undefined | Better HN

0 pointsColinDabritz7y ago0 comments

Not the op, but meaningful fines, executive jail time for gross negligence and especially for intentionally taking inappropriate risks, breaking up or closing companies that are shown over time to be unable to safely handle sensitive information. Proper regulation. Consequences that can't be cynically taken as the cost of doing business.

0 comments

UncleMeat7y ago

Jail time for bugs? Have people here every worked on products?

Bugs and security vulns are literally inevitable. Security is important but it this was the standard I'm not sure that any company would still exist.

ColinDabritzOP7y ago

Jail time for bugs that should have been preventible and caused harm to users. Mistakes and bugs happen, but we also have methods of mitigating them. Standards, quality controls, tests, analysis, and other care. I specifically said jail time for gross negligence because that means not taking care and allowing harm to users.

If you had an error that leaked private information, it's worth an investigation. If it made it through despite controls, that's understandable. If they find you failed to do analysis on the risk to users privacy, if you failed to have controls in place, if you didn't code review or test the code, then you have made specific choices that harmed users. That should be criminal.

We need to take software engineering seriously as a discipline. We have the potential to do more wide scale aggregate harm than any structural engineering collapse. We need to start acting like it.

UncleMeat7y ago

What is "should have been preventable"? Mandatory continuous fuzzing of all apis? Interprocedural static analysis to detect all of the owasp top ten? Manual audits of all dependencies and transitive dependencies on every update? Hire world class auditors to manually inspect code?

I'm a huge security person. It's my job. But its unbelievably difficult to secure programs even if there are clear steps in hindsight that could have prevented a bug.

1 more reply

mirashii7y ago

Nobody said jail time for bugs, and phrasing that way is intentionally obscuring the debate. Gross negligence is an entirely different standard than just software bugs.

UncleMeat7y ago

Lots of people in this thread are explicitly saying jail time for bugs.

What evidence is there that this was gross negligence?

vwcx7y ago

But why do financial services bugs garner a higher penalty than one that exposes private photos? This is an argument for regulation.

Veen7y ago

> Security is important but it this was the standard I'm not sure that any company would still exist.

This is true and it's also the reason why there are more software vulnerabilities than necessary. Software could be a lot more secure. There will always be bugs, but its is possible to build software and platforms with many fewer vulnerabilities. But it's expensive, so we don't, and users suffer the consequences while the companies shrug their shoulders and count their money.

j / k navigate · click thread line to collapse

0 comments

UncleMeat7y ago

Jail time for bugs? Have people here every worked on products?

Bugs and security vulns are literally inevitable. Security is important but it this was the standard I'm not sure that any company would still exist.

ColinDabritzOP7y ago

We need to take software engineering seriously as a discipline. We have the potential to do more wide scale aggregate harm than any structural engineering collapse. We need to start acting like it.

UncleMeat7y ago

I'm a huge security person. It's my job. But its unbelievably difficult to secure programs even if there are clear steps in hindsight that could have prevented a bug.

1 more reply

mirashii7y ago

Nobody said jail time for bugs, and phrasing that way is intentionally obscuring the debate. Gross negligence is an entirely different standard than just software bugs.

UncleMeat7y ago

Lots of people in this thread are explicitly saying jail time for bugs.

What evidence is there that this was gross negligence?

vwcx7y ago

But why do financial services bugs garner a higher penalty than one that exposes private photos? This is an argument for regulation.

Veen7y ago

> Security is important but it this was the standard I'm not sure that any company would still exist.

j / k navigate · click thread line to collapse