Computer experts from some 30 organizations worldwide have once again compiled a list of the 25 most dangerous programming errors along with a novel way to prevent them: by drafting contracts that hold developers responsible when bugs creep into applications. The list for 2010 bears a striking resemblance to last year's list, …
And the time limit to fix a bug can be .. let me think .. Oh yes something like 17 years ?? .. and in that time you paid already how many times for the same error ??
In other words,
the "little" get smacked/sued and have to pay and/or fix their program immediately
and the "BIG" will start press conferences, lawyertalk, mumbling about options, undocumented features, etc etc and nothing changes for a long time ..
and Paris ??
She knows BIG is NOT always better
RE: fix-it ?
I assume you're talking about Microsoft here...
We all know they don't make even semi-decent software. It's full of bugs. A quick search of El Reg for "Microsoft" will tell you that.
Paris - 'cos even she doesn't blow as much as Microsoft
What could go wrong?
the cost of development is going to go through the roof if this takes off.
Have to secure a code base, get a trusted third party to hold onto each commit, plus all the extra testing, and you will have to verify all the libraries and interpreters you use, along with a code review of compilers, which for the MS dweebs in the main is closed source, that should prove fun.
Background checks, you will have to pay a lot for developers to allow that, this is going to cost a King's ransom; need to make a quick change to a SQL statement is going to take ages to actually filter to live, no one is going to allow anything out of development, unless they have tested it from here to beyond.
Oh well, makes being a developer for others a bit boring and high risk, but they won't have to do much work though, and they will be a considerable cost to any business, so will be treated a bit better if the business actually survives the extra costs.
Smaller players who do their own coding for their own businesses will be in a much better position as well, as they will be able to make quick changes whilst everyone else bears the huge cost of any small change, big companies will just freeze.
And what is development, word processors have macros, as do spreadsheets, so accountants and secretaries will be liable if they put in a security risk and have signed the contract. As will anyone who uses a computer, it is all programming in a way, and if they put in a security hole due to ignorance they get sued :)
It is like a hack against the system, but anyone has been allowed to write such a contract in the past, it is nothing new it is just unworkable and uneconomic.
RE: What could go wrong?
Just to pick one of your points:
"need to make a quick change to a SQL statement is going to take ages to actually filter to live"
No. If the code has previously been tested and there is no SQL injection possibility, it can go straight into live...after testing ofc
I think you're overestimating the danger. These are all problems that already exist, the list will just help foolish coders avoid the dangers in future (MS - we're watching you!)
Not as much as you think
Storing and registering code commits is easy, and most shops use code management tools like PVCS, Harvest, etc already. Small time devs don't, but would not agree to these terms without much increased fees. They're not interested in that type of application development.
Background checks are cheap. I do them for my tenants. Most businesses already do this for employees. Even going further and getting C2 clearance certifications for each employee is only a few hundred bucks, and your devs are probably making $50-150K annually, so that's chump change.
Avoiding the most common, published mistakes? You should be doing that anyway. Yes, going through millions of lines of old code to find this is an issue, but new developments should be starting clean.
Devs who do "internal" work are likely doing that for external customers, and those customers can just as easily hold your internal devs to the same terms...
Development of this kind of code we're limiting here to applications that touch protected content, or open system level risks. Macros in Word? We're relying on WORD to have a code base that itself prevents Macros from causing harm, so writing a bad macro should not be able to interfere with your system and this is not a concern, and does not require this effort. Further, we're talking about CONTRACTED development here. If you are being paid to write macros, you SHOULD be doing it right.
Writing good code, and doing good testing IS economical. It reduces tech support loads, eliminates dissatisfied customers, and avoids contract disputes and legal action when customers simply sue over "bad code" they commissioned to be written. If the contract does not have these specific terms, you can easily be sued, and if there are glaring errors, including these common industry accepted and published dangerous errors, you can easily be ruled incompetent, and that you produced a flawed product, and can be ordered to refund and pay legal fees, if not damages. Having these terms provides customer level of comfort, requires only minimal training for your devs, and no one said you have to include ALL the contract stipulations (like 3rd party code review).
Firstly, for any developer who claims to sign up to this, such bugs uncovered will be discovered in "previously existing code".
Secondly, I can see this as nothing more than an excuse for a lot of finger pointing. People working on a project which may be vulnerable to penetration will create suboptimal code as their concentration will always be on deflecting the blame rather than getting the job done.
We don't need stupid contracts.
We need coders to be more aware of the potential risks, and to attempt to code responsibly.
Indemnification is for lawyers with large budgets
It's a good thing to have well trained developers who understand coding with reference to security issues. (That's how I make some of my money.) But unless you are developing from scratch for a trivial microprocessor (itself developed from scratch) using machine code you are relying on code created by tens or hundreds of thousands of previous software engineers working in thousands of different organisations, either as part of the toolchain used to create your application, or your operating platform, or recursively in respect of earlier systems where these platform and toolchain artefacts came from.
Open source distributions are developing an effective form of supply chain management with cryptographic signoff by developers and integrators. This is something likely far better than anything achieved in the complex and closed source world. But either way, the integrity of any final system beyond a given level of complexity still depends upon a web of trust with a great number of people past and present involved and it won't be possible to get them all to sign the proposed contracts. So if the platforms and toolchains are not going to be indemnified, what value is it to the customer of a more expensive application in practice if the latter is indemnified regardless of the legal status of the former ?
This one isn't going to fly in the open source world where licenses specifically disclaim developer liability, though there is nothing to prevent specific code being developed and released open source with side agreements. And if the source code supply chain isn't open source the customer has no way of knowing where all the platform and toolchain code came from or who checked it to what extent anyway.
actual customer requests
are more like this: "don't do any testing, we don't want to pay for it"
After a few years in the dev game, I've pretty much made all the mistakes in the book, including one potentially news-making SQL injection fail. Fortunately I'm capable of learning, so I reckon I'm at least half decent these days. I code defensively, check best practice, analyze for holes etc etc. All the stuff you're supposed to do.
Yet when I'm asked to estimate dev costs for a bid, including all of the above, why is that number invariably slashed in half when the bid goes to the potential client?
I hear that, worse yet is when a client is made aware of vulnerabilities and declines to pay to fix them. I'm sure that I'm not the only programmer who's had the nightmare of inheriting a messy code base.
Bad code quality is a reflection of the trend for businesses to compete on price rather than quality. The problem is far more widespread than just software. Businesses can hire professionals who know what they're doing, or they can give the project to the cheapest developers to jerry-rig the thing together. There are plenty of us capable of doing the job right, but frankly until clients start to care about (and pay for) quality, our employment hinges on doing the work quick, dirty and cheap.
This is evidenced by the eagerness of western business to hand over critical business functions to offshore teams with whom they can neither communicate in real time nor communicate proficiently in the same language.
The problem tends to be that the typical customer has a rather faint idea of what they actually want done (or what is possible/reasonable) at the time a contract is signed. Suggest paying for the work that is needed to figure this out and they are likely to go to someone who is prepared to overlook this. I suppose it is a fundamental flaw in how things work in practice: one can't really blame the customer for not being an expert as this is the very reason they come to you. Smart customers might (eventually learn to) make different contracts for experts looking after their interests and those doing the rest of the work, in which case the suggestion of contract provisions for liability for insecure code would be more realistic in practice.
Oh great, another stick for PHBs
And the PHBs, sales weasels and demented PMs still get off scot free ?
Just the poor coders get sued.
Buffer overflow is #3!
How many years since the Morris worm?
Will people EVER learn?
@ Fran Taylor
"How many years since the Morris worm?"
I think that should read "How many decades since the Morris worm?"
Given that the list is a consensus of these errors the odds are.
1) The list will slowly change over time as programming target systems and methods used change.
2) Some items will remain persistent offenders due to *massive* code backlog, probably because a large part of this code calls certain *very* badly written library functions. Rewriting the library functions would probably remove a lot of those vulns, but break some code (and of course it's impossible to say how much or where) that depends on those functions *being* poorly written. This presumes you still have the source to re-compile from. Also OMG it might *slow* the software a bit, and we can't have that, can we?
I have a better idea.
Instead of contracts to shift liability for bugs to the coders involved, how about we start a program of corporate education. We could call it "you get what you pay for."
I fail to understand how running your coders 18 hours a day, with no vacation for years, paying them barely enough to survive while either being already outsourced to some third-world code sweatshop or constantly under threat of same is supposed to produce good code.
Pay your coders well so they are enthusiastic. Give them vacation time between projects to decompress. Allow them to work sane hours so that they are well rested and their minds are fresh. Remove from them the constant stress of “fear of losing my job.”
Suddenly you have well trained coders who have their wits about them and care about their work. The code these folks produce will be better than that churned out by the folks at the code sweatshop.
The only way to make good code is to hold the management and directorship of the businesses involved personally liable for the quality of code they commission.
I know a LOT of coders. We employ about 600 of them, across 6 different development platforms in languages from COBOL to C to Java. A previous firm I worked for had about 10. I also worked for resellers and supported a number of coding shops.
Coders typically make well more than I do, and I'm not exactly underpaid... It's rare to find an "underpaid" coder.
Yes, some niche developers make poor wages, as do some guys in startup and small firms, and guys writing simply batch code. Most of those guys are also "starting" coders, who in 4-8 years will be making $60K+ given their experience. I started in IT making less than $20K a year too.
I also know very few coders who don't get vacation, and it's commonly held nowadays that lack of sleep makes WORSE code. Well rested devs working 40 hours write more lines of complete code than those who work 60+ hours... Most firms won't LET their coders work more than a set number of hours straight (though development emergencies sometimes override that in small firms).
"well trained?" we're not talking about complex math and rare algorithms here. We're talking about avoiding common, predictable mistakes. It's a simple few days of training, tops.
Management IS held responsible. If the devs push out bad code, and the company loses money, do you not think the investors will be looking at management for reasons why? Management can't often read the code themselves, so all they can do is put in place people who can, and set up PROCESS for review. If that process fails, is it really some exec's fault, directly? No, it's a senior developer's problem. Commissioning code means "write something that does this" and has NOTHING to do with the internals of that code. It's not micromanagement.
Sounds like you work in a progressive, and frankly very nice company.
I envy you.
I think you misheard what management was asking for.
Most firms won't PAY their coders to work more than 40 hours a week, but will nevertheless encourage them to work 60+ hours in order to justify not offshoring their jobs.
Nail on the head there. Not just programmers, any IT folk...and probably just folk in general. Our buddy Michael C works at a pretty nice place I think. Unless my anecdotal evidence of talking to all the IT folk I know around the world about their jobs is totally off base, his gig is definitely the exception, not the rule.
I'm a network admin, and sure enough I am required to put [number shamefully well above 40] hours a week on average, 24/7 on call, no vacation pay for my own support cell phone, etc. etc. etc. Only get paid for 40 hours a week though, no overtime, no banked hours, nada. I’m consistently told that I choose to work overtime, and that because it’s my choice, the company can’t be held accountable. That may be true from one perspective, but the reality is I am not assigned hours to work, merely responsibilities, projects and deadlines. Heaven help me if anything is late or ends up broke. (No way you can keep this ship sailing on 40 hours a week and the shoestring budget we’ve got round here, letmetellyou.)
To be fair, there are some perks: the stock standard health/dental package. They do chip in $150 a month for parking, so I guess that’s generous. They let the IT types have their own coffee pot, (we pay for all supplies,) and a futon in the office for the nights we don’t make it home. Way I hear it though, coffee pot and futon won’t be allowed after the office move, and parking is up in the air too.
Still it’s the best job going in these parts for IT folk; might just be why I’m trying to get out of IT.
It's chip'n'PIN for programmers...
...won't help, just puts the liability on the group with the least ability/cash/time to fight back.
I like the list though. Always food for thought. I think the contract thing is just frustration on producing the same list every year.
The bean counters are running things, and know nothing about connectivity.
"The effort is designed to shift attention to the underlying mistakes that allow vulnerabilities to happen in the first place."
After reading through the list, there is one obvious over-riding problem. That problem is the lack of proper programming education and experience when it comes to the vast majority of the kids working on today's interconnected systems, combined with the general ignorance of whoever it is that is signing off on the internet-facing code that they are producing.
Which leads to the question "Why the hell are management hiring wet-behind the ears kidlets, with zero internet "street smarts", to program internet-facing software that (potentially) will cause all kinds of trouble for the userbase?" (see: TJX for a rather gross example.)
The answer is that manglement are cutting costs in areas that lead to security issues, PROBABLY because they are absolutely clueless about modern day security concerns and are hiring purely on paper, not actual ability.
Corporations need to realize that they need both a people management track, and a technical management track, with equal importance to the business. Until that happens ... Well, let's just say I'm happy in my retirement, working my ranch sunup to sundown (and beyond ...), 7 days a week. The corporate world has been fucked for years WRT connectivity and security.
Oh it's webby stuff
Sorry I thought the article was going to be about real programming
How about blaming the root cause...
The weakly typed language responsible and its complete lack of bounds checking?
"Failure to Preserve Web Page Structure"
A tad specific, don't you think? Looking down the list seems to show a distinct leaning to specific programming areas; namely the "web" - "Improper Control of Filename for Include/Require Statement in PHP Program".
Clearly, the "experts" who compiled this list are only "experts" in a single and very narrow field. So basically, this list of "top 25 programming errors" is a waste of space for 99% of programmers.
Buffer overruns doing at #3, then?
Did you even consider that perhaps web-specific errors show as much as they do because that's where the majority of newbie development is happening? In fact, given the % of development happening on the web vs on "traditional" programming and the purported level of training required for each, the number of non-web issues showing on the list indicates that your "99%" of programmers REALLY need to read the list, because they obviously STILL HAVEN'T GOTTEN IT despite having had 4 DECADES to figure it out!
Simpler than that
You're over thinking things a bit. The reason that web vulnerabilities are so prevalent is that this is a list of the top 25 most prevalent security bugs and, this being the age of the internet and all, websites are the front door to most networks. It's simple really, you don't start breaking into someone's network by cracking their internal payroll system, you do it by exploiting a flaw in some web facing application, which invariably means cracking a poorly written PHP, Java, or .NET site. Once you've got your foot in the door so to speak, then you can worry about mucking with more traditional systems. Of course the variety of worms, trojans etc. making the rounds also contribute to the prevalence of more traditional vulnerabilities (E.G. buffer overflow).
Another way of thinking about it is in terms of surface area, which for a program is the amount of the code directly, or indirectly but shallowly, accessible from the internet. Web applications by their very nature have a very large surface area, where traditional applications tend to have a much smaller surface area. To use a popular target as an example, Adobe Reader has a relatively small surface area requiring the user to first download or view a malicious pdf file, but that small surface area is mitigated by the prevalence of the software, as well as the tendency to embed the viewer inside web browsers thereby increasing its surface area (by reducing its depth).
And what is the best way to make sure your dev team are up to speed on security ? Training.
Who are the best people to provide this ? Sans.org of course.
Advert posing as a serious study. It's like malware.
As mentioned above "you get what you pay for" ... of course this report suggests that you can get cheap inexperienced coders ... as long as they are trained.
Any firm that leaves quality, security, etc to the software vendors deserves a punch in t'gob for being naive.
#1 Failure to Preserve Web Page Structure
¿Programming? The mind boggles.
The real programming errors are nothing that a little experience won't put right, however, if junior developers are not allowed to make those mistakes they will never learn from them. As an example, just earlier this week my son spent hours on a university project trying to figure out why his program froze at a particular point. He eventually swallowed his pride and asked me to take a look. I saw the error in a matter of minutes, it was on the list. Furthermore, it wasn't directly related to the place where the program was freezing, looking away from where you think the error is, is also something juniors need to learn.
It's all very well to say that errors shouldn't be made but in practice it is virtually impossible to account for everything an end-user will try to do with a program. Bugs should be found in testing and the testing phase should include a "throw everything at it" approach to simulate what users might do, not what they are supposed to do. Quite often testing is reduced to inputting a few test values then checking that the output is as expected.
Remember, if your code is idiot proof it's only because the right idiot hasn't come along yet.
Doom at Dilbert.com
Rather appropriately it appears that www.dilbert.com has been hacked this morning and is serving up a dodgy virus scanner instead of some pithy 3 pane comment on the IT industry.
Don't go there, especially if you've set your browser to 'download everything and infect me pleaase'.
at the risk of repeating myself
Devs held to account for management failure
For websites I have to fulfil two requirements:
1) Does it work on the 'happy path' in IE?
2) Does it look pretty?
That is all.
I would love to be given the time and training to ensure that stuff is secure (probably best tested by an outside contractor to be honest) but it won't happen. The money people don't care and will not allow the resources as there is no visible benefit. Right up until a law suit lands.
Then it'll be my fault (despite having asked time and time again to consider security...)
I don't know much about security, but I at least know enough to know that I don't know much. Which is better than most managers I have met. Most just don't give two shits. And it's developers who have no authority to do anything about it who get it in the neck time and time again.
Are you a manager? When was the last time you SPENT SOME MONEY ON TRAINING? £4,000 may sound a lot, but it's a damned sight cheaper than having your ass sued off! If you want experienced devs, good products, quality, then feckin' TRAIN US! And don't bitch and moan when we get it wrong because (despite our best efforts) we get NO SUPPORT from dickwads like you.
End of rant.
Re: TRAIN US
If you want a job, sit back and carry on bleating as you are. If you want a career, get off your arse and train yourself, it can easily be done on your employer's time. Hands off training is a complete waste of time and money, its only useful purpose is to make employees feel they are valued.
On the employer's time?
That'd be a nice start. Let me know when reality hits your planet.
I train myself - it's not easy to do at all. Having to buy the books, kit etc is a serious financial outlay that is often hard to meet. Having to give up other hobbies (there is a life beyond the CRT, y'know) is also a serious sacrifice.
When picking up a new skill I support to make sure I know what pitfalls to avoid before I have to fall down them myself (like leaving sites vulnerable to SQL Injection, for example). So that means someone who has done it time and again and will pass their skills on. That is the value of the "hands off" training you seem to think is worthless (personally I'd rather it was mentor based and on-site).
But no - all one gets are attributes like yours. Obviously working 9-5 (and more, unpaid) simply isn't enough for some folks.
Re: On the employer's time?
>personally I'd rather it was mentor based and on-site
Fair enough, I forgot about that as I was thinking training courses, you are correct, this is the best way to learn but I wouldn't strictly call it training.
However, with regards to employer's time, I doubt anyone puts in 100% of an eight hour day, not even close. There are always lulls. I'm not suggesting these shouldn't be filled with reading websites nor contributing to forums, these are both time honoured work related activities, merely that some of that time could be better employed to improve oneself. There are myriad ways that you could include a small personal training project into a working day.
One other thing, if you value yourself, don't do unpaid work.
Nice to see...
...the "world owes me a living" brigade out in force.
I've always said there are two types of people in the world, those who do and those who moan about them. Please carry on moaning while I get on with things.
You say there are two types of people in the world, those who do and those who moan about them. Only two types of people, eh? Seems I might break your little black-and-white view of the universe.
I work for a living, 12-18 hours a day. I have a roof over my head for now, (and I am grateful,) and even a few shiny knickknacks and toys. I've worked hard for everything I have, but I still live paycheque to paycheque and put in enough hours at work to actually require a cot in my office. I would consider myself as someone who “does,” and isn’t afraid to put the time and effort in required to get things done. Yet, I still complain about the state of the world, so where does that put me in your view?
I don’t treat my staff like dirt, and I don’t ask anything of them I wouldn’t be willing to do myself. I give them the opportunity to make mistakes and I defend them vigorously around budget time. I fight for their raises, and better working conditions, I even manage to find time to volunteer at a couple of worthy causes outside the office, and make my varied donations.
When I look at the “management” folk, either higher up in my organisation or in other organisations around the world, I am sickened. (“Consultants” have a similar effect.) With some notable exceptions, they are greedy, self-centered little $expletives who will cheerfully ruin the lives of thousands of people for a small quarterly bonus. These folk certainly don’t lead by example; asking way more of those they lead than they are remotely willing to give in turn. They are constantly seeking the cheapest candidates who will work under the worst possible working conditions just to save a few bent coppers.
I am perfectly aware that the world isn’t so black and white as all that. People fall along a spectrum. On one end folk so charitable and self sacrificing they can’t look after their own selves. On the other end people who are so self-obsessed they can cause the deaths of millions for meagre personal benefit with a smile and a flip comment about “survival of the fittest.” What I rail against is a society that holds those close to the latter end of that spectrum up as role models, as though short-sightedness and selfishness were exemplary behaviour.
The world doesn’t owe me a living, but by $deity it could use a conscience.
From reading your posts it seems like you are allowing people to treat you like, as you say, $expletive. 12/18 hour days, being paid only for 40 hours, 24/7 on call using your own phone and whatever etc, etc... is. Quite honestly I can't believe that you have staff, however if you do and that's the best conditions you get for yourself then I dread to think how you can get anything better for them and how they can look up to you as a role model. You seem to have done little more than a lot of moaning under the guise of how wonderful you are.
I oversee a small department, but the company doesn't belong to me. I won’t ask my staff to work any more hours than I do, and I do my absolute damndest to make sure *they* at least get to make up their overtime elsewhere. (Legally there is no requirement for sick days, for example. I ensure they are not recorded, and am flexible about staff leaving early, etc.) I do my best to make sure they don’t have to bear the brunt of crappy upstream decisions. The better rested they are, and the better their spirits, the more efficient they will be.
I’d also like to point out for the record that I never said that I was wonderful in any way. I consider myself an "average guy,” no more or less selfish or giving than the folk around me. My complaint is that it’s those who tend to be the self-focused greedy $expletives who end up in charge. (Says all sorts of lovely things about our society, don’t you think?) The average working man, at least around these parts, tends to be a good sort.
As to "allowing people to treat me like $expletive," there aren't a lot of options around here. As much as I might gripe, it really is one of the best deals going for IT guys in these parts. (The guys that get gigs with the municipalities are all unionised and thus working there is pretty sweet...but job openings are rare and exceptionally competitive.)
There just isn’t a lot of work to be had. The power isn’t in the hands of the workers, it’s in the hands of the businessmen. There are far more IT people here than there are jobs, and frankly that seems to hold true for almost every industry I can name. I live in a metro with a little over a million people. There’s another metro to the south with about the same. There’s nothing else for 800km in any other direction. Every major company (and even some municipalities) have been outsourcing to India or the Philippines. The only real work available is with the smaller shops, and as soon as they get big enough, they outsource.
You can cast aspersions on me all you want, but I still maintain that treating (and paying) people well should be the cornerstone of our society, not rabid self-interest, greed and idolising those who step on the backs of others to achieve their wealth. I'm sorry if that rubs your ideals the wrong way.
What seems to be the problem
is that your way of doing something about being treated badly is to cry and tell everyone how they are wrong. All of your posts assume that you are "normal". Well, wake up, you're not. You're letting yourself get treated like crap.
You think everyone is outsourcing, but the fact is that it is still a very small number of companies. It sounds more like you just don't have the spine to go and look for a new job, or the skills to move in to another area.
@ AC 12:47 GMT
You make a fair bit of unfounded assumptions, and like Chris W seem to believe the world is binary. Black or white, on or off. You are either doing something about it, or bitching about it. Oddly enough, it's entirely possible to do both, and life is very rarely so simple as to be binary about anything.
Where I live and work, most companies *are* outsourcing. For that matter, it’s a pretty big thing in various states in the US as well. Even where they aren’t outsourcing, many places are using the threat of it to drive down wages and working conditions. There are certainly places in this world where that isn’t true, and once my personal obligations are no longer binding me to this place, I do very much so hope to move to somewhere better. (Not everyone is so self-focused they are willing to screw everyone around them for personal benefit. I have commitments to keep.)
Not only am I out beating the streets for a new job, I am taking part in my political party to try to get actual change in the laws put through. I attend and do speak up at various industry organisation meetings, and pretty much anything else I can find where I have a chance to make an impact on the actual policies and regulatory structures of my country.
As much as it may seem to you I let others walk all over me, I really don’t. I fight for what I believe in, and if I didn’t, I’d still be working in (literally) a closet for an IT office as I was 5 years ago making less than half what I do now.
If you, AC, or Chris W, or anyone else have a great job with no worries in life I wonder how you got there. Was it because you are so innately better than everyone else? Plucky and spunky and possessing DNA without flaw? I really doubt it. Some of it has to be innate: to get anywhere in life you need the chutzpah to speak up for yourself and to stand out. There are other elements though: the hundreds, even thousands of people who went before you, standing up for workers’ rights and trying to keep businesses and governments honest. Perhaps you merely are without conscience, and soullessly stepped on others on your rise to the top. I don’t know, and I really don’t care.
In the meantime though, while I am willing to fight for what I need…I honestly don’t believe people should have to. If you are willing to work hard, you should be able to earn a comfortable living. Time taken out for training should increase the level of that comfort. Forget all the fuzzy pink bunnies and hippy-happy reasons; I’ll give you the single best reason out there to keep your staff in good repair:
Every second your staff spend looking for a new job, fretting about their finances, campaigning for better working conditions or taking part in their political process is a second they aren’t doing one of the two things that make you money: working or relaxing. Relaxing keeps those workers sharp when they are called on to work, and a clear mind with no worries helps keep them focused. Happy, calm and focused workers are more productive than ones who are constantly looking for the next best thing. Retaining these workers is to the benefit of any business as well, as they are already trained, and familiar with the needs and flows of your organisation.
Of course this requires businesses, managers, politicians and even individuals who think “long term” and “big picture” to recognise. None of the above concepts mean a damn to members of the Cult of the Quarterly Bonus.
Whatever you believe, have a good weekend AC. I know I will, I just got a good Friday lunch-hour rant in.
Do you work for CSC by any chance?
All the best,
William Ernest Henley - Invictus
It matters not how strait the gate,
How charged with punishments the scroll,
I am the master of my fate:
I am the captain of my soul.
I don't know why you ask but just in case you think some other poor sod might be me then I'll answer. No, I don't work for CSC, not now nor ever.
>If you, AC, or Chris W, or anyone else have a great job with no worries in life I wonder how you got there.
I can probably speak for both of us when I say that the answer is we don't take $expletive from anyone.
Many thousands of people have crossed seas and continents, in many cases paying what to them are huge sums of money to less than savoury characters. They put themselves and quite often their family in debt and risk their lives using less than safe methods of transport. Many of them have died in their attempt to make a better life for themselves; others, knowing this, still follow. Yet you won't make an 800km journey which to these people would seem like a ride on a cloud. One other thing, you can always return in safety from that 800km, for the others it is a one way trip into the unknown. Any one of these people has got more get up and go in their little finger than you have in your entire body. I honestly hope for your sake that Trevor Pott is not your real name because any future employer that can link you to your comments will throw your application straight in the bin.
"I am the master of my fate."
You honestly believe that?
Awwww…how quaint. Explains a lot.
Well Chris you are (in your mind at least) a far better man than I. I'd argue the point but we both simply care about completely different things. I acknowledge that people have "crossed seas and continents" and blah blah blah to make a better life for themselves. My grandfather was one such; after the war left his home country devastated we came here.
I look at things a little less black and white than you appear to though. Those people, when off “looking for a better life,” they generally do so when they have absolutely nothing left, or no chance of ever supporting their families where they are now. Shocking as it may be to you, there are perfectly valid reasons I can’t and won’t leave everything and everyone behind right at the moment. I have familial obligations, as well as friends who (at the moment) rely on my support. For that matter, my second-in-command at work has recently spawned an offspring...leaving him in no shape to take over the late-night duties or demanding hours I currently pull. There are several other commitments I have made that I simply can’t just walk away from. If you really are the kind of person that can abandon people who rely on you, I feel sorry for anyone who might come to know you. As much as I very much would like to improve my means, I won’t do so at the expense of others.
As to this being my real name, yes it honestly is. Here for the entire internet to see: there are people and ideals in this world that matter to me more than money, and more than my own sweet salient self. I honestly believe business should pay their staff well, and provide the best possible working conditions; in my opinion this produces the best results and value for money. I believe in leading by example, not through fear, or intimidation. If there is an employer out there who is reading this thread and decides that employing someone like me goes against their business style, then frankly they aren’t someone I’m all that interested in working for. Some employers build their relationships (with staff, suppliers and customers) based on honesty, loyalty and integrity. I admit these businesses are getting fewer in number every year...but these are the types of businesses I seek out.
In the meantime Chris W, I’ve got a stupendously busy week ahead of me, and absolutely no time to devote to more back and forth in thread. I concede to you this argument; I accept that in your eyes I will forever be weak and pathetic, your personal methodology being superior to you in all possible ways to mine own.
I wish you all the best. Your ideology and philosophy seem to be quite in line with the Cult of the Quarterly Bonus, and I hope this allows you to reach the personal and professional heights you strive for. Certainly there are enough corporations where this seems to be The Way Of Things for you to do well. Have a pint on me, and enjoy the sweet taste of e-victory.
@Chris & Trevor
Seek couples therapy. It'll do the both of you a world of good.
LOL. Point taken, good sir.
The proposal is that the development company will be liable, not individual developers.
Nonetheless, it's a complete load of ivory tower bollocks, as others have noted.
It also appears to be rather rabidly against free software, in sentiment. How does the Linux kernel get all its developers background-checked? In fact, what organization would be able to sign such a contract at all in respect of Linux? In the brave new world of hyper-secure software, we'll all be using Windows again?!
SANS, just publish the 25 top fails, and STFU.
A good thing
Perhaps this will force companies to employ real programmers rather than some kid who made a few web pages and wrote a bit of actionscript.
I have 4 friends in IT, and only one of them has any formal training, and he's in sales FFS. The other 3 make it up as they go along. They have no idea about proper structure or documentation. As far as they care, as long as it does the job it will do, and screw anyone who might want to look at the code later.
It's about time programmers were seen on the same level as engineers, then perhaps the world would be a better place, and maybe they need pushing, but holding them to the same standards.