
Equifax Was Warned - pfg
https://motherboard.vice.com/en_us/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning
======
otakucode
In other engineering industries, ignoring the heedings of engineers results in
charges of criminal negligence and corporate executives spending time in
prison. Eventually that will be the case for software engineering as well. But
Equifax probably won't tip the scale. My money is on the first company that
walks away unscathed after a self-driving car plows through a preschool or
something like that.

We already had Toyota following the same abysmally unsafe (but dirt cheap!)
practices that most of the industry does, ignoring 90 of 94 'required or
suggested' practices for firmware development the automobile industry
recommends, their developers not even having a bug tracker, not using ECC
memory while lying and claiming they were, etc., resulting in multiple deaths -
and an acquittal for criminal negligence. The court pointed out there are no
standards that the court could claim they violated. And they're correct. This
issue has been debated in the Communications of the ACM for several years now,
whether software engineering needs some sort of certification process or
regulatory body which can make substantive judgements. Companies don't want it
because they're aware of what a laughably cheap resource software engineers
are and don't want that price to go up. Software engineers don't want it
because any regulatory body is destined to make stupid decisions. But how long
will the general public tolerate being ground under the wheels (literally) of
bad software before demanding something be done? And just how much worse will
those standards be when drafted by committees of lobbyists and bureaucrats?

Good article about the Toyota fiasco:
[https://www.edn.com/design/automotive/4423428/Toyota-s-killer-firmware--Bad-design-and-its-consequences](https://www.edn.com/design/automotive/4423428/Toyota-s-killer-firmware--Bad-design-and-its-consequences)

~~~
jlgaddis
> _Eventually that will be the case for software engineering as well ... My
> money is on the first company that walks away unscathed after a self-driving
> car plows through a preschool or something like that._

I agree with you that "eventually that will be the case".

I don't think it will happen until some people in government -- politicians
who can actually make/change the laws -- are personally impacted or affected
in some really major way, though. Until that point, their lobbying friends
will persuade them that everything is fine.

It's just like trying to warn management about "bad shit" that could happen.
Nothing will change until it actually does happen -- and then you will see a
swift, overwhelming response.

------
babesh
I think this is to be expected from organizations that don't have software as
a core activity. You don't attract the best people, don't motivate the people
you have, and don't promote them. It has happened again and again: Target,
Equifax, Toyota, Therac-25, etc... The seemingly most effective means of
mitigating it appears to be to throw money at people (ex: Wall Street and to a
lesser extent biotech) or to be in a really hot field (which basically allows
you to throw money at the problem).

~~~
babesh
There are two other ways to solve the problem. Wait for a more
software-oriented company to eat the existing company's lunch, or software as a
service. The SaaS approach seems to work best for large markets.

------
sschueller
With such disregard for security it was probably also possible to change data
with a simple SQL injection.

If you were a malicious person, imagine the possibilities.

