390 Comments
And it's not just the PM. It's the business leaders in general. Pretty much the gist of my comment, but much more concise.
0 Votes
YES!
dustyred14 25th Aug
If I had a dollar for every time a PM rushed me through code, caused functionality issues/bugs and then blamed me for it, I'd never have to work again! The last one I worked with my boss had to come by and tell him to leave me alone. Working from home for the rest of the week ********!
This is precisely the point Slayer. This would give you the legal right to put it in writing to the Software Application Manager or Director of the flaw and the instruction to ship the software with a known late discovery and REFUSE to bundle the software for final delivery. If you do, you (or any software engineer who does) are guilty of unsafe work practices.
The issue of litigation on broken software extends far beyond just code...
3 Votes
Sounds like a field day for mumbo jumbo boys that.
No way this is going to be as clear cut as working from heights without a harness, or being told to forgo it in the interest of making a deadline.

There is no safe working practice for coding, I'm not sure there could be one, and attempting to legislate for one is lunacy.

On top of that it totally and completely ignores that fact that business people don't listen to software engineers, until they themselves get penalised. All you are doing is giving the people who make the decisions a ready made scapegoat.

Sort yourself out.
0 Votes
Can't give you enough thumbs up on this one!
is too vague for me. I've written enough code (hobby and profession) to realize there is no such thing as bug free code. It gets worse as time progresses and underlying hardware change introduces things that you never dreamed of testing for...
for flaws and vulnerabilities KNOWN at the time of release or if you fail to take action to fix a vulnerability when it's found.
What if my code has a vulnerability, I make a patch, and it's exploited before a user applies said patch? Can they hammer me because I didn't hand deliver the patch on a silver platter? Or I did and they didn't apply it? Or they claim I didn't? And that's at least a case in which it could go 50/50 on a fairly clear cut set of possibilities, assuming said Judge has had his/her Wheaties this morning.

Look at the patent wars à la Apple vs. Samsung (yeow!). Do you really trust judicial oversight on technology that turns over every 18 months?

See, this is where burgers, bridges and locks have it over software. Those cases are complex too, but you can minimize the finger pointing because the sum of parts and expertise about parts has chronological weight. Engineering - thousands of years. Cooking - tens of thousands of years. Locks - hundreds of years. Software - less than two years? How do you find an expert in such a venue? How do you go about vetting them? As the lawyer for a defendant (or plaintiff for that matter) I could easily point a finger at said expert and say he has no experience with (insert dead computer language/programming paradigm), your honor!

Now I'm all for holding folks accountable, but I want it to be fair, measured and consistent. I am afraid based on my observations above that it can't be done at this early stage of a profession that has been around for less than sixty years.

Hell, even the above article has started backpedaling on holding developers responsible if they volunteer their time to open source. Since when do we give passes to folks who cause harm, because they received no benefit from it?
will depend on how the legislation is written, and don't forget, in the USA the law makers are owned by the big corporations nowadays, so it's doubtful they'll come down too heavy on the software corporations.
0 Votes
Funny...
thoiness 2nd Sep
I was thinking, based on what I saw, that we elected morons who have the same mindset as you. Officials making laws in areas they cannot explain or define. Maybe you should campaign?
But why go that far? If it's broke, they're guilty, lazy, or under-qualified.

Execute them, darn it!
The term in play would have to be "negligence". The part of the debate I'd like to take part in would be "is mere ordinary care" required, or "is a bailment created"? I'd like to see the software industry held to the stiffer "bailment" requirement. We get paid a lot of money because clients foolishly trust us. Until that expectation of rock-solid quality is changed, I say bring on the bailment.
0 Votes
testing
joeller 28th Aug
We have a company providing web apps whose developers, each time they fix a bug, create one elsewhere in the code which is not caught until it has been delivered to the government's testing server and is undergoing testing by the subject matter expert. I'm sorry, I always believed that software needs to pass through complete testing before it is delivered to the customer. You need to make sure your bug fixes don't break working parts of the application.

So while there is no such thing as bug free code, this should be newly discovered bugs, not stuff that was working and has been broken. If you carried out a proper test instead of making a cursory examination then this should never happen.
0 Votes
No...
thoiness 2nd Sep
You've made it abundantly clear that these avoidable security flaws are always known by every programmer everywhere. They are out to get you and so am I.

Us programmers carry the mark of the beast. You're just trying to hold us back, and rightfully so. I say sue the underpants off the college kids giving away free software. Sue the high school developers and lock them away for life (I don't want their Star Wars collections anyhow). Sue the pants off every web developer (they all suck - just look at how many sites are broken into every day. Look at Sony for instance).

Forget the whole suing thing. Why not euthanasia? They knowingly pack your software full of bugs. What if a doctor knowingly packed loads of bugs into their patients' heads? Wouldn't they get euthanized?
4 Votes
Should software providers be sued? Well, you can try; you could sue them for low quality in other respects as well.

Of course, there's a wee assumption in this debate. As a customer you are prepared to pay for quality....
0 Votes
Quality
essex133 29th Aug
That's a very good point Tony! Like if you buy a cheap suitcase made of cardboard, you couldn't sue the manufacturer or retailer if rain got in and ruined the contents, could you? But if you paid for a good quality suitcase that let rain in or failed in some other way, you would have the right to complain under Trading Standards (or whatever it is called nowadays).

So if you decide to buy a much cheaper alternative to say, Microsoft Office rather than fork out a hefty sum for the real McCoy and it causes problems, can you really expect that vastly cheaper alternative to perform as well as MS Office?

But if you took sensible precautions, like trying out any new software in a safe environment before running it on your main system, and if you backed up your system before installing that software, surely most of the danger that might be caused by bad code would be greatly limited? So I don't think that software developers should have to take all the blame or be sued just because there was some bad code in their software: I think end users must also take responsibility for deploying the software safely!
What you both say about getting what you pay for is applicable ONLY when you have a choice available to you without having to go through major loops to find there is a choice.

Now look at how the IT industry operates for the average user:

Want a computer? You go to the store, and the majority of stores sell vendor systems with only Microsoft Windows and the other software the vendor has agreements to load you up with. So the choices are down to a few options of which version of Windows and what level of hardware you want. Your other choice is to take the time to find and visit your local Apple store and get the same very limited choices.

You want software? You go to the stores and browse through the limited range of packaged software they have available. A few may even know to check a few web sites for on-line stores, and be confronted with the same limited range of choices.

As IT people we KNOW there are other choices out there, but they are NOT available in the stores, and that knowledge does NOT extend to the average user. Should they go unprotected because they aren't IT experts? I don't think so.

Even when people buy cheap cardboard suitcases they should be able to get them without having them supplied with several holes in them.
I'm far from sure this sort of legislation is the best way to introduce real competition (prices fairly similar, so competition is on quality). Wouldn't surprise me if certain types viewed being fined as a price they are prepared to pay to keep their monopoly...
various compensation payouts for lost court cases, then add on the cost of the litigation and the fines.
If I build someone a website that has a security flaw, it's not the flaw in itself that does the harm. It's the (presumably criminal) exploitation of that flaw by a third party that results in harm. This is an important distinction. To return to the burger analogy, I would be suing a burger joint because someone (another customer) slipped poison into my burger after I purchased it. The burger joint should not be liable for that.
equipment made with known faults?
protecting us against ID theft. And clothing companies for not protecting our valuables... those pockets are a known security hole...
Oh, I like it kkikta! LOL
Because my dookies still stink!

Sue the world! Power to the people!
they have been fairly successful pointing the finger back at drivers as a defense during litigation. Very similar to software shrink-wrap waivers except the lawyers don't get a cut with vendors being upfront like that...

What is a documented bug? A feature!
The situations I'm talking about are not ones where the car companies can put the blame elsewhere - I seem to remember a 1960s or 1970s Ford that had a fuel tank that caught fire when the car was hit from behind - Ford paid out a lot of compensation on that because they knew about it before it was released, but didn't fix it.

The same basic principles apply to every other form of engineering, but some seem to think it should NOT apply to software, while some software developers do apply it and manage well, and it was the only way to write software in the days of mainframes only. The only differences today are some companies are spending big money to convince people to accept crap, and if all the current known vulnerabilities were dealt with at the baseline code level, the majority of the trojan and virus attacks wouldn't work.
1 Vote
No, I think
Charles Bundy Updated - 25th Aug
that no matter how hard you try your software will contain bugs and vulnerabilities. Not purposeful, but simply the scale of complexity and lack of maturity of compilers, testing toolsets, et al.

So if that is the case 99% of the time what then?

P.S. Even in engineering we don't hold E.I.T.s accountable. Only P.E.s get their ass kicked personally for faults. If the software development field had some sort of rigor attached to it for developers (and they were paid appropriately like P.E.s) then we might have some baseline on which to pass judgement. This would allow rookie developers the safety to make honest mistakes while learning their craft under the supervision of something like a P.E.

What is being proposed here is akin to shooting horses as a training method. It works but you go through a lot of potentially good horses.
are totally unknown at time of release, and I have constantly said so. What is amazing to me is that software used to be bug free and fully tested as a matter of course, but isn't now and people are objecting to having it done. The only reasons I can see for being against doing it right and being held accountable for making sure KNOWN problems aren't in it are either laziness, lack of skill, or deliberate intent to provide shoddy or vulnerable code.
3 Votes
Bug free back then. But the folks who taught me software engineering "back then" were the ones who beat it into my head that there is no such thing as bug free code. Even working on a machine with 4K of core, bugs were introduced. Hell the term bug goes back to Mark II days.

So if your whole thesis on punishing folks is based on them writing code with bugs, it fails. I'm with you if they did so out of laziness or with ill intent, but you have to prove that in a court of law. In a field where bugs cause billions in loss, don't you think that would be tried more often if it were easy? And software developers don't even have methods to evaluate how they do, such as engineering has. We're all about cutting edge, not tried and true.
UNKNOWN bug. The difference is that today companies put out software with bugs and vulnerabilities that are known about prior to release - that should NOT be allowed. If a bug is known about or found prior to release they should fix it prior to release or be open for litigation for selling a known faulty product. Is that so hard to understand?

We've had a few software code writers post about being told by management to ignore problems found during the development, well the company and those managers should be held liable for giving such orders.

Not all software code writers are working the cutting edge, much of the stuff being released is all about doing things that are well known or have great globs of the well known with just a little new added. Hell, even the bulk of the latest games are mostly known and established code.
If we don't know all the bugs in the universe, and we don't commit them to mind, and of course, these are common knowledge, then we are lazy and unfit to be programmers.

Then you say that bugs are variations of other known bugs and exploits (only thing you've said that's true), and that we should be able to code perfectly against those as well.

So... follow me on this one now...

If every exploit is a variation of every other exploit, and every programmer should code against every exploit and every variation, then shouldn't the programmer code against every exploit and known bug?

So essentially, besides this back-pedal, aren't you effectively saying every programmer should program bug free?

Logically, if you combine your statements throughout this thread, I think you'll find you are.

"Hey Vern, you think if we sue enough people, we'll create a perfect race of people?"
3 Votes
What I hate about this industry is that we have completely unqualified people calling themselves "software engineers" -- no licensure, no rigor, no periodic testing. Absolutely: license all of us except those in training. Software costs will go up, so will quality standards. Do it. Make automation go from a "no-brainer" to something you'd damned well consider from a cost/efficiency standpoint. Perhaps the equation changes now?
0 Votes
Esp. paying people more money to take those risks as a licensed professional. I don't disagree with the premise of holding people accountable for their work BTW.

Before comparing developers to doctors, lawyers and engineers we had damn well better get that rigor/salary in place prior to issuing beatings.

That would answer my nagging question regarding complexity and rate of change too. If a professional body of knowledge/practice doesn't hold still long enough to build a licensure framework, we can't get a handle on disciplinary actions through evaluation.
1 Vote
Moderator
Charles
HAL 9000 30th Aug
Best not look at the income of a Young Doctor working in the Public System so that they can make a name for themselves and then work their way up to get the Big Bucks.

Like everyone else beginners tend to work for businesses who carry the responsibility and pay their "New Comers" accordingly.

Not all Doctors are paid as the Top End Specialists and not all developers get the money that The Woz gets. wink

Col
0 Votes
and young lawyers, too!
Hey, give me a piece of your work. Me and some of my buddies at 4Chan want to see a master-mind development.
0 Votes
And I've committed them all to mind. If I don't let at least 50 slip on purpose, then the devil, my cohorts in the development community, and I haven't done our job. >:)
That would be like suing the developer who made it - suing the company that was the vendor, that's like suing the restaurant - the analogy was off right off the bat.
Your claim would be that someone made your software MORE vulnerable to attack following its release? How's that work again? Or is this a "guns don't kill people, people kill people" argument? Either way, remember what's at stake: people's savings, their livelihoods, their identities -- there is no way you can afford these things too much security. And if you've failed to test, you've just abused that trust. I guess we could always go back to paper-based banking. Kiss your market and your paycheck goodbye.
it's hard to fathom the degree of disconnection from the real world you have to be to push such a notion.

Maybe one day, perhaps, this industry will have matured - its tools, its technologies, its communication stacks, its programming languages, its test suites, its learning/training/certification structures - to where a finger can legitimately be pointed to a specific party if an end-user suffers material loss due to a security vulnerability in software.

But my Deity we are SO FAR from that possible reality now, in fact further from it than we've ever been, that I just shake my head at how blind Dr Richard Clayton must be to be pushing this notion so hard for so long.

Before Microsoft even launched Vista, they touted it as "the most secure Windows ever". Well, maybe it will be, maybe it won't, but we won't know in reality until it's been out there a while. Cue surprise, it was little or no more secure than XP (64bit versions suffered slightly fewer exploits). Same with Win7 three years later.

Adobe, one of the most targeted software vendors, has been hacking & slashing its way through its code for years trying to stop being the world's security vulnerability punching bag. Reader/Acrobat X & Flash v11 with their fancy new sandboxing technology were supposed to stem the deluge of exploits. Well, they did, a little, but read the news in the last month to see how not-100%-effective that's turned out to be.

Even some of the oldest, most 'peer reviewed' open-source code has had shocking security vulnerabilities discovered earlier this year.

Writing unexploitable code is not equivalent to making a safe hamburger! Making a safe hamburger has been a perfectible process for more decades than I've been alive.

Writing code without bugs, let alone without the ridiculous subtleties that come into play when it comes to exploitability, is several orders of magnitude more complex than making a safe hamburger, and we simply haven't ANYWHERE NEAR mastered the tools, techniques and training needed to get to the litigious utopia espoused by Dr Richard Clayton.
they should be held accountable if they include KNOWN security flaws or don't do proper testing, the same as all other manufacturers are.
A software product like Windows must be *at least* 1000 times more complex than a car. Are you prepared to pay for the vast level of testing (and liability insurance) that would be required in order for software developers to be held to the same standards as other manufacturers?

Windows Vista had 50 million lines of code, any one of which or combination *might* cause a security vulnerability. When we see a car with 50 million components, then we can talk about holding software developers to the same standards.
organisations already pay for programs with such well written and tested code - Dun and Bradstreet's Millennium accounting program is one example I know of. The Unix and Linux communities seem able to manage it without adding on a huge extra charge for putting out good tight code without KNOWN faults and for quickly fixing any new faults found.

I doubt it'll be a huge expense to do it the right way. However, those who have huge piles of faulty code will have to spend a lot to fix it up, but that's what they get for being lazy in the first place.
0 Votes
Quick. Work that into a legal document and patent it. We shall hereby sue any individual producing "mush."
0 Votes
Aren't there already laws to hold developers accountable that utilize KNOWN security flaws? I think we call them hackers... happy
in their products, but when someone hacks a system and uses a flaw and can be traced they can be dealt with - which is another matter entirely.
0 Votes
anyone, anytime, anywhere here in the states for anything (civil court). That includes developers, their cat and their little dog too!

And most US states do have criminal cyber laws which are geared towards a very specific type of software development, e.g. malware, virus, worm, et al.

You keep pounding on developers writing code with KNOWN security problems and that jives with cyber-crime (e.g. back door trojans on top of that cool free game.) I don't know of any other type of software developer that would KNOWINGLY write code with such flaws.

E.g. all I see is criminal behavior on the part of Mom in [lehnerus2000]'s xkcd.com link. She became a cyber criminal as soon as she acknowledged 'sanitizing input'. To say the school is stupid implies ole Mom there is malicious as well.
committing cyber crime - just check out how many KNOWN vulnerabilities are the first to be patched in each new version of Windows because the faulty base code has been carried across instead of being corrected in the base code.

Under civil law, you need to show malicious intent - what we're talking about is laziness on the part of the coder.

As to the joke, in my view both are at fault, the mom for what she did and the school coder for crappy work.
limitations on revision control or code base maintenance? I've only heard "maim the developers" in the article.