[rudedogg]

What about management? What about the sysadmins/developers that left a security hole somewhere? Are they held responsible in some way?

It's unacceptable that this keeps happening. If you own a safe and it gets broken into every week, do you blame the safe cracker or who built the safe?

[eggsmediumrare]

Do you blame the dev? Do you blame the HR system that hired them? How about the manager that pushed them too much? What about his manager? Is it the VP of IT's fault, even if he didn't know the technical specifics? Nothing is any one person's fault. Blame is a stupid waste of time.

[inetknght]

At some point we will sit down and recognize that calling programmers "engineers" was a mistake. True engineers make guarantees within clearly specified limits and take on liability for those guarantees. Modern technology companies claim many things while owning little, if any, responsibility.

[HeWhoLurksLate]

For starters, the whole 'NOT FIT FOR ANY PARTICULAR PURPOSE EVEN THOUGH YOU PAY FOR IT TO DO THESE SPECIFIC THINGS' contract thing needs to go die.

WRT engineering- if someone walks into a production cell and a robot swings and hits them in the head, guess who generally gets the blame in an investigation? The group that somehow didn't put safety scanners or a cell wall with door interlocks or didn't use safety-rated equipment.

There's a big difference between "guys, please get out of the way before I make the bot move" and "guys, I can't make the bot move until you're out of the way and the door is closed and latched" and worst-case scenario, that difference can be any number of human lives.

Surely things can improve, but it'll take time, dedication, and sucking it up and rewriting legacy code and probably being slower at pushing features out. (Keep in mind this isn't a universal guidebook- and should mostly be for companies that create software and infrastructure that is or can be life-critical.)

[eggsmediumrare]

I agree, although I also think civil engineers who miss things (Elliot Lake mall collapse, for example) are mostly just scapegoats and don't deserve to shoulder so much of the blame.

[rudedogg]

This is what I was thinking with my comment. I don't like the idea of being liable for software I make. I love that the MIT license has a clause saying whatever happens to your computer is not my fault. It's comforting when you're just trying to share something.

But.. there are certain classes of software that I think should be written differently.

I feel like we made a lot of bad decisions. There should be a completely separate stack for hospitals, power plants, etc., including a custom operating system. Why is Windows running on every machine? Isn't this a national security issue at this point?

[FpUser]

>"Why is Windows running on every machine? Isn't this a national security issue at this point?"

Because for better or worse people make their choices and who are you to tell them what to run.

Infrastructural software - sure there should be some kind of security certification. this probably will not help much. Switches and routers are not running Windows and are still being attacked and crippled. Or consider the Stuxnet.

[asdfasgasdgasdg]

Sometimes analogies can be misleading. It's a lot harder to design a secure hospital IT apparatus than a safe. Also, in the event of a safe getting cracked, you'd likely have no recourse against the safe vendor. Safes are designed to present a firewall against tampering, but with sufficient physical access, no safe will stand for long. So your analogy fails two ways: one is that it trivializes the difficulty of the problem you're analogizing, and the other is that even if it were a good analogy, it would cut against your argument.

[rudedogg]

> It's a lot harder to design a secure hospital IT apparatus than a safe.

Yeah I agree there.

I'm curious what the surface area could look like. What is the minimum a hospital could operate with? How locked down could things be? Anyone in healthcare care to comment?

[RandallBrown]

My house would be trivially easy to break into but if someone did, I wouldn't be responsible.

Even if I leave the door unlocked, it's still a crime to break in and take my stuff.