Formerly /u/Zalack on Reddit.

Also [email protected]

  • 0 Posts
  • 37 Comments
Joined 1 year ago
Cake day: August 3rd, 2023


  • Formal licensing could be about things that are language agnostic. How to properly use tests to guard against regressions, how to handle error states safely.

    How do you design programs for critical systems that CANNOT fail, like pacemakers? How do you guard against crashes? What sort of redundancy do you need in your software?

    How do you best design error messages to tell an operator how to fix the issue? Especially in critical systems like a plane, how do you guard against that operator doing the wrong thing? I’m thinking of the Dreamliner incidents where the pilots’ natural inclination was to grab the yoke and pull up, which unknowingly fought the autopilot and caused the plane to stall. My understanding was that the error message that triggered during those crashes was also extremely opaque and added further confusion in a life-and-death situation.

    When do you have an ethical responsibility not to ship code? Just for physical safety? What about Dark Patterns? How do you recognize them and do you have an ethical responsibility to refuse implementation? Should your accreditation as an engineer rely on that refusal, giving you systemic external support when you do so?

    None of that is impacted by what tech stack you are using. They all come down to generic logical and ethical reasoning.

    Lastly, under certain circumstances, civil engineers can be held personally liable for negligence when their bridge fails and people die. If we are going to call ourselves “engineers”, we should bear the same responsibility. Obviously not every software developer needs to have such high standards, but that’s why software engineer should mean something.



  • My experience has often been the opposite. Programmers will do a lot to avoid the ethical implications of their works being used maliciously and discussions of what responsibility we bear for how our work gets used and how much effort we should be obligated to make towards defending against malicious use.

    It’s why I kind of wish that “engineer” was a regulated title in America like it is in other countries, and getting certified as a programming engineer required some amount of training in programming ethics and standards.







  • Sorry, you’re right that I wasn’t being precise with my terminology. It’s not a DDoS but it could be used to slow down targeted features, take up some HTTP connections, inflate the target’s DB, and waste CPU cycles, so it shares some characteristics of one.

    In general, you want to be very, very careful of implementing features that allow untrusted parties to supply potentially unbounded resources to your server.

    And yeah, it would be trivial to write a set of scripts that pretend to be a Lemmy instance and supply an endless number of fake communities to the target server. The nice thing about this attack vector is that it’s also not bound by the normal rate limiting since it’s the target server making the requests. There are definitely a bunch of ways Lemmy could mitigate such an attack, but the current approach of “list communities current users are subscribed to” seems like a decent first approach.
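
One way to bound the server-initiated pull described in the comment above, added here as an illustration and not taken from the thread or from Lemmy's code base. The limits, the `CommunityStore` stand-in, `crawl_peer`, and both sample peers are hypothetical names constructed for this example; the point is that budgets sit on the pulling side, where inbound rate limiting never applies.

```python
# Illustrative limits (assumed values, tune per deployment).
MAX_PAGES_PER_CRAWL = 5     # outbound requests spent on one peer per crawl
MAX_ITEMS_PER_PAGE = 50     # entries honoured from a single response
MAX_STORED_PER_PEER = 120   # DB rows one remote instance may occupy
MAX_NAME_LEN = 64           # oversized fields are dropped, not stored

class CommunityStore:
    """Stand-in for the local table of remote communities."""
    def __init__(self):
        self.rows = {}  # peer hostname -> set of community names

    def is_full(self, peer):
        return len(self.rows.get(peer, ())) >= MAX_STORED_PER_PEER

    def add(self, peer, name):
        known = self.rows.setdefault(peer, set())
        if name in known:
            return False  # duplicate: no new row consumed
        known.add(name)
        return True

def crawl_peer(peer, fetch_page, store):
    """Pull community names from one peer; stop at whichever budget trips first."""
    stats = {"pages": 0, "stored": 0, "rejected": 0, "stopped": "page_budget"}
    for page_no in range(1, MAX_PAGES_PER_CRAWL + 1):
        items = fetch_page(page_no)
        stats["pages"] += 1
        if not items:
            stats["stopped"] = "peer_exhausted"
            break
        # Anything past the per-page cap is counted and ignored.
        stats["rejected"] += max(0, len(items) - MAX_ITEMS_PER_PAGE)
        for name in items[:MAX_ITEMS_PER_PAGE]:
            if not isinstance(name, str) or not 0 < len(name) <= MAX_NAME_LEN:
                stats["rejected"] += 1
            elif store.is_full(peer):
                stats["stopped"] = "storage_quota"
                return stats
            elif store.add(peer, name):
                stats["stored"] += 1
    return stats

def endless_peer(page_no):
    # Constructed sample: a peer that never runs out of fresh names.
    return ["x" * 10_000] + [f"fake_{page_no}_{i}" for i in range(200)]

def honest_peer(page_no):
    # Constructed sample: a small instance with one page of communities.
    return ["rust", "selfhosted", "privacy"] if page_no == 1 else []
```

In a real deployment `fetch_page` would also need a response-size cap and a timeout on the HTTP client, since the limits above only apply after a page has been parsed.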