[nostrademons]

There are plenty of software systems built for security (eg. OpenBSD, Haskell @ Galois, CapROS), but by-and-large customers don't use them. Shiny new features brought quickly to market seems to beat out security and reliability every time. This pattern seems to extend into other industries that have adopted software as well, eg. the auto industry is in the process of transitioning from shipping highly reliable cars that just drive to shipping computers on wheels that frequently can't go.

Understanding why this happens would be an interesting research project. Part of it might be information asymmetry with customers (shiny new features are very visible at sale time and reliability is totally unknown, so customers tend to weight known features over unknown reliability), and part might be principle agent issues (the decision maker who bought the software will have collected their bonus and retired long before the data breach can be attributed to them), and part might be that the market simply hasn't caught up to the negative consequences of all this change and careless companies will be purged by the market in the future.

I'm not terribly fond of regulation as a solution either. It tends to overconstrain industries, prevent innovation, and leave a hole at the lower end of the market that eventually makes products unaffordable. But there should be some quality mechanism that incentivizes decision makers to do the right thing and invest in quality even when there's a cost in features.

[_heimdall]

Removing legal protections for corporations and those in charge would go a long way. For example, if those in charge are personally liable for wrongdoing they would think twice. CrowdStrike as a product may not even exist as it is in that world, a company leader may not want the personal risk of being able to take down a large chunk of the internet. There also may not be security holes to guard if the leaders of an OS company weren't willing to skip security in favor of fancy new AI features.

[dopylitty]

This is a nice idea but the problem isn't the individuals in the system but the system itself. As long as shareholder value/profit is the only factor companies consider this is the end result you will get.

Management is just making decisions based on what the companies value and companies are just valuing what their shareholders value which is more money for the shareholders.

The best way to fix it would be to reform the stock market system so that companies aren't beholden to uninvolved third parties looking to make a quick buck. Only active employees should own stock in companies and sit on company boards.

This would also require reforming the retirement system so retirement money isn't just dumped into the stock market. It needs to instead go somewhere safe and just sit. Retirement funds being in the stock market creates a huge inflationary feedback loop by demanding constant increases in profits which cause companies to raise prices which causes retirement funds to need to be bigger which causes them to demand more profit increases.

[_heimdall]

I'm not opposed to stock market reforms, I'm sure there's good that could be done there. Even with today's stock market setup and companies' fiduciary obligations, if a company could be meaningfully financially by legal actions they would think twice.

Take CrowdStrike for example. If the company and its leadership wasn't so well shielded from financial and legal liability they likely wouldn't have had a process that allowed rolling out an untested update to the entire world at once. Instead, they have a CEO that did effectively the same thing at McAfee before allowing it at CrowdStrike and the company will likely get little more than a financial slap of the wrist.

Would it solve everything? Absolutely not, and other actions like changes to the stock market could help. But it surely would make a difference if leadership and companies knew they could actually be ruined if they are provably negligent or culpable in damages caused.

[ThrowawayR2]

> "Removing legal protections for corporations and those in charge would go a long way. For example, if those in charge are personally liable for wrongdoing they would think twice."

Cute fantasy about pinning everything on management but people do remember the old adage that "shit rolls downhill" don't they? What that will result in is very onerous processes and certifications mandated by "those in charge" on the people at the bottom to generate ironclad proof of no wrongdoing, at least for themselves. Maybe that is ultimately what this industry needs but it is also going to result in a work environment which really sucks a lot.

[_heimdall]

It isn't about pinning everything on management, that's just as unfair to them as today's setup is for everyone else.

When management actively makes decisions to prioritize profit over security, for example, they should be held personally liable when a security issue occurs. I'm not really sure what a reasonable argument for that not being the case would look like.

If such a setup did result in a shitty work environment, people would ultimately have the option to not work at certain companies or to work for themselves. We can't assume that people must work for big tech and limit ourselves to what works in that sandbox.

[nostrademons]

A lot of things besides CrowdStrike would not exist in that world, notably Windows and your electric utility. Some people might consider that an improvement, but beware unintended consequences.

[_heimdall]

Are you assuming that Windows and electric companies are all run by people knowingly making decisions to cut corners and put the company at risk?

Leaders of an electric company shouldn't be held liable for a lightning strike that starts a fire, for example. But they should be held liable if they purposely decide not to spend the money it takes to maintain power lines and a tree branch that should have been trimmed falls and starts a fire.

There would be consequences of such a system that change what we have today, but I wouldn't expect that to mean we couldn't possibly have things like electric companies.