Ex Post Office CEO hands back award after IT failures lead to false convictions (bbc.com)
146 points by alibarber 8 months ago | 127 comments



A decade ago, as I was stressing out about an upcoming go-live, my boss at the time (a wonderful, caring, thoughtful person) provided well-intended advice; he said something like "My wife is a doctor; when she does her job poorly people die! Cheer up, we just move code around".

It was intended to give a relatively junior architect some perspective; and perspective is indeed important.

But I think in IT, much more often we commit the opposite error - we are too disconnected from consequences of our seemingly abstract, technical, impersonal work.

I currently work on a massive Payroll ERP. In many ways a boring, uncool system. But if we don't do our job right, people don't get paid right, and while that may not have the same immediate impact as a doctor mistake, it's... very much a real human impact. And more of us could probably draw a line from IT error to human impact if we consciously actively tried to.

Devastating story, every time I read about it. Should be taught in Computer Science universities alongside the Therac-25 and a few other choice cases :|


> But if we don’t do our job right, people don’t get paid right, and while that may not have the same immediate impact as a doctor mistake, it’s... very much a real human impact.

As someone whose spouse is a teacher in the San Francisco Unified School District (where they had a disastrous rollout of new payroll and HR software), the effects are very, very real and concrete to me. Luckily, I work in tech and we could handle the problems, but many teachers live paycheck-to-paycheck. We know of teachers who have donated blood to get rent money because they weren’t paid, and one teacher died from cancer while being denied healthcare as a result of the HR software being borked. Total disaster with real, negative human consequences, unfortunately.


I don’t really think this is true anymore.

When a doctor messes up, their patient gets hurt. When we mess up, millions get inconvenienced. You can’t really say one is worse than the other. Take Twitter for example. You could say “so what, people can’t tweet for a while” but among those millions of users are a couple (like the Japanese tsunami twitter account) where lives can be lost if your service doesn’t perform adequately.

I work in financial services — if my bug causes a million people to lose money, what percentage of that million were on the border of suicide and my bug tipped them over the edge? Even if that number is 0.1 person / 1 million that means I can commit 10 such bugs in my lifetime before I’ve statistically taken a life.

Not saying this line of thinking is right or healthy, but it’s just not as black and white as “doctor can kill people, we can’t”.


I believe we are in complete agreement though, if you read through the entirety of the post? :)

My main point was indeed: "While we may not have as immediate and visible impact on people's health, we can and do have significant impact on people's well-being, and should think more consciously on such connections"


I wish more people thought like you. To be particularly relevant to your industry: https://en.wikipedia.org/wiki/Phoenix_pay_system?wprov=sfti1...


> "My wife is a doctor; when she does her job poorly people die! Cheer up, we just move code around".

I can't imagine the pressure to write this code:

> In 2014, former CIA and NSA director Michael Hayden said in a public debate, “We kill people based on metadata.”

> According to multiple reports and leaks, death-by-metadata could be triggered, without even knowing the target’s name, if too many derogatory checks appear on their profile. “Armed military aged males” exhibiting suspicious behavior in the wrong place can become targets, as can someone “seen to be giving out orders.” Such mathematics-based assassinations have come to be known as “signature strikes.”

rollingstone.com/politics/politics-features/how-to-survive-americas-kill-list-699334/


> we are too disconnected from consequences of our seemingly abstract, technical, impersonal work

i think it's important to be connected to your work (when it matters, like your former boss said), but I realized that we're all just human beings, and we each have a set capacity for such things

a few people may be able to knock out life-saving operation after operation and just pound a stiff drink before going back to the OR the next day for years on end, but the rest of us can only do that sort of thing for a year or two tops before 'shutting off' (or burning out)

going back and forth between 'boring, but dependable' and 'exciting, but mercurial' seems to keep my personal trajectory interesting at least :)


I think there's also a lot of engineers with a, shall we say, hands off attitude about ethics and the downstream effects of the software they are writing. Like it's "Boss told me to do it" or "Boss told me not to do it" and that's the end of the ethical quandary! Software engineers need to take at least partial responsibility for the code they are physically typing in and causing to come into existence. If that software is going to fail and cause harm to people, it's literally your job and responsibility as a professional engineer to raise that concern and stop it from shipping.

A lot of software teams have too much of a "JIRA ticket is closed, so my work here is done" attitude.


totally agree, i think the problem is deeper than an engineering problem; every industry can find a group of people "just doing their jobs"

thinking about it, the excuse is often "i gotta pay my mortgage / bills / child's college" , but I have a hard time pointing to self-inflicted debt as the root cause of human suffering

unless we just want to sweep it all under sin: "greed"


My expectations for people to take ethical responsibility generally scales with rank/level. It’s hard to fault a junior engineer for doing what they’re told; they might not even know about any harms they are doing, or maybe they’re economically vulnerable and can’t speak up for fear of losing their job.

On the other hand, a Director or Staff Engineer has my full blame for anything unethical that happens under their purview.


> there's also a lot of engineers with a, shall we say, hands off attitude about ethics and the downstream effects

Yeah. I know one (not involved in my projects thankfully) whose response to pointing out likely downstream problems is generally "that sounds like a 'their' problem rather than a 'me' problem".

And I'm quoting, as I've heard it from them often. :(


If it could save a person's life, could you find a way to save ten seconds off the boot time? If there were five million people using the Mac, and it took ten seconds extra to turn it on every day, that added up to three hundred million or so hours per year people would save, which was the equivalent of at least one hundred lifetimes saved per year.

https://libquotes.com/steve-jobs/quote/lbl2z6p


The equivalence is useless. There was not 100 lives of productive work done in that time, there was just 5M instances of 10 seconds being saved.

"We made the planet 100 lives more productive" is just self-congratulatory.


During boot time, one can sip one's coffee, glance at the newspaper, maybe tidy the desktop a little.


Who boots every day?


The Steve Jobs quote was from the 1980s. Back then, you really did boot daily (at least; it wasn't uncommon on both Macs and PCs in that era to need to reboot multiple times a day because applications could and did crash the system often).


I remember Mac OS crashing so much I found ways to resume the system from a crash state in some instances by pressing key combos and typing incantations into a shell of some sort.


I do, quite a few of my roommates in the past had as well.

We use desktop machines that consume a bit of juice. SSDs are fast, why not save the electricity/heat?

I feel this seems odd because of laptops and phones being overwhelmingly popular


Not many corporations do user research. Architects and developers should be attending these sessions.

Seeing with your own eyes how the average user of the system interacts with it is sobering for many. Sometimes it leads to fundamental changes in thinking and has an overall positive effect on the product.


The Post Office were told about the problems in 2003 but decided to sack the contractor they had hired to check their software rather than deal with the problems.

https://www.bbc.co.uk/news/uk-england-lancashire-67921974

Why aren't management in the dock over this?


Fujitsu provided shoddy software that was inadequate for the job, then lied about it. The Post Office threw hundreds of subpostmasters under the bus, rather than admit the issues in the system. Senior management at both the Post Office and Fujitsu should be in the dock.

There has only been 1 Fujitsu whistleblower (as far I am aware). Surely hundreds of IT people must have known?

The mainstream print media mostly seem to have ignored this scandal, preferring instead to write about celebrity tittle-tattle (with a few honourable exceptions, such as Computer Weekly and Private Eye).

This scandal has been known for years. But only the recent TV drama seems to have forced most politicians to care about it (with a few honourable exceptions, such as Lord Arbuthnot).


While it is fair to say "Fujitsu," a more complete picture is a British company called International Computers Limited (ICL) acquired by Fujitsu after the Post Office job started. ICL seems like a British variant of IBM.

The Horizon accounting system was developed by ICL Pathway, owned by the Japanese company Fujitsu. [0]

International Computers Limited (ICL) was a British computer hardware, computer software and computer services company that operated from 1968 until 2002. [1]

In May 1996, ICL Pathway Limited (later Fujitsu Services (Pathway) Limited) was awarded the private finance initiative contract to develop the Horizon IT system to modernize Post Office and Benefits Agency operations. [1]

0. https://en.wikipedia.org/wiki/British_Post_Office_scandal

1. https://en.wikipedia.org/wiki/International_Computers_Limite...


The reference from that first wikipedia article, here: https://find-and-update.company-information.service.gov.uk/c..., dated 1996, states on the final page that the ultimate controller of ICL Pathway (who developed Horizon) was, at this time (1996), indeed Fujitsu.

It wasn't like Fujitsu had bought the company and inherited the liability - they had in fact themselves bid for and won the project - via these intermediaries.


There have been literally hundreds of articles about this in the mainstream media for well over a decade. Yes, Computer Weekly and Private Eye deserve the biggest share of credit for pursuing it, but it's simply not true to say that the rest of the media has ignored it. The real scandal is that even though it was widely reported, so little was done about it for years.


One upshot of the current UK government being in such dire straits in terms of their popularity, and this scandal causing such a universal uproar in public opinion, is that they do seem to be bending to it and actually doing something. Enough? Probably not.


I would be interested to know the number of articles published on the scandal by mainstream papers, such as the independent, Guardian, Times and Telegraph.


A quick search for ["post office" horizon] on The Times showed >700 articles. The Guardian and Independent both use Google, which show an improbable tens of thousands of results, but I'd imagine it's still similar to The Times.


Randomly selecting 2022, The Times seems to have published 5 articles substantially about the Horizons system. It's not nothing, but it is hardly a flood.


The function of the mainstream media (particularly in the UK) is not to inform the public but to keep them in line. It's worth remembering that Rupert Murdoch owns 4 newspapers and a TV channel.


Murdoch has possibly done more damage to the UK than any other human being alive.


They are paying out roughly 150k per prosecution. That seems low if most of those resulted in fines and jail time. Does anyone have a source for data on the outcomes of these cases?

(If pressed on “seems low” I couldn’t exactly say, but if ten million is the actuarial value of life then every year of adult life in prison should be worth at least 175k, on top of the difficulties of enduring prosecution and career and reputation being harmed.)


Andrew Malkinson was wrongly convicted and spent 17 years in a UK jail. He is likely to eventually get less than £1M compensation and that's after the government scrapped the rule that "board and lodge" would be subtracted from the compensation.

edit: accidentally a word.


17 years (missing a word.) Link for those unfamiliar like me. https://en.wikipedia.org/wiki/Wrongful_conviction_of_Andrew_...

That seems grossly unfair. Based on what I'm musing, at bare minimum, 3 million would be appropriate.


What's a good rationale for any particular sum?

I mean, for starters you can just calculate average lifetime earnings and subtract expected earnings of the person over the remainder of their lifespan, then add an amount per year in prison roughly corresponding to the QALY value of prison vs normal life...

But is there anything else you might add on? I expect the above calculation to only arrive at about a million for a country like the UK (which is less rich than the US and has less bad prisons).


> I mean, for starters you can just calculate average lifetime earnings and subtract expected earnings of the person over the remainder of their lifespan, then add an amount per year in prison roughly corresponding to the QALY value of prison vs normal life...

I would at least double, or triple it. He lost his life outside his work and earnings. He wasn't in prison for only 8h/day.


That's what the QALY cost would be about.

You probably don't want to give out much more than the cost of a QALY in your health system...


Needs a compound annual growth rate, plus there's lost opportunity costs.


It's an immediate 150k payment, followed by a further settlement figure. I think that's a choice between either 600k without question, or an investigation to assess actual loss.


> or an investigation to assess actual loss.

Which sounds like a poor taste joke given what led to this (poor investigation or lack thereof)


It is often trying to find any ways to pinch pennies, indeed.

A recent case made the news and prompted a change of the rules [1]. Until last year they deducted "living costs" from compensation for wrongful imprisonment because while a person is in jail they don't have to pay for food and housing, thereby saving money...

[1] https://www.bbc.co.uk/news/uk-66417103


That's why there is an option of a no investigation settlement. But if that were the only option, postmasters who felt that it didn't compensate them adequately would have reason to complain.


The problem with modern management is that they are rarely accountable to those that have been wronged. Rather, they are accountable to their bosses. And they are fine as long as they are sycophantic bootlickers.


From TFA:

"The Post Office said the honour was given for [Former Post Office boss Paula Vennells'] work on "diversity and inclusion", and her "commitment to the social purpose at the heart of the business and her dedication in putting the customer first".


Gross negligence. Claw back their wages to compensate the postmasters.


Not even close. They conspired to cover up deficiencies while people were being criminally prosecuted for the discrepancies caused by those deficiencies. They knew about it and they belong in jail. Nothing less.


Yes, they deserve the jail time they so effortlessly doled out to the innocent people.


American, here. I remember first hearing about this (maybe a couple of years ago) and just being in complete shock. And not much can shock me nowadays.

And reading this article just... I don't know what to say, honestly.

How could there be a complete and total lack of justice? And in the modern western world - it feels like the western world is turning into one big failed state.

Those that have been wronged are owed a great deal. I am not religious, but if I was, I would pray for them.


I can barely comprehend it. They conspired to maliciously prosecute hundreds of people to cover up their own incompetence and the consequences of that are "give that trophy back to the king". The rich and powerful truly live in a different world than the rest of us.


Part of the problem is that for historical reasons the post office can charge and prosecute people without the police needing to investigate.

The post office was a part of the country /government (I’m not sure what the right term is tbh) and it was privatised but kept those powers.


The Post Office remains part of the government.

It was Royal Mail that was privatised.

That a public corporation has persecuted these individuals makes it doubly worse. At any point the government minister in charge of the Post Office could have yanked chains and stopped it.


As far as I know, technically anybody [with deep enough pockets] can initiate private prosecution in the UK.


They can, but the CPS can always choose to take over the case -- and they are allowed to take over with the express intent of dropping the prosecution.

https://www.cps.gov.uk/legal-guidance/private-prosecutions


Hopefully this case will be the final nail in the coffin of private prosecutions. We don't need such things in the modern world.


In addition there were some cases prosecuted by the CPS:

https://www.telegraph.co.uk/news/2024/01/09/cps-keir-starmer...


> I am not religious, but if I was, I would pray for them.

Ironically, Paula Vennells, Post Office CEO at the time, is deeply and publicly religious. She's an ordained Anglican priest.


Anglican is the state religion in England, so that makes sense.


"Priest/CEO" is a really weird combination, though. Especially at the same time.


And especially when she oversaw the malignancy of destroying people's lives so that she can collect her bonus. At least she has the decency to announce that she's giving back her award (CBE) after many years of gaslighting everyone and of course now that a public petition quickly got over a million votes.

Paula Vennells needs to be locked up for a long time.


The article says the public inquiry started in 2021 and is ongoing.


It will conclude in the 2030s, when anybody who could have been held accountable is long dead, or retired and overseas or too infirm to stand trial. This is how it goes in the U.K., far too frequently - particularly when public bodies or government connected parties are involved.

They also aren’t typically about finding fault or figuring out who to blame, and don’t often result in criminal proceedings - they are about preventing reoccurrence.


> The article says the public inquiry started in 2021 and is ongoing.

...?

That won't assuage the 700 people who were already wronged, 4 of whom committed suicide.

Damage has been done, the inquiry is too little too late, and I am confident nothing will come of it.


Public inquiries are 100% pointless. They have no power to jail people or impose fines.


The UK is pretty much a failed state.


Not yet. But it certainly feels to be heading in that direction: shit in the rivers, health services struggling, local councils going bankrupt, underfunded regulators, rampant profiteering by pals of the government during COVID, scapegoating of the most vulnerable.


Yes. And the Tory press has been pushing us in the failing direction at every step.


Thanks capitalism. Sorry to be snarky, but I really do feel that the advent of Thatcherism/Reaganism led to a massive erosion of moral values in favor of raw economic leverage.


Interestingly the TV drama doesn't mention Adam Crozier, who was CEO of Royal Mail 2003-10. I wonder if this is at all related to the fact that Crozier was also CEO of ITV 2010-2017, the company that made the TV drama? Hmmm.

https://forums.digitalspy.com/discussion/2458110/itv-boss-an...


Stupidly, "Royal Mail" and "Post Office" are separate organizations.


They only separated in 2012.


It is curious how the BBC keep going on about it being Fujitsu and them being Japanese, yet the problematic system was developed by ICL in the UK prior to the Fujitsu acquisition.

The whole episode is an utter disgrace.


The final page of the company returns for ICL in 1996 (thanks to Wikipedia) notes that the ultimate controller of the company was indeed Fujitsu at that time. The rebrand happened in 2002, but it is correct to say that the system was developed by a part of Fujitsu.

https://find-and-update.company-information.service.gov.uk/c...


There is an excellent Computerphile video discussing some of the issues in the Horizons software system at the heart of this scandal: https://www.youtube.com/watch?v=hBJm9ZYqL10


Stuff like this shows that licensing for certain software development activities is long overdue.

Could you imagine if software engineering was like real engineering, with you having to sign off on work done and accepting personal liability, including fines and jail time for negligence? So much of software development as it is practiced today simply wouldn't be tolerated in such a world.


Yeah, the software was broken, but the real harm was caused by people much further up the chain of command when they refused to admit the software was broken, even after they were explicitly told so by a contractor they hired.

> with you having to sign off on work done and accepting personal liability

I think that makes it even easier for those at the top who are willing to lie and cheat because it becomes easy to use the lowly developers as scapegoats.

I think the only way you stop stuff like this scandal is to prosecute every c-suite executive that knew about the problem and helped cover it up instead of blowing the whistle on it. Claw back their wealth and send them to jail.


I think you've taken the complete wrong lesson from this. The problem wasn't the software - the software had bugs, all software does. The problem was that people in the Post Office and Fujitsu asserted there were no bugs, no bugs could happen and made all sorts of statements that weren't even plausible and those that went against them got prosecuted and destroyed. Not because the software didn't work but because the people in charge covered up the software not working rather than dealing with the fallout.

These exact shortfall issues could've happened and with an open and honest process of investigating the problems they could have been sorted decades ago. It wasn't the software that was the problem, it was the systematic cover up that was the problem.


I can't understand how no-one has been prosecuted for perjury or perverting the course of justice for declaring the infallibility of the software in a criminal trial.


> Could you imagine if software engineering was like real engineering, with you having to sign off on work done and accepting personal liability, including fines and jail time for negligence?

some sections of the industry have this (notably finance)


Perhaps a 3rd party, unaffiliated QA requirement or something would help.


Canada's Phoenix pay system (IBM and PeopleSoft) was quite problematic and caused financial suffering of federal employees for years, but thankfully without the outrageous legal pain inflicted on Horizon's victims.

https://www.cbc.ca/news/canada/ottawa/families-suffer-phoeni...


Here is the private eye report.

https://www.private-eye.co.uk/pictures/special_reports/justi...

For those who don't know, Private Eye is a UK published satirical magazine which takes it as its mission to go after liars, fraudsters, bent politicians, and all those who are a disgrace. It plays a pivotal role in British democracy and consequentially may be closed any day soon. It has been doing this since 1961 and everyone involved is a hero.


> may be closed any day soon. It has been doing this since 1961

Kind of contradictory, no? Nobody is going to shut Private Eye down any time soon.


Indeed. British politicians have not infrequently been crooks or shaggers (or like Boris, both), but we don't see the authoritarian tendencies that have seized the Right across much of the world in recent years.

Private Eye's biggest threat is likely the death of print, apparently the reason you can't get it at all except on paper is cited by the editor (Ian Hislop) as a success factor. I admit if I could pay the same and get it online (instead of a package through the door every couple of weeks) I'd do that, but it would significantly reduce their visibility.


Ian Hislop (the editor) is apparently the most sued man in history! (I may be exaggerating).

Seriously though, they are roped around with super injunctions and actions of every type intended to bring them down. I agree that they seem to be in rude health now (mostly because of my subscription I am sure) but it's really possible that some bastard will get them.

After all - they got Twitter...


> Ian Hislop (the editor) is apparently the most sued man in history! (I may be exaggerating).

Wikipedia says he's in the Guinness Book of Records for that but equally a whole bunch of links say it's unverified (and I believe he himself has said he isn't recently.)


> (mostly because of my subscription I am sure)

I enjoyed this, thank you.


> Nobody is going to shut Private Eye down any time soon.

I believe, based on my admittedly shaky memory of the PE podcast, that they said it did come close at least once due to court costs and judgements.

(I'll have to go through the episodes and see if I've gone mad.)


They have come close to being sued out of business on several occasions. Most notably by thief, bully and liar Robert Maxwell. Private Eye was one of the very few institutions to stand up to him during his (sadly much too long) lifetime.


BTW I subscribe to Private Eye partly because it is interesting and funny, but mainly because they are one the few institutions in the UK that still seem to be doing proper investigative journalism and holding power to account. The rest have been hamstrung by Google et al taking all their advertising revenue or being owned by plutocrats (or both).


One of their legal battles[1], Arkell v Pressdram[2], has become legendary and the precedent apparently referenced often in the UK legal system and beyond.

[1] for very small values of "battle"

[2] https://news.lettersofnote.com/p/arkell-v-pressdram


I hadn't seen that. Worth a look. ;0)


It's pretty much a personal project of Ian Hislop these days, who is a mere mortal. And it would only take a few libel lawsuits going against them to bankrupt the business.


Now Palantir has its hooks into their Health Service.


This is so tragic. I've tried reading the reports in this thread that have more info about the cases, but I don't understand how there wasn't enough evidence to exonerate these people at the time of the accusations.

It doesn't seem the post office had to prove their software worked as they claimed it did. I may have missed this or misunderstood something but there are access logs, receipts given to customers, the money itself vs the stock/services sold... these can all be counted by hand, no? There should be a 1-to-1 relationship between the business that came in and the products/services that went out, physical evidence. I feel like I've missed or misunderstood something about this situation.

It's horrific to imagine management would ruin lives over something like this. They really ought to be prosecuted and thrown in jail today, even if they're 90 yrs old. Anyone who took part in this cover up really shouldn't be let off the hook here.


One of the worst things about dealing with SaaS is that you might have no practical way to generate your own audit records for reconciliation during a dispute. You have to ask the vendor for data to dispute the vendor! The organizational incentives are all against you. Just a cursed relationship.


> You have to ask the vendor for data to dispute the vendor!

Isn’t that literally the purpose of discovery in lawsuits (a practice that long predates digital records at all, much less SaaS)


There's nothing to discover if they simply don't collect information that proves your case.

My favorite is "we have no evidence that XYZ was stolen" when a company gets compromised. Why would you want high quality logging at that point? Don't log access to sensitive information and then there's no evidence it was "stolen" (copied or cloned is the correct term).

Retention policies are a huge issue too. There have been a lot of cover-ups discovered by people going through old boxes of papers. That's not going to happen in the future because tech companies are providing enterprise grade tooling to continually scrub history via retention policies. No one is going to find a 10 year old "smoking gun" email if you have a 7 year retention policy on all communications.


No! The problem here is the Royal Mail had bad records. Discovery doesn't help at all! Discovery just gets you a copy of the bad data. You need good data, and nobody has it! This is why we invented double-entry bookkeeping 500 years ago.

And even if, by fluke, discovery might help because there was actually a good copy somewhere, that means you've already lost by spending a fortune on lawyers in a dispute with a crown corporation! Look at these disputes - lives were ruined over $44k pounds. Suing the Post Office wouldn't be cheaper than that.

In a traditional paper based flow, I have my own copies. I talk to a salesperson, get a price, and fax a PO. I keep a copy of that PO on file. The vendor delivers the order along with a waybill. My staff receive the order and count it, reconciling against my order. If the count is short, we check the waybill. Is the waybill short too? Then there was a problem in order flow. If the waybill matches my order, but the shipment is short, then the problem is in fulfillment. I call sales and hash it out. Honest errors happen, and reasonable people resolve them when given the facts.

If the salesperson says their copy of the PO looks different, and calls me a liar when I send them my copy, then we have a real dispute. We might have to get a lawyer involved. But this is well beyond honest error.

But in most SaaS environments (GB egress, bytes storage, etc), you are dependent on the vendor for the data. There is no practical way to disagree with AWS if they tell you your usage was 20TB and you expected 15. You are trusting the vendor not to lie (maybe reasonable), and also to never make an error (totally unreasonable!). We now have no defense against honest error.

B2C is in a similar boat. In olden-times, I knew people who kept a log book and stop watch by the phone and logged all their calls. Every month, they reconciled their phone bill against their log. Just like they reconciled their bank statement against their cheque stubs and deposit slips. But who in this day keeps their own log of PayPal transactions safely outside PayPal? My main safety with PayPal is short latency - they report significant transactions right away so any errors can be corrected quickly.
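The reconciliation the comment above argues for (your own copy of every record, compared line by line against the counterparty's statement) in working form. This is an added example written for this page, not code from Horizon, from any vendor, or from anyone in the thread; the record layout (transaction id, kind, signed amount in pence) and the sample data are constructed. The point it shows is that a posting duplicated or invented on the central side surfaces as a named discrepancy against a specific transaction, instead of as a bare "shortfall" figure the branch is simply told to make good.

```python
"""Reconcile a locally kept transaction log against the counterparty's
statement and report every discrepancy, instead of taking the remote
"shortfall" figure on trust.

Added example for this thread, not code from any system it discusses.
The record layout (transaction id, kind, signed amount in pence) and the
sample data below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: str
    kind: str      # e.g. "sale", "refund"
    amount: int    # signed amount in pence; integers avoid float rounding


@dataclass(frozen=True)
class Discrepancy:
    txn_id: str
    problem: str               # "missing_locally", "missing_remotely",
                               # "count_mismatch" or "amount_mismatch"
    local_amounts: tuple
    remote_amounts: tuple


# Constructed sample: what the branch wrote down itself during the day ...
LOCAL_LOG = [
    Txn("T1001", "sale", 1250),
    Txn("T1002", "sale", 4999),
    Txn("T1003", "refund", -1250),
    Txn("T1004", "sale", 20000),
]

# ... and what the central system later says happened at that branch.
VENDOR_STATEMENT = [
    Txn("T1001", "sale", 1250),
    Txn("T1002", "sale", 4999),
    Txn("T1003", "refund", -1250),
    Txn("T1004", "sale", 20000),
    Txn("T1004", "sale", 20000),   # posted twice centrally
    Txn("T1005", "sale", 3500),    # no local record at all
]


def _by_id(txns):
    """Group amounts by transaction id; duplicates stay visible as lists."""
    groups = defaultdict(list)
    for t in txns:
        groups[t.txn_id].append(t.amount)
    return groups


def reconcile(local, remote):
    """Match the two record sets by transaction id.

    Returns the totals each side believes in, the apparent shortfall the
    remote side would hold the branch liable for, and one Discrepancy per
    transaction id where the sides disagree. Duplicates count as a mismatch,
    not as a match, so a double-posted sale is surfaced rather than hidden.
    """
    l, r = _by_id(local), _by_id(remote)
    discrepancies = []
    for txn_id in sorted(set(l) | set(r)):
        la = tuple(sorted(l.get(txn_id, [])))
        ra = tuple(sorted(r.get(txn_id, [])))
        if not la:
            problem = "missing_locally"
        elif not ra:
            problem = "missing_remotely"
        elif len(la) != len(ra):
            problem = "count_mismatch"
        elif la != ra:
            problem = "amount_mismatch"
        else:
            continue
        discrepancies.append(Discrepancy(txn_id, problem, la, ra))

    local_total = sum(t.amount for t in local)
    remote_total = sum(t.amount for t in remote)
    return {
        "local_total": local_total,
        "remote_total": remote_total,
        # Positive: the remote side claims more cash should be present than
        # the branch's own records support.
        "apparent_shortfall": remote_total - local_total,
        "discrepancies": discrepancies,
    }


if __name__ == "__main__":
    report = reconcile(LOCAL_LOG, VENDOR_STATEMENT)
    print(f"local {report['local_total']}p, remote {report['remote_total']}p, "
          f"apparent shortfall {report['apparent_shortfall']}p")
    for d in report["discrepancies"]:
        print(f"  {d.txn_id}: {d.problem} local={d.local_amounts} remote={d.remote_amounts}")
```

Run on the sample, the remote side reports 48499p against the branch's 24999p, and the 23500p gap decomposes exactly into one duplicated posting (T1004) and one posting with no local counterpart (T1005). That decomposition is the evidence a branch needs when disputing the figure; without its own log there is nothing to decompose.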


If administrator can change entries and audit logs, there is no real way to prove the data has or has not been tampered with.


All those people that ostracized or otherwise hurled abuse at the postmasters, they can go to hell.


Good news everyone. We are hurling toward hell at an increasing pace !


Reminds me of the Kern County child abuse convictions but an even larger scale.

In both cases the sheer numbers make no sense, but nobody stopped to question why that was.


This has the unfortunate optics that Paula Vennells did the decent thing. The title should have been taken away from her ages ago.


I feel like we in the software industry should do more reflection on what happened here. Yes, many of the most evil acts were the result of social non-technical problems like terrible management, stupid legacy UK laws allowing PO prosecutions, and so on.

But the root cause was bugs. So many bugs.

There isn't much the average HN poster can do about the political and justice problems, which are firmly in the realm of the British government. But there are people here who work on databases and app frameworks. What can be learned from the Horizon scandal? Unfortunately there doesn't seem to be much discussion of this. Compare vs the airline industry where failures are aggressively root caused.

I'll start:

1. Transaction anomalies can end lives. Should popular RDBMS engines really default to non-serializability (non-repeatable reads, for example)?

2. Offline is very hard. A lot of bugs happened due to trying to make Horizon v1 work with flaky or very slow connections, and losing transactional consistency as a result. The SOTA here has barely advanced since the 90s, instead the industry has just given up on this and now accepts that every so often there'll be massive outages that cause parts of the economy to just shut down for a few hours when the SPOF fails. Should there be more focus on how to handle flaky connectivity in mission-critical apps safely?

3. What's the right way to ensure rock-solid accountability around critical databases, given that bugs are inevitable and data corruption must sometimes be manually fixed? A lot of the Horizon problems seemed to involve Fujitsu manually logging in to post offices and "fixing" the results of bugs, in such a way that they didn't realize their fix created ledger imbalances that the SPMs would be blamed for. A part of why big enterprises got so excited about blockchains was this notion of an immutable ledger in which business records can't go magically changing around you without anyone knowing how. There are clearly ways to do this, but they're not the default.

4. IIRC at least some failures were traced back to broken touch screens generating false random touches, which could lead at night to random transactions being entered and confirmed when nobody was around. Are modern capacitive touch screens immune to this failure mode? If not, are consoles in embedded applications always reliably engaging screen locks?

I guess there are bazillions more you could come up with.


According to the TV drama, the Fujitsu staff could go in and change data in the live data, while the log said it was the subpostmaster making the change. If so, that seems like negligently bad design.


It was an IT project for a government department designed and delivered in the 90s; negligently bad design is pretty much what I think we would've expected.


The history of UK government IT contracts is indeed a very sad one.

From memory:

UK Covid test and trace system: £37 billion pretty much wasted

UK NHS IT system: £12 billion pretty much wasted

And I'm sure there are lots of others.

And yet we are still giving huge projects to the same companies. Amazingly, Fujitsu's contract for the Horizons system has recently been renewed.


Only a small fraction of the covid test and trace costs were on software, the overwhelming majority was on lab tests and PCR kits.


Fair point. I don't know what percentage was IT.


There is an organizational axis too. The technical capabilities of the GPO went off with BT in 1984. The remaining organisation was anything but a competent customer for IT implementations. Outsourcing has definite limits and potentially catastrophic results - as does the demolition of corporate technical capability.

An empowered technical architecture function could have vetted this system and prevented this all. But gut it and stamp it under the heel of the CFO and you may as well not bother.


> Outsourcing has definite limits and potentially catastrophic results - as does the demolition of corporate technical capability.

A lot of what seems apparent in this case is that contractual and commercial factors weren't set up correctly - they were set up to deliver predictable prices (loved by public sector clients), but not necessarily to deliver good outcomes.

An example - it appeared much of the rush to ship the point of sale terminals was to get through customer acceptance (and presumably the payment milestone), despite scope creep and quality issues. And there was a cost for PO to access audit logs, and limits on capacity of these logs which could be handled. Presumably this delivered a lower headline price for an accountant negotiating the price down, but it ultimately made a poorer solution that wasn't fit for purpose.

It seems like (from what I've seen of the evidence) nobody internally in PO really had full understanding and ownership of the project and they'd outsourced that (but kept the suppliers tightly commercially managed, creating the incentives for shipping poor quality code, rather than spending the time to polish it, as some had tried to do in the development team).

Some interesting evidence here in the inquiry on software development practices and low competency and quality of code - https://postofficeinquiry.dracos.co.uk/phase-2/2022-11-16/#d...


I have "owned" the technical delivery of projects for clients, and I like to think I did a very good job - but it was very uncomfortable because when I insisted on things being done properly it ate into my bonus. Lucky for me I had a great team and this didn't happen so much, but I think that external ownership and accountability for project outcomes is only appropriate when the organisation really doesn't know what it's doing and really has to act. In that case I believe that the best thing to do is to get a third party to do it and separate the delivery organisation / program office from the development organisation / resource management.

Interesting link, thanks.


> The remaining organisation was anything but a competent customer for IT implementations.

This is very much the standard in UK public procurement and has been for a large number of years. It's got a lot worse since Brexit when most civil servants with any skills or capability to deliver have moved on because they didn't want to deliver the 'will of the people' to have their cake and eat it.


Can you evidence that claim? The only major public sector procurement effort I can recall since Brexit was the COVID vaccine in which the UK procurement programme worked much better than the EU level one did, to the extent that at the height of the event the EU was seriously talking about seizing the factories manufacturing vaccines the UK had bought whilst the EU were still talking.

And they also bought far too much. Germany is now required by the EU treaties to buy so much vaccine supply that if it didn't expire it would last them until the 24th century.

After all that, there was an attempt at an investigation but it turned out the whole thing was negotiated in secret and key deals were made by Ursula von der Leyen using deleted SMS messages.


> whole thing was negotiated in secret and key deals were made by Ursula von der Leyen using deleted SMS messages.

This is completely different from the British system, where key deals are made in secret using deleted Whatsapp messages.


Don't worry about dbms transaction management. This is the wrong level. No bank uses database-level transactions to make sure a balance transfer doesn't erase or double money. They post a durable entry in the transaction log, and then compute balances as roll-ups of the transactions. If some weird data glitch or cosmic ray produces the wrong balances, just re-run the tx rollup!
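A sketch of the approach described above (the ledger as an append-only log of postings, with balances never stored but recomputed by replay), combined with the tamper evidence the earlier comment on immutable ledgers and the remark about support staff editing live data both ask for. This is an added example, not code from any commenter or from Horizon; the branch name, actor label and amounts are constructed, and each entry carries the hash of its predecessor so an in-place "fix" breaks the chain.

```python
import hashlib
from dataclasses import dataclass, replace

GENESIS = "0" * 64  # link stored in the very first entry

@dataclass(frozen=True)
class Entry:  # one posting; never edited in place, only superseded by a later posting
    seq: int
    actor: str         # who posted it: the branch terminal, not a support login
    account: str
    amount_pence: int
    prev_hash: str     # digest of the previous entry: the chain link

    def digest(self) -> str:
        body = (self.seq, self.actor, self.account, self.amount_pence, self.prev_hash)
        return hashlib.sha256(repr(body).encode()).hexdigest()

class Ledger:
    """Append-only log; balances are never stored, only recomputed by replay."""
    def __init__(self):
        self.entries = []
    def head(self):
        return self.entries[-1].digest() if self.entries else GENESIS
    def post(self, actor, account, amount_pence):
        self.entries.append(Entry(len(self.entries), actor, account, amount_pence, self.head()))
    def balances(self):
        totals = {}
        for e in self.entries:  # the roll-up: replay every posting from the start
            totals[e.account] = totals.get(e.account, 0) + e.amount_pence
        return totals
    def verify(self, sealed_head=None):
        """Seq of the first entry whose link is broken, len(entries) if the sealed
        head no longer matches, None when the chain is intact."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev:
                return e.seq
            prev = e.digest()
        if sealed_head is not None and prev != sealed_head:
            return len(self.entries)

def tampered_branch():
    # Constructed sample: three postings, head sealed (e.g. printed on a day-end
    # summary kept at the branch); then entry 1 is "fixed" in place, not re-posted.
    led = Ledger()
    for account, pence in [("cash", 10_000), ("stamps", -1_500), ("cash", 2_000)]:
        led.post("spm:branch42", account, pence)
    sealed = led.head()
    led.entries[1] = replace(led.entries[1], amount_pence=-2_500)
    return led, sealed
```

Sealing the head outside the system matters: an edit to the most recent entry has no successor to contradict it, so only the recorded head exposes it.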


Yes I know, but banking isn't the only place where this sort of stuff can go wrong. See also the payroll discussion above. And Horizon had a similar design I think (message logs that were replayed to catch up with the true state of the ledger).


This approach still leaks, but the breakage will be things like overdraft limits, and those can be handled as business exceptions. And that's why we have transaction size limits. Risk-management, all the way down.


> Offline is very hard. A lot of bugs happened due to trying to make Horizon v1 work with flaky or very slow connections, and losing transactional consistency as a result. The SOTA here has barely advanced since the 90s, instead the industry has just given up on this and now accepts that every so often there'll be massive outages that cause parts of the economy to just shut down for a few hours when the SPOF fails. Should there be more focus on how to handle flaky connectivity in mission-critical apps safely?

If there's a network partition you have two options: accept reduced availability and keep your consistency, or have better availability and have reduced node consistency. Not much else you can do, that's just life.

Obviously, there are ways to increase consistency with consensus algorithms etc. with 2 phase commits, and you reduce consistency with consensus algorithms. Depends on your requirements.


In many real-world situations conflicts are rare and it's OK to temporarily lose consistency (especially if you know that it's happened), as long as you can catch up later and resolve the merge. Version control is a practical example that we interact with every day but there are others.

A lot of the Horizon stuff was very local to the specific post office, hence their initial replication based design.


> But the root cause was bugs. So many bugs.

I disagree, these were not the root cause of this scandal. Bugs happen and even if those ones might fall below expected standards, trying to pin the 'blame' on them might be perceived as deflecting from the real culprits. The scandal here is how the technical issues were handled.


It's a bit like saying planes will just fall apart in the sky, it's inevitable, what matters is whether the compensation was handled appropriately. All of it should be improved, but we can't just assume arbitrarily incorrect software will always be covered for by non-technical systems.


Obviously not the same at all and not what happened here.


You can't technical your way out of a social problem. It doesn't matter how many best practices you define if the management aren't going to follow them, and get their mates to award them a CBE for services to misconduct.

> Are modern capacitive touch screens immune to this failure mode?

No, this is basically impossible.


Software is eating the world.


Well, then. All is forgiven.


She should hand back the money she got for her work on "diversity and inclusion."


By the sounds of this article, I'd have to agree with you. https://www.bbc.com/news/uk-67929650



