Monday, January 23, 2012

Lawyer Demands Pacemaker Vendor Supply Source Code

Last year at OSCON. Sadly the line was too long for me to shake her hand and say thanks for starting this.

There's a few points I'd like to add, many already covered.

1) She's qualified to do this. Not to review the software. But she has plenty of good colleagues for that.

She's a director of GNOME (I know, I know...), former GC of the SFLC, an attorney... and... from listening to her talk, she either genuinely gets software -- or someone that did wrote her whole speech for her.

2) This is a real, not a hypothetical problem.

People commenting without RTFA need to understand--These devices are 802.11 enabled. Remote exploits/have/ been demonstrated.

This is not a wholly uncommon situation -- one of my coworkers has a daughter with a computerized glucose pump that has also had remote compromise demonstrated.

And even a trivial interest in breathatlizers reveals there has been...myriad incidences of these devices not just being a total failure of design, but having rollover and similar bugs in their implementations.

3) People may be correct that it would be hard to get people to understand the code. That is wholly irrelevant and a false front of an argument. I don't care what your medical experience is in your industry or company. What your experience with regulators or lawsuits are. There's companies that commit fraud, lie, cheat, steal. They exist. This is indisputable. There's places where MBA's and biologists that can barely write a hello world by themselves compose pointer arithmetic, hit compile, hit test, and go home at the end of the day. I've worked at places like that on applications that could kill if they failed. It is why I do not as of two years ago.

I presently work with a woman that could not compose a CSV in a basic ETL from another filetype without help. She has the language being used using on her resume. Her workflow involved copy/paste off of the internet, and then changing one line at a time, saving it as file.### and trying to run it. If it didn't crash, she'd examine the output and try to put in what she thought would fix it. If it did, she'd try to find the error. When I offered a hand, she was currently at over her 500th revision.

So let me be damend clear -- even an unqualified person can do a basic code review just by running a fucking linter on it and looking at the warnings. Because if it generates one or a million -- that says something about the quality right there.

Why? Because unless you're in a business whose core business *IS* software, my personal experience is that 80% plus of the developers have never heard of one, and 95% don't know how to use it if they have. And that is why my code has less bugs than my colleagues.

Now -- even if my experiences are anecdotal, and "invalid" -- I've just proven the existence of the problem.

This is her life we're talking about. Her life entrusted to a piece of cybernetics that has had a demonstrated remote exploit.

Please/., have a little bit of humanity for once. This isn't about corporate profits, NDAs, lawsuits. This is about someone asking to read something to make an informed choice about their continued existence.

Source: http://rss.slashdot.org/~r/Slashdot/slashdotScience/~3/MBaFPIyBa00/lawyer-demands-pacemaker-vendor-supply-source-code

world aids day horse slaughter horse slaughter world aids day 2011 chester mcglockton chester mcglockton arsenic

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.