by _heimdall 687 days ago
While I agree based on the quality of software development I've seen over 15 years in the industry, I don't think the hard requirement should be a regulatory structure.

That absolutely can work, and does for plenty of industries, but it also creates the potential for a false sense of security until planes start falling out of the sky.

My frustration, and disappointment, in the software industry has generally been the complete unwillingness at scale for us to take on the responsibility to ensure safety and reliability without regulations enforcing it. Plenty of this responsibility (blame?) falls on companies led by individuals who are solely focused on profit and self-interest, but we have to own some of the responsibility as we're the ones agreeing to write and ship bad code.

There are plenty of software systems built for security (eg. OpenBSD, Haskell @ Galois, CapROS), but by-and-large customers don't use them. Shiny new features brought quickly to market seem to beat out security and reliability every time. This pattern seems to extend into other industries that have adopted software as well, eg. the auto industry is in the process of transitioning from shipping highly reliable cars that just drive to shipping computers on wheels that frequently can't go.

Understanding why this happens would be an interesting research project. Part of it might be information asymmetry with customers (shiny new features are very visible at sale time and reliability is totally unknown, so customers tend to weight known features over unknown reliability), and part might be principal-agent issues (the decision maker who bought the software will have collected their bonus and retired long before the data breach can be attributed to them), and part might be that the market simply hasn't caught up to the negative consequences of all this change and careless companies will be purged by the market in the future.

I'm not terribly fond of regulation as a solution either. It tends to overconstrain industries, prevent innovation, and leave a hole at the lower end of the market that eventually makes products unaffordable. But there should be some quality mechanism that incentivizes decision makers to do the right thing and invest in quality even when there's a cost in features.

Removing legal protections for corporations and those in charge would go a long way. For example, if those in charge are personally liable for wrongdoing they would think twice. CrowdStrike as a product may not even exist as it is in that world; a company leader may not want the personal risk of being able to take down a large chunk of the internet. There also may not be security holes to guard if the leaders of an OS company weren't willing to skip security in favor of fancy new AI features.

This is a nice idea but the problem isn't the individuals in the system but the system itself. As long as shareholder value/profit is the only factor companies consider, this is the end result you will get.

Management is just making decisions based on what the companies value and companies are just valuing what their shareholders value which is more money for the shareholders.

The best way to fix it would be to reform the stock market system so that companies aren't beholden to uninvolved third parties looking to make a quick buck. Only active employees should own stock in companies and sit on company boards.

This would also require reforming the retirement system so retirement money isn't just dumped into the stock market. It needs to instead go somewhere safe and just sit. Retirement funds being in the stock market creates a huge inflationary feedback loop by demanding constant increases in profits which cause companies to raise prices which causes retirement funds to need to be bigger which causes them to demand more profit increases.

I'm not opposed to stock market reforms, I'm sure there's good that could be done there. Even with today's stock market setup and companies' fiduciary obligations, if a company could be meaningfully financially by legal actions they would think twice.

Take CrowdStrike for example. If the company and its leadership weren't so well shielded from financial and legal liability they likely wouldn't have had a process that allowed rolling out an untested update to the entire world at once. Instead, they have a CEO that did effectively the same thing at McAfee before allowing it at CrowdStrike and the company will likely get little more than a financial slap on the wrist.

Would it solve everything? Absolutely not, and other actions like changes to the stock market could help. But it surely would make a difference if leadership and companies knew they could actually be ruined if they are provably negligent or culpable in damages caused.

> "Removing legal protections for corporations and those in charge would go a long way. For example, if those in charge are personally liable for wrongdoing they would think twice."

Cute fantasy about pinning everything on management but people do remember the old adage that "shit rolls downhill" don't they? What that will result in is very onerous processes and certifications mandated by "those in charge" on the people at the bottom to generate ironclad proof of no wrongdoing, at least for themselves. Maybe that is ultimately what this industry needs but it is also going to result in a work environment which really sucks a lot.

It isn't about pinning everything on management, that's just as unfair to them as today's setup is for everyone else.

When management actively makes decisions to prioritize profit over security, for example, they should be held personally liable when a security issue occurs. I'm not really sure what a reasonable argument for that not being the case would look like.

If such a setup did result in a shitty work environment, people would ultimately have the option to not work at certain companies or to work for themselves. We can't assume that people must work for big tech and limit ourselves to what works in that sandbox.

A lot of things besides CrowdStrike would not exist in that world, notably Windows and your electric utility. Some people might consider that an improvement, but beware unintended consequences.
Are you assuming that Windows and electric companies are all run by people knowingly making decisions to cut corners and put the company at risk?

Leaders of an electric company shouldn't be held liable for a lightning strike that starts a fire, for example. But they should be held liable if they purposely decide not to spend the money it takes to maintain power lines and a tree branch that should have been trimmed falls and starts a fire.

There would be consequences of such a system that change what we have today, but I wouldn't expect that to mean we couldn't possibly have things like electric companies.

My perfect example of the failure of our industry to maintain any professional standards is the widespread use of YAML.

This is used as a configuration and data exchange format despite having no formal definition, resulting in different results based on the parser used, and a weak typing system that has caused many bugs in many applications that use it. This despite the fact that many better, more reliable configuration and data interchange systems existed even before YAML got popular.
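As an added illustration of the implicit-typing problem the comment above describes (this code is mine, not the commenter's and not from any YAML project), the following Python reimplements the implicit scalar resolution rules of YAML 1.1, as PyYAML's default resolver applies them, and of the YAML 1.2 core schema, then lints a constructed config for unquoted scalars that the two schemas read as different types or different values. It deliberately uses no YAML library so that it runs stand-alone; the regular expressions are transcribed from the two specifications, and the sample config, its keys and values are constructed for this example.

```python
import re

# YAML 1.1 implicit tags, in the order PyYAML's default resolver tries them
# (bool, float, int, null). Timestamps and merge keys are omitted for brevity.
YAML11 = [
    ("bool", re.compile(r"^(?:yes|Yes|YES|no|No|NO|true|True|TRUE|false|False|FALSE"
                        r"|on|On|ON|off|Off|OFF)$")),
    ("float", re.compile(r"^(?:[-+]?(?:[0-9][0-9_]*)\.[0-9_]*(?:[eE][-+][0-9]+)?"
                         r"|\.[0-9_]+(?:[eE][-+][0-9]+)?"
                         r"|[-+]?[0-9][0-9_]*(?::[0-5]?[0-9])+\.[0-9_]*"
                         r"|[-+]?\.(?:inf|Inf|INF)|\.(?:nan|NaN|NAN))$")),
    ("int", re.compile(r"^(?:[-+]?0b[0-1_]+|[-+]?0[0-7_]+|[-+]?(?:0|[1-9][0-9_]*)"
                       r"|[-+]?0x[0-9a-fA-F_]+|[-+]?[1-9][0-9_]*(?::[0-5]?[0-9])+)$")),
    ("null", re.compile(r"^(?:~|null|Null|NULL|)$")),
]

# YAML 1.2 core schema: no yes/no/on/off, no leading-zero octal, no sexagesimal.
YAML12 = [
    ("null", re.compile(r"^(?:~|null|Null|NULL|)$")),
    ("bool", re.compile(r"^(?:true|True|TRUE|false|False|FALSE)$")),
    ("int", re.compile(r"^(?:[-+]?[0-9]+|0o[0-7]+|0x[0-9a-fA-F]+)$")),
    ("float", re.compile(r"^(?:[-+]?(?:\.[0-9]+|[0-9]+(?:\.[0-9]*)?)(?:[eE][-+]?[0-9]+)?"
                         r"|[-+]?\.(?:inf|Inf|INF)|\.(?:nan|NaN|NAN))$")),
]


def _sexagesimal(s, conv):
    """Base-60 digit groups such as 1:30 (YAML 1.1 only)."""
    sign = -1 if s.startswith("-") else 1
    v = 0
    for part in s.lstrip("+-").split(":"):
        v = v * 60 + conv(part)
    return sign * v


def int11(s):
    s = s.replace("_", "")
    sign = -1 if s.startswith("-") else 1
    body = s.lstrip("+-")
    if body.startswith("0b"):
        return sign * int(body[2:], 2)
    if body.startswith("0x"):
        return sign * int(body[2:], 16)
    if ":" in body:
        return _sexagesimal(s, int)
    if body.startswith("0") and len(body) > 1:   # 0777 is octal in YAML 1.1
        return sign * int(body[1:], 8)
    return sign * int(body)


def float11(s):
    s = s.replace("_", "")
    low = s.lower()
    if low.endswith(".inf"):
        return float("-inf") if s.startswith("-") else float("inf")
    if low.endswith(".nan"):
        return float("nan")
    if ":" in s:
        return _sexagesimal(s, float)
    return float(s)


def int12(s):
    if s.startswith("0o"):
        return int(s[2:], 8)
    if s.startswith("0x"):
        return int(s[2:], 16)
    return int(s)                                  # int("0777") is decimal 777


def float12(s):
    low = s.lower()
    if low.endswith(".inf"):
        return float("-inf") if s.startswith("-") else float("inf")
    if low.endswith(".nan"):
        return float("nan")
    return float(s)


VALUE11 = {"null": lambda s: None, "bool": lambda s: s.lower() in ("yes", "true", "on"),
           "int": int11, "float": float11}
VALUE12 = {"null": lambda s: None, "bool": lambda s: s.lower() == "true",
           "int": int12, "float": float12}


def resolve(scalar, schema, converters):
    """Return (tag, value) for a plain (unquoted) scalar under the given schema."""
    for tag, pattern in schema:
        if pattern.match(scalar):
            return tag, converters[tag](scalar)
    return "str", scalar


def parse_line(line):
    """Split a flat `key: value` line into (key, raw value, was_quoted); None if not one."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or ":" not in stripped:
        return None
    key, _, rest = stripped.partition(":")
    rest = rest.strip()
    if rest[:1] in ("'", '"'):
        end = rest.find(rest[0], 1)
        return key.strip(), rest[1:end], True
    return key.strip(), re.split(r"\s+#", rest, maxsplit=1)[0].rstrip(), False


def lint_config(text):
    """List unquoted scalars that are implicitly typed, marking those where 1.1 and 1.2 differ."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2]:
            continue                               # quoted values are strings everywhere
        key, raw, _ = parsed
        r11 = resolve(raw, YAML11, VALUE11)
        r12 = resolve(raw, YAML12, VALUE12)
        if r11[0] == r12[0] == "str":
            continue
        kind = "diverges" if r11 != r12 else "implicit"
        findings.append((key, raw, kind, r11, r12))
    return findings


# Constructed sample config (hypothetical keys, not from any real project).
SAMPLE = """\
country: NO          # 1.1: boolean false, 1.2: string
version: 1.10        # both: float 1.1, trailing zero lost
mode: 0777           # 1.1: octal 511, 1.2: decimal 777
start: 1:30          # 1.1: sexagesimal 90, 1.2: string
debug: on            # 1.1: boolean true, 1.2: string
port: "8080"         # quoted, so a string in both
name: alice          # plain string in both
"""

if __name__ == "__main__":
    for key, raw, kind, r11, r12 in lint_config(SAMPLE):
        print(f"{key:8} {raw!r:10} {kind:9} yaml1.1={r11} yaml1.2={r12}")
```

Running the linter over a config before shipping it, or in CI, catches the cases where the value a reader sees in the file is not the value the application will receive; quoting every scalar that is meant to be a string removes the parser dependence entirely.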

I have often blamed software engineers for being complicit, however we should avoid a system that forces a worker to bear the cost of this choice in the first place.
That's a bit of a chicken-and-egg problem, isn't it? We can only avoid a system that forces a worker to bear the cost if they first decide to bear it.
If we force people to choose between paying the bills and cutting corners we know what happens - we have seen this movie many times in history.

I prefer the idealistic view that each individual can make a change through choice, but the reality is that choice is a privilege that isn't evenly distributed across the population. For example some can afford to not shop at Walmart, others can not - paradoxical as it may be from a local economics perspective.

Regulation is the typical blunt instrument to move the incentives to the business leaders rather than the individual. Other commenters don't think regulation is the answer, but I think most agree doing nothing won't change the status quo soon enough.

> For example some can afford to not shop at Walmart, others can not - paradoxical as it may be from a local economics perspective.

While I personally agree with the sentiment of your comment in general, this piece really is part of the blind spot in my opinion.

The assumption here is that everyone has to get all of their food from a grocery store, and the only question is what quality of products you can afford. It doesn't have to be that way, and wasn't until very recently in human history.

We almost always have alternatives. They just often seem so extreme as to not be feasible. People can grow their own food though. And at least in the US, we could go without a huge portion of the crap we spend money on every year. We just choose not to. There's absolutely nothing wrong with that choice, but it's important to realize it is a choice.

I can see your point. What I was hoping to highlight is slightly different which can be illustrated through your comment on growing your own food - you need the privilege of both time and space to even do that. Lacking both you may be forced to choose something that harms your long term interests like shopping at Walmart and putting local grocers you can't afford out of business.

A good example of this is an urban single parent of multiple kids; time and space are likely very scarce and choices are limited.