HackerTrans
TopNewTrendsCommentsPastAskShowJobs

neuralzen

no profile record

comments

neuralzen
·7 年前·discuss
Really, if you're producing something that is reliably accurate, I would expect that would be all anyone would expect, along with proper training, verified updates, and audited software/firmware, etc. In the case I cited above it was more an issue with the lack of accuracy of the product, and sloppy follow through from the vendor, with money and political pressure thrown at the problem - something which the police departments themselves likely have less influence on anyway.
neuralzen
·7 年前·discuss
I admire what you're doing, and hope you can adhere to scientific integrity while developing and selling your product, but that simply isn't true. At least in Washington state. A few years ago Washington State purchased a whole bunch of Draeger 9510 (alcohol breathalyzer) units without ever having tested them. After two years of sitting unused, the warranties were going to expire and they finally got around to testing them, and purchasing extended warranties at that point. However their initial tests failed multiple accuracy tests to the point that the state's lab halted testing, since it was so off. A few months later Draeger patched the firmware and OS application (the breath/alcohol measurement firmware being written by a single contractor in Texas, and versioned as 0.7) and while testing looked better, it still wasn't accurate and they just pushed it out the door for deployment...they had already bought them, after all. I'll link the records below...they didn't even have the correct versions of the software and firmware accounted for and signed off, which led to other problems (and Draegar has had other problems of accuracy in other court cases, such as Florida, but that's a side tangent).

My point is, a lot of state governments (at least in the US) spend money first and verify later, and 'verify' can be a damnably loose term. Loose enough to violate WAC 448-15-020 (in Washington state's case) which requires a 'reasonable degree of scientific accuracy'.

EDIT: Apparently the original link (below) is no longer available in WSP's records, which is interesting. You can view the document via archive.org, here

https://web.archive.org/web/20170211114622/http://www.wsp.wa...

original (defunct) http://www.wsp.wa.gov/breathtest/docs/webdms/Draeger/Valid_D...
neuralzen
·8 年前·discuss
PCI DSS allows for "Mitigating Controls" if you need to deviate from specified requirements, provided it is well documented and is equal to or greater in security. Doing teardowns to review circumspect hardware, and applying one's own tamper protection deal (and with accompanying documentation and tracking/logged information) would very likely be sufficient to maintain complaince.