo they didn't break the law. In short, this case is going to make a lot of O.J. Simpson's. The jury said they didn't commit a crime, so they didn't. No harm no foul. Technicality? Bah! They're as innocent as the sweet baby Jesus.

    I'd like to think things will wash out in the end. This case will probably end up making it harder to get off on this particular technicality in the long term. In the short term? Here come the appeals. Maybe the state is partially at fault for buying shoddy equipment. (Or maybe not. Did they do a code review? Do they have the resources to do one? Probably not. Did you do a code review of the 3com switch in your server room? Their selection criteria can certainly be questioned, but it probably doesn't change the fact that someone drank enough to blow a .22 then decided to drive home.)

    But in the end, the drunks are still going to be drunks. And tomorrow some of them will probably get to file appeals, and some of the ones that shouldn't be on the road, or even in public, will get to slip out of this brand new loophole. I'm not sure that that deserves a cork-popping celebration.

    (and yes: We all handle our booze differently. Arbitrary limits that determine "drunk" may or may not be the answer. Hardcore drunks will keep driving even after losing their license. DUI's are as much moneymakers for the States as speeding tickets. Yadda yadda yadda.)

    --
    There are some people that if they don't know, you can't tell 'em.
  10. Re:Is this 1968? by DeadCatX2 · · Score: 5, Insightful

    With an attitude like that, it's obvious that you have little experience with embedded systems...

    --
    :(){ :|:& };: