[SystemSafety] A couple of references on security

Chris Hills safetyyork at phaedsys.com
Thu Jan 16 18:18:49 CET 2014


Happy New Year All

I too have been looking at the Toyota/Bookout transcripts and it brought
home to me something I have been ranting about since 2000. That was
regarding the proposed changes to the UK Corporate Manslaughter Act from
"controlling mind" to "duty of care", which became law in 2008. (IANAL and
you should seek professional advice.)


My point to anyone who would listen in 2000-2007, before it became an Act,
was that: when the Bill becomes an Act, whilst the new law will not be
retrospective [it only applied to deaths since 6th April 2008], the cars,
boats, planes, industrial plant etc. involved in said accidents were all
going to have been built, with software written, well before the date the
new Corporate Manslaughter Act came into force.


So you need to ensure you are using "appropriate Best Practice" NOW when you
write the code. Lest in a decade you get some crusty academic expert
witness*, with no project manager screaming "Deadlines!" at him, go through
your code in court with several papers on Best Practice in his hand,
assisted by a prosecution lawyer. A lawyer whose job is to find you
"Guilty!" on behalf of his clients.


*My rant at the time (2000-2007). No implied comment on the Bookout/Toyota
expert witnesses.


This is effectively what we see in the Bookout/Toyota case: code written
over a decade ago is in the dock.


It is no use saying it does not apply to me because, as in the case of the
UK Corporate Manslaughter Act, laws can change. Code written in 2006 with
one Corporate Manslaughter Act in place will be looked at from 2008 under a
very different law. So your only real defence, as far as I can see (and I am
not a lawyer), is to work to current appropriate Best Practice now, even if,
at the moment, you are not required to work to any particular standard.


Subject: Re: [SystemSafety] A couple of references on security

and as the Internet of things

[CAH] PLEASE PLEASE PLEASE can we not start using that horrible phrase.
All networks connect "things". It is a vacuous phrase.


What are we all going to do when 'everything' is running Linux?

[CAH] Simple.. Die. :-)


The problem is not Linux per se but the religion that goes with it. I have
seen some devotees specify a Cortex M6 + Linux to run an HTTP server when
the more appropriate solution was a PIC16 or 8051 (or even a Cortex M0 at a
push) with a standalone TCP/IP stack. Thus using megabytes more of vastly
more complex code than was needed.