Why is a software developer an engineer when it fluffs their ego, but not an engineer when regulation and consequences for failures are necessary?
Yes, if the security failure is grossly negligent, you should face criminal proceedings. As a C level executive, you are responsible for your chain of command.
Is there any evidence that software engineers are protected in some way from criminal negligence cases?
The reality is that it is vanishingly rare for any engineer to face criminal charges for their professional actions. It doesn’t seem to me that software is held to much lower a standard.
Not protected, simply not pursued, although it’s usually outright fraud that is the target of most prosecutions.
Watching the SEC closely to see how many ICOs they prosecute. Also was helpful to see someone involved with their breech response who attempted to profit from non public material information prosecuted (although that’s tangential to the breach itself).
Someone relatively important is going to have to get burned before more software professionals are pursued for grossly negligent security failings.
You misunderstand my point. Are there examples of other sorts of engineers being brought up on charges?
It only happens in the most egregious of negligence cases as it is and even then convictions are rare.
I'm saying your impression that software engineering is protected is wrong, because no engineers (to any normal approximate) are brought up on criminal charges.
Lawsuits are commonplace in civil/geotechnical engineering because faulty work has life and death consequences for the general public. To be a certified professional engineer and sign-off on design plans in California you need to pass an exam, after which could result in issues of liability. This law practice defends professionals that may be in a dispute [0]. Here's a breakdown of why engineers might get sued [1]. Here's a case where a company was held liable for damages associated with a construction project [2].
The title 'software engineer' without any notion of liability is an exercise in stroking ones ego.
He said “criminal” charges. That is a very high bar.
Software engineers can be held liable in civil suits, as can other engineers even if there is no professional accreditation body for their industry.
It is less common in software than civil engineering for a few reasons, one of which is that customers literally have no problem signing away their liability. No one would sign a contract from a bridge designer that said “this might fall over in a stiff breeze” but that happens all the time with software.
By that extension if a McDonald's drive thru employee accidentally spills hot coffee on a customer, the CEO is responsible and should be charged with assault?
If they create a work situation where by cutting corners on container safety, protocols, and employee attentiveness I think they are guilty.
And in the modern security context we're pushing deadlines just to race to the latest features with almost no regard for security in the process.
Something has to change. If this kind of negligence were causing similar problems in physical realms there would be regulations.
The tech companies behind these mistakes won't have that free roam forever. Every major screw-up is a step closer to regulations and everyone will cry about it when it happens... But so many companies today don't seem like they're ready to behave responsibly.
Is that grossly negligent? No. Is keeping the coffee excessively hot for cost reasons, thereby causing the customer to receive third degree burns on their genitals and winning in court? Yes.
While I fully understand that without universal insurance in the US, it may be most expedient to go after someone like McDonald's with deep pockets, I am tired of hearing how shocking and unconscionable it is that coffee could be served at a near boiling temperature.
I make coffee nearly every morning by boiling water in a tea kettle and pouring it over coffee grounds in a Melitta filter. If I poured or spilled it on my genitals, that would be bad. Doesn't make an approximately 200F temperature incorrect though.[1]
I'm familiar with the case, that's why I mentioned it. My point was that although they lost the civil suit, there weren't any criminal proceedings against C-levels. I understand the argument of negligence being as guilty as malicious intent but it creates a sweeping blanket that's hardly fair or enforceable.
I agree with your principles in theory but it's just impractical.
The Department of Justice was able to dismantle Arther Anderson after their fraudulent audits of Enron. Lots of things that are impractical are possible with sufficient effort. And the government has unlimited resources for those efforts.
You must hold systemic negligence and corruption accountable, or it perpetuates the cycle.
A) The DOJ had been looking at Anderson for years prior to Enron due to irregularities with other major firms like Waste Management Inc. Enron was not an isolated incident.
B) They were prosecuted for the very specific crime of obstruction of justice after they were caught destroying evidence. It wasn't some backlash against a nebulous problem.
C) Their conviction was overturned!
I'm not sure you could have picked a worse example for arguing your point.
They keep the coffee that hot because customers like hot coffee. That's the main reason I get coffee at McDonalds, not because it's great coffee (though it's not bad) but because it's HOT. Half the time I get coffee at Starbuck's it's only a litte better than piss-warm.
I don't think forbidding hot coffee at drive-thrus is unambiguously in favor of safety, since not-so-hot coffee encourages people to drink while driving, which could cause an accident. Some people want to drink on their way to the office or home, and others want coffee that is still hot when they get there. The consequence of the litigation seems to be that the former group of customers is privileged, but I'm not certain that is an overall social good even if you prioritize safety - and some would of course be happy to trade off others safety for their own hot coffee.
There seems to be an unlimited supply of people always popping up to "debunk" the "myths" about the Liebeck case who seem to deflect from the fact that it is normal for coffee to be brewed at near boiling temperatures[1] that cause the sort of damage that was at issue. I could burn myself severely while draining pasta too, if I pour hot water all over my pants and don't remove them; it doesn't mean boiling water is too hot for cooking nor that say, a manufacturer of a non-defective pot is to blame.
it's unfortunate but leaks and breaches happen in programs (which a website is). it's coding, it isn't perfection and no one should go to jail or be ridiculed because they unintentionally introduced a bug that caused whatever problem arise (WE HAVE ALL DONE IT). This is why it is ideally best to have some sort of peer review and/or buddies reviewing our code for things we don't see before they are pushed into production, however unfortunately, this doesn't happen in all cases.
the only crime was not fixing the problem and keeping it a secret AFTER IT HAD BEEN DISCOVERED. in this case, it wasn't the mistake that was the crime, it was the cover up.
Engineers in other disciplines are held liable for their mistakes. Imagine a civil engineer signing off on a building and then having it collapse. If it was found that the engineer was negligent then you can bet your ass there will be reprucussions. As an engineer, you are the top of your field and with that comes a professional responsibility that is important to fully realize. Mistakes are mistakes sure, but if those mistakes end up being responsible for criminal activity then you’re fully responsible. It’s why the chain of command exists.
> Engineers in other disciplines are held liable for their mistakes.
To be fair, they have several hundred (if not thousands of) years of trial and error, documentation, etc. behind them to (try and) help people avoid the mistakes.
Computer Science has barely 70 years of half-arsed fumbling about.
Yes, if the security failure is grossly negligent, you should face criminal proceedings. As a C level executive, you are responsible for your chain of command.