Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
jcgrillo 6 hours ago

> any software company should be legally responsible for not being able to match the resources of a nation-state that might want to compromise their data

No. Not the company, holding companies responsible doesn't do much. The engineer who signed off on the system needs to be held personally liable for its safety. If you're a licensed civil engineer and you sign off on a bridge that collapses, you're liable. That's how the real world works, it should be the same for software.

horsawlarway 6 hours ago | parent [-]

Define "safety".

jcgrillo 6 hours ago | parent [-]

Obviously if someone dies or is injured a safety violation has occurred. But other examples include things like data protection failures--if for example your system violates GDPR or similar constraints it is unsafe. If your system accidentally breaks tenancy constraints (sends one user's data to another user) it is unsafe. If your system allows a user to escalate privileges it is unsafe.

These kinds of failures are not inevitable. We can build sociotechnical systems and practices that prevent them, but until we're held liable--until there's sufficient selection pressure to erode the "move fast and break shit" culture--we'll continue to act negligently.

horsawlarway 6 hours ago | parent [-]

None of those are what OP proposed. Frankly, we also cover many of these practices just fine. What do you think SOC 2 type 2 and ISO 27001 are?

It seems like your issue is that we don't hold all companies to those standards. But I'm personally ok with that. In the same way I don't think residential homes should be following commercial construction standards.

jcgrillo 5 hours ago | parent [-]

> None of those are what OP proposed.

That doesn't worry me overly much.

> What do you think SOC 2 type 2 and ISO 27001 are?

They're compliance frameworks that have little to no consequences when they're violated, except for some nebulous "loss of trust" or maybe in extreme cases some financial penalties. The problem is the expectation value of the violation penalty isn't sufficient to change behavior. Companies still ship code which violates these things all the time.

> It seems like your issue is that we don't hold all companies to those standards.

Yes, and my issue is that we don't hold engineers personally liable for negligent work.

> I don't think residential homes should be following commercial construction standards.

Sure, there are different gradations of safety standards, but often residential construction plans require sign-off by a professional engineer. In the case when an engineer negligently signs off on an unsafe plan, that engineer is liable. Should be exactly the same situation in software.