For a disease which (to my knowledge) can’t be slowed down or reversed, I think it’s a fair question why we would want to detect Alzheimer’s. Maybe there are other reasons, but my suspicion is that we will be able to, and an easy detection method significantly widens the pool of subjects to study later on.
If it turns out that driving a Prius on Tuesdays slows down Alzheimer’s, a larger pool of subjects would allow us to figure that out.
I would personally want to know as early as possible, so I could get my affairs in order and register my wishes around end of life care and euthanasia while I am still recognised as having full mental capacity.
It's also better for people around the Alzheimer's patient, as it will let them understand why someone's personality and behaviours may be changing, and possibly let them be bit more forgiving of such changes. It will also give family more time to plan and understand the health and community services and support are offered wherever they live.
I know two people who have been taking the new monoclonal antibody treatment for it. One who was a bit further along when she started, and did not show any significant improvement. The one who started while she was still in the early stages has completely arrested her descent. She hasn't recovered much of what she already lost, but she's still able to live independently and enjoy life, and her mental acuity scores are (slightly) better than they were last year. That's a hell of a thing.
I also know someone who's significantly better now than they were a few years ago thanks to alzheimer's medication. And Trontinemab, which is currently in phase III trials I believe, seems even better than what is publicly available as it crosses the blood-brain barrier more readily. We're entering a brighter future for alzheimer's patients.
Completely arrested? I don't. But it appears to be arrested in ways that matter for mental acuity, for now. I've taken care of a parent with Alzheimer's, and helped several other caregivers over the years with their own family's journeys, and one thing I can tell you is that I have never, ever seen an actual halting of the progression for this long. The descent is usually a stairstep pattern, but the steps are on the matter of weeks to a month or two. My friend has been stable for a year.
This is all new. There is research hinting at Alzheimer's subtypes, some of which are more likely to respond than others. Even halting the decline is a huge potential breakthrough.
The way I’ve watched Alzheimer’s work in a family member is that it’s a step down function rather than gradual. And once something is lost, it doesn’t come back. So anything that can delay the next step even just for months is a win right now.
That's 4–6 months in the 18 months the trials lasted for, i.e. about a 30% slowdown of progression. The open-label extensions suggest this relative slowdown seems to continue at least to the 4-year mark (at which point it would have bought you over a year of time): https://www.alzforum.org/news/conference-coverage/signs-last...
Time will tell if the 30% slowdown continues beyond four years, and/or if earlier treatment with more effective amyloid clearance from newer drugs has greater effects. The science suggests it should.
It's very useful to understand what you're struggling from even if it's not curable. It explains your symptoms, your experience and help you understand what you're going through. Understanding that you're suffering from something incurable is also helpful in not looking for other ineffective methods to cure a mysterious illness.
Most people get a dementia (or related) diagnosis after they are deep enough in it so that they cant do much about it or get their affairs in order.
My grandfather had a "fall" at work, he then left that job, and held down 2 more engineering jobs before he was diagnosed with a stroking condition and subsequent dementia. I got the distinct impression he thought he had more time, but rapidly declined.
If he knew he was short of time before his rapid decline he probably would have done things differently. Like not buying a house he would later have to sell to pay for aged care.
If he knew he was at risk of a workplace accident he probably wouldn't have worked as an after hours safety engineer at a major treatment plant, where if the worst had happened he could have endangered others.
The accuracy of this test is nowhere nearly good enough to do population-wide screening. The clinical setting for this test is memory clinics in which Alzheimers is already relatively highly likely differentially, and even there you're going to get a surprising number of false positives.
(There's enough info in the supplemental link on this page to have an LLM do the Bayes math for you.)
At a personal level, I've been through this with my grandfather.
I want to know. My family wants to know. I want to prepare because there are things I want to do today that I know I won't be able to do in the future.
In many ways, it's just like many terminal cancer diagnoses. You're going to lose that person, but you have some time.
But it is a wildly variated, almost meaningless diagnosis. 3 of my 4 grandparents got Alzheimer's diagnosis as well as my mom and mother-in-law. The variation of progression and symptoms is so wide that it really seems like a catch-all. One grandmother was fine until about 72 and in 2 years forgot who people were and 4 years had lost all executive function and passed away. The other one was diagnosed in her early 80s and lived to be 96 with no major progression, like slightly more repeating, but never forgetting people or not knowing how to talk etc. Similar dichotomy between my mother and mother-in-law but with considerably different presentations of symptoms.
It's a weird disease and IMO not even really a disease it's a bunch of different causes of cognitive impairment under one umbrella but shouldn't be separated out much further to find actual causes and treatments.
> doctors correctly diagnosed Alzheimer's in 75.5% of cases, but when incorporating blood test results, diagnostic accuracy increased to 94.5%
These patients are already seeing doctors. Would you rather your doctor to hide the diagnosis just because your disease isn't curable (for now)? It's not like we're testing the whole population in masse.
Being able to know someone's risk factor would be important for how we treat elderly people. I know someone who is 85 and super sharp (previously worked as a corporate accountant and banker), they still have a better memory than a lot of 40-50 year olds, and yet they are constantly harassed by eldercare "agents" for the state because whenever they make a investment decision that is even slightly questionable they get reported to the state by the bank. Sometimes the bank refuses to authorize transactions. If they could conclusively prove they aren't at risk I think they would be left alone much more often.
If the patient still has periods of lucidity but the disease is suspected to be advancing, knowing they have it could prompt them to get their legal affairs in order.
I assume this is hugely beneficial for research on intervention methods, not for treatment. I think everyone is focusing on "I'd rather know" but imagine if you could get larger populations with a diagnosis earlier on, how impactful that would be for testing an intervention?
Not saying anything about the article at-hand, but assuming we were able to detect it with such certainty, I think it would greatly increase the funding, rigor, and breadth or research devoted to finding a cure or treatment that actually worked.
Having struggled with hard to diagnose health issues before, I can’t emphasize enough how much of a relief it is to put a name on the disease that is causing you so much harm.
It is frankly shocking to think disease diagnosis would be a useless thing
For 20-ish% of Alzheimer's patients, the Shingles vaccine may be a treatment. This has been suspected for a few years now but has received recent confirmation studies.
While the study was about the shingles vaccine, I wonder if having passed normally through shingles influences positively or negatively the chances of later developing Alzheimer's.
Trontinemab is in trials right now and has 92% of patients achieving low amyloid levels. And more people should be able to take it as it causes less brain swelling (ARIA-E). I'm unaffiliated, I just follow medical research in my free time. But I'm quite hopeful about this medication
Nobody is ever going to do that with this test, because the overwhelming majority of positive test results in a population-wide sample will be false, and the proposed diagnosis is devastating. This is a test for people who already have symptomatic dementia that helps confirm the diagnosis.
Well this test isn't for whether you will get Alzheimer's, so that disqualifies it before we even consider the accuracy.
But apparently your odds go above 30% if you live long enough, so if you could test for being in that cohort I think that result would be too common to actually be devastating.
> Tell 50 million people they’re likely to have Alzheimer’s then tell them where to donate towards a cure, or treatments to slow it by a decade.
Pharmaceutical companies have spent something like $50 billion on developing Alzheimer's drugs with, well, the most furtive of straw-grasping to show for it. It's probably the most expensive single disease target (especially as things like cancer are families of diseases)... the failure to have good results isn't for lack of money, and merely throwing more money at it is unlikely to actually make progress towards meaningful treatments.
It just seems really obvious to me that it's not one disease. One problem with the research is that there is SO much money. It's corrupting. There's a whole thing about the plaque cartel and if you aren't testing around a possibly flawed concept the availability of funds is much lower.
I just feel the thinking is off, it's like we are trying to treat cuts by removing scabs and scar tissue. We really need deep investigation on the sources, which I feel in many cases are industrial chemicals and how some people's body / immune system respond to them.
One of the most compelling studies I saw was how distance from a Golf Course predicted neurodegenerative diseases, based on their use of certain pesticides.
I understand the "detect deadly progression but no cure" problem; this was the same rationale people used when Huntington disease could be verified in diagnostics. Many people don't want to know, but some want to know, in particular as you can manage some things here or there - diet affects many things, for instance, even aside from metaboic genetic defects. And for any (molecular) therapy at a later time you need to understand the molecular basis to some extent. Some things can be found out via trial and error (vaccination and before) but for some disease that can not work. Alzheimer is quite complex.
If a loved one is suffering from this, this diagnostic would allow for interventions such as guardianship to assume financial and logistical responsibility for them with less subjective decisioning based on observations alone.
Even though it cannot be reversed or eradicated (yet, let's hope) detection can allow individuals to adopt interventions that help either adjust their lives to better cope with its progression or help mitigate some of the detrimental behavioral consequences. In addition, if you have family to care for it may be impetus to get certain things in order for them before later stages of the disease, etc. It's horrible and bleak, but I could certainly see why one might want to know.
In the lucky case, it can also relieve anxiety. Even though false negatives may still be possible, receiving a negative detection might give people who have anxiety about certain symptoms relief, since they can rule out (rightly or wrongly) a pretty severe disease.
Yeah it’s confusing because there are really three “evaluations” you could have for a position
1) god-mode 1/0/-1 which you could argue is the “true” position
2) engine centipawns which help the search algorithm
3) human evaluation which would distinguish between two positions in terms of a subjective difficulty
For example, two positions might be 0.0 on the eval bar but one position is an obvious draw and in the other position one player has to walk a tightrope of precise moves to draw. Just because that’s obvious to a computer doesn’t mean a human can easily draw the second position.
First of all this is not technically distillation, it is more imitation learning.
Second, you could do something like asking Claude to create 1 million prompt, offensive response, non offensive response triplets. Then train a model with DPO to prefer the offensive responses.
It’s not that capabilities could not exist without the original work. It’s more that the shortest path between A and B isn’t repeating all of the same work.
Further, although media likes to depict Chinese labs as “just copying” I think there’s a ton of hubris involved. First of all, American labs are filled with Chinese who are trained at the very same schools as Chinese labs. Second, if you look at the contributions from Chinese labs many have pushed the state of the art.
Zooming out, data is kind of an arbitrary line to draw. Anthropic didn’t invent the neural network, back propagation, or the transformer. They didn’t invent all of the post training techniques they are using. They might even be using some pretrained open models during pre training and data prep. They got all of those for free because those things are shared openly.
Yes, it is annoying that companies keep calling it “distillation” when it’s really imitation learning. In fact the closest analogy is probably more like “scraping” which is pretty ironic.
Some problems are simply undecideable: if for identical inputs the desired output varies wildly, you simply need more information. There is no algorithm that will help you.
Sensors or intelligence, at the end of the day it’s an engineering problem which doesn’t require pure solutions. Sometimes sensors break and cameras get covered in mud.
The problem is maintaining an acceptable level of quality at the lowest possible price, and at some point you spend more money on clever algorithms and researchers than a lidar.
Does it have to be a government? Why not a third party non-profit? The white hat gets shielded, and the non-profit has credible lawyers which makes suing them harder than individuals.
The idea is to make it easier to fix the vulnerability than to sue to shut people up.
For credit assignment, the person could direct people to the non profit’s website which would confirm discovery by CVE without exposing too many details that would allow the company to come after the individual.
This business of going to the company directly and hoping they don’t sue you is bananas in my opinion.
1) If you make legal disclosure too hard, the only way you will find out is via criminals.
2) If other industries worked like this, you could sue an architect who discovered a flaw in a skyscraper. The difference is that knowledge of a bad foundation doesn’t inherently make a building more likely to collapse, while knowledge of a cyber vulnerability is an inherent risk.
3) Random audits by passers-by is way too haphazard. If a website can require my real PII, I should be able to require that PII is secure. I’m not sure what the full list of industries would be, but insurance companies should be categorically required to have an cyber audit, and laws those same laws should protect white hats from lawyers and allow class actions from all users. That would change the incentives so that the most basic vulnerabilities are gone, and software engineers become more economical than lawyers.
In other industries there are professional engineers. People who have a legal accountability. I wonder if the CS world will move that way, especially with AI. Since those engineers are the ones who sign things off.
For people unfamiliar, most engineers aren't professional engineers. There are more legal standards for your average engineer and they are legally obligated to push back against management when they think there's danger or ethics violations, but that's a high bar and very few ever get in legal trouble, only the most egregious cases. But professional engineers are the ones who check all the plans and the inspections. They're more like a supervisor. Someone who can look at the whole picture. And they get paid a lot more for their work but they're also essential to making sure things are safe. They also end up having a lot of power/authority, though at the cost of liability. Think like how in the military a doctor can overrule all others (I'm sure you've seen this in a movie). Your average military doctor or nurse can't do that but the senior ones can, though it's rare and very circumstantial.
You'd be surprised how many SE's would love for this to happen. The biggest reason, as you said, being able to push back.
Having worked in low-level embedded systems that could be considered "system critical", it's a horrible feeling knowing what's in that code and having no actual recourse other than quitting (which I have done on few occasions because I did not want to be tied to that disaster waiting to happen).
I actually started a legal framework and got some basic bills together (mostly wording) and presented this to many of my colleagues, all agreed it was needed and loved it, and a few lawyers said the bill/framework was sound .. even had some carve-outs for "mom-n-pops" and some other "obvious" things (like allowing for a transition into it).
Why didn't I push it through? 2 reasons:
1.) I'd likely be blackballed (if not outright killed) because "the powers that be" (e.g. large corp's in software) would absolutely -hate- this ... having actual accountability AND having to pay higher wages.
2.) Doing what I wanted would require federal intervention, and the climate has not been ripe for new regulations, let alone governing bodies, in well over a decade.
Hell, I even tried to get my PE in Software, but right as I was going to start the process, the PE for Software was removed from my state (and isn't likely to ever come back).
I 100% agree we should have even a PE for Software, but it's not likely to happen any time soon because Software without accountability and regulation makes WAY too much money ... :(
The problem with software is that it's all so, so decentralized.
If you're building a bridge in South Dakota, there's somebody in South Dakota building that bridge. That person has to follow South Dakota laws, and those laws can require whatever South Dakota regulators want, including sign-offs by professional engineers.
If you're a South Dakota resident signing up for a web portal, the company may have no knowledge of your jurisdiction specifically (and it would be a huge loss for the world if we moved to a "geo-block every single country by default until you clear it with your lawyers" regime). That portal may very well be hosted in Finland by a German hosting company, with the owners located in Sweden, running Open Source software primarily developed in Britain. It's possible that no single person affiliated with that portal's owner ever stepped food in your jurisdiction.
I work in manufacturing, though this comment is a generalization, and depends on what industry you’re in. What happens in practice is that products are certified by a third party regulatory agency, probably Intertek. They’re the ones who hire the professional engineers. The pushback comes from the design engineers being aware of the regulations, and saying: “This won’t get past Intertek.”
The downside is, bring money. Also, don’t expect to have an agile development process, because Intertek is a de facto phase gate. The upside is that maintaining your own regulatory lab is probably more expensive, and it’s hard to keep up with the myriad of international standards.
As for mom-n-pops, why do you want competition from them? Regulatory capture always favors consolidation of an industry. What happens in practice for consumers is that stuff comes from countries where the regulatory process can be bypassed by just putting the approval markings on everything.
Okay, that was sarcastic, but it’s possible that the vitality of software owes a lot to the fact that it’s relatively unregulated.
On the other hand, I wouldn’t mind some regulatory oversight, such as companies having to prove that they don’t store my personal data.
Note that I’m naming Intertek, not to point a finger at them, but because I don’t know if they have any competitors.
> 2.) Doing what I wanted would require federal intervention, and the climate has not been ripe for new regulations, let alone governing bodies, in well over a decade.
Unionization could achieve the same end but the propaganda is strong in the US
> You'd be surprised how many SE's would love for this to happen
I'm one of them, and for exactly the reason you say.
I worked as a physical engineer previously and I think the existence of PEs changes the nature of the game. I felt much more empowered to "talk back" to my boss and question them. It was natural to do that and even encouraged. If something is wrong everyone wants to know. It is worth disruption and even dealing with naive young engineers than it is to harm someone. It is also worth doing because it makes those engineers learn faster and it makes the products improve faster (insights can come from anywhere).
Part of the reason I don't associate my name with my account is so that I can talk more freely. I absolutely love software (and yes, even AI, despite what some might think given my comments) but I do really dislike how much deception there is in our industry. I do think it is on us as employees to steer the ship. If we don't think about what we're building and the consequences of them then our ship is beholden to the tides, not us. It is up to us to make the world a better place. It is up to us to make sure that our ship is headed towards utopia rather than dystopia (even if both are more of an idea than reality). I'd argue that if it were up to the tides then we'll end up crashing into the rocks. It's much easier to avoid that if we're managing the ship routinely than in a panic when we're headed in that direction. I think software has the capacity to make the world a far better place. That we can both do good and make money at the same time. But I also think the system naturally will disempower us. When we fight against the tides things are naturally harder and may even look like we're moving slower. But I think we often confuse speed and velocity, frankly, because direction is difficult to understand or predict. Still, it is best that we try our best and not just abdicate those decisions. The world is complex, so when things work they are in an unstable equilibrium. Which means small perturbations knock us off. Like one ship getting stuck shutting down a global economy. So it takes a million people and a billion tiny actions to make things go right and stay right (easier to stay than fix). But many of the problems we hate and are frustrated by are more stable states. Things like how wealth pools up, gathered by only a few. How power does the same. And so on. Obviously my feelings extend beyond software engineering, but my belief is that if we want the world to be a better place it takes all of us. The more that are willing to do something, the easier it gets. I'd also argue that most people don't need to do anything that difficult. The benefit and detriment of a complex machine is that small actions have larger consequences. Just because you're a small cog doesn't mean you have no power. You don't need to be a big cog to change the world, although you're unlikely to get recognition.
I also come from a more "traditional engineering" background, with PEs and a heavier sense of responsibility/ethics(?). I definitely think that's where it's going, although in my somewhat biased opinion, that's why the bar for traditional engineering in terms of students and expected skill and intuition was much higher than with CS/CE, which means the get rich quick scheme nature of it might go away.
I think you’re taking the professional responsibility that engineers are given too far. They are not given that responsibility to make political decisions, as you seem to be implying. Engineers are professionals in the hard sciences, not in social sciences. They only have power over ethical and safety issues directly pertaining to technical matters. I think ethics in this sense includes only very widely accepted ethical opinions, not anything that people from different political parties would disagree on. Engineering, in other words, is not political. Making the world better, as you put it, is something that requires political decisions. I hope people don’t make this confusion because the last thing most of us would like to see is Engineering becoming a political endeavor, including software engineering.
You're the one that brought up politics. You're right that they're hard to decouple from ethics as that's essentially how the parties form.
But where I disagree with you, and extremely, is that we should not have our own personal ethics and adopt that of what we believe is society's. You're asking the impossible. Such a thing doesn't exist. Whichever country you're in you'll find a diverse set of opinions. The most universal ethics are only the most basic. But if it did exist I'd still disagree as you're asking engineers to not be human. You'd be discriminating people based on religion. You'd be discriminating people based on culture. You'd be discriminating people based on their humanity. I'm extremely opposed to turning humans into mindless automata. Everyone has the right to their own beliefs and this is our advantage as our species.
I don’t think the current cost structure of software development would support a professional engineer signing their name on releases or the required skill level of the others to enable such …
We’d actually have to respect software development as an important task and not a cost to be minimized and outsourced.
In many countries you are only allowed to call yourself a Software Engineer if you actually have a professional title.
It is countries like US where anyone can call themselves whatever they feel like that have devalued our profession.
I have been on the liability side ever since, people don't keep broken cars unless they cannot afford anything else, software is nothing special, other than lack of accountability.
Exactly this - I had a role in a multinational, US-founded company, however - I was based in Canada - our title had the name "engineer" contained within it. We were NOT by any means certified professional engineers according to any regulatory body - we were great at our jobs, but that was the reality.
We were NOT allowed to refer to our job title when deployed to the province of Quebec, which has strong regulations around the use of the term "engineer". It was fine - we still went, did our jobs, satisfied our customers and fixed their issues.
And the people of Quebec are much safer for it. /s
This divide between Canada and the US has existed since the birth of software engineering as a thing. Where is the evidence the protected name has done anything useful for either Canadian software engineers or its citizens?
It's really hard to disentangle the myriad of factors that go into the differences that we see in life expectency and quality of life between Canada and the United States but it wouldn't surprise me that this is one of those ones that accounts for some miniscule amount of the difference.
Portugal, Germany, Canada, Switzerland are the ones I am aware of.
Software Engineering degrees are certified by the Engineering Order, universities cannot call themselves that just because they feel like it, and any kind of legal binding documents when notarised required the professional validity.
First of all, hardly anyone cares (default email signatures etc.pp even if the people don't want that - but you said legally bindign, and I think that just usually never happens.).
And second, at least in Germany it's also somewhat of a bullshit situation that 80% of the people who do a "normal" Computer Science degree don't have that (Diplom-Informatiker/M.Sc), but the 20% who happen to study at a certain uni in a certain degree (that is mostly related, but not the default Computer Science/Software Engineering one) are/were getting their "Diplom-Ingenieur".
Why the glib dismissal when you most certainly live in a country where the use of titles like 'doctor', 'dentist', 'officer' or 'lawyer' is most certainly regulated?
This isn't really that exceptional and as someone from a place where not just anyone can call themselves engineer I'm always baffled when people think that it is.
Your comment completely misses the point of my question. Those countries are regulating the title not the profession.
Here is the difference: the Doctors have a liability for their medical practice, the real Engineers meaning those doing Bridges and Buildings that can kill thousands of people if they fall, have a professional obligation and responsability on the outcomes of their designs and implementation.
I can guarantee you, no Software Engineer from Portugal to Germany will be willing to guarantee the behavior and fitness for purpose, of any System or Software product they develop :-) As you very well can see, if you bother to read the full details on the Software License disclaimers of any software from any large company. From Microsoft to Oracle, IBM and others.
As such those are Software Engineers on title only, what is convenient to be hired for post within Government and similar...
> no Software Engineer from Portugal to Germany will be willing to guarantee the behavior and fitness for purpose, of any System or Software product they develop
Then they shouldn't call themselves engineers.
It's not really a big deal and I don't understand the confusion around this.
That is the whole point. :-) Real Software Engineers do not exist other than in title. Some institutions and governments are arbitraging those who can use the title...
If Oracle, IBM or Microsoft after 50 years, and employing thousands of Software Engineers ...include the standard disclaimers on their Software, I dont think those in title only should make much fuss of the Software Engineer badge...
Then maybe you shouldn't be allowed to rely on such software not causing utter carnage when you're implementing some infrastructure thing via software?
Also note that such warranty disclaiming "fitness for any purpose" is not possible if you sell for money software that you say is for such an infrastructure situation, at least in e.g. Germany.
That's not from the license but from the sale though.
> If I start calling "bananas" "apples" then I devalue the meaning of the word "apple". You can't differentiate which I'm referring to.
In French, potatoes are called what translates to English as "apple of the earth". Nobody confuses a pomme de terre with an apple, because nobody calls a potato an apple without the adjective attached.
That's what the additional adjective as part of the title is for; like how apples and potatoes are vaguely related in that they're both plant-based food but are otherwise entirely different; turning "software engineer" into a compound term that has the extra word is specifically to differentiate it from expectations of it not having the extra word.
Software engineering is legitimately engineering going by the etymological meaning of engineering; but it's not really one going by some of the other (mostly orthogonal) things we've layered onto the term in many contexts over the years. It's creation through ingenuity. It has as much claim to the word as part of its title as any other usage of the word does.
Professional labour value isn't synonymous with late stage capitalism without ethics or morals.
Now if you mean for own much one is willing to sell themselves to late stage capitalism, producing low quality products and entshtification, maybe that is the bang for buck right there.
How do you explain the low quality of software coming out of all of the other countries you have mentioned with protected titles?
The software is happening regardless of title and you haven’t given any examples of the value of where kissing the ring to get the certification has been critical to Canada/Germany/Switzerland producing better software.
No, im looking for literally any evidence that the quality of software that comes from areas that require the protected name is better than something like the NASA coding guidelines.
Most web dev, gaming jobs don't care about those things, they care if you can ship fast and cheap. There's embedded and safety related SW that need well thought out safeguards but a lot of that slow moving SW has been farmed out to Asia, EE and India.
I mean the quality of people following NASAs C style guidelines.
Where is there any evidence that people using the protected title are producing higher quality software than companies in equivalent industries in the US?
>Now if you mean for own much one is willing to sell themselves to late stage capitalism
The government is the one selling you out to late stage capitalism through rampant inflation, business and fiscal regulations and deregulation, offshoring, and various nefarious policies on housing and labor migration.
People just adapt to survive by taking the best paying jobs, since voting clearly doesn't help them.
Don't tell me you're not developing SW for the highest bidder and would take the salary of a fast food worker out of class empathy just to stick it to the evil capitalist.
That is the difference between the US mentality of the winner takes it all that has given us late stage capitalism, entshitification and Trump, and most of the world.
Quality of life and health matters more than anything else.
After a certain point, more money doesn't bring any of that, one is not taking the money into the grave, other than build a mausoleum.
You talk around the issue throwing the blame on others, but you intentionally avoided answering my question, as if you're not part of the problem, and are working for peanuts, virtue signal points and "thank-yous". Sorry but my bank and landlord doesn't accept those, only money and the government makes sure those get more and more expensive.
We check the output of engineers tjats what infra audits and certs are for. We basically tell industry if you want to waste your money on poor engineers whose output doesn’t certify go ahead.
you could do that with civil engineering. anyone gets to design bridges. bridge is done we inspect, sorry x isn’t redundant your engineering is bad tear it down.
You couldn't do that with civil engineering, because checking if a bridge was built correctly is actually really hard, and it's why it's such a process for engineers to sign off on phases of construction.
You could look at the blueprints and calcs that were used to build it and inspect it, which they do. There’s no fundamental difference. Firms will self enforce engineering rigor because it’s a waste of money not to. Making it more stringent when lives are at stake makes sense, thats the only reason you could use to separate them. Also that can even get blurry in eg avionics software.
A lot of responses below talking about what a 'certified' or 'chartered' engineer should be able to do.
I thought it would be noteworthy to talk about another industry, accountancy. This is how it works in the UK, but it is similar in other countries. They are called 'Chartered Accountants' here, because their institute has a Royal Charter saying they are the good guys.
To become a Chartered Accountant has no prerequisites. You 'just' have to complete the qualification of the institute you want to join. There are stages to the exams that prior qualifications may gain you exemptions from. You also have to log practical experience proving you are working as an accountant with adequate supervision. It takes about 2-3 years to get the qualification for someone well supported by their employer and with sufficient free time. Interestingly many Accountants are not graduates, and instead took technician level qualifications first, often the Association of Accounting Technicians (AAT). The accounting graduates I have interviewed wasted 3 years of their lives...
There are several institutes that specialise in different areas. Some specialise in audit. One specialises in Management Accounting (being an accountant at a company really). The Management accountants one specifically prohibits you from doing audit without taking another conversion course. All the institutes have CPD requirements (and check) and all prohibit you from working in areas that you are not competent, but provide routes to competency.
There are standards to follow, Generally Accepted Accounting Practice GAAP, UK Financial Reporting Standards FRS and the International equivalent IFRS. These cover how Financial Statements are prepared. There are superate standards setting bodies for these. There are also a set of standards that cover how an audit must be done. Then there is tax law. You are expected to know them for any area you are working in. All of these are legally binding on various types of corporation. See how that switches things around? Accountants are now there to help the company navigate the legal codes. The directors sign the accounts and are liable for misstatements, that encourages them to have a director who is an accountant...an audit committee etc.
How does that translate to software?
There are lots of standards, NIST, GDPR, PCI, some of which are legally or contractually binding. But how do I as a business owner know that a software engineer is competent to follow them. Maybe I am a diving company that wants a website. How do I know this person or company is competent to build it? It requires software engineers with specific qualifications that say they can do it, and software engineers willing to say, 'I'm sorry I am not able to work in this field, unless I first study it'.
I’m big on increasing accountability and responsibility for software engineering, but I’ve learned about SEI CMMI, and worked in an ISO 9001 shop.
In some cases, these types of structures make sense, but in most others, they are way overkill.
It’s a conundrum. One of the reasons for the crazy growth of software, is the extreme flexibility and velocity of development, so slamming the brakes on that, would have enormous financial consequences in the industry (so … good luck with that …).
But that flexibility and velocity is also a big reason for the jurassic-scale disasters that are a regular feature of our profession. It’s entirely possible for people that are completely unqualified, to develop software full of holes. If they can put enough lipstick on it, it can become quite popular, with undesirable consequences.
I don’t think that the answer is some structured standard and testing regime, but I would love to see improvement.
As an accountant I am able to enforce an accounts regime appropriate to my entity, with concepts like 'materiality' to help. I'm not sure about ISO9001, I'm more familiar with PCIDSS, and I found it to be very proscriptive, and 'all or nothing', compared with accounting standards. For instance in a small company, it is perfectly reasonable to state verbally to your auditor that your control over something is that you are close enough to the transactions to see misstatements by other people sat in the same room. Or even that you have too few people to exercise segregation of duties controls. In a larger company it is not ok. I don't see that same flexibility in other kinds of standards
Regarding your 2), in other industries and engineering professions, the architect (or civil engineer, or electrical engineer) who signed off carries insurance, and often is licensed by the state.
I absolutely do not want to gatekeep beginners from being able to publish their work on the open internet, but I often wonder if we should require some sort of certification and insurance for large businesses sites that handle personal info or money. There'd be a Certified Professional Software Engineer that has to sign off on it, and thus maybe has the clout to push back on being forced to implement whatever dumb idea an MBA has to drive engagement or short-term sales.
Maybe. Its not like its worked very well lately for Boeing or Volkswagen.
> I absolutely do not want to gatekeep beginners from being able to publish their work on the open internet
FWIW there is no barrier like that for your physical engineers. Even though, as you note, professional engineers exist. Most engineers aren't professional engineers though, and that's why the barrier doesn't exist. We can probably follow a similar framing. I mean it is already more common for licensing to be attached to even random software and that's not true for the engineer's equivalents.
Oh there have been many cases where software engineers who are not professional engineers with the engineering mafia designation get sidelined by authorities for lacking standing. We absolutely should get rid of the engineering mafias and unions.
It's kinda wild that you don't need to be a professional engineer to store PII. The GDPR and other frameworks for PII usually do have a minimum size (in # of users) before they apply, which would help hobbyists. The same could apply for the licensure requirement.
But also maybe hobbyists don't have any business storing PII at scale just like they have no business building public bridges or commercial aircraft.
Web is already mostly centralized, and corporations which should be scrutinized in way they handle security, PII and overall software issues are without oversight.
It is also a matter of respect towards professionals. If civil engineer says that something is illegal/dangerous/unfeasible their word is taken into the account and not dismissed - unlike in, broadly speaking, IT.
I just don't feel we want the overhead on software. I'm in an industry with PEs and I have beef with the way it works for physical things.
PII isn't nearly as big a deal as a life tbh. I'd rather not gatekeep PII handling behind degrees. I want more accoubtability, but PEs for software seems like it's ill-suited for the problem. Principally, software is ever evolving and distributed. A building or bridge is mostly done.
I, as a self-proclaimed dictator of my empire, require, in the name of national security, all chat applications developed or deployed in my empire to send copies of all chat messages to the National Archive for backup in a form encrypted to the well-known National Archive public key. I appoint Professional Software Engineers to inspect and certify apps to actually do that. Distribution of non-certified applications to the public or other forms of their deployment is prohibited and is punishable by jail time, as well as issuing a false certification.
Sounds familiar?
The difference from civil engineering is that governments do not (yet?) require a remotely triggerable bomb to be planted under every bridge, which would, arguably, help in a war, while they are very close to this in software. They do something similar routinely with manufacturing equipment - mandatory self-disabling upon detecting (via GPS) operation in countries under sanctions.
GDPR doesn't have any minimum size before applying. There's a household exemption for personal use, but if you have one external user, you're regulated.
There are jurisdictions (and cultures) where truth is not an absolute defence against defamation. In other words, it's one thing to disclose the issue to the authorities, it's another to go to the press and trumpet it on the internet. The nail that sticks out gets hammered down.
Given that this is Malta in particular, the author probably wants to avoid going there for a bit. It's a country full of organized crime and corruption where people like him would end up with convenient accidents.
> it's one thing to disclose the issue to the authorities, it's another to go to the press and trumpet it on the internet.
At least in the US there is a path of escalation. Usually if you have first contacted those who have authority over you then you're fine. There's exceptions in both directions; where you aren't fine or where you can skip that step. Government work is different. For example Snowden probably doesn't get whistleblower protection because he didn't first leak to Congress. It's arguable though but also IANAL
> it's one thing to disclose the issue to the authorities
That's not how any of this works. You are basically arguing for the right to hide criminal actions. Filing with the CSIRT is the only legal action for the white hat to take. This is explicitly by design. Complaining about it is like complaining the police arrested you for a crime you committed.
> If other industries worked like this, you could sue an architect who discovered a flaw in a skyscraper
To match this metaphor to TFA, the architect has to break in to someone else's apartment to prove there's a flaw. IANAL but I'm not positive that "I'm an architect and I noticed a crack in my apartment, so I immediately broke in to the apartments of three neighbours to see if they also had cracks" would be much of a defence against a trespass/B&E charge.
Another missing link is here is the stock price relationship to security vulnerability history of the corporation. Somehow, I don't know how, but somehow stock prices should reflect the corporation's social responsibility posture, part of which is information security obviously.
> companies should be categorically required to have an cyber audit
I work with a firm that has an annual pen test as part of its SOC2/GDPR/HIPAA audit, and it's basically an exercise in checking boxes. The pen test firm runs a standard TLS test suite, and a standard web vulnerability test suite, and then they click buttons for a while...
The pen test has never found any meaningful vulnerabilities, and several times drive-by white hats have found issues immediately after the pen test concluded
There’s a ton of crossover between your method and RL. I guess instead of directly training on episodes and updating model weights, you just store episodes in RAM and sample from the most promising ones. It could be a neat way of getting out of infamous RL cold start by getting some examples of rewards. Thanks for sharing.
Thanks! You're right that there's a resemblance to RL. The original approach was proposed by Antithesis, and in Part 1 we map it more directly to a mutation-based Genetic Algorithm: stored paths are the population, the x-position scoring is the fitness function, and bit-flip input generation is the mutation operator. There's no recombination and no learned policy but just evolutionary selection pressure on input sequences.
Interesting point about the RL cold start, one could definitely use the paths discovered first through the evolutionary exploration to seed an RL agent's initial experience which could help skip the early random flailing phase.
The key difference from RL is the goal. We're not trying to learn an optimal policy for playing the game and instead we're trying to explore as much of the state space as possible to find bugs. In Part 2 we plug in a behavior model that validates correctness at every frame during exploration (velocity constraints, causal movement checks, collision invariants). The combination is where it gets interesting: autonomous exploration discovers the states, and the behavior model catches when the game violates its own rules. For testing, the main reason we even care about completing each level is that a completed path serves as the base for more extensive exploration at every point along it. If the exploration can't reach the end, by definition we miss a large part of the state space.
Developing, no, but once companies start releasing vehicles onto our shared public streets I have a lot less tolerance for launching science experiments that end up killing bystanders.
I can understand the argument that in the abstract over-regulation kills innovation but at the same time in the US the pendulum has swung so far in the other direction that it’s time for a correction.
I have no tolerance for bystanders being killed in general. If the science experiments kill on average less bystanders I'm all for them, if they don't they should be stopped until made safer.
In this case the judgement is so extreme because the judge had no tolerance for Tesla lying in relation to the server logs' existence and what they contained (namely that is was indeed their autopilot that was in full control, had been in full control for almost half an hour, and was not worried at all/not issuing warnings, at the time of the crash)
If it turns out that driving a Prius on Tuesdays slows down Alzheimer’s, a larger pool of subjects would allow us to figure that out.
reply