by mises 2409 days ago
Legislators tend to do a very bad job of creating technical standards. There is no constitutionally-enumerated power for Congress to regulate which character-encoding standard is used. On the other hand, updating all gov't and military systems to unicode-only would force the change pretty quickly, I'd guess.

You also can't outlaw a vulnerability. It's an honest development mistake.

I assume you're joking about emojis and other esoteric characters?

> There is no constitutionally-enumerated power for Congress to regulate which character-encoding standard is used.

If you squint, it's kind of covered by the weights and measures clause, in the same way that the clause that allows Congress to establish armies covers Congress establishing the Air Force.

You don't really need to squint. A combination of the weights and measures clause, the interstate commerce clause, and the federal postal service is more than enough for Congress to have jurisdiction over how names are to be encoded and processed.

It’s also unquestionably legal to have an Air Force, too.
> You also can't outlaw a vulnerability. It's an honest development mistake.

You can, however, threaten executives with personally-served jail time if they lead a company in a sufficiently irresponsible manner to allow such a mistake to happen, and can't somehow demonstrate that the measures they implemented were reasonable (despite the prima facie evidence that they weren't, because they failed).

Not saying this should be done in this case, but AFAIK some of the Sarbanes-Oxley Act requirements are being taken very seriously because they have similar provisions.

> You can, however, threaten executives with personally-served jail time

How about the developers? The IT guys? Maybe not so enticing an idea now?

Where they have a reasonable way to avoid it, I'm all for it to be honest. Engineers go to jail if they build a shoddy bridge.

Key is to require realistic things. Not "humans must not make mistakes", but "process needs to be in place to catch human mistakes". This is not something individual contributors can usually influence.

But in cases like e.g. the VW emission faking scandal, I do think that if (and that's a big if) it can be proven that the developer must have reasonably known what he was doing and that it was part of an illegal scheme, the dev should also be punished: This changes the game from "do it and keep my job, or refuse/whistleblow and lose my job" to "do it and potentially go to jail, or refuse/whistleblow and lose my job" making the second, societally preferable outcome more likely.

I wouldn't count a SQLI as an honest mistake, at least not for newer systems. Any developer not knowing about this has no right to have his code run productively. A couple of times I had quite a hard time convincing people to fix their SQL code (in a framework, no less). It would have been easier if it had been outlawed, I am sure.

Well they don’t have to make the standards themselves. They would delegate that to an organization like NIST.

The constitution does give Congress the power to regulate interstate commerce and weights & measures.

We have UTF-8, they don't have to write it, they have to say it's how all names now are.