Monday, 28 January 2008

Analyzing the Analyzers: Looking at Source Code for Breathalyzers


For as long as there have been breathalyzer machines, DUI suspects have been looking for creative ways to beat them (see newspaper clipping below). The latest trend is to go after the source code. Here are three recent cases:

My favorite anecdote so far comes from the New Jersey analysis. One of the teams used Fortify to analyze the code, and lo and behold, they found a buffer overflow vulnerability! This raises the possibility that if you mix just the right cocktail at just the right time, you could craft an exploit. (Dream on.)

The real lesson here is that our legal system is waking up to the importance of code. If the code isn’t trustworthy, the outcome isn’t trustworthy either. (Electronic voting machine vendors, you might want to read that last line again.) If the code provides evidence that the programmers weren't being careful, that's going to be bad news for the vendor.

Posted by default at 11:25 AM in Random

 
