Holding Developers Liable For Bugs
sebFlyte writes "According to a ZDNet report, Howard Schmidt, ex-White House cybersecurity advisor, thinks that developers should be held personally liable for security flaws in code they write. He doesn't seem to think that writing poor code is entirely the fault of coders though: he blames the education system. He was speaking in his capacity as CEO of a security consulting firm at Secure London 2005."
I will admit that I have seen a lot of bad programmers and bad code over the past few years, but let's step back and think about this. Programming jobs are rapidly being sent overseas to India and China. This is not going to create much of an incentive to keep such jobs in the States, nor does it create much of an incentive for people to go into the field. Holding companies accountable, as suggested in the article, might be a slightly better solution, but again it's somewhat complicated when you start trying to hold an overseas company accountable. (It's more doable than holding an overseas individual accountable, but still not a simple task).
As for the article's last point about CMM environments: It's not at all an indication that software has been developed by quality developers, all it means is that the code was developed using a reasonable development framework. CMM level 3 means that you document your processes, and typically have peer review. Bad peers means peer review is worthless - it does not guarantee good programs. CMM Level 4 involves "quantitative quality goals" by which productivity, quality and performance are to be measured. This is a bit better, but again it's a matter of where the bar is set. CMM Level 5 is about continual improvement, and is extremely strict. I think that CMM Level 5 is the only environment where one can actually be assured of reasonable quality code. I've seen way too much bad code come out of CMM-3 and -4 environments to give them much credit. If you've got great people, then a CMM-3 environment typically produces great results. For -3 and -4, what you put in is what you get out - not guaranteed greatness.
About this little thing called "the mosquito" which we received as part of Earth v1.0....
...and gun manufacturers should be responsible for murder.
>>Howard Schmidt, ex-White House cybersecurity advisor
:)
I can see now why he's the EX-advisor. Even Dubya thought his ideas were dumb.
Whatever happened to holding the people who exploit vulnerabilities responsible?
steampunk web design
You need proper code reviews, etc. if you want to find security flaws. The company writing the code should be responsible for organizing such things.
Facts do not cease to exist because they are ignored.
Wouldn't that be like holding a car manufacturer liable for mis-use of a vehicle?
TT
Remind me not to work for this guy.....
Why not make CEOs personally liable for not putting the code through proper QC channels and selling it over-promised?
Made to sell, not to use? Whose fault is that?
B-)
A friend will come and bail you out of jail, a true friend will be sitting next to you saying, "damn that was fun!"
That proposal sounds fine, but then we should hold government leaders personally responsible for wrongdoings of government.
I'd love to see some jail time or a fine for Mike Brown after Katrina, or how about some jail time for Bush after the false pretences of Iraq?
Want me to pay 10x more attention when I code?
Pay me 10x more. And don't be in such a hurry for your product to get completed.
It's usually poor management that forces the product to be out the door 6 months before it's ready. Either keep your job and release a buggy product or stick to your guns and get fired. I think it should be the company, not the individual developer held accountable. How the company handles things internally is up to them.
---
Programming is like sex... Make one mistake and support it the rest of your life.
Sure, let's sue the pants off anyone who does anything wrong. Let's make it impossible for anyone to create anything new or different. Cradle-to-grave protection, ensured by armies of well-intentioned and socially-responsible attorneys -- that's the sure way to economic success!
that this guy is a PM, and read something somewhere?
While I agree that accountability is a good thing, liability without major restrictions seems like a dangerous thing. I am a software developer myself and I give my clients the guarantee that all bugs they discover within 6 months will be removed free of charge. Since I have no knowledge of how much losses they will claim as a result from even trivial bugs (yes, some clients are greedy), accepting liability is not something I'm going to do.
see a Text Widget
You can as well ban "software development" as a trade. After all - WTF? You get what you pay for. I say that your average "in-house" enterprise software system has complexity no less than Toyota Camry or something. The difference being that software would be developed by 1-10 men during a year or two whereas any other _industrial_ design costs (both in $$$ and "man/hours") much, much, much bigger. But who cares? Get back to coding, you idiots!
CMMI doesn't guarantee good practice any more than membership in the Better Business Bureau guarantees good business. But I'd rather work in a shop that has CMMI in place than one that doesn't. It's insurance against the sort of death marches that create slapdash practice, shoddy product, and security holes in the first place.
I am currently the Development Lead / System Architect at my company. In my experience, the majority of "issues" and or "bugs" that I have seen crop up have been directly tied to poor requirements gathering by our "Business Analysts".
Often, it turns into a real pissing contest between the two groups. Usually, after testing reveals that the grand vision of the BA is a crock we will usually revert back to the original recommendation of the development group.
Yeah, let's blame the developers for the problems. That's the ticket.
When you die, on your deathbed, you will receive total consciousness. So I got that goin' for me, which is nice.
I didn't catch the ex- part the first look and thought "whaaaat?" as I know the current White House occupation force is very Microsoft Friendly and would never endorse such sentiments.
A feeling of having made the same mistake before: Deja Foobar
Gun makers should be punished if they make a gun which isn't safe for the *user* of that gun. As a matter of fact, I think they already are liable in that circumstance.
your analogy is like suing jon jonson if i use decss.
It's not always a question of the coder, and a bug is not always a bug. In the example in the article, for all we know the specification called for a plain-text transfer, and the coder did exactly right.
So we'll have yet more wrangling over specifications, more walls between users and developers, and more CYA behavior. That'll be fun.
-Jeff
Please learn the difference between a dissenting opinion and a troll before you moderate.
This is an example of someone looking for someone else to point the finger at. While I would love to see more developers take their coding very seriously, the systems in question are way too large and typically developed in way-too-tight a schedule to ever expect developers to monitor their implementations as cautiously as to personally be responsible for security vulnerabilities. And maybe the GAT testers should actually test their contractors' software instead of pushing it through.
He doesn't seem to think that writing poor code is entirely the fault of coders though: he blames the education system.
You know, I don't think it's entirely his fault that he's an idiot: I blame the education system.
Look at it this way. There are already laws on the books that say I can sue company X for giving me a POS. Why go after the poor slob who works for the company? If I have a blowout on a tire on my car should I track down the guy on the assembly line that was working that day or go after the company whose process stinks?
TT
So should construction workers who help build a house that gets burglarized be held personally responsible?
If we are supposed to hold developers responsible for security flaws, why don't we hold politicians responsible when they give us false reasons for going to war, responding to disasters and evaporating budget surpluses?
In the world of corrupted politics today, it is hard to find ANYONE accountable for ANYTHING. Why should it be different for everyone else?
Just a thought.
He who knows best knows how little he knows. - Thomas Jefferson
The only thing that's happening here is a nice sound bite that's engineered to sound good to the clueless masses but, ultimately, isn't meant to go anywhere or do anything. Basically, it's politics in action. "See? I'm tough on problems! I'm a go getter! I want to hold the developers personally responsible for the bugs they write!" Whatever.
While individuals can make stupid mistakes, the real problem is in the system and managers are ultimately responsible.
As a simple example, take a web application. The web people believe (reasonably or not) that the form fields will be cleaned up by the backend people. How do they know what's dangerous anyway? The backend people believe (reasonably or not) that the data will be cleaned up by the web people. How do they know the various encoding schemes used, etc.
Then some **** adds a cross-scripting exploit and compromises sensitive information.
Who's responsible, the developers or the managers? Even if the developers are paranoid, what about the errors introduced as everyone tries to handle conditions outside of their sphere of knowledge? What about the new security flaws introduced by that?
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
This is just what the software industry needs: Another business guy who has never written a line of code trying to tell the rest of us how to do our jobs. For all of the whining and crying about bad software you'd think they'd actually put the developers in charge for once. I can't speak for the industry as a whole but from my perspective 70% of the problems in the development world come from business types setting impossible deadlines and failing to listen to their developers.
How would this affect OSS projects? Would the development community be liable for damages caused by bugs in software? I have seen a lot of free software that comes with a disclaimer waiving all responsibility of the author; would that still hold up?
Hold the vendors responsible. They are responsible for 100% of all problems that are not the fault of the customer.
The vendor then holds the developer responsible. They are responsible for 100% of all vendor bugs that are not the responsibility of the vendor.
The developer then holds the programmer responsible. He or she is responsible for 100% of all developer bugs that are not the responsibility of the developer.
It's the way it works everywhere else. If you have a faulty product, you take it back to the shop. They then take it back to the manufacturer and if it's a fault caused by a specific individual, they either sack him or train him properly. The purchaser would generally not sue the guy on the production line or the designer, even if it was their fault.
There are good reasons for doing things this way. It prevents people from passing the buck. It means each entity along the line is wholly responsible for ensuring quality.
Nonsense.
Cheers,
Ian
Few people on this planet can afford software developed to such a standard.
There will always be a market for "cheaper" software that is not guaranteed to such a level, and with support contacts instead, where developers will try a moderate amount to fix problems as they arise.
From another perspective, the market is demanding of cheap software - not good software, which is why there is so much of it.
Sam
blog.sam.liddicott.com
No one is responsible for security flaws in software products. It says so in the EULA.
Fast, good and cheap. Pick 2.
Fast and good= Expensive
Fast and cheap= Buggy code
Good and cheap= you better be patient
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
I could kinda/sorta see holding someone liable for foreseeable events when he put out a piece of code as commercially usable (e.g., sells it). However, security attacks are basically not predictable, and are statistically fantastically improbable data patterns as random or mistaken inputs. Makes no more sense to hold a designer responsible for falling victim to this than it does to hold a building designer liable if someone fires artillery at the building and the building is damaged/destroyed.
Yes, there is an art of fortress design, but that has never been considered exact science. There are too many new ways people invent to attack fortresses. Same holds for code.
The kind of proposal here is a measure of the intelligence and understanding of the fed involved: low.
Developers, or rather their company, should be required to produce a security statement of some sort. This would set out the level of confidence they have that their software is secure. It would set out the development practices that they used to ensure security, and would incorporate a simple risk assessment.
It would then be up to the customer to decide what level of security they require. If the developer says "I don't care about security and wrote the software with that principle in mind", then a customer has no right to complain if they purchase the software and security issues arise. Alternatively, if a developer says that they develop with security in mind and adopt principle x, y, z and testing strategies a, b and c, then if a security bug arises that should have been caught by one of those activities the customer has a legitimate grievance.
In the same vein strong penalties should be imposed on customers who insist on having a lot of features added to a product at the last minute.
My sig is too lon
Thank you for your insightful comments regarding security flaws in code. As a well regarded member of the 'cyber-security' community, I find your perspective to be quite fascinating.
No doubt, in your long years as the former head of security with this community's favourite software development company, Microsoft, you gained much valuable experience in developing secure code.
I am not entirely clear how you envisage this 'personal liability' working in practice. Should we perhaps lien a programmer's personal property, dwelling and car as soon as he or she begins development of software? This will no doubt have the beneficial effect of attracting many new recruits to this fun and exciting industry.
Might I also suggest, whilst we consider matters of personal responsibility, that we hold politicians and their appointees personally responsible for their actions. There is the small matter of the US national debt, that I am sure we could sit down and discuss at some length.
Kind regards,
Anonymous Coward
But... You no longer get to dictate any kind of timeframe for completion. It will be done when I'm certain that it's perfect.
Deal?
A previous poster suggested that he wanted to hold companies responsible, however the way I read it, he wants to hold the individual developing the code personally responsible. Am I reading this correctly?
As I read it, Company A can still maintain their blanket "No Responsibility Whatsoever" EULA, and we'll just hold Joe Schmo (or Ackmed in this case) responsible.
Secondly, as a previous poster states, most of these jobs are being shipped overseas. I'm not so sure that India or China is going to cooperate all that much if someone is trying to hold one of their citizens personally responsible for bad code.
Awesome!
To put the entire blame on the developer misses the point.
While programmer ignorance, incompetence and/or laziness certainly plays a role in the problem, there are other factors that should be considered:
(1) Death-march-style deadlines imposed by management, leaving no time for proper design, threat modeling, or testing.
(2) Security flaws in the underlying infrastructure (operating system, network, etc).
(3) Malice/stupidity of authorized users to bypass established safeguards.
Security is the responsibility of everyone involved in the creation, management, and use of a system, not just the hapless developer.
This from a guy who thinks Phoenix University is where you can get that training... Hehe...
Sure.. hold the developers responsible but first we need some provisions in the law.
Let us beat him.
I was going to bitch a little more, then I thought about it. He has a point, albeit a small one. The software industry on the whole does have a very tolerant attitude towards flaws in products. However that's just the free market at work - fixing bugs adds cost to product, to compete we cut costs, buyers don't mind bugs in most software, and software being a low personal-investment product for most people (not us), they won't shop hard to select for/reward bugfree software.
I've heard stories about how space shuttle software is proved, line-by-line, and therefore is completely bug-free but 20 years out of date and prohibitively expensive. There's a tradeoff involved. The real question is: should we be at the current tradeoff point? The free market doesn't always produce the optimal solution...
Certainly there might be a case for putting some blame on the coders, but I'm not going to argue the value of finding a scapegoat here. However, how about adding to this list...
1. The customer with constant requirements changes
2. The manager that expects the job done with an unrealistic budget or schedule.
3. The systems engineer that screwed up the design
4. The QA guy that didn't properly test, and find the bug.
5. The folks that all signed off on the formal inspection of that code
6. etc.
If you want rock solid code, you're going to have to pay for it with both schedule and budget. When people
Just another day in Paradise
2. What about laissez-faire management that ignores any such processes that are in place so as to ship code on some arbitrary market-driven deadline?
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I think this is a superb solution and it should be implemented immediately - after CEOs are held responsible for any wrongdoing by their company...
...but wait it would appear they'd also be responsible for their coders producing bugged code... oh, dear. Perhaps this isn't such a good idea after all?
Long term health issues
Pollution
Corruption
Payola
Poisoning
Bodily harm
A hundred and twenty characters ought to be enough for anyone...
YHBT, YHL, HAND
Everybody's a libertarian 'till their neighbour's becomes a crack house.
What about holding politicians or managers liable for their misjudgements and mistakes? Or maybe hold journalists/reporters liable for their spelling and grammar mistakes?
If the software is in some sort of life-endangering system, that is already the case. But for a security breach? That would be like suing a lock-maker for not being able to produce an unpickable lock.
If someone were obviously negligent, we could talk about it. But for a bug? People make mistakes. Software is more complex than any other tool ever invented. Combine those two, and it is inevitable that mistakes occur, unless you spend A LOT of resources for testing and/or proving the code correct. And that does not prove the design and requirements to be correct, only that the implementation matches the design.
Keep open minded - but not that open your brain falls out...
Nuf said!
This is absolute bunk! Most often, programmers would have a 5-10% stake in responsibility when compared with the mountainous bureaucracy above them. Consider how often a non-technical exec overseeing a software development project will agree to a contract that is nigh impossible to complete on-time. The customer holding that contract begins squeezing testicles, placing pressure (by extension, through the bureaucracy) on the entire development process. The exec says, "You mean there isn't a programmer writing or debugging code this very instant!? What a crime! You're not doing your jobs properly!" The truth of the matter is that ~30% of the project timeline should be research and design. Without a good design, and resources on-hand, bugs creep in. It is impossible to test quality into software, it must be designed in.
Programmers don't draft contracts, they don't set deadlines, they don't make budget decisions, and certainly aren't responsible for failing to keep bugs out of a system that was (due to poor decision making in the aforementioned areas) designed to have bugs.
I pity the foo that isn't metasyntactic
... The pointy hair types that change requirements at the drop of a hat for no apparent reason. When the impact is explained to these pointy hair types, their eyes glaze over and tell you to do it anyway.
But since when has logic ever been a factor in anything a politician (ex in this case) says or does?
Prof. Farnsworth - "Oh a lesson in not changing history from Mr I'm-My-Own-Grandpa!"
...automobile engineers personally responsible for brake failure ...building architects personally responsible for a collapsing foundation
Poor software doesn't just belong to one developer or even a small team of developers, it involves a poor business structure. This includes a lack of source control, poor time constraints, lack of a testing environment, etc. This guy is clearly nuts.
Development notes at http://devscribbles.blogspot.com
I think I agree with the British Computing society more so than with Mr. Schmidt. I think coders should be held responsible, within a company, for poor code that they write, but overall the company should be held liable for bad code that it ships. If a company fails to have proper QC, then it's the company's fault, not the fault of a lone coder who might have written an insecure subroutine. Most companies don't have single coders, and rarely is there a single coder who has full (100%) knowledge of the other 10,000,000 lines of code in the product. I think proper education, as stated in TFA, is a better idea. Why not send the employee to a security class if the coder continually writes insecure code? That'd solve the responsibility issue and the education issue. Then, the company would produce more solid code and everyone wins; especially the consumer.
Men occasionally stumble over the truth, but most of them pick themselves up and hurry off as if nothing ever happened.
I write financial reporting software for my company. Before anything is installed, even the most minor one-line bug fix, I have to sign a Sarbanes-Oxley statement of compliance. There are criminal consequences for not performing these steps properly. My QA person also has to sign this. My CIO is also held personally responsible, in that he/she could go to jail if something I wrote caused inaccurate financial reports to be released.
I suspect many people who write software, like myself, are already personally responsible. And so we should.
You almost have to look at where the bugs come from before you can make a judgement of liability. Some projects have bugs that come from the design criteria of the project, others possibly because of budget constraints by the customer. Also, in the example of an E-commerce site that uses the typical apache/php/mysql mix, what if you're a developer and create a site using these tools, and there is an exploit in one of these other pieces of software, or even the OS you're running on? Does that make you open to a lawsuit as the developer? Do you then have to turn around and go after the creator of every library you use? Where would it end?
There's nothing quite as awful as unconstitutional laws. The burdens of overturning one are immense, especially when you think "legal fees" for "burden." Politicians who write, vote for, or enforce such laws should be held accountable: make it a prosecutable offense, not just something to be corrected at the next election.
And it could be extended to appointed positions that have any say in introducing invalid regulations or other enforcement-style activities. Just to keep advisors in mind and not be completely disassociated from the story here... :)
(For those of you without a sense of humor: I'm not being entirely serious here, as "more lawsuits" is seldom an answer to an overabundance of suits &c. It's just a look at the flip side for anyone out there who hasn't programmed much...)
Processes can aid in ensuring consistency, but they aren't strictly necessary.
I worked as a development/support programmer in a fairly critical application area for a major airline for over ten years, and we had a small tight team of a dozen fairly experienced developers and only a few formal processes in place. The software that was written and loaded in production was generally of very high quality, mainly due to a good culture of informal peer review, testing (involving users and programmers alike), heavy use of a test system to let changes simmer a bit before release, etc., but there really wasn't a formal "methodology" in place, just common sense practices that everyone there had agreed to follow.
For larger groups or in development environments where software is released in bursts (e.g., a new version is released to external customers every few months) it might make more sense to put more formal processes in place, but when working on a living system that has to change from time to time in a few days (or even hours) I'd rather put my faith in a couple of experienced programmers who know the system and the expectations of the end users.
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
You know for an administration that claims itself to be Republican, this is shockingly statist rhetoric. Even worse, for an administration that is trying to eliminate frivolous lawsuits, this would open the Pandora's box.
The right solution is to give people what they pay for and to make it easier to shop for the right solution.
This means an end to EULAs that forbid discussion about a product, including, but not limited to:
benchmarks,
security advisories,
interface design
Also means that there should be limits placed on NDAs and non-competes so that a software product can be discussed.
If someone makes a shoddy security product, then don't buy it.
This is my sig.
The Romans always held their architects accountable if their buildings were to collapse. If a building collapsed and somebody died as a result, the architect was then sentenced to death.
a) requirement of professional certification in order to work in the field,
b) salaries would go to $200K (in US) average real quick,
c) no one sane would outsource to 3rd world countries.
While this would be beneficial to some (self included), it would wreak havoc through the system. It would certainly slow down computer systems development as only big and rich could afford it.
All after all, it will happen some day but not yet. Computer science engineering is still stone age as compared to other professions like engineering and architecture. We need some more turbulent development to get there.
>> thinks that developers should be held personally liable for security flaws in code they write
I'm a Software Developer with 25 years experience, and also a hiring Manager. I came from Europe to the USA about 5 years ago. I'm amazed at how difficult it is to find good Software Engineers in the USA, because the job market is flooded with people who have apparently very little skill or even intuitive ability.
I'm guessing that this is largely a side-effect of the dot-com era, when everyone and his dog decided that software development was the place to be.
I see this 'personal liability' thing as a Good Thing(tm) if taken with a dose of common sense. It should at least help to sort out the men from the boys and 're-professionalise' our industry.
Fine. Pay developers like CEOs. If developers are the ones shouldering the risks then they should be the ones receiving the rewards. I think I can afford malpractice insurance on an eight million dollar a year salary.
Given that there are and have been software projects geared to being bug-free and hack-resistant and that they have been successful, it lends strongly to the idea that quality and stability is possible.
... before object orientation caught on. I recall my thought process while coding and when processing input, I always always ALWAYS made every effort to ensure that bad data or other error conditions did not cause me embarrassment. And when "stock" routines didn't serve, I ended up writing assembly code routines to make it happen the way I needed. Those were more simple days, but I cannot imagine how complexity changes those fundamental rules.
So where does the fault lie? That's a tremendous problem. Is it the coder of the project? Is it a fault of the libraries that the coder has made use? Is the code misusing the libraries? Blame can be shuttled back and forth ad-infinitum. And what about project managers pushing for release before something is ready? How much of the blame rests there?
But ultimately, I believe programming practices are not what they should be. I've never coded a "large" project, but I have coded and patched in the early days
It's called Engineering, before any type of responsibility for the flaws in software are established, or perhaps at the same time as, you would need to create a formalized professional engineering board for software.
This is not a small task, you would only be able to hold professional software engineers liable for the result of their software designs. The good news is that the liability would have to come with an equal increase in pay or no one would accept the liability, of course, the U.S. government would then have to pass some laws to require that certain critical software must be designed by software engineers.
Some people are going to howl that this is the end, but it's not, it's just a sign that software development is growing up. This is the same type of rules that a design for a bridge or a nuclear power plant has to undergo. We may want to make sure that the software that operates that plant is held to the same professional standard as the physical design of the building.
One upside is that these steps would prevent "software architect" type jobs from being exported to third world nations, and the company would be liable for correctly creating the design laid out by the software engineer.
Personally, I think that's where we're going to end up. Whether it will be sooner or later, though, is the question.
Fanatically anti-fanatical
It's interesting to watch the erosion of personal responsibility in the design fields. Before the large corporations paid for their exemption, it was all personal liability. As a professional engineer, I am both corporately and personally liable for any errors in my work. The corporation does nothing to shield me. Now, if I were in manufacturing, there are special exceptions that were bought from the legislatures which allow those engineers to shirk their responsibilities. This is the same thing - it's just that someone with a loud voice is pissed off enough to say we should return to where every designer must be responsible for his or her actions.
Can you imagine how products would be different if a single human in charge of a product/project would have to sign his or her name personally that it was done correctly, with proper safety standards in place and checked? There are some downsides to this, don't get me wrong (longer cycles, higher costs), but it's one thing to get something out the door, it's another to put your name, reputation, and financial means on it before it goes.
Before I finish, I should mention that most engineering laws require engineering firms to be owned (usu at least 51%) by registered professionals, and it is common practice that the name on the design paperwork is an owner. This reduces the likelihood that a bean-counter will be an owner and require an incomplete project to go out the door in the name of finances alone.
Is it just my observation, or are there way too many stupid people in the world?
Seriously. This would push every developer out there to either quit the field or take on massive amounts of liability insurance, just like doctors have to do now. The result would be a two to three-fold increase for developer salaries. Anyone else willing to work for less will be doing so at their own legal peril... somehow, I don't see many folks lasting that way for long.
Somehow, I think good old-fashioned corporate shielding and the current "work for hire" laws are here to stay.
So much for leadership. "Hey, I just give the orders around here, my staff is responsible!" The boss sets the schedule, allocates the resources, sets priorities, etc but he/she isn't the one liable?
Based on his logic can we make CEOs personally responsible for corporate debts and violations?
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
"The buck stops just before it gets passed to me."
Sheesh, evil *and* a jerk. -- Jade
He doesn't seem to think that writing poor code is entirely the fault of coders though: he blames the education system.
To hold programmers responsible for software failures is downright irresponsible. Programs are not bridges. Whereas bridge engineers can use known procedures and practices to ensure bridge safety, the same is not true of software engineers. It is impossible to guarantee the reliability of complex algorithmic software. This much has been shown by Frederick Brooks. But, regardless of what Brooks claimed in his famous No Silver Bullet paper, the reason has nothing to do with complexity (there are many good examples of reliable yet highly complex systems in nature), but with the algorithmic nature of our software. Switch to a non-algorithmic, signal-based synchronous model and the problem will disappear. See the link below for more on this important subject.
Project managers should be responsible, these are often the people who push the developers into writing things fast. QA Managers should manage the test process properly to ensure a release of software is free of defects.
Designers should create the best designs, then the coding is more trivial. Testers can use the designs to ensure the software works according to the specifications. When will people learn?
This got me thinking. Compare a CS degree to an English degree. With an English degree you come away with a good understanding of the language, grammar rules as well as history of other writings and in general the ability to write very precise sentences or elegant sentences to fit the needs of any given situation. Most English majors could immediately write a reasonably readable book. I couldn't say any of this about the average CS major.
..didn't read TFA (of course), however the developer who actually writes the code is probably pressed by his Project Manager (or his local equivalent in case the particular function is outsourced overseas). The Project Leader is probably under a lot of pressure from his peers to push out the money sapping project to shipping so the company can start earning money and the company owners are probably sweating bullets because they know that this might cost their bonuses if the shareholders get pissed by the expenditure/delays.
So think: Ship, ship, ship. Get the shit out of the door and packaged, we can always Service Pack it later (and that way we get free testing by our customers).
Security problems and bugs are so commonplace in today's software that no company (save NASA, their bugs tend to cost lives in spectacular ways) takes huge PR-hits because they have to release ServicePack nr. 2 HotFix 53 for their flagship product.
1. Do you want the project to be finished in time?
2. Do you want it done in budget cost frame?
3. Do you want good quality?
Choose two alternatives. Anything else is just bullshitting yourself / your workers / your shareholders.
Simple - politicians make laws to hold people accountable. Of course they are gonna exclude themselves!
the homeowner's insurance company. Which is another good analogy. What happens if companies (and individuals) start buying insurance against losses due to bad software?
Best Slashdot Co
1. You cannot become a doctor without long theoretical and practical training, intermixed with hard exams. All this is heavily regulated. To become a coder, you just have to pass a job interview. Software engineering certifications are optional and generally regarded worthless.
2. Doctors are insured against malpractice. The costs are high, and generally passed on to patients.
3. Doctors can choose not to operate (administer drugs, etc.), if the action constitutes malpractice. In software industry it's "use this braindead tool, or get fired".
4. Malpractice. Ok, today's revolutionary therapy, maybe tomorrow's malpractice (or vice versa), and experts might disagree about some practices, but there is some sort of general agreement on what constitutes malpractice. I'm not sure whether IT is mature enough to speak of "malpractice" here.
To sum it up: yeah, you can make developers liable for their mistakes, but the consequences would be huge. The costs of IT would skyrocket. Are you ready to pay for that?
Just this weekend, I was having a similar conversation with my father, who is a PE (Professional Engineer). He retired for a while but came out to work on a new project. As part of that, he had to reinstate his lapsed PE license. This involves making sure he has taken enough training and what-not to stay up-to-date.
Talking about this, I pointed out that in software, there is absolutely no such licensing hoo-haa, and suggested that it was directly traceable to the "AS-IS" disclaimers on each and every software license that has ever been written. An engineer who designs or builds a building has to be licensed and has to sign-off on drawings and what not because they are more-or-less eternally responsible for the things. You can't just get a clean compile and kick it out the door.
Eliminate the total liability waivers in software licenses and you will see a) software quality go way up, b) the amount of available software go way down, c) professional licensing requirements pop up for software people, d) fewer software jobs, and e) more job security for the people in those jobs.
Is this desirable? Who knows. I'll do fine in either case.
You will note that nobody is complaining about architect and mech-e jobs going overseas. Those stay close to the project because of the professional licensing issues.
According to this CEO, if I am paid $50K to write an application that makes $1MM; then the company keeps all the profits.
But, if I'm paid $50K to write an application for which the company is sued for $1MM; then the company accepts none of the risks.
Sure, that seems fair - but only to a CEO.
what do you expect to recover?
Of course, I realize that lots of GPL'd software is sold but then it's no different than commercial software in that sense. But if you paid nothing for software and you have problems, what's the difference between that and someone who finds a free recipe on the net for muffins, makes them and they taste bad?
It is so amusing to read the knee-jerk reaction around here over an idea that makes a lot of sense. Oh, the typical slashdot crowd is more than ready to blame the "suits" for all the ills of modern software development, but developers themselves? Asking THEM to face the music? Blasphemy! It could endanger their whole hacker culture and power trip attitude. So pathetic...
The retort that "developers can't guarantee good software if management keeps pushing them" is even more ridiculous. If developers were compelled to produce bug free software *by law*, you can be sure it wouldn't take long for the software industry to make the appropriate changes. These kinds of issues have been tackled before, you know. Coders could be insured by their employer for example. Have you ever seen a bridge engineer do a sloppy job and then blame his employer for assigning unrealistic deadlines? Or a medical doctor? These people can also be sued over malpractice, and they handle it pretty well.
I'm sick and tired of having to write crap code all the time. I want to write really nice stuff and am always pressed to get things working right now even with bugs present.
If we all were liable for bugs present we'd make sure to let everyone know it would take time. Engineers aren't told to build bridges in 10 days, from inception to coat of paint. Why should developers be hurried to do important code?
The mainframe environment where I work does not easily allow things like buffer overruns or the executing of data to happen -- data areas are marked non-executable, memory is assigned to applications in discrete blocks and managed by the system (not the applications programmer), and the system generates a hard error whenever the IP walks outside the predefined memory area initially granted to a given process.
In an environment like that, many of the errors we hear about in a typical UNIX/C environment (e.g., buffer overflows causing input data to be executed, etc.) simply do not exist.
Good practices are a good start, of course, but there will still be the potential for serious problems as long as the platforms we use allow for an applications programmer to step on other programs and/or execute areas of memory which were not explicitly marked for execution at process start time.
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
So long as I can bill you $500/hr and I'm given 16 billable hours for each line of code I write to make sure there are no bugs.
Doctors make a boatload of cash because
A) Expertise
B) If they make a mistake, people can die or become sicker, etc.
C) High Probability of lawsuits if they make a mistake
D) High Risk, High Return.
Personal liability for coders working for companies is not productive. A requirement for sharing reports of software defects would be more of an incentive to develop better engineered software. For automobiles, aircraft, and consumer products safety defects are tracked and reported. Of course, most software is probably not directly safety related. There are also some consumer measures of auto defects, e.g. quality surveys, maintenance estimates, etc. The consumer measures of quality are not perfect, but they are more accessible to the general public than the software versions of the same. As a software consumer, counts of bugs reported, bugs vs units sold, etc would be useful in making purchase decisions.
If anyone is personally liable for damages, it should be the owners of the company, not the employees.
But isn't the whole point of a corporation to protect the owners from personal liability in situations like this? This is why the corporation has been granted "personhood" under our system. (A bad idea, in my opinion, but that's a different topic.)
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
Lookie here. Mr. Schmidt is Microsoft's Security Officer, besides being the ex-cyber security advisor to The White House. 'So?', you ask?
If devs were personally liable for bugs, open source development would be hurt big time (If you volunteer code with bugs you get a financial hit), and closed source companies would have another ax over their developers' heads.
This is all very 'interesting', coming from a closed source executive. No conflict of interest there, nope, no way...
Soko
"Depression is merely anger without enthusiasm." - Anonymous
I'm not averse to personal responsibility in computing.
But if politicians are going to foist this upon us, then the same must apply to them. For each and every failure of policy and implementation and leadership and foresight, they must pay the price of what their failure has cost the nation. They'd better have deep pockets.
Likewise for professionals in the police and judicial systems: for each and every failure to provide actual and verifiable justice, judges and magistrates and lawyers should pay and suffer personally. Especially the lawyers. (:-) And for each burglary and killing that they have not prevented or solved, the police must bear personal responsibility and be prosecuted accordingly.
Can this fly? Of course not. And nor can developer responsibility for correct software operation in a mathematically intractable world.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
How much would you charge for a piece of software for which you were liable to this degree? I think I'd be looking for a cut of the company's profits with that kind of liability.
Dammit!
I'm so fscking SICK of these people who treat as if it's something that can be permanently gained by doing A, B, and C.
BULL!
Security is about understanding your platform.
It's about knowing the strengths and weaknesses of said platform.
It's about maximizing the strengths and limiting/minimizing the impact and exploitability of the weaknesses.
It's about doing A, B and C, to get going. Then next week, you do D and E. Then think about implementing F. But make sure that it doesn't conflict with B.
Also, they need to understand that security is NOT about keeping people out of the system. Face it. If someone wants to get into your systems bad enough, they WILL get in. Regardless of your protections.
It's about making it so difficult to access it in an unauthorized manner that:
A: The invader gives up and moves on to easier targets.
B: Spends so much time trying to gain access that he gets noticed eventually.
C: Has to utilize truly heroic (and traceable and wildly obvious) means to gain access that he gets noticed right away.
So please, people! STOP with the damn pipe-dreams about "totally secure" systems already!
The only "totally" secure system is one that's been rendered down to shavings and disbursed in random geographic locations via wind, water, and other means of distribution.
Chas - The one, the only.
THANK GOD!!!
I think that the Sarbanes-Oxley (S-OX) bill takes the right stand on this topic. Even though this bill does not specifically target code security, it does aim to hold the executives of businesses responsible (as a result of Enron-type scandals). As an IT professional, we were deeply impacted by this as our executives scrambled to make sure we had the proper security and control processes in place so we could be S-OX compliant. This should be the goal of any company or organization that develops code in which a security hole could compromise the company and the customers. Don't hold the developer responsible for a lack of proper process and controls. This is how these Enron types get away with this crap. Just let the sh@! roll down hill. Meanwhile, developers are left holding a turd sandwich.
Do what is right and let the consequence follow
Is it possible that he's just outsourced his entire operation and he's preparing for the inevitable meltdown by shifting blame overseas?
1. We can pass the blame to any bugs in libraries or other people's code that we use to them or if there is a bug in the operating system, because we followed the specs of the 3rd party tool but the 3rd party tool is not working up to specs.
2. We get paid for the full development cycle, and no pressure to get it done on time, or even close.
3. If the Specs for the application never changes from the written specs of the application before it is written.
4. We are not responsible for any flaws that happen in old versions when there is a newer version out there.
5. The Latest version of the Application is younger than 3 months.
6. The application went through full debugging and testing for 2 years with at least 10 people per line of code.
7. The application doesn't try to keep compatibility with an older system.
8. Is used on hardware the specs were approved in and were created before the release of the application.
9. And if the developer wants to support it.
When developing a Car or building a house, there is a lot more prework that goes in they know what they want and how it works before they build it. Programming right now is not set up like that because it is too expensive for a single application or a custom application. Plus it will make more people decide not to be a programmer if they are responsible for every code they ever wrote.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Just wait until companies have to insure themselves against this type of liability. Who gets to sue MS when there's a bug? Everybody? Yeah, that's a good plan. Making an individual (or a small team of individuals) responsible is an even better idea. Developers would have to insure themselves just to work in the field. But hey, if you want building a multimedia player to be as expensive and drawn out as building a bridge, then by all means, let's tighten those screws.
Or maybe we could just accept that software is extremely dynamic and complex, let companies patch their problems as quickly as they can, and let consumers vote with their wallets on how important security is to them.
It's not a bug, it's an undocumented feature!
Famous quote, yes, I know... but could this be an angle of defence against developers being liable for bugs?...
What IS a bug anyway?... if it wasn't defined that the system SHOULDN'T do something that is being described as a bug, then it's not something that you can complain that the system shouldn't do!
----- Concentrate on promoting more than demoting.
I posted this comment on another article, but it is also relevant to this one.
The comment:
Perfection is attainable -- albeit difficult.
-dZ.
Carol vs. Ghost
to justify suing Microsoft for more money. After all, they are responsible for a lot of bad code out there today thanks to that monstrosit... er high level language (VB).
Not programming really, but there was a case of the military blacking out classified text in a PDF document and releasing it. Later they found out that placing black boxes over the text does not erase the text from the document. Reminds me of people that do "?username=foobar" or javascript authentication. Stupid things like that should not be tolerated. If you don't know the medium well enough to provide basic security, you should not be working with it. In the case of bugs? They happen to even good programmers, it's not negligence.
Holding developers liable really means hiring more lawyers and filing more lawsuits which I think is not the way to go.
Quality software is probably more likely to come about as a result of competition and free market forces and many of the most infamous security breaches for the average user were a result of security flaws in the OS not the programs. Why not break the single OS monopoly and encourage competition as a way of enhancing security? Let the consumer vote for the most secure software with his pocketbook.
My first reaction was: I wonder which lobbyist of a Large Software Company helped put this one through?
The programmer is personally liable, but the big corporation who employs him/her profits from the work? Wasn't the whole point of creating a corporation to put a degree of separation into liability?
Also, even if A Large Software Company promised to protect their own employees (some liability insurance as part of the benefit, say), this would still be bad news because it discourages independent programmers and coerces everyone into joining A Big Corp.
A better idea would be to make it optional, like certification by a licensed Software Engineer. Just like, for example, how you could build your own toolshed with wood and hammer, but to build a house, you have to get a Licensed Inspector or be a Licensed Civil Engineer or something. (Details fuzzy, but you get the idea.)
Okay, now to go RTFA.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
Personally, I would be happy to guarantee my code, if I was ever involved in deciding how much time was given to a particular module and not having unrealistic time restraints forced upon me.
In the real world however, it is often very hard to pin down exactly who is to blame for a certain failing. I think following a route of personal responsibility will ultimately end up with even more money being given to lawyers.
Your title is wrong, but your description is right. You don't hold the programmers or the managers responsible. You hold the organization responsible.
When I got my PE license, I remember an interesting discussion of liability. Basically, engineers are human and allowed to make mistakes. As long as it's not gross negligence or intentional or anything, they probably won't be held accountable. The company, on the other hand, is expected to check their work and is not allowed to make mistakes. The individuals are fallible, but the system needs to account for that to make things safe.
This makes far more sense when you realize that many bugs don't come from one coder. Often they come from the interface between two or more coders.
Rather than deal with the problems that lead to insecure code (usually management based) most companies will take out insurance. And this has worked so well for Medicine...
Table 2. The four levels of software immaturity.
Level | Description | Characteristic
0. Negligent | Indifference | Failure to allow successful development process to succeed. All problems are perceived to be technical problems. Managerial and quality assurance activities are deemed to be overhead and superfluous to the task of software development process. Reliance on silver pellets.
-1. Obstructive | Counter Productive | Counterproductive processes are imposed. Processes are rigidly defined and adherence to the form is stressed. Ritualistic ceremonies abound. Collective management precludes assigning responsibility. Status quo über alles.
-2. Contemptuous | Arrogance | Disregard for good software engineering institutionalized. Complete schism between software development activities and software process improvement activities. Complete lack of a training program.
-3. Undermining | Sabotage | Total neglect of own charter, conscious discrediting of peer organizations software process improvement efforts. Rewarding failure and poor performance.
This has been an issue forever. A mechanical engineer builds a bridge and signs off being made responsible for it. So, my comment is that if you want code made to the same level it should be written by a qualified software engineer in the same vein as other engineering professions. This would make for software, which would be guaranteed under certain operating environments/conditions.
The EULA could then specifically state there is a warranty/guarantee, unlike the standard we're not responsible for anything even though we made it clause.
"The difference between stupidity and genius is that genius has its limits." -- Albert Einstein
Quit being human and program perfectly, goddammit.
So, on behalf of all developers, I petition that QA teams throughout the world should be held responsible with violators to appear at public trials and stockaded on street corners. All the while, people will shoot Nerf darts at them while walking by.
> I think I just had a vision of Utopia. ;-)
You are in a maze of little twisting passages, all different.
My point being that, when actions like this are taken to beat down the guy who obviously was forced to complete development on an application in 2 weeks instead of 2 months because of budget constraints because we're involved in a war we shouldn't even be in right now.... it makes me realize why that could be true.
Be sure to remember the Programmers Prayer
Is a doctor liable when someone shoots one of his patients?
Is an architect liable when someone bombs a building or bridge or some such?
No. Deliberate attacks are too unpredictable and there is no science to predict them. There are arts of war and fortress design and such, but they change unpredictably based on inventiveness of the adversaries, and nobody expects them to be foolproof either.
Don't be fool enough to believe otherwise.
Most code is developed by organizations, not individuals. If you hold the programmer who wrote the code accountable, you should also hold accountable the tester who missed the bug, the designer who designed the flaw into the software, the manager who oversaw the process that resulted in flawed product, etc. It isn't a bad idea to hold people accountable for their work, though. They'd be more careful if each bug cost them money out of their own pocket. And if software developers are financially liable for the mistakes they make, everyone, down to the lowliest janitor, should be held responsible for the mistakes they make, too. Everyone could pay into a gigantic disaster relief fund to fix their screwups.
Howard Schmidt, ex-White House cybersecurity advisor, thinks that developers should be held personally liable for security flaws in code they write.
Is it any surprise this man is no longer in the White House? The software lobby *cough*MS*cough* probably saw to it he was removed as soon as they learned his view.
This is just plain silly, new security exploit vectors come out, best practices get updated, now you are liable for all the old code you've written? The practical application of any kind of law like this would be next to nil. In court the "at the time this was written we had no idea about the XYZ exploit vector". Hence I cannot be held liable for code written that at the time followed best practices. Furthermore, Whose best practices are we going to follow.... you see, the practical enforcement of any kind of law like this is unmanageable. Imagine a new type of exploit coming out, forcing the entire world to patch every version of all software to eliminate lawsuits. yeah right
--anon_at_work
Producing good code is a complicated process, not something one person can do.
:-)
There are dozens (if not hundreds) of examples out there of high-quality code being produced by a single standalone programmer, some of them fairly complex applications/utilities, and that is true not only in the DOS/Windows shareware and open source software environments but also in the corporate mainframe environments where I've worked.
Yes, such folks will generally have other folks do testing over time, but often the concept, design, coding, and initial testing stages are all handled by a single person who has the technical skill, vision, and determination to create the initial solution and whip it into workable shape. Once that basic foundation is in place, feedback from others is solicited.
A person who doesn't care about quality or who isn't technically adept enough to avoid problems is probably going to produce a bad piece of software in the end regardless of the processes in place unless everyone else in the development chain holds his/her hand.
A person who is obsessed with clean code and who has a clear vision, on the other hand, can often perform amazing feats with little more than a single PC or terminal, a pizza delivery service, and a few hundred gallons of coffee (or Mountain Dew) at his or her disposal.
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
Blaming people will not solve the problem. Humans are flawed (in the sense that they are not perfect) and hence everything a human does is inherently flawed (again, as in not perfect). Programs contain bugs because they are made by humans. It is impossible to show that a program is free of bugs. One can only show that a program is free of the types of bugs the applied test cases would have found. Since complete test coverage is not possible without (practically) unlimited resources, perfect (as in bug free) programs are a matter of chance.
I don't know what everyone is so concerned about... I don't see any bugs... they're "Features"
"If all the world's a stage, I want to operate the trap door." - Paul Beatty
Let's do it right after we,
hold lock manufacturers, alarm companies, door manufacturers, and window manufacturers accountable for all break ins.
Gun manufacturers for all shootings.
Tobacco companies for lung cancer and heart disease.
Car manufacturers for all crashes.
And slashdot for all dupes.
But first we must hold all lawyers accountable for all frivolous lawsuits!
How about this. Any lawyer that brings a class action lawsuit can only collect the same amount as the "members" of the class get.
So if every person gets 35 cents that is what the law firm gets.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
People always trot out the "car manufacturer responsible" line when this sort of thing comes up. But how many people are willing to spend thousands of [insert currency of your choice] on a copy of Windows? And what's the development time for a car compared with Windows?
(Cue for someone to post the "If Microsoft made cars" joke)
Ergo, politicians are not people!
Try to see a doctor here in the US. The last thing we need is to have to wait a month to see a programmer with an urgent problem, have to pay an astronomical price to cover his liability insurance and then have him poke all kind of unnecessary probes into backdoors of your computer to cover his ass in case you have a rare security condition.
Better just break up Microsoft and let competition take care of different people's security needs. If you buy a $20 game, don't expect it to be top-grade code. If you are willing to pay thousands and tolerate probes in your backdoors, somebody will be willing to accept liability if you have a break in.
Can I hold our business analyst responsible when he continually asks for new featurelets, without giving extra project time, so that testing is compromised? Can I hold managers responsible for this?
My Karma: ran over your Dogma
StrawberryFrog
Hold the entire business liable - sink or swim as a team, management included.
"We are all geniuses when we dream"
- E.M. Cioran
The work of Politicians has changed, it's no longer to work for their voters, but to work for their sponsors. Corporations have much more power in government now than any person. We know this. Attacking a Corporation because of a security flaw gives that Corporation a bad reputation, and puts it on the news. In turn, the company crashes, and now there are a handful of companies wondering if they're next. To avoid this, they talk to their buddies on the Hill, change the laws and have the summer student making 4.50 an hour slapped with the lawsuit, and taking all the blame. The Corporation simply ditches the kid, and most people think the problem has been fixed.
Smart move really, from a corporation's standpoint. You have to remember who Politicians are really looking out for... the middle-income programmer, or the multi-million dollar companies.
I think there's too much of a tolerance of sloppy code writing practices. I've seen far too much code where people don't check values they get from the user, don't bother to do encoding (to avoid cross site scripting, for example), use sprintf() with fixed size buffers, etc. These are not things which take any significant amount of time to avoid when writing the code, but can be a nightmare to track down later, and are a sign of either developer laziness or incompetence. At the worst, I've seen people think connections were secure because they called the remote host 'secure.', or carefully encrypt data from the web server to the back office systems, but leave it in plaintext across the Internet.
I'm not saying programmers should be financially liable for their code, but I think a lot of companies would do better if they ensured their coders knew what they were doing, in terms of security, and fire/move to the Freecell project any coders that show a consistent inability to write secure code.
This is an old discussion. As far as I recall, the main points are:
Yes, the zero liability that software enjoys is unhealthy. Like other products, there should be some liability that you can't drop by EULA or contract.
No, a general, personal liability is not the way to go, because it will be the death of most software. Software differs from other products because it is infinitely copyable.
It is a tricky thing, especially if you consider Free Software. How do you pay for damages if you didn't earn a buck in the first place?
Assorted stuff I do sometimes: Lemuria.org
I don't think I've ever felt more afraid than this suggestion that developers be held accountable. Bad hiring practices and bad QA are responsible for bugs. Not one single developer. If you want to hold someone accountable, blame the CTO. He or she is the one that is ultimately in charge of giving the OK to releasing the software. This is just another pathetic excuse by executives to try and pass the buck to someone else. This must stop.
How about requiring all code to be independently audited/checked? Sure it won't get rid of all bugs/flaws but it will reduce sloppy coding.
If companies are held responsible for flaws in their software, I'd bet the EULA will get a lot more complicated, requiring ALL installed software to be fully patched and 'Recommended Configurations' to get a lot more specific.
Running Firefox.. ahh but our software was only approved for use with IE.
Using 512mb of ram.. our software was only approved for use with 1gig or more.
Companies will just find a way to shift blame to someone else (probably the user).
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
I call for our local carpenter to be held personally responsible when someone crowbars their way into my house. After all his door should have been 100% secure. Absolutely secure. It should have stopped a tank getting in.
that's all
ascii art
If this could be rolled into a law that would be GREAT
Speaking as a thorough and security minded developer who has developed some high profile, high traffic, high hack factor sites and come through it unscathed, I would LOVE to see this implemented. Why?
Think about it for a minute: suddenly all the half wits that call themselves developers and flood the market get hung out to dry, insurance like malpractice insurance is created, and only the Top Notch developers who are willing to stake their reputation as well as personal finances on the line are coding.
Can you IMAGINE what the salary would be for someone who survived the initial shakeout and run? 200k+ EASY
"We need individual accountability from developers for end-to-end solutions so we can go to them and say: 'Is this completely secure?'," Schmidt said.
You can ask them that today! Have them sign a damned contract w/ the answer or if they work for you and they lie, fire them on the spot. Why does the government need to get involved? The answer is... they don't! This guy is just another meddling politician trying to find a platform to build his career of taking money from special interest groups and the talk circuit.
It's not much different than designing/building a building. There is no way to fully test a building, and 99% of the time it will be under low-stress conditions, never testing the limits it was designed for. It rests on a foundation which is extremely variable, with a material which is poorly understood at the designer level, and is subject to hidden flaws. And yet we seem to have a handle on liability issues, and who's responsible for what. You speak of viruses and hackers, I speak of arsonists and stupid car/truck drivers that run into building columns.
I'm not saying it's easy, but there should still be some responsibility for product quality, and right now there is no accountability.
Is it just my observation, or are there way too many stupid people in the world?
Well said. Just today, a British government minister has been found to have broken the law. And this isn't the first time - this administration seems to have no regard for the law. But of course, no minister is ever prosecuted, or even censured for their wrongdoing. They are hypocritical scum.
Accountability is good if it works both ways; and saying "we're liable already -- we get voted out" is the same as a coder saying "we're liable already -- we get fired".
Is the sign of a profession as opposed to a trade or a craft. If we want software 'engineering' to become a true discipline we need to hold software 'engineers' accountable. In every other engineering profession insurance for errors and omissions is required to practice, basically malpractice insurance. Even contractors, plumbers and electricians often must be licensed and/or post bond. Why not programmers?
Any company reselling software in the US developed overseas would carry the liability and thereby apply the same rules to overseas programmers (e.g. an offshored CPA must still pass a CPA exam or selling that person's services as a CPA is fraud).
In addition, development of and adhesion to best practices would have to then be done by companies or they would never get SE's to work for them. The liability issues would be too great, and this would force companies to actually develop best practices and processes.
It would make sense to do this.
putting the 'B' in LGBTQ+
I think part of the problem here is that there are a lot of programmers who have to work off of specs designed and written by someone else. Programmers tend to be stuck in a tough situation: their job requires a number of skills, yet they tend to be thought of at the bottom of the totem pole. Also a lot of programmers are using lower level libraries built by someone else, usually third party (such as Microsoft Active-X controls, etc) that provide the actual loopholes in security and exposure.
"22 astronauts were born in Ohio. What is it about your state that makes people want to flee the Earth?" Stephen Colbert
Holding companies accountable, as suggested in the article, might be a slightly better solution, but again it's somewhat complicated when you start trying to hold an overseas company accountable. (It's more doable than holding an overseas individual accountable, but still not a simple task).
That is especially true in places like India and the PRC where justice is to a large extent dependent on who you know or manage to pay off as opposed to the USA and the older EU member states (the newer EU states still have a lot of work to do) where justice may cost a lot of money but at least corruption levels are a lot lower. Even Italy gets a higher rating in that survey than India and the PRC.
Only to idiots, are orders laws.
-- Henning von Tresckow
I'm surprised that no one has mentioned the current typical EULA that certifies that the software is guaranteed to do nothing except consume HD space and that if it climbs out of your computer and devours your offspring, the software company disclaims all liability. When we've been clicking through these things for years software companies can legitimately claim that the typical user accepts the liability for crap software himself.
.......Ya doesn't has to call me Johnson!
... project manager. The project manager is responsible not the coder (unless they are one and the same person). And if they are wage earners their company should include liability insurance in their salary package.
But then that would be the honest way to do things - beating the shit out of an overworked underpaid joe is much more fun when you are a lawyer.
realkiwi
I don't know about this.
Most programs are licenced under a "We are not liable" thing. Therefore if you use it and it breaks your data, then it's your fault for using this software.
Think about it. I tell you that this peanut(software) could have poison(bugs) in it. But you like peanuts and so you ask me for the peanut(download the software), you then eat the peanut(use the software) and discover that OMG it's a poison peanut. Whose fault is that?
I'm sure if more people actually paid attention to the "We are not liable" thing and wouldn't buy/use software that didn't guarantee to work and not break your data, then I'm sure there would be a market for good guaranteed software.
- Jesse McNelis
...and that is all I have to say about that.
http://jessta.id.au
when you buy a car, drive it, the brakes fail, you hit a wall and die... who is held responsible? the company that built it.
when your airplane crashes in the middle of the ocean due to engine failure... who is held responsible? the company that built it or the airline.
the answer is never the designer, engineer or whatever.
Superb Hosting
Microsoft Windows has a disclaimer saying it shouldn't be run to control nuclear power plants or similar safety-critical applications.
People pay Big Bucks for software to control systems where a bug can kill.
It is reasonable that if you MARKET your software saying "Please use this to control your nuclear power plant" and as a result someone is hurt or killed, you have some liability. It's reasonable for this liability to be personal if your employer ASKED you if your software was suitable for such an application and you said YES.
However, BEFORE we start assigning personal liability, we need the equivalent of a "Professional Engineer" license for programmers who write such code, in much the same way that a PE signs off on a bridge design. Before any code is used for certain applications like nuclear-plant control, a licensed engineer would have to sign off on it.
Sure, this will have some unintended consequences. For example, there won't be many people doing FOSS software for nuclear-plant control, because they won't be able to afford the liability insurance without a paycheck, and changes to the code, from inside or outside, will require excruciating code reviews by the PE who signs off on them.
Not that there are many FOSS projects for nuclear-plant control.
As for run of the mill code which in and of itself doesn't directly kill people when it breaks, the current system of "buyer beware" is much better than this proposal. Today, if customers want to buy insurance against the effects of bad software, I'm sure Lloyds will sell them a policy. For a price.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
So, not content with the actual state of things (an ever decreasing number of young people willing to choose a career in the software development field, at least in most developed western countries), the guy wants developers to be held responsible for the bugs they introduce (and as if that was that easy to determine): so basically no one will want to be in the field anymore, which will just make all things worse and force us to outsource every development work even more than we already do. Yes, all in all, a great move indeed.
If developers are to be held liable for bugs, then developers should be paid for every time their software is used. For instance if I'm one of the developers for Hotmail, then I get like 5 cents per user session.
It seems as if Mr. Schmidt has never programmed and has no idea what it is like to create/solve bugs.
Generally most software companies - Microsoft, EA, Apple, what have you - will decide at some point to ship their product to the masses. And at that point there will still be hundreds if not thousands of bugs. Yes, they could sit there and try to fix all of them before release, but that would delay the release by years! Not to mention exponentially increase the price of the product. If Mr. Schmidt, as a CEO who is responsible for his company's financial well-being, is OK with that consequence, by all means then he should change his company's practices. But if companies like Microsoft and Apple, with all the profit they bring in, still can't afford to do it, then I have my doubts that Mr. Schmidt would be able to pull it off.
At some point you need to ship a working product or risk losing all your customers. People do not want to wait for years (they have a hard time waiting for months!) for your product. Yes, some might complain because of the existing bugs, but at least they will have bought your product, which allows you then to finance a product version 2.0, in which you can actually fix some of those original bugs.
Maybe we should hold the glass producing companies liable for it.
Just doing tests to see if the software matches up with the specs is already tough enough for most companies.
My wife's sketchblog Blob[p]: Gastrono-me
...yeah, and next you'll be asking for responsible government!
Seriously, if this story mentioned Microsoft as the target, people would be all for it and that scares me. In fact, there have been stories in the past that show this.
Alternatively, we can keep things in perspective, do our best, manage risk, and not involve the government in yet another facet of our lives...
Individual developers should not be held accountable for flaws in their code. This is like blaming an individual soldier for losing the entire war.
Companies, and their generals, on the other hand, should be held responsible for producing low quality code. There are software engineering techniques available to improve the quality and integrity of software, but far too many companies are worried about the bottom line so they skip through these processes (or ignore them outright) without care.
This is where the real problem lies -- it's in the processes (or lack thereof) used to develop the software.
Bugs happen. Security Flaws happen. A well established process has the Architecture, QA points and a Test Plan to track, control and manage these concerns.
Why is blame even being passed at all? If there is a problem with a piece of code, finding out who wrote the bad code takes more time than fixing the problem. Why not concentrate on fixing the issue first, and then educating the engineer responsible so future problems can be avoided? Playing the blame game just causes lower morale and a higher sense of hostility towards your job. It's not worth it.
Programmers are not a parallel to automotive makers; they are a parallel to Authors, Book writers. Can you think of anything more absurd than suing an Author of a book over typos? Or the reviewer of that book who says "this is the best book of the year" and you thought it was the third best?
This is the same reason patents on software are ridiculous, can you patent a love story plot? It's just absurd. This is another example of our society's run-away liberal government mentality. Big government stifles creativity, freedom, and crushes capitalism.
A case like this should be thrown out of court as a frivolous lawsuit and the lawyer held in contempt, but we won't get that from activist judges.
There are dozens (if not hundreds) of examples out there of high-quality code being produced by a single standalone programmer, some of them fairly complex applications/utilities, and that is true not only in the DOS/Windows shareware and open source software environments but also in the corporate mainframe environments where I've worked.
That's great, but as far as mainstream software that is actually sold to people, the vast majority of it is written by a team. If the solution doesn't address that issue, then it isn't a solution.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
yeah, sure, I'll give you perfect, bug free, bullet-proof code. You're gonna have to adjust that project timeline out a bit, though...
This whole issue is similar to holding developers liable for damages for problems resulting from the Y2K issue. While very little actually happened when Y2K actually rolled around, there was much talk about lawsuits and whatnot before it actually happened. See: http://www.illinoisbar.org/Sections/Corpandsecuri
Randy.Flood@RHCE2B.COM
Can I now sue Sun and Microsoft for creating development environments that allow me to write software with bugs in it?
This is the Howard Schmidt who left being chief security officer for Microsoft to join the Bush administration. This is the Bush administration that let Microsoft off with a slap on the wrist in their antitrust suit. This was the antitrust suit that attempted to hold Microsoft responsible for their policy of destroying or buying-out competitors rather than improving their own products.
Surprise, surprise. Bill has seen the light. He's a reformed whore. No longer will Microsoft be peddling crapware and relying on anticompetitive agreements, marketing bullshit and sabotaging competing programs to win the day.
No, no. They'll be relying on a much more respectable form of mischief. Government regulation.
The Microsoft that told the US courts to fuck off, and is busy telling the EU the same, is now buying out their latest (last?) competitor. Only this one has guns.
Well, here's what I have to say to Microsoft, and to Howard Schmidt: die. You created this market. You lowered the bar. You made software a race to sell the most features for the least cost with no regard for security or functionality. You evolved a competitor that can't be bought out.
Now, OSS is beating you at your own slimy game. And guess what? OSS will win. Frivolous lawsuits or not. Free Software will win. Software patents or not. DRM or not. Liability laws or not. The market will win, and users will win. You have nowhere to go but down. OSS has nowhere to go but up. Innovation and choice will beat out marketing and manipulation.
"I assumed blithely that there were no elves out there in the darkness"
Under oath, Clinton was given a very specific definition of sexual relations, and according to that definition he didn't have sexual relations with Monica Lewinsky. Where he did lie was to turn around and say the same thing to the American people. We didn't give him any such specific definition, so he should speak our language.
Now get back to putting that Access database into the nuclear control program like I told you.
Put someone else's name in all the code I write.
Coder's Stone: The programming language quick ref for iPad
I would agree that this could possibly be good for developers. I've done things quick-and-dirty, against my better judgement, and with flaws that I personally would have preferred to remove many a time because management wants it done fast and just barely meeting the contract specs, and bugs can always be fixed "in the support phase."
That said, programmers would start having to behave like Engineers, and I'm not sure they're all ready for it. It would be a rocky transition for the industry. I don't think management will be happy to hear the sort of estimates that come from engineers whose personal reputation is on the line in a design-- before I'd sign off on anything personally, I'd be damn sure it was right and that there was a rigorous test plan to make sure the implementation worked as planned when we were done. Costs for software will go up dramatically, but so will quality. Still, I suspect it will be a tough sell to management, who will fight any sort of liability legislation tooth-and-nail.
If this would ever come to pass, I'll quit my programming job and go to law school. I'd specialize in labor law and specifically in helping programmers held liable for code defects to sue the pants off their employers. I'd probably become an extremely wealthy man doing that.
In Soviet Russia, I ruled you
..and gun manufacturers should be responsible for murder.
No, but they should if the gun explodes when you pull the trigger.
Who gets sued has to do with who has the deepest pockets. If there is a billion dollar software company and a 50k programmer who introduced a defect, the lawyer for the plaintiff will counsel that the company and the store that sold you software (assuming it is a big store chain) will get sued to maximize the lawyer's return on investment (not necessarily yours). You see that with car accidents as well where the car company might also be getting sued if it looks like an argument can be made. Not that it makes any sense but it will mean usually it is better for a company to settle than to pay their own lawyers big fees to take something to court where they might lose.
Doctors are leaving my State because of this practice. Malpractice Insurance is way up. Not because there is more malpractice but because the laws of the State and the courts and the lawyers are having a field day, an orgy of wealth sharing. (Well sharing among lawyers).
It's more a lawyer wealth acquisition opportunity than a user or industry complaint resolution or redress technique.
How many times have you heard a plaintiff say "I'm not suing for the money, just to get satisfaction or prevent this from happening to someone else". You don't hear their lawyer saying that (pro-bono aside) so often the lawyer gets much much more of a settlement than the plaintiff. Where's that at? Usually it is structured that the lawyer gets 50 or 70% of a settlement, but wait I'm not done, lawyers' expenses (including time spent) are taken off the top before the split or taken out of your split. And I thought project management was a racket.
From purely a technical standpoint Turing's Halting Problem and Gödel's Completeness Theorem show that there is no way to prove a program has no bugs or security holes. Even the simplest "Hello World" program is guaranteed to have bugs merely by using a runtime library on top of an operating system on top of a BIOS on top of a chunk of silicon (all of which harbor bugs).
To follow along, let's make shareholders and CEOs personally liable for the actions of the companies they run. That would promote better corporate citizenship.
oh, wait...
----- If communism is a system where the government owns business, what do you call a system where business owns govern
I believe a lot of bugs are not caused by programmers, but by the environment they're forced to work in. I am regularly told what language I will be allowed to write the code in, what database server software I must use, and when the code must be done. I have repeatedly asked for regression testing software or testing hardware and my requests are always refused. The management believes the bugs are cheaper than the cure. This guy is either spouting nonsense for political gain or he's not spent any time finding out what he's talking about. In either case his opinion is worth nothing.
-- Programming with boost is like building a house with lego. It's cool but I wouldn't want to live in it
I'm not a programmer, but, this stuff is *strictly* a problem of management. The corporation, not the programmer, should be held liable, if anyone at all.
"I'm giving you this project. It's going to take three weeks of work. I need it next thursday. Oh, and no bugs; You'll get sued if you screwed up, as the company liability policy excludes coverage for employees security flaws"
If your organization isn't producing secure, high-quality code, there is a chance your coders are messing up. There is also a chance you are pushing them too hard, your project requirements are a mess, you are dealing with an old crap codebase, you have a crap contractor, or your QA sucks.
If it IS your programmers, the answer is NOT to sue them. There are many brilliant people out there that make mistakes. Good programming practices are NOT an innate skill; indeed, some of the most brilliant coders out there are the brilliant pile of poorly documented spaghetti code people.
I'm not sure what, exactly, the answer is. I'm sure, however, that it lies in the realm of education/training/good business practices/peer review, rather than in torts.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
So now in my contract, I can specify I will not be held personally liable if my employer forces a deadline on me that I can't possibly meet having to have my code 100% secure.
Deadlines == bugs in code.
So either deadlines go (and products take +years to finish) and you get this, or uh you keep the deadlines (like now) and don't hold the coders personally responsible.
OK.
My email addy? should be easy enough.
If I write a book and put a comma in the wrong place or a maths article and put a + instead of - I'm not going to get sued. So why should I get sued if I by mistake in my code... ;) )
On the other hand though:
If I deliberately release software with a design flaw which I or others can exploit and you can prove I knew about the flaw prior to release and chose to do nothing then there might be a case to answer. (Anyone fancy trying that one against the practices of a certain large purveyor of office applications and operating systems)
--- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
I think you're looking for:
"So if I buy a car that will tip over when I make a corner over 15 kph, the company is responsible? And if the same car can have its windows opened by pushing in and down, the company has to claim partial responsibility for the damages and theft done by any vandal who exploits this?"
Things that are fucked by design are the responsibility of the engineers who designed them, in addition to any other factors. Most people don't have the discipline to engineer good code. They should not be writing code!
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Ok, this sounds interesting, but my first question right off the bat was, "Who do we hold responsible?" "The developers". Oh, right, and how do we find them? Holding a company responsible is one thing, you can be fairly sure the name on the box is the one that made it, but how do you track the Joe Blow that forgot to bounds check his string and allowed a buffer overflow? Unless there's a comment right there with his name on it, good luck! And even on the company level, you can't always be sure that X part of the code was contracted out, in which case would you blame the guy that wrote it (again if you could find him), or the guy that failed to correctly bug test it when it got in-shop? This sounds like a nice load of bull to me, designed to make the public say "yea we need this!" and not actually useful. Imagine if you will if they held the operator of the tire manufacturing thingy liable, instead of Goodyear, no way that'd go over. And as someone pointed out above, what about if you change the code once you purchase it? Then does the blame shift to the person who was supposed to choose what to change? The guy who changed stuff within 100 lines of the bug and missed it, or does the blame still stay with Joe Blow? Again, I think this is a load of bull, and I tell you MY Hello World programs never had exploits written for them *grin*.
Want to find other gamers to play board and role playing game
So says the guy from the country with the best medical care system in the world.
;)
You get what you pay for, you Capitalist Pig!
The REAL jabber has the user id: 13196
What you do today will cost you a day of your life
It's less like "the bricklayer" and more like "the NASA engineer" being sued because the space shuttle explodes. Oh, the space shuttle that costs $99 and is operated by retards.
"I assumed blithely that there were no elves out there in the darkness"
I don't think that holding people accountable for security related bugs is feasible; security is up to the person who has something they want to protect. There's no reason that anyone sufficiently paranoid cannot run every application in its own virtual machine on a computer behind a firewall or, better yet, not connected to a network. Security is what you pay for. Guaranteeing a certain level of security would price most software outside normal users' wallets.
That is not to say, however, that bugs that intentionally or unintentionally cause physical damage or data loss should not be prosecutable as fraud. If the software manufacturer makes claims as to the application's functionality and the application does not deliver on said promises, that's fraud. Software development companies probably should be held liable for those kinds of bugs.
The problem of software failures has very little to do with the competence of developers, IMO. Sure we can make software very reliable given enough time and resources. But we don't have that. In our modern society where everything depends on software, we cannot wait forever for the software to be bugless. Avionics and other safety-critical applications are extremely expensive precisely because of this. The problem has to do with our current software construction methodology. No amount of software metrics can guarantee the full reliability of complex algorithmic software.
The problem is not complexity but the algorithmic nature of software. Switch to a signal-based synchronous model and the problem will disappear (see link below). We can hold developers legally liable only if a method is found to guarantee reliability. We hold other engineering disciplines liable only because they have known ways to ensure safety. When it comes to mission-critical applications, very high reliability is not good enough. Only 100% reliability will do. The proper role of quality control is to ensure complete reliability. This is impossible with our current software construction model. There is a solution, however. If only we could wake up and realize that the algorithmic model is hopelessly flawed. We must reinvent computing at the fundamental level. Eventually, even processor architecture will have to be overhauled. Afterwards, software developers will have no excuse.
Ever notice how it's always the security consultants, or in some cases the anti-open-source advocates, that want to hold developers liable? People need to take a good look at the people who ask for things like this.
You're right, but you don't go far enough.
The fact is that the supply of competent people in the world is vanishingly small, whether they be programmers, managers, or people whose job it is to procure things. I'm not talking paper qualifications, I'm talking about functional competence: the ability to handle a complex and uncertain situation, and make the right decisions. It's generally found among people like farmers and blacksmiths who know their business because it is part of a body of knowledge that has been handed down from time immemorial. Marketers, managers, software engineers and other people engaged in modern professions -- well, let's say good ones are rare indeed.
Furthermore true integrity, the type that makes you do the right thing when it's easy to pretend things are better than they are and leave some other poor bastard holding that bag -- that's even rarer.
Software, like most other modern products that are intangible or have a significant intangible value components, is a product of the Shambling Juggernaut of Incompetence and Denial. The SJID, it must be admitted, works far better than it has any business to. People caught up in it interact like atoms of gas, the composite average of which produces a tolerably reliable mediocrity. Occasionally it will miraculously spit out something wonderful, and not unusually it will produce something horrible, but the machine rolls on. And what keeps it running is Denial. Incompetence is the common denominator to be sure, but denial is the fuel that drives the machine and the glue that binds it together. Success has a thousand fathers but failure is an orphan. Those who have reason to be glad of this find their most natural home in the SJID.
Unfortunately for you, dear Slashdot reader, there may be no place for you here, because unlike the marketers, management consultants, CEO, board, procurement agent, and virtually every other party in the software development arena, you left a paper trail of every mistake you made, no matter how small or how minimally contributory to the overall failure it may be. Blame is supposed to ooze throughout the system so that pain and damage is not felt in any one place, but instead diffuses into a general atmosphere of dissatisfaction and helplessness. But you, dear reader, carry the antibody of Accountability, which can reliably attach to Blame in concentrations as low as 1 PPM.
And now, they've noticed. Beware.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Note also that it's illegal to practice as a doctor, solicitor, accountant and so on without appropriate documentation (your local examples may vary, but I can't think of many countries where you can set up as a doctor without a recognised qualification).
If the law simply said that software products must be traceable to a company with more than X% (for X>80) software developers who are certified, and that the certification must be in a territory where the sanctions are credible, you'll see off-shoring end. Grandfather in existing developers and you're all sorted.
It's outrageous that we, as practitioners, believe that software cannot be written properly.
ian
Not to mention the timelines that companies try to stick to. Before consulting the programmers or sys admins..
Howard Schmidt, ex-White House cybersecurity advisor, thinks that developers should be held personally liable for security flaws in code they write.
How can you hold a corporation "personally liable" for anything? See, here's the thing: the programmer is NOT (usually) the developer. The developer is IBM, Microsoft, Google, Yahoo!, Sun, Apple, etc.
The programmers only work for them. How about, instead, commercial software should have a mandated warranty that states that the software is "free of any defects in workmanship" for a period of its copyright? And how about they fix the problems on their dime, like car manufacturers do now?
FOSS should be off the hook; you can fix the damned bugs yourself, hotshot, or buy a commercial app.
Damn. I guess this means the end of Microsoft, and Linux, and FreeBSD, and UNIX (I would say SCO-UNIX, but let's face it, they're gone already), etc. - God knows they've got plenty of names lurking in their code and all have had some sort of vulnerability at some point in time. I guess all that'll be left is OpenBSD, although that one exploit may come back to haunt 'em.
On another note, I'm curious to see how Mr. Schmidt would like the liabilities to be addressed. Are we talking say a $5.00 fine for typos, $100.00 for DLL/Library breakage, $1000.00 for a viral vulnerability, and, oh, maybe $1,000,000.00 for an exploit that grants root privileges? Would these penalties be scaled by installed user base so that smaller companies like Bob's Fuzzy Linux won't go bankrupt after the first lawsuit? Or will larger companies be able to buy "vulnerability credits"?
I'm not tense. I'm just terribly, terribly, alert.
Why do so many slashdotters claim that writing bug free software is impossible? It is difficult, expensive and time consuming, but it is possible. This attitude is why I think the term "Software Engineer" is mostly an oxymoron. Yes, it is possible to apply engineering principles and disciplines to the production of software. If you can do this, and if you take full responsibility for any defects in your work, and if you have the authority to not release code until you are satisfied that it is correct, complete and safe, then you are a software engineer. Otherwise you are just a coder.
Remember, just because you can't write bug free code, doesn't mean it isn't possible.
None of them can see the clouds; The polished wings don't care.
By the way, don't companies snatch code as intellectual property? If so then why at that point is the developer at fault? They should own that hot potato and take intellectual responsibility. The developers sure don't have the resources to finance QA for massive code bases. I agree that if there is a conscious decision to not follow the proper channels to ensure code validity then that's one thing but if those measures are followed then we can't always have our panties in a bind because after all, code is made by humans and as you know, to err is human. How many times have we all messed up? True, we probably paid the consequences but our intent was at least taken into consideration. In addition to points made earlier, in this all too complicated web of interconnected development who do we blame? The makers of libs, OS, Hardware, etc... It's amazing we even have what we have. Don't you think? We can't even ensure problem free operation for life-critical applications in military, space programs, flight systems etc... Peace
It's the education of business people managing developers, not the education of developers.
Programmers would love to fix flaws in their code. Managers are the force that prevents this from happening. And they do it because of economics, and because of the way they've been trained to disregard the opinions of technical employees.
What bothers me is that most programmers (myself included) honestly try hard to write robust, bug free code. I find it hard to believe that anyone with this view has ever written a line of code in his/her life.
Ignoring the complexity of software, there are deadlines which force compromises. As a developer, I have some say, but not enough to avoid some sacrifices. This is simply a fact of competing in a world market.
Second, my employer dictates how much time I can spend on any given part of the development process (after listening to my feedback). As a developer, I always stress trying to make the code as bullet proof and well tested as possible. Sometimes I'm overridden. Management has to make sure the cost of developing the software doesn't exceed their expected return. They are a business. In the end, they aren't going to pay for the time it takes to make software bullet proof, and they won't sacrifice the feature set to help the process either.
Businesses that SELL software for a specific purpose (say reading email and calendar) should be held somewhat responsible if that software fails to live up to their own advertising. Beyond that, gross negligence at the business level should certainly be criminal (say building a mail client that executes scripts it receives via mail without so much as asking the user).
The developers have almost no say in the process.
Spell check? Why bother. That is what grammer/spelling Nazi freaks who waiste band width posting "spell right" are for.
It depends what you're assigning liability for. Holding a software vendor responsible in the event of any bug ever being discovered is unreasonable, just as it's unreasonable to expect no car ever to have mechanical problems during its lifetime. It's an impractical goal that would rarely if ever be reached, even by good guys making good products.
On the other hand, software companies should be expected to take reasonable steps to ensure the quality of their product, and be held liable for negligence. Rushing a product out the door when you have knowingly failed to follow sound practices during development and testing is negligent, and the vendor should be held liable for any resulting damage.
Of course, in order to police this practically, there has to be some level of incentive, so companies don't just "forget" to record bugs they discover and then claim the database was empty at shipping time. This would probably require a more robust, engineering-oriented culture to develop within the industry, voluntarily (because well-engineered software makes more money, and some managers are smart enough to realise that already) or through compulsion (because receiving compensation in exchange for software that hasn't been properly signed off becomes illegal, perhaps).
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
Only the government can do this. That is to say that the government is never wrong. When it seems that the government has done something wrong, that is when a person is blamed. Witness one Iran Contra scandal. The government is never wrong. Now when it comes to private business, your implied rights that are assumed when you buy something are formed between you (the purchaser) and the 'company' you bought it from. Nothing in the law allows for holding a person liable for the quality of the goods that the company sells.
The first thing that would happen is that coder joe writes some code for company xyz, it goes into production, 2 weeks later coder joe moves to another city and a different company. Company xyz is still selling the product with coder joe's code in it. 6 months later it is found to be defective code. Now who does the consumer sue?
If we hold the code writers responsible, then when they leave the company, their code has to go with them, or they will never be able to get liability insurance like doctors get malpractice insurance.
Second issue is this: Coder joe writes some code, but it belongs to company xyz because of clauses in the employment contract. If coder joe has to have liability insurance, he will never write anymore code for company xyz because he is not seeing direct profits: Responsibility without compensation is a strange and twisted sort of slavery.
Third issue: How many managers does it take to totally screw up a software product? One... when a manager is able to tell coder joe how to write the code, how can anyone legally hold coder joe responsible for the effects of using software that 1) does not belong to coder joe, 2) was designed and compromised by someone other than coder joe, and 3) was sold by a company that coder joe no longer works for?
This would mean that for the life of the software product, coder joe would have to list his details on some sort of registry so people could find him to sue him? THAT is not going to work.
Support NYCountryLawyer RIAA vs People
Sometimes a solution can cover less than 100% of all cases and still be viable.
In fact, I'd bet that very few solutions are able to cover "all" cases.
While I agree that commercial software development for external customers might actually require more (as I had explicitly noted in my original comment), that represents a fairly small minority of the entire software development universe.
(Most programmers write in-house code, not retail applications).
Mainframe/UNIX Bit Twiddler and long time Windows/Linux Hobbyist.
The Theorem Theorem: If If, Then Then.
The moment I become personally liable for my code, I'm leaving the business. It's hard enough developing good code when faced with endless status meetings, poorly expressed requirements, pointless process, feature creep, and schedule compression. Throw in the possibility that I might get sued if someone exploits a bug and I'll be a total basket case. If you make me liable, you better pay me like a doctor so I can afford the insurance.
Just think of all the lawyers browsing CERT once a day looking for victims....
There are those who think that it's possible to write bug-free programs. I'm not one of them, or at least I've never seen, much less written, a bug-free program. But I can be more specific than that: I have never seen a program that I'm willing to call bug-free, even if there are many programs whose source code I can read and which I use regularly without finding incorrect behavior.
The general principle is that writing software, like scientific theory, is a process. You think over the problem, design and propose a solution, and let people whack at it. Wait for a flaw, and repeat until something better comes along. Programs are not bug-free any more than scientific knowledge is "fact".
One reason we say that "Every non-trivial program has at least one bug" is that if a program is non-trivial, there is room to interpret its mission. One person may like the way it behaves, while another may expect something else. The conditions under which the program was specified, documented, and written are also always different from the ones in which it is used, if only by the passage of time.
Holding developers personally accountable for bugs is like punishing a process engineer when someone thinks of a better way to do something. "Why didn't you think of this before! Twenty lashes!"
Software development is a creative process. If you punish failure, you stifle creativity. The software may work, but it will suffer poor performance and lack desired features. Those who would have chosen software writing as a career will find other work, or they'll keep their best work to themselves. In a team environment, they'll hide their mistakes and cover up their failures, rather than allowing anyone to learn from them.
The bozo ought to be ignored. Sadly, he won't be.
sigs, as if you care.
Let's make developers liable for *all* of the flaws in the code they write. For the first flaw, just a warning and a fine. For the second flaw, increase the fine to...say...$2000. For each subsequent flaw, we're talking jail time...maybe 6 months per flaw. The end product of this new zero-tolerance policy will, of course, be fewer flaws as the developers all concentrate harder on their work and stop going to those late-night developer parties with all of the naked women running around.
Of course, there will be hardly any developers actually coding any more since so many will be in jail and/or bankrupt, but that's a fixable problem if we just increase the number of new developers that are in training.
And then there's bound to be a few bleeding hearts who will sympathize with the developers and want to take a softer approach. With shrill cries they'll say stuff like 'all complex code has bugs' 'testing' and 'better bug tracking'. Don't listen to them, of course.
Carpenters that build thin doors should of course also be liable for burglaries.
Sindri Traustason.
And who is going to pay for this?
We create a "secure" web browser but it's gonna cost $10K per copy. This will cover the cost of development, security auditing, extra QA, and the dev cycles that go along with it. Since the OS can't be trusted to run the browser, it will only work on a dedicated browsing computer with no operating system. Since other people's code poses a risk, it will not run javascript, java, flash, or any kind of plugin.
Who would buy this?
If developers are carrying malpractice insurance, then the insurance companies are going to have a lot to say about how development is done, and *if* it should be done. Your boss hands you a project specification, you send a copy to your insurance co. You then tell your boss that you can't work on his project because you won't be covered.
Developers are going to have to charge a lot more for their services. Both for the personal risk involved and to cover the cost of insurance.
Programs can be made "more" secure and have "fewer" bugs but it's going to take more time. Time=money. Look how everybody is whining that Microsoft is taking too long for the next version of windows. Maybe if they want it to be *secure and bug free* they'll tell MS not to rush; to take a few extra years to be sure about the product; and they'll pay more for it.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
More people died in the US last year (and every year) from medical malpractice than from auto accidents.
If I have to carry professional liability insurance, I will have to charge some very prodigious rates. These will be rates on a par with what doctors charge. Which means that I'm driving a new Mercedes in the not too distant future.
At least in theory, companies will simply refuse to hire domestic programmers because their rates would be too high. However it's likely that companies could become pretty risk-averse and unwilling to hire foreign programmers, since they will have no recourse when the corporate data is compromised. The discrimination against foreign programmers will become similar to what is faced by foreign doctors currently.
Likewise, because of the increased expense, companies will buy far less software in general, and they will plan out their real needs a lot more carefully.
I can't say if this will be good or bad for programmers in the long run. Attorneys and doctors seem to be prospering and they live under the same burden. It could well be that placing professional liability on programmers and weeding out the pretenders would be good for those that remained. The only question would be which of us would remain?
Easy Online Role Playing Campaign Management
1. It would cause the cost of software to blow out to pay the enormous cost of public liability insurance. There are local councils closing their children's playgrounds in Australia due to the insurance costs involved. At best, software prices would increase. At worst, all the little players would quit the market leaving only the large firms who would then operate in a monopoly/oligopoly market.
2. Most companies already have incentive to provide updates to fix buggy code through the marketplace. If they consistently botch it, their products lose credibility and sales.
3. There are places in the market for software of all levels of reliability: public betas (expected to have bugs), ordinary commercial release and stuff tested heavily for mission critical use. In the end, you get the guarantees you pay for.
What this really demonstrates the most, though, is an ignorance of the lifecycle of software development: software takes time to mature. At maturity, it's at its most stable. A little while after that, feature creep takes hold and bugs increase again until those new features become mature. (And so on and so forth until the project dies or is redesigned from scratch.)
Which I (as well as many other posters) believe is a bad idea, it could be rather difficult to pin down who it was.
Yes, it is easy to go through the version control system and find out who committed the offending line when. But it's not often one line of code that does it. What if someone adds a line of code that breaks someone else's function due to a side effect? Who gets blamed there? And what about the developer who reviewed the code? And the QA engineer who didn't test it in a proper production environment? And the manager who didn't approve QA's budget for a perfect mirror of a production environment? And on and on....
It's easy to say "let's blame the bad developer" but software is often not written by just one person and identifying the responsible party might not be that easy. Even if it was a good idea in the first place.....
Now as far as holding the companies liable, I kinda like that. Software prices will go up but perhaps companies will stop cutting corners and focus more on quality.
Well, if it means taking out malpractice insurance, asking for independent audits, etc. - fine. I'll have to be paid for all this of course, and I'll keep a percentage for myself, like lawyers and doctors do.
Oh, by the way... are you ready to shell out $50K for your copy of TurboTax this year?
If you think abusing programmers is going to get them to write better code, you need to stop huffing that canned circuit board cleaner.
What it will do is kill all but the most well funded projects. Anyone who can hire hordes of lawyers to defend themselves against the lawsuits will survive. The rest will give up and go into something that actually pays good money.
If we are going to play the accountability game, let's start at the top. When the public holds the current administration to account for even 1% of their crimes, then we might consider accountability elsewhere. I doubt it will ever happen in my lifetime.
"Trademarks are the heraldry of the new feudalism."
I think, not sure, that I am above the 64% programming skill/security awareness line, and I'm not confident I could write a secure application. What this says to me is that up to 36% of software developers are dangerously overconfident.
So, heck yeah, cripple the IT economy, and make me stinking rich!
Life, the Universe, and Everything... in my image.
Interesting take on the present state of things and the view of the corporation.
Several points come to mind about how it all fits together.
If a developer works for a company and the company owns the code, and the developer is paid a reasonable salary, and the company and its executives and stockholders make big bucks, then you could consider that the work that was done by the developer is like a paid out license. The company owns the code, the company is responsible for the code and the company should accept all the liability for the code.
That can be mitigated with the usual "pass the buck" legal tools such as disclaimers and limits on warranties in EULAs. Which limits (in some cases) the risk the company has.
If however you want, as Howard Schmidt advises, to make the individual developer entirely accountable, then you should let them get the entirety of the profits from that work (if just to build up a loss reserve), or limit their liability to some percentage of their benefit from that code (which would go a long way to quenching suits because no lawyer would make a profit from them).
As to CMMI, it is a programming management framework, not a development framework. It does absolutely add several hundred percent to the development process without any guarantee of quality. One might argue for a smaller percentage but that is only in those cases where CMMI replaces equivalent processes already in place, and even in those cases you never hear of it reducing the amount of overhead to a project.
I think sometimes it just comes down to common sense. "One size does not fit all".
CMMI addresses only one aspect of doing business, that of a defined project with a beginning and an end, and this works well for a consulting business that is hired from the outside to do a project for some other company and then leave. For a business that is having work done, much of the time you have in place applications that need to be owned and tended and upgraded and repaired. The CMMI model does not address this continuum of existence or ownership, just the summer winds of projects that blow through. It addresses maybe the initial software design but not the ongoing care and maintenance.
It fosters a model where CMMI experts who know nothing of the application area come in and "manage" the project, with a common set of forms so everything looks like something good is happening and that the people know what they are doing.
It becomes a burden on the application developers that have to train the project managers about what is going on.
One thing that is lacking in the CMMI conversion I have observed is that no benchmarking has been done about quality or overhead of the processes before.
The industry stampede suggests that those questions have been answered and that CMMI is a universal good. I am extremely doubtful. You end up with trackable documentation sure, but not necessarily a good result. It's a manager's dream of course, things to read and documents to fill out, it seems like a more orderly world but I think it is just more paper loaded, sort of Project Management standardized Blogging. Maybe that's where it is all coming from, you think.
I have seen several projects already where the plans from this process have come out with say 150 tasks to perform with responsibilities and dates, but one thing missing. Either none or one task was on the list for the actual implementation of the system. This for me is a big red flag. If that can happen then the process feeds on itself so much that the actual work and purpose of the effort has a minor or no role. From my perspective this is where Project Management is headed and it links directly with where lawyers have gone. Where a legalistic bureaucratic middle structure grows up, finds a legal framework to leverage and then takes control of the organization and milks the system. (well some people anyway)
We have a chance now to give good counsel about keeping reality and good checks and balances in the process. What we need are
Wait just a minute here... hold the DEVELOPERS personally responsible? Sure, as long as they get to hang on to ALL rights to and profits from their code.
If a company employs me as a software developer on a "work for hire" basis - where all software I create on their time belongs to the company, as far as I'm concerned, the COMPANY, not me, is liable for the defects. After all, for purposes of copyright (and pretty much every other law), THE COMPANY wrote the software, not me. How come now I'm getting saddled with responsibility for software which, in a legal sense, I didn't write and I don't own?
Sorry, jackass - this is just a "protect the corporation overlords" tactic. You can't have your cake and eat it too... the company can't take all the rights (and all of the profit) and none of the responsibilities. In any other field, it would be laughable for one party to buy all the rights to something - but none of the liability - from another person (leaving the "other person" with no rights but only liability).
If I, as a developer, retain full rights to the code and all profits derived therefrom, fine. But as long as I don't get any rights to the code, why are you saddling me with the responsibilities?
Then Windows Vista will never be released. Not like that would be a bad thing.
MadOgre.com
Now you see the real driving force, the 'insurance industry'.
They are about as bad as the 'media industry', except they have already bought the laws that GUARANTEE business. ( the AAs have only managed to buy tax laws to guarantee revenue ).
The insurance industry is also behind the push to make 'IT' a 'licensed trade'. That way you will have to be bonded and have insurance just to reformat some bozo's hard drive.
---- Booth was a patriot ----
Imagine someone intentionally rear-ending a Pinto.
Both Ford and the malicious driver would face legal action.
And blaming any individual Ford engineer would be outrageous.
So that's how Bill Gates found himself in prison.
Or has he always had a government job?
I would love to write the best code possible; but guess what, programmers only do what the managers tell them to do. And that usually means get it done yesterday.
Documentation? Testing? HA HA HA HA HA. Maybe in some crazy fantasy world with elves and little gumdrop villages and magic pixie dust.
It sort of makes sense that someone that is formerly from the Bush administration would propose making individual developers responsible for what are typically system-wide problems in software development.
I wonder where he got that idea from?? You know.... scapegoat the underlings, and let the execs and admin go scot-free.
Managers (the good ones, at least) should know that when a problem, or in this case a "security flaw", arises, the problem is generally with the process, not with the people. Holding programmers responsible for a bug is poor management! If bugs keep popping up, then the process of reviewing and testing needs to be fixed. Sure, if the programmers can't stick with the process and consistently fail, then get a new programmer. But blaming a programmer for a bug in released software sounds like something the pointy-haired boss would do. Why take the chance on holding programmers responsible when a solid process would eliminate the uncertainty?
For example. Today, I set up HPLIP for the first time instead of HPOJ for my PSC2110. What a pain. I had no problems configuring or making, but then there was an issue when I tried installing. Clearly the HPLIP programmers' fault, right? Or was it that I was using a Slackware derivative with a mixture of packages and as a result, many libraries and config files were in non-standard places? I would have guessed that if ./configure && make worked, everything was found properly. But it wasn't. If my nonstandard config was the problem, then perhaps I'm responsible. Eventually I got everything working but with one caveat. I could only scan as root.
In the real world, if this happens to a litigious happy individual who likes to bill $400/hour, he'll sue:
While this may actually be feasible for shrink wrapped software that sells a million copies and has a team of expensive testers going over it button by button, this would completely destroy custom programming.
I write software that is usually only run on one or two computers at one location, and it's constantly modified to add features, fix bugs, etc. Our company and our customers can't afford to pay triple the cost for the stringent software testing that a huge Micro$oft type place would have, so a law making the programmers personally liable would make all custom software prohibitively expensive.
We do sell our code with a 1 year warranty, so we agree to fix all bugs that come up within the first year. However, the agreement is not a guarantee. If there is a bug, we agree to fix it, but we're not going to compensate the customer for lost production or expenses.
There is software in this world (I'm thinking the QNX kernel here) that actually comes with a guarantee that it works as documented. The company (QSSL) has liability insurance just in case. Of course, that makes QNX licenses more expensive than they would otherwise be.
Most software comes with a disclaimer. Microsoft tells you that the user accepts the liability for any bugs. Even though nobody reads that disclaimer, it still exists. Right now you have a choice - you could hire someone to write code and give you a guarantee (expensive), or you could just buy something off the shelf (cheap) that would probably work ok most of the time. The article is talking about removing that choice.
"I have never let my schooling interfere with my education." - Mark Twain
People/companies are not writing bad code because they are sloppy or don't want their code to be secure or correct. They write bad code because there really is no way of ensuring the security today. If there were, price insensitive things like battle ships would not be dead in the water because of software error. I suppose you could make code reasonably secure for certain certified environments e.g. Running a certain build of MS-Office on a certain build of Windows XP in a certain hardware in a specified configuration.
What if the user doesn't run it under the conditions specified e.g. connect it to the internet and internet was not covered by the specification should the developer be liable then? Of course you could hold the developer liable no matter what. But that would put software development in a different position than all other products. E.g should a building contractor of a high building be held responsible for the damage to a parked car outside the building caused by somebody jumping from the roof in the act of committing suicide? I think not, even though the errors in building construction making this possible and the means to fix them is much more evident than most software problems.
The only thing that will happen if this was introduced is that software prices would go up radically as software companies or individual developers need to make sure they make a profit even if they have to pay damages now and then. I.e. the price of the software will have to pay more lawyer and insurance fees. If this is introduced in a country the cost of running a business will increase significantly, and I am not just talking about software business. How many businesses would afford to have the cost of their IT infrastructure increased by several orders of magnitude? A country that introduced such laws would kill all businesses that need some kind of IT support, at least if it did not also have very high customs fees or taxes for imported products and services.
As for the software industry of such a country you would probably see fewer and bigger companies with the money to bury customers claiming their rights in legal process for a very long time perhaps until they go out of business before they get their money. The fact that there were fewer actors in the market would in itself raise the price of software due to less competition. It would also slow down the speed of development. If you for instance create a new version of an office productivity suite, you would probably want to test it for several years on a group of subjects that have waived all their legal rights before you release it to the general public. Then you would like to profit from that investment for a very long time. Perhaps 20 years or so.
God is REAL! Unless explicitly declared INTEGER
There is over $3B spent a YEAR on "cybersecurity." So far, they've implemented an email alert system that tells people of new viruses/worms going around. They've convicted less than 10 people. They made claims that Al Qaeda operatives can turn off the Internet and disrupt powerlines through a modem in a cave (even though powerlines are turned off through a physical switch).
Now, our Cybersecurity making an outrageous claim that developers held responsible for unforeseen security breaches. I would only be up for this if every time someone does a buffer under/overrun as a security breach that the OS developer be held responsible - Microsoft :)
There's many layers below the developer that can have security holes:
* the virtual machine (for .NET/Java/Python etc etc)
* The OS
* the hardware's firmware
* an error in the processor
* the API the developer uses
* poor requirements
* encryption algorithm flaws
* idiot bosses who proclaim that a product MUST ship on time
This guy is nothing but a tool of the government. All of cyber security has always been this way. My only regret is not joining them to get a piece of the terrorist/cybersecurity pie they're handing out due to FUD.
In the Code of Hammurabi, 18th Century B.C.:
If a contractor builds a house for a man and does not build it strong enough, and the house which he builds collapses and causes the death of the house owner, then the contractor shall be put to death.
If it causes the death of the son of the owner, then the son of the contractor shall be put to death.
This is of particular interest to me as I contribute code to software used to design steel buildings. I would not want to see this code reapplied today to dwellings or programming.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
as soon as you can get the end users to stop accepting responsibility by agreeing to the EULA...
Honestly, who reads these things? It says right there who is responsible for these security vulnerabilities. The government is run by cowards who are too scared to go after the real criminals, the people who have accepted responsibility for a device they don't know how to operate. Well, that and Howard Schmidt is a cock whore.
End Users should be required to pass a test to use this equipment and if they misuse it by speeding around the internet, sending out malicious packets, they should be fined and imprisoned and lose all their stuff. Whatever it takes to get them to 1. RTFL, 2. Learn Something(tm), and 3. Secure Their System.
Everybody seems to forget the rules. They were made for manufacturing, and therefore it seems people forget that they also apply to programming. After all, what is programming if not manufacturing of a piece of software.
The rules are:
1. Cheap
2. Good
3. Quick
Pick any two. And the reason that this is a rule is because it is not mutable. It is solid. It is in fact, a law.
Guilt is irrelevant, and a person should not be able to be sued unless there is proof that the weaknesses were created intentionally.
It's right there, in every license of almost every piece of software made:
THIS SOFTWARE IS PROVIDED "AS IS," WITHOUT ANY WARRANTY OR GUARANTEE
Did you ever notice that *nix doesn't even cover Linux?
Codes of ethics, standards, practices, minimum competency, etc. specify the limits to what a Client may expect from one of these professionals. Tort, in this case, is not simply a matter of a user complaining "The equipment/software/system failed and that Engineer was the last person to look at it." (Yes, this really happens. A lot.). If the Engineer screwed up, he's liable (or his supervisor, or his company, depending on other things). But the practice of hiring a professional and then abdicating all responsibility for the entire situation does NOT work. Neither should it. A doctor/lawyer/engineer/realtor/... has a specific task that they were hired to perform, and it's typically not "make me healthy/get me out of jail/make my plant run how I want it to/get me the price I want for my house/..."
For professional responsibility to work, everybody involved needs to know WHO is responsible for WHAT. And the assignment of responsibility needs to be done by people who are competent to do so.
This is why professional organizations function as (often legally empowered) regulatory bodies. They maintain standards and practices, codes of ethics, and minimum qualifications for licensure. These bodies are self-policing, and often write the text of statutes that deal with the professions they regulate.
The types of penalties that the article talks about fall under the general concept of "Malpractice". This concept has been applied in our legal system to the activities of experts, and this is how we balance the interests of experts performing a service with the interests of people affected. Everybody knows what to expect.
In this context, "Malpractice" is understood to be: An act or continuing conduct of a professional which does not meet the standard of professional competence and results in provable damages to his/her client or patient.
This is not a new concept: Even if a man builds a house badly, and it falls and kills the owner, the builder is to be slain. If the owner's son was killed, then the builder's son is slain. Violation of professional standards must occur (...builds a house badly...), qualifying injuries are defined (kills the owner or the owner's son) and retribution is specified for each qualifying injury. The law does not say "If the house falls down, kill the builder." Why did the house fall down? Was it maintained? How old was the house? Did an earthquake occur? Did the owner build a second and third story on top of the original house? Was the owner using the house to train soldiers in urban infiltration? The law holds the builder accountable for "building a house badly". And liability is only assigned when the builder's malpractice causes an injury. Not when "something bad happened in the house".
There is a legal system in place (you may or may not think it sucks, but it IS the social context in which these things take place), to support and balance the interests of all parties concerned in such situations.
There are other questions that should be addressed in this context as well:
* Is licensure required to approve the work?
* To perform the work?
* To sell the work?
* To present the worker as a professional?
* How is the licensing authority regulated? Who gets to be on the board? What authority do they have?
Professional licensure, professional liability, and malpractice laws are certainly not a perfect system. However, the system is predictable and manageable by the parties involved. It is possible for the Client to know what to expect and for the licensed professional to know what standards and practices he must meet.
A knee-jerk "shoot the developer" reaction is never helpful and rarely appropriate.
"Reality is that which, when you stop believing in it, it doesn't go away." - Philip K. Dick
http://www.theregister.co.uk/2005/10/12/ibm_open_source_blueprints/ is reporting that IBM wants to contribute software development blueprints to the open source community to help developers make fewer coding flaws.
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
Provided CEO's can be held personally responsible for an increase in stock price at least as high as their salary increase, testers can be held responsible for not finding bugs and customers can be held responsible for changing specs. Not to mention holding middle management responsible for scheduling and timing.
Really, people, there is a reason we have corporate responsibility - having a lot of people point a lot of fingers at each other is not going to help.
However I don't think that a person who makes a mistake in the code or forgets a simple check should be held liable for a criminal case. If that's the case then who will write security code if I could sue every guy who made a mistake?
A grievous error in judgement or such is a different story. Microsoft has constantly made errors repeatedly and we let them off. Perhaps we need a regulator for security (better than CERT, who actually will hit code and try to break it, and then give seals of approval or something of the like, but it would have to be more proactive than CERT.)
The problem is if we attack the programmer with lawsuits no one will want to tackle such big problems, except giants like Microsoft, who can ride out lawsuit after lawsuit without blinking. I work in IT and if every line I wrote that had issues meant the company could sue me I'd be quitting right now. (because my company would smile about that and then wait with lawyers in the other end of the building. They are a vindictive bunch, which is why I'm looking for work)
when they guarantee or claim stability. should an OS developer claim 99.9999% uptime, they should be liable if the OS is 95% up. 'Stable' should also have a legal definition, and it should be better than Windows95 connected directly to the internet.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
At my last development job (building DB applications for the web and the desktop for individual clients) I was required to stand by my code. I got a bonus for how many hours I could bill our clients, and any time spent fixing bugs was NON-BILLABLE. Our clients didn't make the bugs, so they don't get charged to fix them. This caused me to be extra careful in my personal debugging and QA testing. Others should do this too.
I was quoted out of context in my autobiography...
Where activist judges and politicians believe that gun manufacturers ARE, in fact, liable for murder.
I'll start writing bug free, secure code when my employer starts putting the same amount of pressure on me to do that as they do to cram the next ill-conceived feature just before the code 'freeze'. It isn't caused by a lack of ability, it is purely a lack of time. Time to think out a proper design, time to do an implementation, time to make a concerted effort to break security, and time to do it all over again when a fundamental flaw is discovered. The sad reality is that customers don't demand secure code until after there is a breach, so vendors don't insist on it either. Customers buy features. They only find out about the rampant security flaws after it is too late and they are locked in. It is the secret of Microsoft's success, and pretty much every other software vendor's success. The remedy is to hold the vendors legally liable for security flaws, not the individual programmers. If the vendors knew that they were liable, they wouldn't be applying continual pressure on the developers to ship broken products.
First of all, at most, the companies that produce the software should be held liable, not the individual developer. You just can't hold employees liable for company products unless you give them ownership of it. Additionally, many companies still develop software without source control and few have strict security policies on the source control. So it's easy for developers to deny culpability for a specific piece of code. "Hey, someone else must have checked it in with my ID. I didn't write that."
Software, as a field, isn't engineering. It's very much a combination of science and art, with a bit of engineering thrown in. But you can't mathematically prove code to be faultless. Some of the most bug free code written, is done by the group that does the shuttle onboard computer software. Few companies could afford the kind of process they go through to develop their code, for every commercial app. And the shuttle team still has bugs that get through from time to time. The cost of software would have to skyrocket to cover the expense of this sort of process, along with the liability insurance (which would also go through the roof) companies would have to carry to cover lawsuits.
When you build a bridge, there's math that can ensure, assuming the materials are within spec (and the manufacturers of the materials have their own processes and math to ensure this), that the bridge will hold through certain stresses. You simply cannot do that with software for a number of reasons which I'm sure many people here are familiar with.
The result of this kind of change to the industry would basically kill it. Few companies would actually be able to afford much software, few companies could afford to develop software, and few programmers would be able to deal with such a stringent development process.
Organizations must be held responsible, not developers. Development is an organizational-based activity. If you're going to blame the developer, you'll also need to look at the project manager. Did the project manager rush the developer? If the project manager was rushing the developer, maybe the president oversold the product? And what about the tester, maybe they should have found security holes? The point is, software development typically isn't a solo activity. See How many Microsoft employees does it take to change a lightbulb?
So let me get this straight....
Let's say I have to write code quickly or I get fired. Nobody wants a manager or VP breathing down your neck over a process they have all but lost touch with, but the fact in many cases is that a company measures performance by functionality / time.
Now, if I incorrectly implement a method (probably at 2AM while in crunch mode) to calculate interest on your [insert interest bearing product], my company would not be held liable, I would? Now I have a class-action suit against me from all 500,000 account holders? How about testers? If this method somehow passed QA, would they share some liability?
I think holding developers liable is garbage. I agree that I would like to see higher quality products on the market, but a blanket statement for holding all developers liable for all products is going too far. Corporations, Companies, and those who dare to venture out independently - I can see this liability issue to a certain extent. Again, there needs to be some type of limit. Like the software pricing margin isn't high enough, you're going to throw this in?
What if we applied this thinking to other industries???
If the FedEx guy doesn't deliver my package on time because his route had too many packages on it that day - can I take the money I lost out of his pocket?
How about State/Federal Transportation planners? The geeks that designed the freeway system in my area must not have imagined how much traffic would traverse the system. It's not very scalable, and so following the "Security Guru" 's logic this is a huge bug. So while I wait in gridlock every day, losing time and gas - is some level of our government liable for this?
The truth is that this crap just won't work.
holding door manufacturers liable if a thief finds a way to break in. Let's face it unless the computer is turned off, locked in a safe, sealed in concrete and launched into the sun someone will find a way to hack in.
Of course this is not an excuse for writing bad code.
Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
I think this is a great idea but only if it's applied universally and includes politicians so that they are held personally liable for the harm their policies and decisions cause.
I don't mean the false "just vote for someone else" notion of accountability but rather that all they own should be on the line for them too.
My car is buggy, very buggy by software standards. Here's a list of just a few of its bugs:
1) It is not resilient to attacks. If someone wants to break in and steal it, it's very easy to do. Trivially easy to someone with training. The manufacturer has done NOTHING to fix this. In fact, all suggested solutions are just bandaids, they don't really do anything. Stronger glass, a kill switch, the Club, all are easily defeatable. They offer me no absolute security against attacks.
2) My car does not deal with user error very well. If I put it in neutral and floor it, the engine will overheat and seize up, no cut out. If I put toothpaste in the oil tank instead of oil I'll ruin the engine. There is virtually no protection against me making mistakes, and many of the mistakes will permanently disable the car.
3) My car doesn't handle unexpected situations well. If it suddenly hits a brick wall, it will be damaged or destroyed, same if another driver suddenly collides with me. It only operates properly under normal circumstances.
What's worse? They KNEW about all these problems from the car's inception. They sold it to me, knowing these problems, and are doing NOTHING to fix them! Even upgrading to a newer version of my car (for which I must pay full price) won't fix them.
So I feel it absurd to attempt to say "We have to hold software to the same standard as cars" and by that mean that software should be perfect. Cars aren't perfect, by software standards they are buggy pieces of shit. I expect that software should be essentially immune to any malicious attacks. If a flaw is found, I expect it fixed in a timely fashion for no charge. Likewise, I expect software to deal with user error well and not blow up if I do something wrong. However if I told you I wanted a car that did all that, I'd be laughed at.
When you purchase software, how much security are you buying? Is it reasonable to expect software to resist any and all attacks? What's the cybercrime equivalent of jiggling the handle, and what's the equivalent of driving a Mack truck into the door? I don't think we even really know enough to set clear, defined situations like we have with regular locks.
Our campus library uses Keso locks. These are special high security locks with the pins on the side. They've paid extra for these, doubly so since the key blanks aren't easy to get.
A rather well known magician explained to me the other day a way to defeat any Keso lock with minimal skill and a few objects that can be easily obtained. This is a systematic flaw in the Keso design and I don't think it can be corrected. (He'd probably know better than me)
Is Sargent Keso liable if someone uses this trick to get through the library doors? The expectation would certainly be that a high security lock should be harder to pick. How about software? Do I have a better case against a company who claims "industrial strength security" products when I buy SecureFoo and then get hacked?
"Seven Deadly Sins? I thought it was a to-do list!"
If you pay for a Taurus, you won't get a Cadillac.
There's no place like ~/
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
I don't think it can work:
- Our industry is not nearly mature enough. Civil engineering has existed for thousands of years (Roman aqueducts are fine examples). How long have distributed web applications existed?
- The cost is completely prohibitive. A P.E. working on a building knows the suppliers of the parts going into the building. He can investigate their credentials and require sub-contractors to sign off (just as he does) on their part of the project. I wouldn't put my P.E. stamp on a piece of software unless I had sign-offs for every library included in it, making the developers of those libraries, not me, liable if they screwed up. Good luck! Obviously this goes for the OS too.
- Software is exponentially more complex than hardware. It's not an excuse for bugs, just a fact. Physical systems can often be modeled as lumped parameter systems and simplified. How many 'use cases' does a 2x4 have? Software must often handle dozens and dozens of cases that the marketing dept. can't even imagine, so they have no problem specifying behaviors that make the programmer's life a nightmare. Expectations are not clear.
- The margin of error for a lot of software is zero. This is related to the last point but not the same. A single bit error can kill plenty of applications. Our capacity and techniques for catching and handling exceptions are not sophisticated enough to completely counter this problem. "Hey look, my bio-medical app. didn't GPF, but it didn't deliver the right dose of chemo either." Oops.
RETURN without GOSUB in line 1050
It's called MIL-SPEC. Do you know how much Time, Planning, Testing, MONEY goes into a MIL-SPEC level project?
When I first got done reading this article, I just couldn't believe that a reasonable person could ever conceive of such a mind numbingly stupid idea as this. Since it clearly defies all logic, I began to consider what might motivate someone to publicly express this ludicrous opinion. And then it became stunningly obvious: large software companies will be able to protect their programmers by either purchasing insurance, or deploying their fleet of lawyers when the need arises. Whatever additional expense is incurred will simply be passed on to the customer (or possibly recouped from the programmers in the form of lower salaries, fewer benefits, no bonuses, etc.). Problem solved. Of course, there is a fortuitous side effect to a policy such as this: open source programmers will either need to purchase expensive liability insurance just to continue doing something that most of them do for free, or simply quit coding.
So, it's pretty obvious that this would be a losing proposition for everyone involved except for very large software companies with deep pockets and an army of lawyers. Customers would almost certainly be required to pay more for shrink-wrapped software, FOSS could be severely crippled, and programmers would suddenly become even more dependent on big corps for employment. Good luck getting that startup off the ground with the added load of crushing liability insurance rates. Sounds to me like this would seriously chill innovation, increase costs to users, and probably drive programmer salaries down. I'm not sure what effect this might have on off-shoring, but I'm betting that it might become even more attractive as it would be difficult (and probably not that financially rewarding) to sue some programmer in India making $10/hr.
And let's not forget that this is all based on the premise that it's even possible to write completely secure (and useful) software. Doesn't the old saying go something like this: Cheap. Easy to use. Secure. - Choose any two.
Also, the risk/reward ratio for programmers suddenly goes through the roof. Let me get this straight - if I work for a smallish software company, I'm more than likely going to be *personally* at risk of financial ruin in the event of failure, and (unless I'm lucky enough to have my compensation tied to sales) have virtually no chance of a financial windfall in the case of success. Sticks, sticks, and more sticks, but where the FUCK are the carrots?
This whole thing just makes me want to puke. If my car stereo gets stolen, can I get the engineer who designed the door lock to buy me a new one? If my house is burglarized, can I sue the carpenter? If I get mugged walking down the street, can I sue the guy who poured the concrete for the sidewalk?
Which leads me to the conclusion that Howard Schmidt is either a nitwit of titanic magnitude, or simply another corporate shill. Personally, I'm thinking both.
Sounds great. If the developers had no legitimate complaints about process, schedule, or tools, then they should be held personally liable for security flaws in code they write.
But if the developers had legitimate complaints about process, schedule, or tools, then their managers should be held personally liable for causing the developers to have no realistic way to avoid writing security flaws.
_boneHeadedIdeaCount++;
Education is the silver bullet.
Developers now holding managers liable for crappy software requirements...
"Glory is fleeting, but obscurity is forever." - Napoleon Bonaparte
Okay, and you thought it was hard to get a delivery date out of a developer now?!!
Ha! Yeah, that'll happen.
Political responsibility is limited by the memory span of the constituents. If we've forgotten by the time of the next election, then they're not held responsible. There are several problems contributing to this:
There are other reasons why politicians' actions are poor.
Constitutionally Correct
Ah! The smart-ass/knows-it-all of the week from the US government. We didn't have one this week.
Since I'm not in the mood of writing a long diatribe, let's put it that way:
Software is expensive to write. Good developers are expensive. Either you outsource to India and whatever happens happens, or you put more cash on the table. Then you'll get better code and fewer software defects.
As for the educational system, same problem. Much too expensive and many so-called teachers are just paid too much for the bad work they do: last example in Concordia University where a (supposedly) HTML teacher was heard saying "Why in hell would you want to write XHTML and close tags?". Quality software? Maybe?
It is agreeable that developers should be fully responsible for their code, but what kind of punishment are they talking about? As long as the program doesn't steal money, information, kill anybody, then it should just be expected that the developer update the code as soon as possible.
When a developer writes software for their employer, the developer does not own his or her code, as it is a work for hire. I think it's a little ridiculous to hold developers personally responsible for code they do not own rights to. In this scenario, the developer assumes 100% of the risk, and the employer assumes 100% of the return. What an interesting way to convince people to not become programmers.
--
"I don't know exactly what an AS/400 is, but I'm pretty certain I wouldn't want one up my ass" --Lou
...as long as we, as programmers, get to decide how long it will take to do things properly. But don't make us liable for doing something that requires 80 hours in 40 just because our boss demanded so, especially if those 40 hours mean just 3 days.
I would buy karma from ebay but I'm not sure I can trust the seller.
If you're doing genuine engineering, then signing off and being responsible for your work is an important aspect. However, if we extended the analogy to building a bridge, the average software developer is equivalent to a construction worker. You don't expect the people riveting or painting the bridge to sign off on every job they do. In fact, it's impossible after the fact to figure out who did what. Instead, the engineer responsible inspects the work that was performed and signs off on that.
While in the software world, you probably can trace every change made to a large project, but it still makes sense to elevate the "sign off" to a higher level than coder grunt just as it is in the physical world.
If we're going to hold developers responsible for security flaws like this, we need to apply the same standards to the Quality Assurance folks who let the code get out of the door.
and tech-writers impose the same rules of conduct on themselves, Hell will be frozen.
hundreds of posts, and no one has seen this for what it is - a way for corporations to battle open source. If there is a chance I could get sued, I would NOT contribute to an open source project... And I have contributed to 3 different ones in the past.
If a developer can be held liable for a defect, then that same developer needs to have approval over when to ship. That is what this is implying, isn't it? I mean, if I can be held liable, I should have the authority to say "It isn't good enough yet". That would be an interesting power for the average cubicle-farmer to have... It would also mean that if they fire me for saying that, I should have the power to have all of my code removed from the shipping code, as I do not have faith the company would maintain it properly.
With responsibility comes authority.
In California if the Database Admin loses a bunch of customer data they have to contact the customers to let them know. That's great.
But if the database has security flaws the database vendor doesn't have to inform the Database Admin. For example, Microsoft has been going around saying how secure their new products are so a Database Admin might think he's being responsible. But the problem is that Microsoft doesn't have a full disclosure policy so they know about security problems but they're _still_ going on about how secure they are.
So basically the Database Admin is screwed.
If the Database Admin knew about all the problems he might have bought a different product. Letting the market decide doesn't work unless we have full disclosure laws so that people can make correct choices.
Full disclosure laws are very cheap. Debian discloses their vulnerabilities. If Debian can do it, Microsoft can do it. This is much better than lawsuits and fines.
Here is a tidbit of information: other engineering disciplines can and do hold the engineers (and not their employers) responsible. This is not always the case, but it happens. For example, assume Joe Smith works for Civil Engineering 'R Us (herein referred to as CEU for simplicity). Next, assume CEU is contracted to construct a bridge, and Joe Smith is the lead engineer and performs all of the stress and strain analysis for the bridge. Joe Smith completes his analysis and makes materials recommendations. Joe Smith knows, however, that his stress analysis is slightly flawed because he forgot to take into account the yearly average low temperature, but to do the recalculation is too time consuming and he feels that it will probably be ok to just leave it as is. Now, the bridge is constructed and on the first cold day it collapses. Joe Smith CAN be held liable for his gross negligence, and this is not necessarily a case of vicarious liability. Software should be no different. Far too many times I've seen people avoid fixing critical stability or security holes because "it takes too long." This is nonsense, and would not be tolerated in other engineering disciplines. The members of the industry need to stop acting like "artistic book writers" and should start acting like engineers.
For those who would like to go on an in-depth exploration of issues touched upon in this article, check out the Case Of The Killer Robot on the onlineethics.org website: http://onlineethics.org/cases/robot/robot.html which I edited back in school. Note that the case is a hypothetical one and all the characters are fictional.
--
http://unk1911.blogspot.com/
That is a very isolated view of the process. Security is a different problem entirely. As many of you will recall, you cannot verify that a program works, you can only show that for conditions X,Y, and Z, it appeared to work. This is exactly like the scientific method: you show that you can't break it, but that does not prove that it works.
Handling security flaws can be a matter of good code reviews and hiring employees knowledgeable in exploits, but in a lot of cases it is an "outside" call kind of thing.
For example, the good old buffer overflow exploit completely blindsided people back in 1988. No one even thought to check that strcpy would exceed the call frame in the execution stack. Security flaws are usually not as obvious as poorly written code. Claiming otherwise is silly. Quality software does not mean it is secure.
I do think that when MS released SQLServer (and it was full of possible buffer overflow attacks), better quality control would have helped. But sometimes this is not up to the developer. Some Operating Systems have a safe run time where programs cannot access the execution stack directly. So if you install a product on an OS that prevents certain problems, you are safe, but if not, nothing is guaranteed.
And what if the requirements don't cover security? What if your Quality Model includes things you know about, but does not cover the as-yet-unimagined attacks?
And how many flaws are introduced because a developer was running short on time? Schedule and money constraints are the number 1 difficulty in the real world. You can't always make everything as nice as you want, and in that last week before delivery you might be hacking up those nice modules you wrote. It happens. It happens all the time.
This is not like real world problems: because software by its nature is abstract, you cannot be assured of security. When people like Howard Schmidt can understand that, real solutions can be found. It shows his level of ignorance to claim that flaws are the fault of a single developer.
Placing the liability on the littlest guy in the chain of command is idiotic. The people who actually write the code are the ones following orders, trying to meet the ridiculous demands and schedules of the management, who usually doesn't have realistic expectations.
The people who are between a rock (time constraints) and a hard place (bosses and clients) do not have enough freedom in the matter to be able to produce a completely secure piece of software. Even the most well-designed software must go through very rigorous quality assurance before it can be even remotely deemed secure. In my experience as a software engineer, the actual number of man hours spent on QA is usually lacking.
If anyone should be held liable for flaws in software, it's the people making all the decisions on design, scheduling, etc. They're the ones who are actually in a position to make the desired change (e.g. allocating enough time, doing enough QA work, etc).
Putting additional risk on people without increasing the amount of freedom in their job and reward they reap will just drive them away.
Did we hold scribes liable for mis-transcribing trig tables?
This will die a quick death.
so if I write totally cool makes a million $$ code for my company, they own it and retain all rights and $$ for it.
but if I write bad code, I am "responsible"?
of course in good slashdot practice, I didn't actually read the article....
I agree 100%. I think all companies should be liable for their products. However, I do not think it should be at the individual employee level.
Here's an interesting question. A piece of software that is written to work with Windows has a security flaw in it. The security flaw creates an exploitable condition in Windows such that you can gain total control over the system. Whose fault is it?
Obviously there was a security flaw in the software that you were using, but then it wouldn't be that critical if Windows handled its security better. So isn't Windows partially to blame? And what if you set it up in an insecure manner? Isn't that your fault? Or is it the developer's fault for not making it more idiot proof?
Now taking that down to the code inside of a program is just ridiculous. If you've got a team of 10 people (which is small in the grand scheme), each one of them could individually write totally secure code. However, come integration time, it turns out that they are opening up holes in each other's code. So then whose fault is it? What about QA? Shouldn't they have some liability too?
Finally there's the PHB factor. You could have a group of the best, most security knowledgeable programmers in the world, and they could still screw up due to lack of time and resources. What if the boss tells them to do something that makes the system innately insecure? Whose fault is it then, his for telling them to do it or theirs for not pushing back on the requirement? Not to mention what happens after people have worked a few months of 60 hour work weeks trying to get a project done.
In the end, liability is just a dumb concept in computers. In the end this is one of those places where the invisible hand of the market place is the best correction. Companies that write buggy software routinely will be smacked by the marketplace, by and large. The only exception to that rule is companies like Microsoft who have an effective monopoly. But then that's why we have anti-trust law isn't it?
This sig has been temporarily disconnected or is no longer in service
Personally, I think this is a horrible idea as no software exists in a vacuum.
So let's say I write a nice 3D program for doing something medical. Since I'm a reasonable person, I decide to use some engine, let's say I license the Unreal engine for some odd reason. After updating the engine from version 1.0 to 1.1, function foo() in my program crashes where it didn't before, but it seems to crash in an openGL function call which could be caused by a graphics driver by Nvidia.
From an engineering standpoint in our current model, we want to solve the problem and it's difficult enough. With this new idea, everyone from Epic to Nvidia to my company won't want to try to fix the bug because to do so would be accepting a huge monetary penalty by saying that "I caused this". In the end, lawyers would end up litigating this problem to death and at the end of the day, the software would still crash.
We'd also have one supported platform (both hardware and software-wise) because no company would want to insure on a plethora of platforms with limited testing resources.
-- Political fascism requires a Fuhrer.
"People (shareholders) in corporations get to legally hide behind "the corporate entity" to shield them from personal finanical litigation, their employees should have the same benefit."
Considering those *shareholders* are you and I. Would you have it any other way? Would you want to be responsible for Enron and Worldcom's screwups?
*And yes, it's a myth that the only people who are shareholders are rich people who can afford to take a hit.
"If we are not directly given rewards, then I'm going to study for an MBA after my CS degree to limit my personal responsibility (paradoxically increasing overall responsibility), and most likely make more money anyway."
Another myth.* If one's the head of a company they will not be held responsible for their actions.
*Most likely held because the ones holding it have no experience running a company.
What we are talking about here is a new class of lawsuits and nothing else. The government is not going to pass a law to punish someone who dereferences a null pointer.
If software companies want to guarantee that their code will work as promised, no current law is stopping them. The marketplace can decide if such promises are worth it. There is no need to pass any laws requiring such guarantees.
In the Enron case it was established that CEOs can be held personally responsible for misreporting information, even if the CEO didn't intend fraud or to misrepresent information. If they are merely incompetent they are still liable.
Accountants can legally be held personally responsible for making mistakes in the reports they compose for a company.
I'm not saying I agree with the liability of Developers over their code, but there is starting to become precedent for a legal basis.
If American coders have to buy bug-insurance, there will be no coders in America.
he blames the education system
Yeah that's what people do when they want to whine without actually conducting a solution.
I am NOT a number! I am a - oh wait, I'm number 761710. Look! 761710!
ex-White House cybersecurity advisor Yeah!, like we can hold the other bloke living in that same building responsible for his little tour of rampage around the world.. get real..
ok fine. so blame the coders. apparently coders are not allowed to make mistakes, or risk litigation. given that, programming has just become as risky as being a surgeon, but without all the extra respect or money. Hence, I hereforth expect to be either paid comparable wages to a vested surgeon, or should probably quit coding, since it is now so dangerously unprofitable a profession.
idiots...
sometimes, i wonder if i'm the only conservative on teh intarweb. ah well, back to mah hogs and warmongerin'....
IANAL.....
First, if someone is grossly negligent then that person should be held accountable. Not that it is easy in a closed source world because it is impossible to get the code review done for the court in a cost-effective way.
Similarly if the company is negligent, then they could be held accountable. Again, this is very hard to prove, I would think if it is a coding or design issue.
In the FOSS world, it is much easier to prove these things, but it is also much easier to get the word out before major damage is done, or at least done repeatedly, and since less formal education is required than, say, structural engineering, then I would assume the legal standard to be less.
LedgerSMB: Open source Accounting/ERP
In the vast majority of software, failure to function does not lead to injuries and fatalities. Those software systems that are at risk for that like in the Space Shuttle, or nuclear reactors, etc, are already subject to far more stringent validation. So I think the comparisons to building collapses, surgical procedures, etc, are a bit apple and orange.
When I worked at Nortel we had a contract with our OS supplier that they were allowed no bugs in their OS. As in if we found a flaw in their OS they had to fix it within a certain time period or face damages. Likewise were we sued for loss of revenue if it was determined they were responsible they would bear a proportionate measure of the blame.
These kinds of guarantees are perfectly effective when you have a controlled environment. If you are going to have a hardware device that runs on a particular OS that's been licensed for that specific purpose you can lock down constraints very nicely. It's when you get into complexity that you have a problem. You couldn't make similar demands of Microsoft for Windows for example.
It is possible to produce good software if you treat it as engineering as opposed to hacking.
Really what it boils down to is a balancing act between general software quality, security, usability and business concerns like cost and time to market. People will write "bad" software because it needs to be done quickly and/or at low cost. Also software is often made insecure out of an interest of making it more usable. Arguably the tight integration between IE, Outlook, and Windows itself makes the system easier to use. It also makes it a breeding ground for all kinds of problems.
But ultimately that's all a choice and where it gets into being "engineering" is in making those choices consciously rather than accidentally.
This sig has been temporarily disconnected or is no longer in service
The debate on this is thoughtful and mature. Nevertheless, may I be the first to put forth my humble opinion that Howard Schmidt is as full of ka-ka as you can get without bursting. Cybersecurity, while he was sitting in office, was HIS duty, and I think HE should be held liable for all the viruses and worms that happened on his shift. Furthermore, he should have had all proprietary software companies open their code to the public for security review. And forced all hardware manufacturers to release drivers for their hardware compatible with *every* system so we don't have to write dodgy code trying to make it work. And he should have stamped out spam, spyware, and adware; which it can be clearly shown weakens computer and network security overall. Outrageous claims? Now you know how programmers feel if they're blamed every time some warez script-kiddie with nothing else to do with his time finds a hole that nobody with a life would have thought of looking for. Now, when it's my contractor's fault every time a burglar manages to break into my house, then we'll consider it.
From reading these posts, it seems most people agree, it would be good if someone was accountable for flaws/bugs in software but they can't agree on who is responsible.
What I propose is the creation of an international independent organisation to check source code for bugs & flaws. This organisation would NOT be responsible for any kind of assurances or guarantees regarding the software other than to verify that the code had been verified independently. The developer/software company would be responsible for any license/guarantees attached to the software.
I am a developer of buggy software but I am woefully underqualified for this so it would need people who actually know more about this.
Would this work?
It would need support from some major software vendors/developers to be accepted.
I'd be prepared to donate some money to get this started if it would help.
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
Take off from Dilbert: I'm going to test me a minivan.
If companies/developers can be sued for software defects, I can imagine some QA joining with lawyers to chase bad code. Find defects and sue.
the people who create bank vaults will now be sued whenever a bank is robbed. Stupid, stupid idea...
"PC Load Letter? What the $@#% does that mean?!"
... Hard to hold me responsible if I sell you something and tell you in BIG CAPITAL LETTERS that whatever I'm selling to you is useless.
The contract doesn't say the software has to be useless (if I did, no one would buy software). No, it really says that the RISK for whether or not the software is useful lies entirely in the hands of the buyer.
This kind of contract isn't just limited to software. A unit with a guarantee puts the costs for the risk of failure on the seller; a unit without one puts the costs for the risk of failure on the buyer. A vacuum with a guarantee is more expensive than the same vacuum sold without a guarantee, because the company bears the costs of the risk of failure.
Just about no software company is willing to bear the risk of insuring its software against defects. It's too expensive, and very few people will pay for the costs of low defect software. Each time you make a testing team do an independent analysis and assessment of a system, you get better quality; but you increase costs, too.
A few industries, of course, are willing to pay for quality software. The companies that build subway train controllers spend days and weeks arguing over the tiniest little changes to a specification, and work through every single ramification of a change, testing out all sorts of worst case scenarios, because a train crash is very, very bad. It's worth it to the company to ensure that things are as perfect as they can be, because a train that crashes means the company folds, too.
In the airplane industry, one company wanted to give their pilots a laptop instead of a binder full of paper. Two years later, they were finally given permission by the FAA to do so. They had to get the laptop certified, the cockpit certified, and prove formally that under no circumstances could the electro-magnetic signals from the laptop interfere with the electronics of the cockpit, even in a worst case scenario. They successfully proved their case: for a specific brand of laptop, with specific laptop hardware, and a specific model of aircraft, with a specific electronic configuration. Any change to any of those elements (such as a laptop upgrade), and they'll have to re-certify everything all over again.
That's, of course, a bit excessive, but the fewer untested assumptions you make ("common sense or not"), the fewer flaws your system tends to have. And the FAA hates it when planes crash, because it makes them look bad.
So, yes liability is a big issue. If people really want developers to be held liable for every bug, expect the costs of software to increase by a thousandfold or more.
If developers were made personally responsible, it would be trivial to start an LLC under your name and put all of your code under that umbrella. Once again the responsibility is avoided.
There definitely is a problem here, but it's not with software. Software companies have been skirting responsibility because they are corporations.
I get tired of hearing about how much better it would be if software developers acted like 'real' engineers. Try designing the Golden Gate bridge, but rather than connecting two fixed points of land, it instead connected to the roofs of two different skyscrapers (other apps). And instead of sinking footings into the bedrock, you put the footings into floating barges (the OS). And it just so happens that the barges support hundreds of other bridges besides yours, sometimes all at once. Oh, and the skyscrapers and barges can be swapped out for newer versions at any time after you've finished building your bridge. Make it stand up for 10 minutes and I'll be impressed, never mind 10 years.
The bridge metaphor is not a good metaphor for software development.
It must be a slow news day.
Some ignorant politician, probably in the back pocket of a large software firm that is on the verge of being sued, comes up with an inflammatory statement about how we should be able to sue the guy who is just making a living for something he has little control over. After all, it is the American way.
I'm going to dumb this down for all of the ignorant politicians out there...
I walk into a fast food restaurant across town, not my regular restaurant across the street that usually makes my burgers...this one is cheaper. I wait in line for a burger. Why do I have to wait in line? Aren't I better than everyone here? Whine...whine...whine. Oh, I am at the cashier. What was it I wanted again...something to eat...oh yes a burger. What do you mean what kind? A fish burger...who eats chicken (with avian flu) or beef (with BSE) anymore? You would think that this would be common sense. What do I want on it??? EVERYTHING of course!!!! It costs how much????? That is insane...Whine...whine...whine...oh alright, but only because I want a fish burger with everything not because I'm hungry. Waiting again...how long does it take to cook fish? How dare they make me wait...don't they realize who I am? Whine...whine...whine. Finally, it is done. I take one bite...take it back...I ordered chicken and I'm allergic to pickles...it's all your fault that I didn't get what I wanted...it will come out of your wages!!! Oh I almost forgot...whine...whine...whine.
The simple fact is, you get what you ask and pay for. People are not mind readers so be sure you know what you are asking for. If you don't get what you want, it is not the other person's fault it is yours so quit whining.
He was disbarred for lying under oath.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
I got to get back to it...
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
...and there's no unions to blame. So, rather than addressing the need for (and expense of) solid security requirements, standards and certification, let's blame the developers for not implementing features the client and/or management for the most part hasn't bothered to even mention, much less specify or budget for. As if developers should be expected to be perfectly prescient. And as if developers even have the power to enforce such security standards on the products they work on.
It's morons with responsibility-dodging attitudes like this that have given us the impotent Swiss cheese of bolt-on security that we have now.
The "education system" is another convenient scapegoat. The "education system" in the U.S. at least, tends more and more to teach only what industry wants it to teach-- and industry hasn't been asking for security until very recently. But, the education system is a particularly popular scapegoat...
Just when you thought they couldn't be any worse, the current administration shows they are still fully capable of colossal errors in judgement and complete ignorance of the facts. Buffoonery on parade, Schmidt's just the baton twirler for today...
Something you (and so many others) are assuming here is that all code is written by humans. This isn't always the case.
Take, for instance, the credit industry (and a host of others) which utilize neural net software. Depending on the software, and the company that developed it, a neural net might be evolved using genetic algorithms to determine, based on a set of inputs, whether a person is a high or low credit risk, or whether fraud is occurring, or a host of other applications.
What happens if a decision that NN reaches happens to be the wrong decision - who do you blame/sue/fire/imprison?
The individual(s) who coded (or built, if made of hardware) the neural net engine? The individual(s) who coded the genetic algorithm? The genetic algorithm which evolved the neural net? The neural net itself?
Who would sign off (as in "this has no faults") on this kind of an application?
Many people, from highly educated programmers to computer scientists - have looked "under the hood" of trained neural nets (trained via a variety of methods, from simple back-propagation to genetic evolution systems), and in many cases, they are "aghast" at what they see: structures and "code" which seems to defy logic. When encoded via hardware, sometimes things get even stranger: with enough evolution and such, the "best" version begins to rely on issues of the parts themselves, such that the evolution took in favor tolerances and spacing of certain parts in certain manners to achieve the desired result. Furthermore, we are talking very simple NN systems here - should the complexity go up several magnitudes, "looking under the hood" would be so close to impossible (akin to trying to map and understand the neural net which makes up a single individual's brain) as to actually be impossible, practically speaking.
No engineer would, and no engineer could - sign off on such software.
This thinking doesn't just apply to neural nets - it applies to all complex systems. In many ways, a lot of software, and the interactions that software has within a single machine and with other software elsewhere (via a network) - form a complex system. These complex systems of "simple" parts have been known (it is like a natural law, actually) to exhibit behaviors outside the norm which aren't caused by flaws in the software, but by the way things are interacting. Anyone who has studied complexity and network theory at even a base level should understand this, that sometimes problems can arise from nowhere due to unexpected and possibly unexplainable (and maybe not even repeatable!) interaction of complex (and in some case, not complex at all - that is, complexity arising from the interaction of simplistic rules - see Wolfram's "A New Kind of Science") systems.
Can you imagine being a lead developer and being fired, sued, or imprisoned simply because your system was a part of an unpredictable (by ANY method) complex interaction between the systems it ran on and the other software it interacted with? Now, I am not saying that all software and systems are this complex, but we are talking about interaction here, which has nothing (and everything!) to do with underlying complexity...
Reason is the Path to God - Anon
Ignorance can be cured, stupidity is forever.
One of the basic issues is the waterfall model.
A major fallacy is that users know what they want at the start of development.
With iterative development and short cycles (4 weeks is good) you can show them where you are going frequently and they can think of all the things they didn't consider.
Bad requirements gathering is another issue. One project I worked on went like this.
1) BA's. Here are the requirements. Write the system!
2) Dev. These are incomplete- we need to ask the users some questions.
3) BA's. You can't talk to the users- it might lead to scope creep.
4) Dev. We can't develop until we talk to the users- you can control scope- we just want to get more detail.
5) Okay.
6) Dev. Spends a couple months gathering requirements, doing storyboards.
7) Management Review. What?? That's not what we wanted at all.
8) Dev. Spends another month doing storyboards, adjusting requirements.
9) Management Review. Hey that looks pretty good!
10) Dev. Spends another month finalizing business rules, glossary and specs. Now ready to code (8 months after first handed specs that were "ready to code").
11) Dev. Submits project for approval to start. Should take about 6 months to finish.
12) System Architects. We are going to purchase a packaged system.
13) Dev. That system doesn't meet user requirements.
14) SysArch. The users must conform to the system. Business processes will be changed to match the software.
----
Makes you go.... HMMMMMM.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
"It's much more efficient, and enriches everyone except insurance salesmen."
The fly in that particular ointment is the "save 'em at all costs" mentality that pervades patients and their doctors. Then there's the little matter of paying for it.*
"Insurance was created as a concept to deal with the fact that in a purely capitalist society there is no sense of community or common good and no one will help you when you need it most."
Katrina shows how much of a lie that is. Anyway insurance was created to address the fact that there are circumstances that can financially wipe a person out through no fault of their own. By distributing the consequences over a larger group of people society overall is better able to deal with it. Sounds like a "sense of community" and "common good" to me.
"Does anyone actually consider it to be an efficient and effective means of addressing this need?"
We're waiting to hear your alternative that's more than just at political speech level.
*Actually the insurance companies have contributed to the problem in one important regard. By hiding the true cost of medical care from the patient. Kind of the way the cellular phone companies hide the true cost of the phone from you. You can bitch and moan about the middlemen all you want. But that'll not compare to the weeping and wailing you'll hear when you have to pay for the entire experience out of your pocket. Maybe that'll put some brakes on the "do whatever it takes/I can't be bothered taking care of myself" patient and the doctors that cater to them.
honestly fucktards like this get me worked up because due to whoever they have blown, they have a high public position and it makes them think they have a single shred of intelligence.
"security" consultants always seem to be the WORST at it as well, so ready to point out everyone else's failings, but when something goes wrong they are working on you will see the 101 excuses book come out.
If you mod me down, I will become more powerful than you can imagine....
Are you the author of the COSA methodology/design? I had a quick look-through of the site, about COSA, what it means, etc. I am definitely going to study this as time allows. From the little I have read, I find it insightful and highly interesting, not to mention very stimulating from a software development perspective. Wow!
Reason is the Path to God - Anon
I seem to remember a slashdot article posted a couple weeks ago, describing how our newest supreme court justice had successfully defended Microsoft in a case with some of the same issues. I believe that one was a class action against Microsoft for charging people to fix a buggy MSDOS. If she could prove that Microsoft wasn't liable for faulty code in this example, I don't know how she could uphold this law if put to the test.
The moment he demonstrates an intellect and education that begins to compare with that of the average developer. Perhaps he could even learn something about programming before claiming that all the developers are idiots (since there are no developers who do not write flawed code regularly, despite good practice and best efforts) and incompetent.
If a politician can spend an entire term in office using perfect grammar, in a foreign language, then they just might have understanding and justification to complain about improperly written code. People can't wait for the perfect solution to waltz along for them to pick. What would prevent some programmer from saying a flaw doesn't exist in the software, but in the protocol upon which the software relies? All I see is careless reasoning by someone granted more power than their capacity to understand the problem. Such is politics, I suppose.
or does our Federal Government seem to be passing whatever laws and regulations are required to make any technological or scientific progress in the United States as unprofitable and risky as possible? They seem hell-bent on hastening our total economic collapse.
... utterly disrespectfully) submit that they have caused more harm to more people than every programmer that ever lived. And let's not forget that most dangerously bad software is as much a result of bad management as it is bad developers. It would be far more effective to hold management responsible for software flaws: hell, you'd have our support in a heartbeat.
People will march on Washington to protect trees and foetuses and "the environment", and that's all well and good, but I think now is the time for a little enlightened self-interest to come well to the fore. How about we all head to D.C. to drive home the point that our duly-elected public officials were not put there to make this nation non-competitive, destroy its industries, protect self-serving private interests at the expense of all others, and/or sell us out to foreign powers. Something is seriously wrong when "cybersecurity officials" make dangerously stupid recommendations like this. Just hearing words like that from someone at that level of government makes me think that a career switch might not be a bad idea at this point, since America doesn't seem to consider its human technological resources of any real value anymore. Maybe I should go for an MBA, since they seem pretty much immune from prosecution no matter how much they screw up.
Personally, I think we should hold our public officials responsible for all the havoc they've wrought upon this great nation of ours. You want to hold me responsible for a bug in an application that I code? Fine. How about I hold you personally responsible for all the lives lost, jobs lost, and industries left in ruins because of bugs in your legal "code". So, I and others like me should go to JAIL because of a misplaced semicolon? My God. Who are these people?
Hey, you want to really make a difference, Mr. Cybersecurity Expert? I have a suggestion: tell your friends in Congress to fix the patent system. It's broken and it hurts people and they did it. Here's another idea: I say we hold all MBA's, CEO's, CFO's, and all politicians and bureaucrats responsible for the damage they do! I respectfully (fuck it
What an incredible asshole. I am getting so sick and tired of this administration, I really am. I just hope that the next dimbulb that wants the job has the will and the wherewithal to undo some of this mess.
The higher the technology, the sharper that two-edged sword.
..can help us buy out when we need to buy certification/reviews/insurance.
or at least the few companies large enough to keep making software.
Under this sort of regulation the only producers of code that won't be subject to lawsuits are the ones writing exploit code.
.. After all, that code does what it is designed to do, and only what it was designed to do.
Is this something we really want to encourage through legislation?
This guy sounds like a fascist...
Add to the 'sign-off' aspect the usually required (at least here in Canada) training in law and ethics and you will find that few P.E.s will sign their names or affix their seals to things they don't have relatively high degrees of confidence in. When a P.E. screws up, they lose their license to practice and quite often their business, consultancy, or academic credentials at the same time. Thus, they try very hard not to screw up. This means they act as a check on poor practices.
But getting to be a P.E. involves overcoming the standard challenges and it isn't for everyone. A lot of engineering in non-software fields seems based around working with known processes and known parameters to produce a product or some result.
The reason bridge building is a pretty sane discipline is that the characteristics of materials and the physics of bridges is pretty well explored. When a Civil Engineer builds a bridge (or designs one), he has good computer aided tools to do it, standard catalogs of parts and materials, and he knows all about tolerances, safety factors, and good processes. He couldn't sign-off on the project otherwise, without taking his head in his hands.
Contrast that with my work, where I have to build applications using an OS I know is inherently flawed (they all are, but some more notably), it must be designed to work on a wide variety of hardware platforms (many of which I don't have on hand), it must often work with other people's code from outside my organization which is bleeding edge and often of dubious standards, and it is built with tools I only mostly trust and on top of libraries from the OS provider and from third parties into which I have no visibility. There are strategies to mitigate risk, but I'd be very damn leery of signing my name or affixing my sigil in a P.E. context to even my best code - because I know the system it is part of has so many components I don't control and so many points of failure.
One risk mitigation strategy involves extensive testing (some say up to 90% of project cost). Anyone interested in paying $1500 for a copy of Office? I don't see many hands.
I'm all for seeing an improvement of professional standards and practices in the field, the injection of more engineering approaches into the field, etc. But the software field moves faster (IMO) than any other technical field. It also is one in which you have the least faith in the parts you build with. Until reform happens *across and throughout* the field, any efforts to go after companies or individual engineers is a waste of time.
Let's put it another way, more succinct: If I had to sign off in a legal liability sense for the code I've been writing for the last two years on the current contract, I'd imagine I'd have written about 10% of the code I have written and I'd have demanded a *lot more* from the people supplying me with 3rd party code to integrate. Since I know the business model wouldn't support that (the costs would kill the product as it stands), I have to think this approach is only viable once we decide we don't want 'the next new thing' in software and that we care about what we get enough to pay for it.
Someone compared the effort to Ford or GM making cars. If you want to spend $15-50K dollars for a computer, I'm sure we can offer you a lot higher level reliability from the software. Heck, at those kinds of costs, you might get the same sorts of warranties you get from Ford and GM, though they warrant around as much as they can get away with. But if you want to pay under $1000 for the hardware and under $1000 for the principal software, then you might as well expect something that works about 1/10th as well. And it seems to me you've got that.
So, who here is lining up to buy the first $15K personal computer?
Nice idea, don't see it happening anytime soon.
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
Any bug you document is a feature!
For non-trivial software it would be _very_ hard to identify who was responsible for a bug. Most software is a group effort. You have someone who specifies what it is to do, some who design it but don't write the code and others who do write code but don't get to do the overall design and then you have the people who test and document it. When something fails you have to look at the process that created it as having failed. A perfect example of this is the MS Windows OS. The root causes of its problem are conceptual. No one person is to blame; the system just evolved from the non-networked, single-user, single-task OS into a networked, one-user-at-a-time, multitasking OS. When you try to carry backward compatibility through such an evolution you have a mess. I read a lot of things about software management from people who have not written a line of code in 20+ years or even ever. They seem to lose touch with reality
...Ok, I have donned the flame proof underwear here. And speaking entirely subjectively; well, in reference to Australian Engineering in any case.
:)
Anyway, I am an Engineer, with certified competencies in Australia. I specialise in mechatronic engineering and work mostly in manufacturing systems development. As a highly qualified professional, I can be and indeed am held personally liable for my failures, as can a Medical Doctor. The similarities?? LONG and COMPLEX degrees, sufficient training and sufficiently rigorous oversight that graduates, after an intern period, may be considered legally liable and have the skills and competence to operate in such an environment. Not only that, but I must demonstrate a significant number of hours a year in professional development to maintain my certification. Without it I couldn't get professional indemnity insurance, nor indeed jobs for which I am likely to be held personally liable.
Here in Australia at least, there are NO true Engineering degrees for computer programmers, Electrical or Electronic engineers often specialise in computer systems, but they are still trained as Engineers first and foremost. Degree qualified computer programmers are at best science graduates and at worst arts graduates. It is unreasonable to place the burden of personal liability on people who did not choose such a career path. When I was at university the difference was 35+ contact hours vs 16- contact hours and a 4~5 year degree vs a 3 year degree. Those doing the latter certainly aren't likely to be adequately prepared to shoulder that kind of professional burden.
Take a graduate mechatronic Engineer, a mechanical Engineer, a civil Engineer and an aerospace Engineer. Give them each problems from the other's field and appropriate references. They will struggle with unfamiliarity but they WILL be able to competently solve the problem, why?? they are all trained in the same basic principles. Hand a computer "engineer" a fluid dynamics problem and they will almost certainly NOT be able to solve it. They learn to write programs (so do we, actually, in fact, I consider the ability to program essential in graduate Engineers I hire, same as a second language; just important complementary skills, not core skills).
In summary, you cannot start to hold an employee personally liable until the training and development systems that produce them are sufficiently rigorous to ensure that people who graduate into that field are at least theoretically able to take on the responsibility. Furthermore, some strong professional bodies would be required. The kind that require members to continue their professional development to retain certification and, therefore, continue to be considered competent to be held personally liable.
Anyway, not trying to belittle computer "engineers", but I think their training has to step up several levels in rigor and broaden its scope to truly be considered an Engineering discipline before you start laying the burden of personal liability on their shoulders. Essentially, if you couldn't get professional indemnity insurance, you probably shouldn't be able to be held personally liable. Whilst there are very certainly programmers and hackers out there more than competent to be held liable for their work, without a professional structure; there is no sure or reliable means to make that decision or filter people who really aren't able.
Just my $0.02 AUD, apologies to any I offended
err!
jak.
what's next, malpractice insurance for developers?
Sure, it sounds good in practice - developers should be held accountable for holes that are results of blatant negligence, but the way the hacking system works is that hackers find holes that are previously undiscovered - new exploits unknown to anyone, and in order to discover them all, software development would just not be feasible - it's a task force vs. an army. As it is, it's like trying to fix what isn't broken
I think holding programmers liable for the bugs they produce is a capitol idea! Why didn't anybody think of this before!?!?!
... oh yes... the list goes on... ... and on... ... and on...
And while we're at it, we should make the President responsible for the COUNTRY he runs...
And make the Congress-critters responsible for the LAWS they pass (pork pork pork)... Not to mention just simply being SUBJECT to the laws they pass...
And corporate CEO's and fat-cat EXECUTIVES responsible for the COMPANIES they ruin... (ooops, meant "run"... really, I did... a silly gesTYPO)
And wall street brokers responsible for the MONEY THEY LOSE...
And make Presidential Advisers responsible for the CIA AGENTS they reveal..
And national heads of emergency agencies (but I'm not naming names, you know who you are) responsible for the NATURAL DISASTERS they fuck up
And racist pig cops responsible for the poor, ethnic people they beat up...
And rich mother-fucking assholes responsible for the TAXES they dodge...
And silly-ass movie stars responsible for the stupid shit they spew...
And Halliburton responsible for the under-the-table BILLION DOLLAR contracts they got without bidding or anything...
And Microsoft responsible for the entire fricken COMPUTER INDUSTRY it destroyed...
And school board members responsible for the CHILDREN they administer...
And pedophile priests responsible for the LIVES they stole...
And arrogant drug companies responsible for the BLOOD MONEY they extort...
and there's more...
I think they should be responsible.
Make 'em ALL PAY!
Then maybe we'd have a decent country to live in again.
What a capital idea!
That's pretty moronic. Anyone who works in software security (and has a clue) would never put themselves in a position of being personally liable for certifying a piece of software as being "secure".
Likewise, security consulting companies generally only issue "verifiable statements" regarding the software they evaluate. Such statements can include things like "passwords are not stored in plaintext", or "all network traffic is encrypted with SSL". No company with a clue would risk its business on a blanket guarantee that a piece of software is "secure". That's because there is no way to verify a given application is "secure" in the absolute sense anyway.
Yet Mr Schmidt expects developers to certify as such. He clearly has no clue. While he's at it he should demand that automotive engineers certify their cars will never break down, and that police be held personally liable for failing to prevent a crime.
I had last week to develop a set of 3 programs based on a sort-of-kind-of specifications document mostly pissed but certainly not written by some asshole who did not even care about his own horrendously numerous logical flaws and obvious design flaws.
I had to rethink more than half of the process, and told him at every step.
It took long to get him to acknowledge that there were mistakes, and when he did that, he just told me, in essence, "do the changes yourself".
I did the changes myself, I'm looking forward to the test, because I don't have enough information to guarantee that my changes go into the right direction.
Now, should the client hold somebody responsible for the failure I see coming next week, I wonder why I should take the blame, and not that lazy bastard of a specification designer.
Hmmm ?
Bull!
It helps management force people to follow the rules laid down by the bureaucracy, but it doesn't ensure those practices have any relationship to the desired outcome. Quite the contrary: they reinforce a risk-averse corporate culture that stifles your best employees merely to keep the poor ones from doing harm. Look no further than one of their favorite slogans: The nail that sticks up will be pounded flat.
These programs are all about consistency: quality control as opposed to quality results. It's there to prevent failures, rather than lead the way to success. The gap between these is the wasteland of mediocrity, where products and companies are neither good enough to succeed in the long term, nor poor enough to come to a swift, humane end.
While I almost totally agree with what you're saying, I'm wondering how the responsibility would be passed. As you noted, you have to rely on third-party software as well as libraries from the OS provider.
What happens when a liability rises from the use of something in a manner described by the spec or general function of the library/third-party software but only as your code in its present configuration does it exist. Would you be liable? Would the otherwise sound library be at fault, or would there just be something not done about it? What happens when something becomes insecure or faulty only when some obscure combinations of programs are running at certain times or maybe even a certain order? We have seen theoretical exploits like this where you have to open office then go to some website and copy something from that site.
I bet the cost of figuring out who is liable for the fault is going to be just as expensive as the testing to make sure it doesn't happen and nothing is 100%. Also how would trade secrets or copyright be protected when you have to reveal parts of code to show you're not at fault and how would you defend against someone else's fault without access to their code? Microsoft wouldn't just hand you their ntkernel source because you might be in jeopardy of losing a case where your software, while interacting to the spec, found a friendly exploit used to crash the system in certain circumstances. Also, your competitors may claim/create a suit just to see your groundbreaking application's code and learn how you do something they couldn't implement properly.
I'm thinking a whole big can of worms can be brought out here. This can get ugly real fast. What happens if you slap some app together to help you do some trivial task and after leaving the company, someone else decided to include it into some other tools suite. Are you then still required to assume some liability? This is just getting insane.
I'm sure it will take no time at all to identify the specific developer that was responsible for the line of code that introduced bug X into windows build version Y...and even easier to track him down and prove it was his line of code.
What a fantastic use of government resources, I'm sure now that you've caught that Bin Laden guy there's a bunch of people sitting around waiting to investigate stuff
...I'll submit to this the day they hold engineers personally responsible for car breakins and SUV rollovers, business execs for falling stock prices and failed companies (though SOX is doing that to some extent now, albeit at great cost to corporate agility, but no more golden parachutes for Carly and her ilk, damnit!), politicians personally responsible for the negative effects of their many decisions, and anyone else in any similar position of risk and responsibility personally responsible for their mistakes.
I swear, America is becoming a Pussy nation. Everyone wants control, security, no risk, and someone to blame and punish when shit happens, at the cost of squelched creativity, strangled innovation, and scientific and technical stagnation. I try to look on the bright side and think that no place is perfect, and I haven't spent much time in other countries so I don't have a great basis for comparison, but articles like these (and about copyright, drm, ip, etc) sometimes make me feel like I'm living in the last days of the Roman Empire.
Flying is easy, just throw yourself at the ground and miss. -Douglas Adams
Google "clinton disbarred" and you see it was for misleading testimony. At least they got him on something.
On the other hand, I'd take Clinton back in a heartbeat over the President who won't keep his promise to fire Karl Rove for blatant treason. At the risk of going back on topic, that's an intolerable security defect in this administration.
And I think we should hold politicians ... with fire.
responsible for the laws they help pass
In other words the process of creating software is presently immature, and we shouldn't expect "engineering" out of it. Now that we've dealt with that, how about taking the "S" out of CS, since the aforementioned process isn't up to science standards either.
--
The "are you a script" word for today is impetus
Presumably you knew of all these issues when you purchased the car. Most software purchasers have far less idea of how badly their software can go wrong.
Perhaps there should be a limited guarantee included with most software - "This program will not launch itself on startup or crash more than once a week." or similar - rather than generic click-through agreements simply saying that anything that happens is the user's problem.
Then buyers can start discriminating between products on the basis of partially guaranteed reliability, rather than simply choosing the one with the most features. And then, perhaps, we might find that the market rewards well-written software after all.
It might be good in theory, especially if you're pissed off about Windows crashing on you often.
How will this affect the mostly volunteer-based open source projects, though? Are free programs going to be held to this rule (especially since most open source programs tell you right off the bat "offered as-is with no warranty"), or is it just a way to snap back at Microsoft?
Jeez, how about holding accountable the rocket scientists that designed the programming languages that make it so hard to write secure code?
... well, I dunno, maybe a hermit.
Not like we're all slouching around being intentionally lazy...
Morons like this make me want to become
What profession doesn't get threatened w/ idiotic liability laws these days? I can't think...
You heard it from me first: Turbo-PHB
Here is the thing. My car is 20 years old. I'm living in a 40 year old building. The building is warm, and secure. My car runs, and has very few maintenance issues. My 3 year old computer is seriously out of date. If the computer could be guaranteed to last for 10+ years (even I will admit that 20 years for a car is exceptional), I would have no problem shelling out $15K for it. I think this is where some of the issues come into play. Everyone is so desperate to have the Newest and prettiest, that they aren't demanding the Best. And companies deliver what the people want. And don't get me started on the big companies (not just M$, others do the same) that push the New and Pretty, just so they can keep turning large profits. Most of it is the software equivalent of repainting last year's model, and selling it as this year's. Yes it looks newer, but it still has that faulty Alternator, that unreliable Fuel line. E.g. Word Perfect 5.1 did everything I use Word 2003 for, so why did I need to buy Word 97, Word 2000, WordXP, and Word 2003? (O.K., I still use Word Perfect 5.1, don't tell anybody, but most people out there know what I am talking about.)
sorry, got on a little bit of a rant there.
You make some valid points about the dangers of Big Government. However I'm not sure that the "conservatives" in power for the last five years in the U.S. share your reservations. Contact your Congress people and express your views everyone!
As long as I'm allowed to hold CEOs and advisors liable for every result of their actions and words, too. Now, if all you CEOs would please line up against this wall, we will 'process' you as quickly as we can.
Developers should be held legally responsible for bugs.
By the same token, incompetent government officials should be held legally responsible for people perishing in disasters when those deaths could have been prevented with reasonable foresight, planning and resources.
By the same token, government officials who cause the deaths of thousands by fabricating evidence used to justify starting a war, should be held legally responsible.
Um...how about management, the ratings system, the reward system? The Choose2_Fun(features,time-to-market,quality) => [usually](features,time-to-market)? Or how about, the "we get paid for support and bug fixes but not for perfect products, non-customer reported bug-fixes are against the company's financial best interests"? (That one sucks -- as soon as "support and bug fixing" became a profit center for most companies, there became an incentive to release badly documented, confusingly designed and malfunctioning programs.)
.... but then, the schedule is shot to hell, by outsiders/latecomers/marketing about this and that and the other thing "needing to be in this release" and the time being dropped out of testing and documentation? If you say "no", you get viewed as unpopular to outside groups, but respected by peer groups and subordinates who don't get pulled in for regular all-nighters and weekend work-a-thons, but conversely the opposite can happen. It only gets worse if one doesn't or can't allow those involved in such a mess time-off or a big bonus (what, a bonus? for doing their job?! You gotta be kidding!)
How about the lovely project design where one designs a schedule to fix all High & Medium bugs (at minimum) to be fixed, some features, then allows some nearly equal amount of time for documentation and testing and further bug fixing. There was a time that time in testing was thought "should" be nearly the same (maybe 3:2 ratio) as time in development -- need to allow for time to fix bugs from testing and do full retest of products.
Hold the companies to blame, maybe, but individual programmers? The individuals are usually pawns manipulated in a much larger political organization that rewards specific behaviors and punishes others. Until the reward/punishment system is changed within the company, it's simply farcical to hold individual contributors responsible for bugs. As for "free software" or "independent" developers -- they are up against the same unethical pressures as their corporate siblings.
The reason why overseas outsourcing has become so popular is that there are no "personalities" or "people" involved. Right now, it's so cheap to outsource that it's looked at as a commodity product, and people just don't care that much about quality. So it's the ideal solution for many of today's corporations.
They can eventually export "blame" and scapegoat anonymous overseas entities who likely won't have legal recourse to fight back against slander or libel (not that many individual employees do). Unfortunately, even in America one can find one's self scapegoated for a company's illegal and/or unethical behavior and find one's self with little or no recourse.
-l
Your rant is accurate. But which came first, the car that can last 20 years, or the crappy car that fell apart? Now, don't go getting all Model T on me, because that was a pretty sizable good thing, but that wasn't the first car either. Lots of abortive efforts that would have been quite costly preceded it.
And even today, look at the number of recalls cars have. Ford just recalled a whack of F150s because a weak partition between brake fluid and brake electronics cause engine fires. That kind of stuff still goes on. And yet you pay $30-40K for a fully loaded truck!
And since they started dumping huge amounts of salt on the roads (maybe not where you live...), and since the warranties mostly run to about 7 years at the max (seen some starting to stretch to 10), getting more than that out of your car seems unlikely. And look at how every car manufacturer is trying to get people in to test drive 'the latest and greatest' and they'll gladly finance you beyond your means to buy a car you don't need, can't afford, and that won't be worth a lot five years down the line.
I guess my point is that cars are the same as computers, driven by the same predatory sales schemes. Why do you think we have cars marketed with mountain bikes, flower vases, doggie-friendly setups, etc.? It's trying to pimp a new product to you. And if they could make a car that lasted 20+ years in 1925, why can't they do it now? Why don't they? Because that isn't how Big Car Companies make $$$.
I've got 9.5 years and 260K km on my Mustang GT. It's starting to show some signs of age, but overall (with one notable warrantied catastrophic exception) it has been a reasonably cost effective and reliable car. But the price is now around $33-39K (before taxes/charges/etc) Canadian, when I bought mine for $24K with all taxes and charges in last time. And everyone thinks it is incredible that I've squeezed 10 years out of it by carefully husbanding it and caring for it. But if I hadn't, it would have failed more seriously before now. And if it does that now, the math says buying a new car might be required.
Turning back to computers, I have an NT 4.0 box that has run rock solid like a trooper for the better part of a decade (8+ years, IIRC). It rarely if ever crashes, the apps do exactly what they used to, and the machine does word processing and spreadsheets lickety split. Sure, I'm not running the latest XP on that machine, but there is nothing wrong with either the hardware or software, in terms of reliability. I have a Win 98 box that has been pretty good too. And my XP Pro boxes have proven a *very* stable platform for multiple software development projects - both are crammed with tools and IDEs and I can't even *remember* the last time I got a program crash or blue screened while working (one has a bit of a bluescreen issue at shutdown, but that's on account of me having made the mistake of okaying a windows ATI driver automatic update... if I go back to the old driver, I'm sure she'll be solid as before...).
Anyway:
1) Cars have lots of flaws too. Their projected lifespan is about 5-6 years. They can last 10-20, but that's not the norm. They have recalls, they have areas they come up short, and the car companies want you to buy new ones. And they cost $20-40K new.
2) Computers, if you get them setup right and that is easier now out of the box, can be very robust and reliable. Standard office apps can be very stable nowadays as can software development tools. I have computers, including a 486 running Win95, that have been clunking away on and off for more than 15 years. And the new ones are pretty much rock solid as long as I don't patch my graphics drivers (that's still a weak point...). Your computer is envisioned to last 2-4 years (according to the tax people). You can get 5-6 out of them pretty easily and 10+ if you really want to. Yes, they have companies trying to sell you stuff. They have patches (like car recalls).
Seems to me they are a lot the same as cars, except they cost about 1/5th to 1/10th as
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
The problem isn't that the programmers don't know what they are doing.
The problem is that their bosses and customers don't understand how long it really takes to produce high-quality software.
They expect the features to be created by snapping fingers.
The truth is that it takes a lot of planning and work to create complex systems (and most systems are).
Nevertheless, most developers try to keep unrealistic deadlines.
The result is naturally a lot of bugs, workarounds and hacks.
The employer is to blame, not the developer.
Every building is paid for.
Not every copy of a program is paid for.
If a developer created high-quality software, and attempted to charge a higher price that reflected the quality, the developer would never receive sufficient compensation because the program would soon be pirated.
That is the heart of the software quality problem.
Slashdot entertains. Windows pays the mortgage.
You hit part of what I was trying to say on the head. There are two focuses that can be taken when developing. New and Improved, or Reliable. 20 years ago, car manufacturers were focused on Reliable, and (ignoring F(ix)O(r)R(epair)D(aily)), for the most part, still are. That's why they cost $10K-$15K. Computers are focused on New and Improved. Unstable, (I have even had some problems with Linux and Macs. Crashes by O.S. that I have had to deal with: Linux: 4; Mac OS: 1; Dos: 5; Win 3.1: 3; Win 9X: Lost Count after 103; Win XP: Lost Count) sorry where was I. Unstable, and out of date within a few years. My comment wasn't based solely on Instability, but also with Usability. That car from 20 years ago functions just as well today as any other car out there. (For its intended use as a passenger Vehicle. It never was, and never will be a performance race car.) My 8 year old Dos box still runs without any problems, but today its only use is as a Router/Firewall. For what I do, I can no longer use it for modern Software Development.
It all comes down to what people want. I want a Computer that is stable and will last min 5 years, willing to spend $15K for one. There are maybe a few thousand of us willing to do the same. Joe Blow on the street wants fast, new and Cheap. $1000 max. There are a few hundred Million of them.