Sun, 2009-05-10 22:52
Defendants in Minnesota ( http://info.doc.state.mn.us/publicviewer/Inmate.asp?OID=213249 ) are fighting the use of the Intoxilyzer 5000 breath-testing device, requesting a full review of the source code to determine whether the code is defect free, whether it is tested for defects, and what exactly it does to accurately determine the level of alcohol detected in one's breath. As we all know, almost all code is not defect free. CMI, the company that manufactures the device, refuses to allow anyone to review and analyze the source code since it is considered intellectual property. This has been going on for quite some time, and over 20 states use the device. It is an easy and cost-effective method to determine if the subject is intoxicated or not. Drunk driving is not a funny subject, but the idea that no one anywhere is allowed to review the source code is a bit ridiculous. Consider that source code for some very sensitive computing devices developed by almost all major IT companies and security firms is written in China, India and Russia, amongst other places, and CMI is worried about who is going to view their IP source code? The code could be tested on site in Owensboro, Kentucky at CMI headquarters (assuming it is written there) using bit level and post compilation tools to validate that the code is defect free and that it measures accurately. In addition, a study could be performed that measures the Intoxilyzer 5000 against blood and urine tests. This 'clinical' study would either validate or invalidate the tool.

What is quite interesting about the Intoxilyzer 5000 is that there is an upcoming users conference in Las Vegas (great place to perform the clinical tests – I bet the users would volunteer; at least by 2AM each morning). You should go just for the hotel prices since $79.00 at the Luxor is not too shabby.

It takes a week of training to learn how to use and maintain the tool, at least at a basic level ( http://www.alcoholtest.com/training.htm ). Some interesting things about the tool are that it stores the information on a low level memory chip; the procedures for calibration are quite specific; and there is zero mention of any protective measures or controls outside of procedures protecting the device. In fact, you can hook it up to a phone line and voila; access is made available.

It may in fact be quite a solid tool, but just like any device that uses software and involves the lives and livelihood of people, it should be checked, validated and verified. You at least want to make sure it is not spaghetti code! At this point, much like voting machines, all such devices need to have their software and associated security controls and calculations fully tested. Based upon some evidence ( http://www.planodwilawyerblog.com/2008/06/as_i_have_reported_here.html ), it looks like the testing is needed. Either that, or just get the attachment and software for the iPod - we all know how secure the iPod is - yup, there's an app for that...