Slashdot Mirror

← Back to Stories (view on slashdot.org)

'The Year That Software Bugs Ate the World' (fastcompany.com)

Posted by msmash on from the year-of-bugs dept.

FastCompany's harrymcc writes: It's not like there's ever a year that isn't rife with stories about buggy software. But 2017 seems to have had an unusually rich supply of software flaws that fouled up major products -- from Twitter to iOS 11 to the Google Pixel 2 -- in ways that were very noticeable and sometimes even funny. Sample this: A nagging flaw in Google's Play Services software for Android causes Gmail to demand access to "body sensors" before it will let users send email. Android Police's Artem Russakovskii discovers that his Mini is recording audio 24/7 and storing it on Google's servers. I rounded up a bunch of them over at Fast Company.

63 of 95 comments (clear)

  1. We need to go back to basics by Anonymous Coward · · Score: 4, Insightful

    Programming in traditional programming languages instead of the latest fad language and framework. And develop in our own countries instead of outsourcing it.

    1. Re:We need to go back to basics by CastrTroy · · Score: 4, Insightful

      What we really need are programmers who actually know what they are doing. The problem is that there really aren't enough programmers out there to get all the development projects done by knowledgeable programmers. It doesn't matter how much you pay them, the programmers simply don't exist.

      I think that the latest fad language and framework is actually just a symptom of the underlying problem. With a good enough tool set, you can fake your way through it for the most part and make it look like the system works from the outside. But you eventually hit a wall where the framework can't make up for the lack of skill of the developers, and this is where you run into problems.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    2. Re:We need to go back to basics by chill · · Score: 3, Insightful

      Why would they do that? They'll just address it in the next sprint! If you're agile enough, that is. Just add those bugs to the backlog! We've got features to ship!

      --
      Learning HOW to think is more important than learning WHAT to think.
    3. Re:We need to go back to basics by jellomizer · · Score: 1

      Language, Country or origin, and even skill to a degree doesn't really affect the quality of the software. It is management who wants the product done ASAP, setups Rigorous time lines, loosely gathered specifications, and sells the product to the market, before any single feature is tested.

      In a lot of of our software, I wonder how much proof of concept code is out there without being fully fleshed out, because it technically works, however the details to prevent it from breaking and access via ways that it shouldn't be, never got allowed to test and implemented because it needed to go out the door.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:We need to go back to basics by Anonymous Coward · · Score: 3, Funny

      At the beginning of a project, it doesn't make sense to invest a lot of development effort into a comprehensive, secure, bug-free, scalable, and robust foundation. Doing so costs a fortune and your business flops before it is finished. And anyway the market hasn't tested your offering yet so you don't know if it is going to live long enough to need a foundation that is that advanced.

      During the mid-life of the project the need for a better foundation starts coming up, but it still doesn't make sense to spring for it because the application-wide refactor will be harmfully impactful to existing clients, and (more importantly) it doesn't sell anything in the short-term. Even though it will save a lot in the long-term, that savings just can't compete with the money that is sitting on the table if you just add a few more features instead.

      Yes, there are bugs that clients feel, but they aren't bad enough for the clients to abandon the project, and even the clients would rather pay for new features than fixing bugs they are already working-around.

      At the end of the project it obviously doesn't make sense to put the solid foundation in, nor to fix the majority of the longstanding bugs, because it won't be around long enough to capture any profit from that bandwidth.

    5. Re:We need to go back to basics by Aighearach · · Score: 1

      My favorite bug of the year was the bluetooth one that caused a bunch of idiots to whine and cry that "everybody" was remotely rooted, while in reality RHEL/Centos users were only every exposed to a DoS bug. (box would crash instead of being exploited because RH turned on the bt memory protections already available in the kernel)

    6. Re:We need to go back to basics by Aighearach · · Score: 1

      The problem is that there really aren't enough programmers out there to get all the development projects done by knowledgeable programmers.

      This isn't actually true, though. In the late 90s when it was really true, the market responded, pay went up, and job availability went up too. The situation now is that pay isn't going up significantly, and jobs remain "open" forever without any attempt to hire whoever the most qualified person who applied was. You might 1000 applicants, and the "job" remains "open" and the work later gets outsourced.

      If there was a real shortage, hiring would instantly increase!

    7. Re:We need to go back to basics by Aighearach · · Score: 1

      Language affects software quality a lot, because ultimately software quality is determined by the user based on how well their use case is served. Understanding the use case is a very human, language-and-communication type of problem. Even poorly written software can eventually be bugfixed to quality, if the management understands the use case and continues to apply resources.

      Language differences don't prevent that, but it does make understanding use cases harder, so the average maximal result will be lower quality.

    8. Re:We need to go back to basics by Hognoxious · · Score: 1

      Hey, you said Qt twice!

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    9. Re:We need to go back to basics by Hognoxious · · Score: 1

      It's just that managing software developers pays better than being a software developer

      Thing is, the people managing software developers don't know what they're doing either.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    10. Re:We need to go back to basics by Hognoxious · · Score: 1

      You're using "language" like {English,French}.

      GP is using it like {Java,C++}.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    11. Re:We need to go back to basics by AmiMoJo · · Score: 1

      The idea of frameworks and new super high level languages is to make it so people don't have to understand the hard stuff to write good software.

      Even the best programmers struggle to write crypto, for example. Most people would be crazy to write their own, better to use a well tested library.

      We need to make better frameworks.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re: We need to go back to basics by kurkosdr · · Score: 1

      Maybe stop worrying and give the company what they deserve? Aka keep the existing mess half-functional and don't refactor or re-architect anything, while looking for a job in a company with proper procedures in place and which doesn't act like a start-up.

    13. Re:We need to go back to basics by TheRaven64 · · Score: 1

      I don't know about the other platforms, but when I look at the list of things on the security advisories issued for macOS they are pretty much entirely C/C++ code. None of this is latest fad language or framework, it's simply a function of complexity. I remember some old research from IBM that claimed that programmers produced five lines of bug-free code per day, independent of language. The difference now is that there are so many complex interconnected parts in a modern system that the probability of a bug being an exploitable security vulnerability is much, much higher.

      --
      I am TheRaven on Soylent News
    14. Re: We need to go back to basics by Zero__Kelvin · · Score: 1

      So when you look at a codebase written almost entirely in C and C++ most of the bugs are in C and C++? Say it isn't so!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  2. 99 bugs in the code.... by Computershack · · Score: 4, Funny

    99 bugs in the code to be fixed, 99 bugs in the code. Fix a bug, wrap it up, 148 bugs in the code...

    --
    I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
    1. Re:99 bugs in the code.... by hackwrench · · Score: 1

      Not if you are writing a Langolier.

    2. Re:99 bugs in the code.... by DontBeAMoran · · Score: 2

      148 bugs in the code to be fixed, 148 bugs in the code. Fix a bug, wrap it up, 835 bugs in the code...

      --
      #DeleteFacebook
    3. Re:99 bugs in the code.... by sysrammer · · Score: 1

      99 bugs in the code to be fixed, 99 bugs in the code. Fix a bug, wrap it up, 148 bugs in the code...

      Pretty much :)

      Is there any field of human endeavour that suffers from so many unintended consequences, besides politics?

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    4. Re:99 bugs in the code.... by someoneOtherThanMe · · Score: 1

      Sex?

  3. Will have to get worse before it gets better by gweihir · · Score: 3, Insightful

    The average person still does not care at all. Hence software can still get worse and even cheaper to make before it starts to cut into profits. And it will.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Will have to get worse before it gets better by antdude · · Score: 1

      Yep, companies too. They even care not about QA. MS axed its QA department years ago. I'm still unemployed after a year. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    2. Re:Will have to get worse before it gets better by hcs_$reboot · · Score: 1

      This is the real problem. People got used to that bad software service.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re:Will have to get worse before it gets better by gweihir · · Score: 1

      Indeed, it is. People perceive pathetically bad quality as "normal".

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Will have to get worse before it gets better by TheRaven64 · · Score: 1

      Partly. Software engineering is a very young discipline and we still don't really know how to make good software. We know a few things that are pretty much guaranteed to make terrible software, but the closest thing to a process that produces bug-free software is that used by the seL4 team, which is estimated to cost around 30 times as much as a conventional process with a very good set of automated tests.

      --
      I am TheRaven on Soylent News
    5. Re:Will have to get worse before it gets better by TheRaven64 · · Score: 1
      Ooops, hit submit without thinking.

      The second problem is the lack of knowledge in consumers. Given two pieces of software that fill the same function, do you have any mechanism to say which one is likely to be more secure? Creating good metrics for evaluating software security is an open research question in cybersecurity. When we don't even have research that can do the comparisons usefully, expecting consumers to make informed decisions with no information seems a bit of a stretch.

      --
      I am TheRaven on Soylent News
    6. Re: Will have to get worse before it gets better by Zero__Kelvin · · Score: 1

      Bullshit. The competent among us know how to produce GREAT software. The real problem is that very few people have what it takes to do it but a pervasive meme that anyone can do it has resulted in a situation where 90% of the people getting paid to develop software shouldn't be in the field at all.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    7. Re: Will have to get worse before it gets better by TheRaven64 · · Score: 1

      The competent among us know how to produce GREAT software

      Care to share your secret? What do you do when working on large (10 million or more lines of code) codebases that ensures that there are no security-related bugs?

      --
      I am TheRaven on Soylent News
    8. Re: Will have to get worse before it gets better by Zero__Kelvin · · Score: 1

      Nobody said that, and if you know anything about complexity you know that can't be done. It isn't even a software (only) problem. Take for example prisons. Despite all the effort making them secure, including outrageous spending on full time guards and other personnel people escape. Security isn't a product it is a product it is a process; humans will always be the weakest link.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    9. Re: Will have to get worse before it gets better by Zero__Kelvin · · Score: 1

      It's a process*

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  4. Apply the razor by arth1 · · Score: 1

    The examples listed are not necessarily bugs, even if they are named so when they're found out.

    Never attribute to malice that which can be explained by stupidity. But then again, never attribute to stupidity that which can be explained by corporate greed.

    1. Re:Apply the razor by Aighearach · · Score: 1

      explained by corporate greed.

      There is no such thing as corporate greed; all greed is personal when you look under the hood.

  5. I Blame Connectivity by nwaack · · Score: 3

    I think a major contributor to all these bugs is that every. single. thing. has to be connected to every. other. thing. My computer has to talk to my phone which has to talk to my watch which has to talk to my refrigerator which has to talk to my toaster. All that connectivity makes software waaay more complicated that it needs to be. Now throw in some corporate greed where software design goes to the lowest bidder and you get what we have today.

    1. Re: I Blame Connectivity by DontBeAMoran · · Score: 1

      How about stupid people who can't even spell stupid?

      --
      #DeleteFacebook
    2. Re: I Blame Connectivity by denis.goddard · · Score: 1

      Oh God this. And this is why I will never buy IoT appliances while "dumb" ones are an option. And why I will never spend one penny on the monstrosity IOTA

    3. Re:I Blame Connectivity by hcs_$reboot · · Score: 1

      I think a major contributor to all these bugs is

      Apple.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    4. Re: I Blame Connectivity by TheRaven64 · · Score: 1

      Connectivity is not the problem. I can reach millions of web servers, that doesn't make the browser more complex.

      It does. A modern browser splits itself into multiple processes and runs most of them with very little privilege precisely because of this. Out of those millions of web servers, the probability of at least one of them trying to attack the browser is approximately one. Browser writers know this and so have multiple layers of defence. They know that in the (roughly) 30 million lines of code in a typical browser, at least some of them will contain security vulnerabilities and so they try very hard to ensure that when (not if) a renderer process is compromised, there isn't much that the attacker can do with it. This doesn't always work: for example, someone compromising your gmail tab with a malicious image that exploits a libpng arbitrary code execution vulnerability can still log into the Play Store and replace your Internet banking app with a trojaned version.

      If web browsers didn't need to exist in such a hostile environment, they'd be a lot simpler. Unfortunately, most IoT devices exist in a similarly hostile environment, yet don't add the complexity required to deal with it. Many of them use simple cores that don't even support process-style isolation of components.

      --
      I am TheRaven on Soylent News
  6. More software, more bugs by Anonymous Coward · · Score: 2, Insightful

    Next year: Even more software, even more bugs.

  7. shorter development time,... by Selur · · Score: 1

    I would go with shorter development time, nowadays less and less testing is done before a release,..
    "Beta testing? BAhhhhh,... that is what users are for."
    with that and your boss telling you to release now since he had a quick look and didn't see any problem,... (after a 5min glance)

  8. Not going away anywhere soon with AI by yaznaz · · Score: 1

    Formal validations of software using math is already difficult and will be more so when applied to AI domain. Just the definition of what constitutes correctness is a challenge in such systems.
    The demarcation between traditional programming bugs vs undesirable outcome due to flawed learning blurs as software complexity increases. Subtle biases or other instabilities can be introduced that influence cognition and it will be nearly impossible to trace.
    If the app misbehaves, trying to trace and attribute it a segment of code may soon be a thing of past. So, 2017 as 'The Year That Software Bugs Ate the World' is probably just the precursor of a future where good enough is the new norm.

    1. Re: Not going away anywhere soon with AI by Zero__Kelvin · · Score: 1

      You can't prove it correct due to Godel Incompleteness; You can only increase assurance. That's why it is called Software Quality Assurance, not Ensurance.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  9. Is it really the year of the bugs? by jellomizer · · Score: 1

    I mean I remember the "Good Old Days" where the system would crash when you look at it wrong, or typed too fast. SQL Injection errors were common...

    These bugs that came out this year, while bugs, is a far cry to the risk of trying to use a computer during the 1990's or before.
    I haven't seen a BSOD (or its equivalent) in nearly a decade now. These glitches that we get today, while some are serious, they are rather small in the big picture.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Is it really the year of the bugs? by mccalli · · Score: 1

      Unfortunately, handling ''typed too fast' actually was one of the iOS 11 bugs...

    2. Re:Is it really the year of the bugs? by OffaMyLawn · · Score: 1

      The BSOD on W10 seems to be a big frowning emoji attempt. Which took me a minute to realize what I was looking at the first time I saw it.

    3. Re:Is it really the year of the bugs? by jellomizer · · Score: 1

      Yes, an animation error. Vs crashing or locking up a system.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  10. 2017 also known as by hey! · · Score: 1

    the year the frog noticed the water was getting kind of hot.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:2017 also known as by Aighearach · · Score: 1

      Doubtful, since most people know that the frog thing was just some bullshit some asshole made up and not a real effect.

      The reality is that frogs in heated water have nowhere to escape. That's the whole story. Give them a chance to escape, and they will; they do understand the problem, and all evidence confirms that. There was never any reason given for believing the cliche; it is just a sort of IQ test; people who are credulous to the point of mental disability will believe it, and everything else they hear, and people who check for why they think it is true will quickly come up empty and see there was never any reason to believe it even presented.

    2. Re:2017 also known as by hey! · · Score: 1

      Myths are supposed to be truthful, not factual.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  11. Too many moving parts by cheesyweasel · · Score: 1

    Have you taken the time to consider how many libraries are used in the average project? Most of those are open source projects, continually updating and relying on other libraries from other projects. Like coding inception.. a bug or change inside of a library, inside of a library, inside of a library inside of a program that messes everything up. Vigorous testing is the only hope.

    1. Re:Too many moving parts by cheesyweasel · · Score: 1

      Exactly. How are you meant to test for everything? Continuous delivery or continuous failure?

  12. Fast Company by Hognoxious · · Score: 1

    Fast Company - for those who find The Verge too technical.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  13. Re:It's because of the push back against testing by Bomarc · · Score: 1

    You hit it. (Also I didn't see any previous post saying this). Irony ... Facebook, Yahoo (and eBay) ... all have software quality that SUCKS. They all release broken code - many times. (FB: open a video to a 'new' style window; the video doesn't play, the "back" arrow takes you back to the top of the list, you've lost your place; Yahoo: I've all but abandon it due to bad quality. eBay: New features in "rating" have grammatical errors/issue; and BAD (wrong) information -- all of these I have (attempted) to report to the companies many times. None of the companies have a meaningful feedback mechanism. For all of them -- their quality SUCKS. They are big enough that; who else are you going to go to?
    For me; it is - when I see the video bug, stop scrolling down. For Yahoo, I've almost abandon it. For eBay -- don't leave any feedback -- and I'm cutting back. The thing is that these are people {managers} have no clue about quality or testing. The suggestion of ''Let's have developers test their on code'' is insane. Time and time again, developers can't write bug free code; and are unable to properly test. Why should they? They will be paid to fix it on the next release! (Which they never do). I've reviewed developers written automation. One test case - did nothing (and reported that it was successful). A group of test cases (about 40%) passed with the server "down". None of the automated test cases (written by dev's) gave any rational as what they were doing, or the goals of the test case. Were they testing the GUI function, the server function, the ability to get the job done ... ? (No documentation... I have NEVER seen a dev write a test case that made sense by reading it). Yes, they (frequently) write great code. But you need a tester behind it writing test cases; both manual and automated.

    From the /. article "How Can I Make Testing Software More Stimulating"; the best response, worth reading and keeping: You can't, so don't try

  14. Capability Based Security by ka9dgx · · Score: 2

    If we had capability based security in our systems, this kind of stuff would require the user to knowingly allow these types of activities. Until then, we're all screwed. Stop blaming everything but the OS. It's not the programmers or the users.

    1. Re:Capability Based Security by phantomfive · · Score: 1

      Android is a capabiilities-based security system.

      --
      "First they came for the slanderers and i said nothing."
    2. Re: Capability Based Security by Zero__Kelvin · · Score: 1

      Who do you suppose will create this magical OS that doesn't allow bugs and isn't written by programmers?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  15. Yeah. Build the house from the roof down. by Anonymous Coward · · Score: 1

    When will you suckers realize that a solid, well engineered foundation is the key to every successful construction project???

    You "strengthen-it-later" types are why we can't have nice things; you merely sit back in your rubble, and smugly proclaim to be the great first-mover innovators.

    1. Re:Yeah. Build the house from the roof down. by Rakarra · · Score: 1

      When will you suckers realize that a solid, well engineered foundation is the key to every successful construction project???

      That's great, except plenty of these programs/apps/what-have-you are made by startups. Startups have to show immediate RESULTS when it comes time for the second round of funding or else there won't be a second round. They have to build the application first, then fill in features and fix bugs.

    2. Re: Yeah. Build the house from the roof down. by Zero__Kelvin · · Score: 1

      Yes, because startups are a new invention. There were no startups until incompetent idiots with beliefs like yours came along.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  16. Two Bytes to $951M .. by najajomo · · Score: 1

    "2017 seems to have had an unusually rich supply of software flaws that fouled up major products -- from Twitter to iOS 11 to the Google Pixel 2 .. Google's Play Services software for Android ..

    Something missing from that story, just on the tip of my tongue, is it any wonder this has become known as the Microsoft Slashdot.

    Two Bytes to $951M

  17. Re: Not all of them are bugs by Reverend+Green · · Score: 1

    Yup. Both of the Google "bugs" sure do look a lot like features. User-hostile features, sure, but planned intentional features all the same.

    Google is always watching. (And listening, too, it seems.)

    Stop Google now before it's too late.

  18. Re: It's because of the push back against testing by Reverend+Green · · Score: 1

    My company has no QA testers, no spec to test against, no leadership motivation to get either of those things, and no financial resources to spend on them even if there was desire. We do have some unit tests but they are not a priority. As you might imagine, the quality of the end product is less than stellar.

    Yet despite some serious usability issues tons of people use the system. That's considered validation of the business model. :)

  19. Re: You get what you pay for by Reverend+Green · · Score: 1

    Sometimes I talk socially with local "entrepreneurs" building various (mostly useless) applications with 100% outsourced dirt cheap labor. Often they will often tell me about some problem they're having with the software or the "coders", expecting a sympathetic ear or useful advice.

    I literally laugh out loud at them. "Hahahaha - pay peanuts, get monkeys!"

    The lower the inflation-adjusted pay goes in our industry, the more skilled and knowledgeable people who are going to sit back and just laugh while everything breaks.

  20. Re: Google is becoming a real problem by Zero__Kelvin · · Score: 1

    Nope. If I go to my site via HTTPS it says everything is great but if I go to the HTTP link which mod_redirects to the secure link it says my site is insecure.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun