
globus9991

join:2004-11-14
Argelia
reply to globus9991

Re: CIPPIC is watching DSLReports

Then we have the issue about "who" is the *real* witness in this whole affair.
Canipre screwed up. Whatever the people of Canipre swore in the affidavit is irrelevant, actually, probably perjurious.

The *only* witness that matters is the "system" that Canipre has in place, since it is this "system" that did all the work.

A person cannot declare that such-and-such movie came from such-and-such IP since it is the *system* that obtained that information.

For example, if you get a ticket for crossing a red light with a camera, you will notice that the ticket says that Joe Drone from the Municipality XYZ "believes" that you have crossed a red light on such-and-such day and time. This is correct, because the camera system IS the witness, not Joe Drone.

This is not the case here. In the affidavit, the people of Canipre are placed front and centre as the witness, which is a blatant error.

Any accused person has the right to confront their accuser. Since in this case the "accuser" is a system, the accused must be entitled to confront the accuser. Since this is not possible (we cannot subpoena Canipre's system to the bench to be interrogated), the Judge must allow the quality of Canipre's system to be explored, which is the only way to ascertain its credibility.

And herein lies the pickle.

I can pretty much bet you anything that Canipre's systems are not up to snuff.

The basis of Quality Control is that quality can only be built in, not tested in. Testing will only marginally verify that the system is doing what the system is supposed to be doing and not more or less.

So, how does one build Quality into a system? By following a Quality Process such as ISO 9000 (or equivalent). If you do not have such a process, you are SOL. Why? Simple, in a computerized system such as Canipre's, each IT and human piece is *UNIQUE* when dealing with the evidence. By unique I mean there is NOT an alternate process to collect, assemble, review, etc. the evidence. The software may be cloned, but it is still the same software.

Hence, if Canipre's so-called "evidence" is depending on a chain of processes, it is this *complete* chain that must have the required Quality. If only *one* of the processes is faulty, then the entire chain is worth zilch!

This is akin to the "chain of evidence" that police need to maintain.

So, how is a lawyer to proceed with such a legal argument? A lawyer would have to request an "evidentiary hearing" in order to ascertain the "credibility" of the witness.

What Canipre needs to provide is substantial evidence that their "system" is in compliance with a recognizable Quality Assurance process. Fat chance!

Now, so that we are clear, when I am talking about a "system" I am not only talking about which software was used. That's a minuscule part of all of it. A system involves people following written processes and procedures that must be in place *before* and *throughout* the entire process of selecting, installing, testing and using the system.

Oversimplifying, this is what Canipre should have in place (assuming no coding was done - if there was coding,... well.. the whole thing just grows exponentially):

1 - A Quality Plan
2 - User Requirement Specifications
3 - System Requirement Specifications
4 - Design Specifications
5 - Installation Plans and Reports
6 - System Tests and Reports
7 - Training Procedures - Training Logs - Qualifications of involved personnel
8 - Recovery Disaster Plan (tested - including backup procedures)
9 - Audits (of critical software and hardware)
10 - Quality Remediation Processes and Procedures
11 - Quality Report

(this is just a sample)

I can pretty much guarantee that NONE of this was in place. Why? Simple, it is *quite* expensive to do and to maintain. NO IT shop will do something like this unless it is extremely well funded and has an extremely strong regulatory presence. Canipre? Fat chance!

It boils down to this: The "system" that Canipre used has been used without any standard (i.e. meaningful) Quality built into it. Hence, its "credibility" is zilch.

Note: this topic is a "niche" topic in IT. Not too many people understand ITQA. A programmer is NOT an ITQA expert by any stretch of the imagination. A Quality System is composed of people following procedures and systems performing as expected. This is far... far more than "just" releasing the code.


A Lurker
that's Ms Lurker btw
Premium
join:2007-10-27
Wellington N
I don't know enough about ITQA (my background is mfg QA/QS/QMS), however, the collection software should have some type of verification testing done, i.e. someone should have specifically tried to fool the system with a spoofed IP. When building a piece of manufacturing and/or assembly equipment it's not unusual to try and make a bad part on purpose. This allows you to prove to everyone involved that you can't pass a discrepant part (or to make adjustments to get there).

The problem here is that Canipre wouldn't necessarily want to show holes in their system. In a good manufacturing system 'problems are good' since if you don't define the problem you can't fix it. It is however unlikely that they would want to do any testing that showed less than 100% accuracy. If it gets to the court case level someone would have to verify the accuracy of the system.

globus9991

join:2004-11-14
Argelia

3 edits
said by A Lurker:

I don't know enough about ITQA (my background is mfg QA/QS/QMS), however, the collection software should have some type of verification testing done, i.e. someone should have specifically tried to fool the system with a spoofed IP. When building a piece of manufacturing and/or assembly equipment it's not unusual to try and make a bad part on purpose. This allows you to prove to everyone involved that you can't pass a discrepant part (or to make adjustments to get there).

Yes, but false positives as well as false negatives are just a microscopic part of it all. People have the tendency to get hung up on software testing, and actually, software testing is about 20 to 30% of an entire ITQA process. Remember, it is a *system* that is composed of many, many parts that have to work OK for the result to be credible. That system involves (typically) network components, server components, OSs, apps, AND people. ALL of them must work OK, otherwise it is garbage. That's precisely why it is SO easy to punch holes if you audit an IT system. Most people focus on software only, if even that...

said by A Lurker:

The problem here is that Canipre wouldn't necessarily want to show holes in their system. In a good manufacturing system 'problems are good' since if you don't define the problem you can't fix it. It is however unlikely that they would want to do any testing that showed less than 100% accuracy. If it gets to the court case level someone would have to verify the accuracy of the system.

That's precisely why an "evidentiary hearing" is necessary. The lawyer is basically questioning the quality of Canipre's evidence and is asking for Canipre to "pony up". But, even before that, it is possible to request access to such evidence for review.
In ITQA that's what User Requirement Specification and System Requirement Specification documents are for. One tests against them where all the functions are defined. So, you end up with only three possibilities:

1 - All the functions were tested and are 100% OK (we lose)
2 - Not all the functions were tested. We can see this by comparing the Testing against the URS and SRS (we win) since there is no evidence to show that Canipre's systems perform as expected.
3 - All the functions were tested and are not 100% OK (and Canipre went ahead anyways) then we probably win, but it depends on the criticality of the function.

Even in the likely case that Canipre does not have a sound QA system in place, could they simply lie to the Judge? Sure. However, I think it would be pretty much suicidal. Why? Because the other party will request the documentation to prove so. And believe me, you *cannot* fake that amount of info in such a short period of time.


HiVolt
Premium
join:2000-12-28
Toronto, ON
reply to A Lurker
said by A Lurker:

I don't know enough about ITQA (my background is mfg QA/QS/QMS), however, the collection software should have some type of verification testing done, i.e. someone should have specifically tried to fool the system with a spoofed IP. When building a piece of manufacturing and/or assembly equipment it's not unusual to try and make a bad part on purpose. This allows you to prove to everyone involved that you can't pass a discrepant part (or to make adjustments to get there).

I think it has been proven in the US that an IP was manually added to the swarm that belonged to a networked HP LaserJet printer.

That in itself shows how inaccurate this shit is.


globus9991

join:2004-11-14
Argelia

1 recommendation

said by HiVolt:

I think it has been proven in the US that an IP was manually added to the swarm that belonged to a networked HP LaserJet printer.

I knew it! I knew it!
Machines are getting *really* intelligent!
One torrent today, the world tomorrow!!


HiVolt
Premium
join:2000-12-28
Toronto, ON

1 recommendation

This isn't what I was talking about, but there's an older example of these notices and laserjets, hehe

»www.eff.org/deeplinks/2008/06/la···le-crime