by campground 1743 days ago
Analogies are always flawed, but I sometimes feel like computer engineering today is in the same place that mechanical engineering was 100 years ago, with the (fortunately less deadly) equivalent of a boiler exploding or a vat of molasses rupturing every other week. Does this mean we need more stringent regulatory and certification regimes for IT and computer security?
3 comments

I would hesitate to put all of computer engineering into the same bucket.

Continuing the analogy, some mechanical engineers were better at learning from their exploded boilers than others were.

A few (many?) of us in the industry have been quietly watching and learning from the explosions occurring across the street. About once a week you find some wreckage strewn across the way, and you find familiar stories in the tangled mess: "Too much webscale", "didn't care about the business", "meme language crippled productivity", etc. It usually doesn't take a forensic mastermind to determine why a software product exploded, at least in strategic terms.

> Does this mean we need more stringent regulatory and certification regimes for IT and computer security?

No. We do not need any more arbitrary regulatory & certification processes in our lives. If you have a specific business application that requires additional scrutiny (e.g. a nuclear reactor scram control system), then the appropriate domain-specific regulations & certifications should be applied. It makes absolutely no sense to impose these constraints upon the field at large.

> It makes absolutely no sense to impose these constraints upon the field at large.

As soon as you deal with customer PII, it does make sense to mandate a) insurance and b) standards.

Just how much PII got compromised because of failure to adhere to basic IT security standards? Target got hacked because they put IoT devices on the same network as the cash registers and CC readers. Web shops are hacked every day because of software unpatched for years. Hospitals and other critical infrastructure get hacked on a weekly basis because of even more unbelievable security issues (like, once again, running unpatched software and lacking network segmentation).

And don't get me started on the utterly disgusting shit you see in smartphone BSPs. The stuff that vendors do there is just mind boggling - if I were a secret service looking for an exploit, I'd start in the horribly patched-together kernels. Or in IoT devices that are outdated the very moment they leave the factory floor.

Yes, we definitely need a lot more mandatory quality control and standards.

I don't think the full meaning of my post was taken to heart.

> If you have a specific business application that requires additional scrutiny (e.g. a nuclear reactor scram control system), then the appropriate domain-specific regulations & certifications should be applied.

Feel free to replace "nuclear reactor scram control system" with "PII" or any other less urgent thing that makes the particular business nervous. There are many problem domains where you literally cannot fuck this stuff up even if you tried.

The stakes for indie game developers are substantially different than those for a F500 insurance company.

We definitely need to get the fuck out of other people's business. If you don't want someone to have your PII, don't share it with them. Regulating everyone on the same axis is pure tyranny when the problem space is so large.

> The stakes for indie game developers are substantially different than those for a F500 insurance company.

No, they are not: if your indie game has network connectivity with security bugs, it can and will be exploited.

It does, however, make sense to take a lesson from medicine: networked computers with common vulnerabilities are prone to herd infections, in analogy to biological epidemics, mass hysteria, etc. So it does make sense to, e.g., preventively quarantine all unpatched Windows boxes, and to prescribe security measures and development practices for those systems where a network-wide spreading event may be caused.

If you look closely enough you'll find that boilers are still exploding and chemical spills are still occurring. 98 people died in June from a building that simply collapsed in Florida, despite ample warning signs from inspectors and regulators.

Engineering is just hard, full stop.

How does "Engineering is just hard" follow from "despite ample warning signs from inspectors and regulators"?

What does follow from that is "listening to engineers is hard", because it costs money, time and other resources.

This company tried to blame anarchists for bombing the tank, but in the IT world it actually is anarchists bombing the tank. Real-life infrastructure isn't under attack by other humans 24/7. If it had been anarchists that caused this, we would probably have seen an expansion of the police state rather than corporate regulations.