
Schneier on Security: Software Problems with a Breath Alcohol Detector - hko
http://www.schneier.com/blog/archives/2009/05/software_proble.html
======
jws
The analysis sounds suspect to me.

 _2\. Readings are Not Averaged Correctly: When the software takes a series of
readings, it first averages the first two readings. Then, it averages the
third reading with the average just computed. Then the fourth reading is
averaged with the new average, and so on. There is no comment or note
detailing a reason for this calculation, which would cause the first reading
to have more weight than successive readings._

The code is computing an exponentially weighted mean. Read that last sentence
of the quote again; the analysis has it backwards. The _last_ sample carries
more weight, not the first.

Now, type "uptime" at your unix prompt. Those last three values are computed
the same way and have been for decades. (There are three different weighting
factors used in them instead of the 1:1 implied in the text here.)

The exponentially weighted mean is useful when you care more about the most
recent values and when processor resources are highly constrained. It may be
what was intended, or maybe not. Generally you would use a weighting factor to
make the earlier factors not fade into oblivion as fast as these do, but I'm
not going to take the word of someone who can't correctly describe the
algorithm in his report.

And the bit about turning off the illegal opcode interrupt... the premise is
that some sort of failure would alter the program memory in such a way that
one of the opcodes became illegal, yet the program would continue to function
but produce erroneous results. I'd have to say the probability of this is
vanishingly small, in fact, given valid opcode density for microprocessors,
much smaller than an instruction being mutated to a legal opcode that somehow
allowed the program to still run but produce erroneous results.

I guess I should complete with my doubts about 3. Just because the A/D reads
12 bits doesn't mean you have 12 bits of data. If the 8 low bits are noise
there is no information loss in dividing by 256. You have to understand the
machine to know if this is a problem.
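
Worked example, added here and not part of jws's comment, the Schneier post, or the device's firmware: it reproduces the "average each new reading with the running average" scheme the quoted report describes, computes the weight every reading ends up with, and contrasts alpha = 1/2 with the slower decay the Unix load averages use. The reading values and the load-average helper are constructed for illustration.

```python
# Added example: reproduce the report's sequential averaging and expose the
# effective weight of each reading. Not code from the post or the device.
import math
from typing import List, Sequence


def sequential_average(readings: Sequence[float]) -> float:
    """Average the first two readings, then fold each later reading in by
    averaging it with the running average (the scheme in the quoted report)."""
    if not readings:
        raise ValueError("need at least one reading")
    avg = float(readings[0])
    for r in readings[1:]:
        avg = (avg + r) / 2.0
    return avg


def ewma(readings: Sequence[float], alpha: float) -> float:
    """General exponentially weighted mean: new = alpha*r + (1-alpha)*old.
    alpha = 0.5 is exactly sequential_average; a smaller alpha lets older
    readings fade more slowly and damps a single outlier more."""
    if not readings:
        raise ValueError("need at least one reading")
    avg = float(readings[0])
    for r in readings[1:]:
        avg = alpha * r + (1.0 - alpha) * avg
    return avg


def effective_weights(n: int, alpha: float = 0.5) -> List[float]:
    """Weight each of n readings carries in the final ewma value.
    The last reading gets alpha, the one before it alpha*(1-alpha), and so
    on; the very first reading keeps (1-alpha)**(n-1) because it seeds the
    accumulator. The weights always sum to 1, and the last one is largest."""
    if n < 1:
        raise ValueError("n must be >= 1")
    weights = [alpha * (1.0 - alpha) ** (n - 1 - i) for i in range(n)]
    weights[0] = (1.0 - alpha) ** (n - 1)
    return weights


def weighted(readings: Sequence[float], weights: Sequence[float]) -> float:
    """Dot product of readings and weights; equals ewma() for the same alpha."""
    return sum(w * r for w, r in zip(weights, readings))


def load_average_alpha(minutes: float) -> float:
    """Per-sample alpha of the classic Unix load averages (the three numbers
    uptime prints): one sample every 5 seconds, decay exp(-5/(60*minutes))
    per sample for the 1-, 5- and 15-minute figures."""
    return 1.0 - math.exp(-5.0 / (60.0 * minutes))


if __name__ == "__main__":
    # Constructed sample: four steady readings and one high outlier at the end.
    readings = [0.05, 0.05, 0.05, 0.05, 0.20]
    print("plain mean        :", sum(readings) / len(readings))
    print("sequential average:", sequential_average(readings))
    print("weights (n=5)     :", effective_weights(5))
    for m in (1, 5, 15):
        print(f"{m:2d}-minute load average alpha: {load_average_alpha(m):.4f}")
```

With alpha = 1/2 the final reading alone accounts for half the result, so one high outlier at the end of the series dominates; the load averages use an alpha of roughly 0.08 per sample for the one-minute figure and much less for the longer windows, which is the "different weighting factors" point above.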

~~~
jerf
While I am for software transparency when it matters, I do have to say I'm
much less excited about the software being gone over by lawyers (or
programmers in the pay of lawyers).

Give me a page of C code, and I can find ten faults. I can complain about
variable naming schemes, I can complain about indentation I don't like. I can
complain even if it's actually my preferred indentation, because you won't
even know better. I can _always_ complain about architecture because there are
always pros and cons, which means I can play up the cons and ignore the pros,
along with ignoring the fact that we have to use _some_ architecture and
"perfect" was never on the table. I can say this other architecture should
have been used instead, and get you involved in a battle of pro and con
analysis that is a perfectly good engineering discussion but will sound like
dissembling on the witness stand. I can complain about the bug fix for an
issue that _I_ can't imagine how it comes up, but came up in testing. I can,
basically, complain all day long, even if it is literally the best C code ever
written.

Now, I grant that history suggests I'm unlikely to encounter the best C code
ever written in one of these contexts, but my point is that since _nothing_
can survive lawyer scrutiny, lawyer scrutiny is actually information-free.

The solution to "Not having any software standards" can't be "Requiring
absolute, unattainable perfection", because the only sane response to _that_
is to stop writing software.

The _real_ question is not "Is this software perfect?", but "Did it function
correctly?" And I'd be a lot more comfortable if somebody took the source code
and the hardware and actually showed a case where it is wrong by physically
producing that case, and not just theorizing about how the software might go
wrong.

All that said, for all I know this thing's a pile of crap. Certainly if I had
to lay money, that's the way I'd bet. My point is more that this writeup
doesn't meet my standard for determining that it's a pile of crap, and as much
fun as it may be to pile on law enforcement, if the price is letting the
"lawyerly-perfection" standard pass without comment, that price is not worth
paying!

~~~
ckinnan
Bill of Rights, Sixth Amendment:

"In all criminal prosecutions, the accused shall enjoy the right to a speedy
and public trial...and to be informed of the nature and cause of the
accusation; to be confronted with the witnesses against him..."

------
blahblahblah
If the readings are, in fact, averaged in the way described by the article,
the device is useless and should not be allowed as evidence since such a
scheme permits a single outlier reading to produce an erroneous result.

------
HeyLaughingBoy
Computer Operating Properly interrupt: anyone else think this sounds like a
National Semiconductor processor device? ISTR they had an interrupt labelled
COP.

When was the last _decade_ National made a processor, anyway?

~~~
joe_bleau
Motorola called their watchdog module a COP in the 8 bit lines.

National still makes MPUs (<http://www.national.com/appinfo/mcu/>) and IP
(<http://www.national.com/analog/compactrisc/architecture>)

I've never seen a natsemi micro in the wild, however.

------
mlLK
_This is an excellent lesson in the security problems inherent in trusting
proprietary software_

This sentence made my day, given who is using it and how often it's being
used.

------
old-gregg
This should be applied to SaaS as well: something needs to be done about GPL
parasites hiding "in the cloud".

If you're building on top of GPL, users of your cloud software should be able
to download your code, examine it and modify/deploy on their own servers.

~~~
KirinDave
Wait, this article had nothing to do with the GPL. The GPL is almost entirely
unrelated to the notion of code audits and transparency. Lots of code licenses
and business models allow for (or even promote) that approach.

Why did you bring the GPL into this?

~~~
old-gregg
You are right, I got carried away a bit here.

The article reminded me of reddit storing my password in plain text, which
wouldn't go unnoticed if their code was open. [yes, I know they eventually
released their code, which was very kind of them]

