
Deliberate problem. The inevitable corporate "oops, we fixed the auth" and common reply of "never ascribe malice to incompetence" is textbook psychological warfare. More importantly it's an effective overtone move vs collecting the data at all.

Explicit instruction isn't necessary or desired; it's trivial to write an unfunded 'compliance' requirement, practically guaranteeing a specific outcome.



The "sprint problem".

There is a technical or moral concern that does not immediately make money, or worse, reduces income.

Every development sprint, tasks are prioritized.

All that needs to happen is for the desired items to have, say, a priority of 3, while items in the sprint are always priorities 1 and 2.

That ensures those items are never done.

Examples? Google web applications tested and bugs fixed for Firefox.


There's a person whose job is to prioritize.

If that person, and that person's management, think that security and privacy are a priority, then things get fixed.


Where's the incentive for company leadership to spend resources on security currently?

As long as there's no incentive to improve security, there will be no security.

Examples of incentive: laws. Fix security or you can't sell your product, if you can't sell product you don't get a bonus or get fired. Don't gather location data if it's not critical for the functioning of the car or you can't sell your product, etc.


In my experience it’s really up to technical leadership to highlight what will happen if security flaws are ignored. If more senior leadership continues to ignore these issues, then it’s a culture issue and I wouldn’t stick around.

Surely it’s all about risk mitigation; some out-of-date NPM package with a minor flaw might cause the can to be kicked, but a major flaw with demonstrable consequences should get priority.


You have a point. The problem in the German car industry is that there is no technical leadership. From the bottom management upwards they are all politicians. No technical people.


Is that unique to the German car industry? Outside of a few tech corps or some small startups, mainly in the US, most shops seem to 'run' their tech function more like buyer/seller e.g. "here's some Euros in exchange for [thing] we'd like" instead of the traditional employer/employee dynamic where your boss can evaluate your work to some degree.

Arguably they'd be better off actually doing that as a true buyer and just engaging B2B for their easily solved CRUD variants than this weird go-between that combines the negatives of managing employees with the negatives of buying unknown solutions.


No doubt it happens elsewhere. I meant only what I know for fact. But a good example where it seems very much to be running similar is e.g. Boeing.


GDPR already exists. It just needs to be enforced in this context.


Against VW? Ha ha ha!



