The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Personal responsibility in software design

http://money.cnn.com/2006/01/31/news/companies/security_bostonglobe.reut/index.htm?cnn=yes reports:

SAN FRANCISCO (Reuters) - Two Massachusetts newspapers owned by The New York Times Co., the Boston Globe and Worcester Telegram & Gazette, said Tuesday they had mistakenly sent out slips of paper with the credit card data of up to nearly a quarter million subscribers.


And I ask myself, "What programmer, when asked to put credit card numbers in a report format that was going to be used for mailing labels or whatever said, 'Sure, that's a fine idea.'?"  When asked to design that report, shouldn't a responsible professional -- concerned about data security -- have asked, "Why should we be printing out credit card numbers"?
Chris Nelson
Wednesday, February 01, 2006
 
 
What makes you assume he/she did not ask?
MBJ Send private email
Wednesday, February 01, 2006
 
 
I have to assume that had the question been asked it would have woken up some corporate robot who would have said, "Oh, I guess that _is_ a bad idea."
Chris Nelson
Wednesday, February 01, 2006
 
 
Yeah? You think?

I think the corporate drone would have said something like "I'm telling you what to do here. You do play with your little computers, I'll make business decisions. When you get paid what I do, you get to make decisions. Until then just go type."

Forgetting that the actual decision was taken in a meeting that no-one was really "at", they we all sort of popping in on their way to other meetings or lunch or squash or whatever.

I mean, this doesn't happen in all corporations. Happens in a lot of them though...
Katie Lucas
Wednesday, February 01, 2006
 
 
And I'd argue that the programmer failed to be sufficiently personally responsible. 

I once worked for a Fortune 500 company.  Shortly after a new CEO said we were going to be streamlining our proceeses, eliminating paper, etc. I was promoted into a "position of responsibility" where I was asked, nay required, to sign a statement regarding conflict of interest.  The statement wasn't worth the paper it was printed on: if I was dishonest enough to steer business to my brother-in-law, I'd sign the damned thing anyway and if I was honest enough to not do so, the paper wasn't going to make me more honest.  I refused to sign the paper.  After months of organizational nonsense, I had a half-hour meeting with General Counsel who explained that while he realized that the paper was "stupid" signing it was a condition of employment.  I signed.

How freaking hard can it be to say, "You know, you say we need to divulge CC info but let's check with our CIO. OK?"
Chris Nelson
Wednesday, February 01, 2006
 
 
Chris, I can tell you haven't worked for long in corporate America.
Peter
Wednesday, February 01, 2006
 
 
If you call over 20 years not long, I guess you're right.
Chris Nelson
Wednesday, February 01, 2006
 
 
I think some folks are reading a lot more into this news article than is stated.

Perhaps the original programmer DID raise this as an issue. Perhaps the programmer even resigned because they valued social responsibility over their day job. Or perhaps the programmer was assured that such a thing would NEVER happen, that NO ONE would be so thick as to do something like this even if it were theoretically possible.

Or, perhaps there WAS no individual programmer who could see this coming -- Software can be pretty modular nowadays. One person works on mailing label code, another on storing credit card data, and a third on a generic system to store and manipulate lists of (generic) data. None of them sees enough of the complete system design to even consider the implications of combining everything together. If the person writing the design docs is in management or marketing (which does happen), then blaming the programmers seems a bit misdirected.

And where's the personal responsibility of the end-user fit in to all this?
Ian Schreiber Send private email
Wednesday, February 01, 2006
 
 
I'd bet one of the following comes out in the investigation:

- they were never supposed to be routing slips in the first place, just happened to contain routing-useful info, then some 'customer service' flunky found them and had their 'aha!' moment
or
- some junior newbie programmer or service house got told to use the "Routing Assignment Number" or some other poorly-named or redirected (think database view) field.

In the first case, the "business" person is at fault, in the second, well, there have been _many_ discussions on this forum about using clear schema.
a former big-fiver Send private email
Wednesday, February 01, 2006
 
 
Katie nailed it.
Scott
Wednesday, February 01, 2006
 
 
"the programmer failed to be sufficiently personally responsible"

To be held responsible for business decisions do you think that one has to have the authority to make such business decisions?
Scott
Wednesday, February 01, 2006
 
 
>If you call over 20 years not long, I guess you're right.
No. Your reply to Katie doesn't sound like the sort of reply that an experienced person would make. It sounds more like the sort of excuse a blame-seeking-mismanager is looking for. Are you a programmer? I don't know that. Are you a mismanager? I don't know that either. Scott also hit the point. The business mismanager makes those decisions, not the programmer on the line.

>When you get paid what I do, you get to make decisions. Until then just go type.
That is the mentality of virtually every business mismanager. That is why we have Enrons and Arthur Andersons.

Why should I be held "responsible" for business decisions that I can neither make, nor change?
Peter
Wednesday, February 01, 2006
 
 
Maybe it was a poor sap using some reporting tool and not realising the "unique_id" he was extracting was a credit-card number?

Or, maybe the info was correct, but it was suppsed to stay internal. In which case its the an error of who ever sent it external...
Honu Send private email
Wednesday, February 01, 2006
 
 
Doh! Should read article first

It says near the end that the error was due to the dsitributer using recycled paper, to print the routing slips, that happened to have credit-card numbers printed on.  Sounds like whoever printed the creditcard info missed the shredder and hit the recycle bin...
Honu Send private email
Wednesday, February 01, 2006
 
 
Hmmmm.  I don't know if I skipped over that when I first read it or if the article has been updated (the joy of online publication).  Sloppy security in any event.  And in interesting discussion of personal responsibility.

For the record, I'm a software engineer.  "Programmer" if you wish but I have more experience and a broader scope of responsibility than I would attribute to that title.
Chris Nelson
Wednesday, February 01, 2006
 
 
One of my clients has two guys at about $9/hour to handle all the reporting.  They run crystal against the database and no programmer is ever involved because it is too expensive.  I could easily see them grabbing a stack of paper and recycling it.  Let's not be too quick to blame a programmer these days - none may be around.
MSHack
Wednesday, February 01, 2006
 
 
I once worked for a government place (university with 20,000 students) that would recycle long printouts containing financial aid information about all students, including tax id numbers and birthdates. These papers would be distributed as free scratch paper in the library and other areas for taking notes or what not. I complained about the practice but nothing was ever done.
Scott
Wednesday, February 01, 2006
 
 
"... long printouts containing financial aid information about all students, including tax id numbers and birthdates."

Why is this information on paper to begin with?

I think if you answer this question, you'd go a long way towards getting them to stop recycling the paper. Ideally, they'd realize they don't need it on paper, they only need one archival copy, or they can export/import the data between systems rather than printing it out and re-keying it back in. Get rid of this "need" and there's no paper to recycle.

With respect to the main discussion, I agree with the others who suspect the problem occurred because people are focused on their own jobs rather than the big picture.
TheDavid
Thursday, February 02, 2006
 
 
Worcester's where I grew up. Woohoo. Go Highlanders. Go embryo cloning researchers.

On topic: yeah, the manager who requested the report is responsible. Heck, they could have done it themselves.

I don't understand why credit card companies don't force businesses to store credit card numbers only as hashes signed with the merchant's private key.
Spinoza Send private email
Friday, February 03, 2006
 
 

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics
 
Powered by FogBugz