Evidence from a Black Box

A recent court case in Minnesota poses an interesting question. In summary, a man accused of impaired driving says he should be able to review the source code of the breathalyzer used to gather the evidence against him.

On the surface, the man’s request seems reasonable. As I understand it, the primary evidence against him is that he exhaled into a box and it displayed a number. And that number was too big. In fact, everyone who drives, impaired or not, presumably has an interest in the accuracy of the device.

But the manufacturer, CMI, Inc., and the State of Minnesota apparently disagree, and they have convinced both the trial and appeal judges that handing over the source code would be “unreasonably burdensome.” So unless the defendant launches another appeal — or perhaps buys one and sends it to a lab for analysis — he appears to be out of luck.

I’m inclined to believe that the accused is simply looking for any possible way to have the evidence against him excluded. But that’s the way the system works. To be convicted, the accused must be proven guilty beyond a reasonable doubt. He has the right to cross-examine human witnesses, so it simply doesn’t make sense that he’s not allowed to examine the functioning of the machine that says he was over the legal limit.

What could go wrong

There are a number of things that could go wrong with an electronic breathalyzer. Presumably, aging or failing components that change the readings would be picked up during calibrations, so there are likely some procedural safeguards. But what if the developer made a mistake or took shortcuts? Converting the output of an optical sensor into a breath alcohol concentration, and then into a blood alcohol level, must involve some math. What if there is a bug in the math libraries that hasn’t been discovered?

Then there are issues such as version control. Did the right software get loaded onto the device? Has it been upgraded? Can the vendor reproduce the exact code loaded onto devices sold several years ago? Has it been modified?

The last question should send shivers down a Judge’s spine. The device is in the custody of the same person who laid the charges and, therefore, has an interest in seeing a conviction. While the vast majority of police officers play by the rules, we are obliged to ask the question: What checks and balances are in place to stop that one bad apple from tampering with the device? Without appropriate safeguards, you too could be just one firmware mod away from a criminal conviction.
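The version-control and tampering questions above have a standard engineering answer: the manufacturer publishes an authenticated list of the digest of every released build, and an independent examiner hashes the image actually present on the device and compares. The following is an added illustration of that check and is not code from CMI or from the case; the firmware images, version numbers and key are constructed placeholders. A real manifest would carry a public-key signature so the examiner can verify it without being able to forge one; HMAC stands in here only so the example runs on the Python standard library.

```python
import hashlib
import hmac
import json

# Constructed placeholder key. A production manifest would be signed with a
# public-key scheme; HMAC is used only to keep this runnable offline.
MANIFEST_KEY = b"manufacturer-release-signing-key-(constructed)"


def build_manifest(releases, key=MANIFEST_KEY):
    """Publish an authenticated list of SHA-256 digests, one per released build.

    releases: dict mapping version string -> firmware image bytes.
    """
    entries = {ver: hashlib.sha256(img).hexdigest() for ver, img in releases.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def manifest_is_authentic(manifest, key=MANIFEST_KEY):
    """Reject a manifest whose entries were edited after it was issued."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def check_firmware(image, claimed_version, manifest, key=MANIFEST_KEY):
    """Return 'ok', 'manifest-tampered', 'unknown-version' or 'image-modified'.

    image: bytes read back from the device; claimed_version: the version the
    device reports (or the custody paperwork records).
    """
    if not manifest_is_authentic(manifest, key):
        return "manifest-tampered"
    expected = manifest["entries"].get(claimed_version)
    if expected is None:
        return "unknown-version"
    actual = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return "image-modified"
    return "ok"


# Constructed sample firmware images standing in for real device builds.
RELEASES = {
    "1.0": b"BREATH-FW v1.0 " + bytes(range(64)),
    "1.1": b"BREATH-FW v1.1 " + bytes(range(64, 128)),
}
MANIFEST = build_manifest(RELEASES)


def demo():
    """Run the four cases an examiner cares about and return their verdicts."""
    genuine = RELEASES["1.1"]
    # One byte flipped: a silent change that no custody log would record.
    modified = genuine[:20] + bytes([genuine[20] ^ 0x01]) + genuine[21:]
    # A manifest whose entry was edited to match the modified image, but
    # whose authentication tag was not (and could not be) recomputed.
    forged = {
        "entries": dict(MANIFEST["entries"], **{"1.1": hashlib.sha256(modified).hexdigest()}),
        "mac": MANIFEST["mac"],
    }
    return {
        "genuine": check_firmware(genuine, "1.1", MANIFEST),
        "modified": check_firmware(modified, "1.1", MANIFEST),
        "unknown": check_firmware(genuine, "9.9", MANIFEST),
        "forged_manifest": check_firmware(modified, "1.1", forged),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16s} {verdict}")
```

The check says nothing about whether the released code is correct; it only establishes that the code on the seized device is the code the manufacturer says it shipped, which is the precondition for any source review to be meaningful.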

What should be done

An objective third party can examine all aspects of the software development life cycle, the software, the hardware, field maintenance and related security controls. If the manufacturer has done its job, the third party report will depict a reliable and trustworthy device. In fact, if the manufacturer has done its job, it should welcome the notion of an objective third party doing just that. On the other hand, if the manufacturer hasn’t done its job, we’ll all know that, as well.

According to Bill Collins, sales manager at CMI, the product was thoroughly tested by the National Highway Traffic Safety Administration, part of the United States Department of Transportation, prior to sale to law enforcement agencies. Individual States also test the device and it has been subject to other third party examinations prior to being generally accepted by the courts. He made another very good point: Source code is only one part of the device and, to draw a meaningful conclusion, one would have to examine the entire device including both hardware and software.

Preserving defendant rights

While I sympathize with the company and understand its desire to keep the proprietary source code confidential, impaired driving is a crime and a conviction can have major implications, including restrictions on employment and travel. Criminal defendants must be allowed to examine the evidence against them. Intellectual property concerns are a red herring – courts have long had procedures in place to allow the examination of sensitive information in a controlled manner.

If a defendant wants to retain an expert to conduct such an analysis, he or she must be allowed to do so. If the product is solid, defendants will quickly find out that they are simply throwing their money away. Some American states including Florida agree and have upheld the defendant’s right to examine the code.

In the words of English jurist William Blackstone, “Better that ten guilty persons escape than that one innocent suffer.” Allowing any black box to produce evidence is a slippery slope that we can’t afford, and product vendors should take note. It won’t be long until other devices like digital recorders are subject to the same scrutiny. Until we illuminate inside, outside and around the box there is no justice.

Criminal and negligent

The net is buzzing about Republican Vice President candidate Sarah Palin’s email account being hacked, and if you somehow missed it, this Wired blog post is a good starting point.

I won’t engage in spreading rumours about who might have done it. The bottom line is that he or she, at best, did something dumb. While there still appears to be a cool factor surrounding the commission of high tech crimes, the result is really no different than breaking into someone’s home, office, or car. And doing it to a VP candidate is just plain dumb. Given the high profile of this case, the authorities will make an example of whomever is responsible, resulting in a disproportionate sentence. It’s too bad that the perpetrator thought about the FBI after the fact, instead of before.

But this story is about much more than that. It’s about weak authentication, poorly designed password recovery, poor business practices and a negligent Governor.

Security professionals have been telling people for decades that passwords are a bad idea and that they suffer from numerous weaknesses. People choose passwords that are easily guessed, they are all too often rapidly obtained through technical and social attacks, and many password systems have serious, fundamental technical flaws. But we continue to use passwords because they’re easy and cheap.

We can choose complex passphrases that are hard to crack, but doing so also makes them harder to remember, especially for those of us with dozens of them. So, to help users, companies like Yahoo provide automated reset mechanisms. The problem is that these are, for the most part, weaker than the password itself, as was clearly demonstrated in Palin’s case. Many of these systems are fundamentally flawed and fail to take target familiarity into account.

As threat levels and asset values increase, so does the need for stronger security controls. Those in the spotlight are exposed to a larger threat, and information such as their email has a higher perceived value to potential attackers. However, because it is generally easier to obtain personal information about such people, password reset mechanisms that rely upon personal information provide a lower level of security. In other words, they protect people like Palin less than they protect you and me. They fall clearly into the “really bad idea” category, and surely the security people at Yahoo know it. These flawed password reset systems make it significantly easier to reset and obtain the password of someone you know than that of a random stranger. And let’s face it, an email account belonging to your boss, ex, or another kid at school is far more interesting than a stranger’s. Shame on Yahoo (and others who do the same dumb things) for implementing such a poor security system.

Perhaps Yahoo and hundreds of others will wake up, smell the coffee and fix their reset mechanisms. But until they do, there is a solution for users: When providing “answers” to password reset questions, don’t “answer” the question they ask. For example, you might be asked the first school you attended or your first pet’s name. Be funny, be silly, be random. Make something up, and write it down if you have to. If Palin had simply answered that she met her husband “UnderThePinkOakTree”, her Yahoo account wouldn’t be in the news.
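Both halves of that advice can be shown in code: the user side (an answer drawn at random rather than from biography) and the provider side (a reset check that stores answers as salted hashes, compares them in constant time and locks the account after a few failures, so a guessable answer cannot simply be tried repeatedly). This is an added example, not Yahoo’s code or any real reset system; the word list, the account name and the attempt limit are constructed placeholders.

```python
import hashlib
import hmac
import math
import secrets

# Constructed 16-word list. A real deployment would use a list of several
# thousand words so that a four-word answer comfortably exceeds 40 bits.
WORDS = ["oak", "pink", "tree", "river", "lantern", "copper", "marble", "comet",
         "quill", "saddle", "velvet", "harbor", "ember", "fossil", "glacier", "orbit"]

MAX_ATTEMPTS = 3          # assumed lockout threshold
PBKDF2_ROUNDS = 100_000   # slows offline guessing if the answer store leaks


def random_answer(n_words=4, words=WORDS):
    """User side: an answer unrelated to the question, e.g. 'UnderThePinkOakTree'."""
    return "".join(secrets.choice(words).capitalize() for _ in range(n_words))


def answer_entropy_bits(n_words=4, words=WORDS):
    """Bits of guessing work for a random answer; a true biographical answer
    is bounded instead by how many plausible values the attacker can list."""
    return n_words * math.log2(len(words))


def _normalize(answer):
    # Case and spacing differences are not secrets; fold them before hashing.
    return " ".join(answer.lower().split())


def _digest(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, PBKDF2_ROUNDS)


class ResetVerifier:
    """Provider side of a knowledge-based reset step.

    Answers are never stored in the clear, so support staff cannot read
    them, and each account is locked after MAX_ATTEMPTS wrong answers.
    """

    def __init__(self):
        self._records = {}

    def enroll(self, user, answer):
        salt = secrets.token_bytes(16)
        self._records[user] = {"salt": salt, "digest": _digest(answer, salt), "failures": 0}

    def is_locked(self, user):
        rec = self._records.get(user)
        return rec is not None and rec["failures"] >= MAX_ATTEMPTS

    def attempt(self, user, answer):
        """Return True only for a correct answer on an unlocked, enrolled account."""
        rec = self._records.get(user)
        if rec is None or rec["failures"] >= MAX_ATTEMPTS:
            return False
        if hmac.compare_digest(_digest(answer, rec["salt"]), rec["digest"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        return False


if __name__ == "__main__":
    v = ResetVerifier()
    chosen = random_answer()
    v.enroll("example-user", chosen)
    print("enrolled answer:", chosen, f"({answer_entropy_bits():.0f} bits)")
    print("correct answer accepted:", v.attempt("example-user", chosen.lower()))
```

The lockout is what turns “easier to guess for someone you know” into a bounded risk: with three tries, an attacker needs the answer, not merely a short list of likely ones. The random answer removes the list altogether.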

Of course Governor Palin shouldn’t have been using a free Yahoo email account to conduct government business in the first place. Not only is it a well-known way to dodge information retention and access legislation, but free email accounts, as this incident demonstrates, simply don’t provide the level of security required for government business or political campaigns. Palin and her handlers should have known better. In fact, according to news reports, she has previously been criticized for conducting state business via her personal email account, so I think it’s safe to say that not only should she have known better, but she in fact did know better and continued to do so.

So where does this leave us? A dumb criminal, a negligent Yahoo, and a VP candidate who doesn’t learn from her own mistakes, none of which bodes well for the American voter.