You must log in or register to comment.
As a counterpoint to this articles counterpoint, yes, engineers should still be held responsible, as well as management and the systems that support negligent engineering decisions.
When they bring up structural engineers and anesthesiologists getting “blame” for a failure, when catastrophic failures occur, it’s never blaming a single person but investigating the root cause of failures. Software engineers should be held to standards and the managers above them pressuring unsafe and rapid changes should also be held responsible.
Education for engineers include classes like ethics and at least at my school, graduating engineers take oaths to uphold integrity, standards, and obligations to humanity. For a long time, software engineering has been used for integral human and societal tools and systems, if a fuck up costs human lives, then the entire field needs to be reevaluated and held to that standard and responsibility.
If capitalism insists on those higher up getting exorbitantly more money than those doing the work, then we have to hold them to the other thing they claim they believe in: that those higher up also deserve all the blame.
It’s a novel concept, I know. Leave the Nobels by the doormat, please.
I doesn’t seem unfair for executives to earn the vast rewards they take from their business by also taking on total responsibility for that business.
Moreover, that’s the argument you hear when talking about their compensation. “But think of the responsibility and risk they take!”
Was there a process in place to prevent the deployment that caused this?
No: blame the higher up
Yes: blame the dev that didn’t follow process
Of course there are other intricacies, like if they did follow a process and perform testing, and this still occurred, but in general…
How could one Dev commit to prod without other Devs reviewing the MR? IF you’re not protecting your prod branch that’s a cultural issue. I don’t know where you’ve worked in the past, or where you’re working now, but once it’s N+1 engineers in a code base there needs to be code reviews.
Oh you sweet summer child…
I hate to break it to you, but companies with actual safe rails to deploying to production do exist.
And when things go wrong, it’s never the responsibility on a single dev. It’s also the dev who reviewed the PR. It’s also the dev who buddy approved the deploy. It’s the whole department that didn’t have enough coverage in CI.
I would hate to work where you developed the idea a protected main/prod branch is something novel.
If they didn’t follow a procedure, it is still a culture/management issue that should follow the distribution of wealth 1:1 in the company.
If you don’t test an update before you push it out, you fucked up. Simple as that. The person or persons who decided to send that update out untested, absolutely fucked up. They not only pushed it out untested, they didn’t even roll it out in offset times from one region to the next or anything. They just went full ham. Absolutely an idiot move.
We still don’t know exactly what happened, but we do know that some part of their process failed catastrophically and their customers should all be ready to dump them.
I’m quite happy to dump them right now. I still don’t really understand why we need their product there are other solutions that seem to work better and don’t kill the entire OS if they have a problem.
The bigger issue is the utterly deranged way in which they push definitions out. They’ve figured out a way to change kernel drivers without actually putting it through any kind of Microsoft testing process. Utterly absurd way of doing it. I understand why they’re doing it that way but the better solution would have been to come up with an actual proper solution with Microsoft, rather than this work around that seems rather like a hack.
The kernel driver devs also fucked up. Their driver could not support reading a file containing zeros.
Git Blame exists for a reason, and that’s to find the engineer who pushed the bad commit so everyone can work together to fix it.
Blame the Project manager/Middle manager/C-Level exec/Unaware CEO/Greedy Shareholders who allowed for a CI/CD process that doesn’t allow ample time to test and validate changes.
Software needs a union. This shit is getting out of control.
Or it needs to be a profession.
Licensed professional engineers are expected to push back on requests that endanger the public and face legal liability if they don’t. Software has hit the point where failure is causing the economic damage of a bridge collapsing.
And in the cases of healthcare and emergency dispatch, loss of life as well.
Sounds like the kind of oversight that tends to come with a union and the representation therein.
IT needs unionizing. Unfortunately it pays too well and is filled with retarded libertarians.
Casual hard R slur in chat
Linus?
Apparently a snowflake deleted my comment too lol
I’m going to guess it was a libertarian who took exception to my calling them out hahaha
Snowflake? Why are mentally disabled folks ok to make fun of? They didn’t pick it or do it, and it has nothing to do with good or bad politics.
Make fun of things people choose to do. Not shit they were born with.
Definition of removed- a person affected with intellectual disability
I stand by what I said. Sorry I ruffled your jimmies. Not sorry I used the word. You imply my insulting mentally disabled people. I’m not.
You are. It’s a slur. It is not an accepted term in the medical community.
Edit here’s an actual definition from https://www.merriam-webster.com:
dated, now offensive : affected by intellectual disability : INTELLECTUALLY DISABLED NOTE: The term <r> is increasingly considered offensive. The use of intellectually disabled is now preferred over <r> in medical, educational, and regulatory contexts, as well as in general use.
Further, you use it as an insult specifically in that you suggest someone of a certain political preference is intellectually disabled.
Essentially you are combining someone’s medical situation they did not pick or cause, with someone else’s political interests. That’s fucked up.
I get that it’s not the point of the article or really an argument being made but this annoys me:
We could blame United or Delta that decided to run EDR software on a machine that was supposed to display flight details at a check-in counter. Sure, it makes sense to run EDR on a mission-critical machine, but on a dumb display of information?
I mean yea that’s like running EDR on your HVAC controllers. Oh no, what’s a hacker going to do, turn off the AC? Try asking Target about that one.
You’ve got displays showing live data and I haven’t seen an army of staff running USB drives to every TV when a flight gets delayed. Those displays have at least some connection into your network, and an unlocked door doesn’t care who it lets in. Sure you can firewall off those machines to only what they need, unless your firewall has a 0-day that lets them bypass it, or the system they pull data from does. Or maybe they just hijack all the displays to show porn for a laugh, or falsified gate and time info to chaos for the staff.
Security works in layers because, as clearly shown in this incident, individual systems and people are fallible. “It’s not like I need to secure this” is the attitude that leads to things like our joke of an IoT ecosystem. And to why things like CrowdStrike are even made in the first place.
CTOs that outsourced to a software they couldn’t and didn’t auidit are to blame first. Not having a testing pipeline for updates is to blame. Windows having a verification system loophole is too blame. Crowd strike not testing this patch are too blame. Them building a system to circumvent inspect by MS is their fault.
Now with each org there is probably some distribution of blame too, but the execs in charge are first and for most in charge…
Honestly this is probably enough serious damages in some cases that I suspect ever org to have pay some liability for the harms their negligence caused. If our system is just that is, and if it is not than we have a duty to correct that as well
"George Kurtz, the CEO of CrowdStrike, used to be a CTO at McAfee, back in 2010 when McAfee had a similar global outage. "
Wonder if he partied with John?
John left McAfee 15 years earlier
If I’m responsible for the outcome of the business, I want a fair share of the profits of the business.
