'The Year That Software Bugs Ate the World' (fastcompany.com)
FastCompany's harrymcc writes: It's not like there's ever a year that isn't rife with stories about buggy software. But 2017 seems to have had an unusually rich supply of software flaws that fouled up major products -- from Twitter to iOS 11 to the Google Pixel 2 -- in ways that were very noticeable and sometimes even funny. Sample this: A nagging flaw in Google's Play Services software for Android causes Gmail to demand access to "body sensors" before it will let users send email. Android Police's Artem Russakovskii discovers that his Mini is recording audio 24/7 and storing it on Google's servers. I rounded up a bunch of them over at Fast Company.
We need to go back to basics (Score:4, Insightful)
Programming in traditional programming languages instead of the latest fad language and framework. And develop in our own countries instead of outsourcing it.
Re:We need to go back to basics (Score:5, Insightful)
What we really need are programmers who actually know what they are doing. The problem is that there really aren't enough programmers out there to get all the development projects done by knowledgeable programmers. It doesn't matter how much you pay them, the programmers simply don't exist.
I think that the latest fad language and framework is actually just a symptom of the underlying problem. With a good enough tool set, you can fake your way through it for the most part and make it look like the system works from the outside. But you eventually hit a wall where the framework can't make up for the lack of skill of the developers, and this is where you run into problems.
Re:We need to go back to basics (Score:4, Insightful)
Why would they do that? They'll just address it in the next sprint! If you're agile enough, that is. Just add those bugs to the backlog! We've got features to ship!
Re: (Score:3, Funny)
At the beginning of a project, it doesn't make sense to invest a lot of development effort into a comprehensive, secure, bug-free, scalable, and robust foundation. Doing so costs a fortune and your business flops before it is finished. And anyway the market hasn't tested your offering yet so you don't know if it is going to live long enough to need a foundation that is that advanced.
During the mid-life of the project the need for a better foundation starts coming up, but it still doesn't make sense to sp
Yeah. Build the house from the roof down. (Score:1)
When will you suckers realize that a solid, well engineered foundation is the key to every successful construction project???
You "strengthen-it-later" types are why we can't have nice things; you merely sit back in your rubble, and smugly proclaim to be the great first-mover innovators.
Re: (Score:2)
When will you suckers realize that a solid, well engineered foundation is the key to every successful construction project???
That's great, except plenty of these programs/apps/what-have-you are made by startups. Startups have to show immediate RESULTS when it comes time for the second round of funding or else there won't be a second round. They have to build the application first, then fill in features and fix bugs.
Re: (Score:2)
Thing is, the people managing software developers don't know what they're doing either.
Re: (Score:2)
The problem is that there really aren't enough programmers out there to get all the development projects done by knowledgeable programmers.
This isn't actually true, though. In the late 90s when it was really true, the market responded, pay went up, and job availability went up too. The situation now is that pay isn't going up significantly, and jobs remain "open" forever without any attempt to hire whoever the most qualified person who applied was. You might have 1000 applicants, and the "job" remains "open" and the work later gets outsourced.
If there was a real shortage, hiring would instantly increase!
Re: (Score:2)
The idea of frameworks and new super high level languages is to make it so people don't have to understand the hard stuff to write good software.
Even the best programmers struggle to write crypto, for example. Most people would be crazy to write their own, better to use a well tested library.
We need to make better frameworks.
Re: (Score:2)
Hey, you said Qt twice!
Re: (Score:2)
Language, country of origin, and even skill to a degree don't really affect the quality of the software. It is management who wants the product done ASAP, sets up rigorous timelines, loosely gathered specifications, and sells the product to the market, before any single feature is tested.
In a lot of our software, I wonder how much proof of concept code is out there without being fully fleshed out, because it technically works, however the details to prevent it from breaking and access via ways that it
Re: (Score:2)
Language affects software quality a lot, because ultimately software quality is determined by the user based on how well their use case is served. Understanding the use case is a very human, language-and-communication type of problem. Even poorly written software can eventually be bugfixed to quality, if the management understands the use case and continues to apply resources.
Language differences don't prevent that, but it does make understanding use cases harder, so the average maximal result will be lower
Re: (Score:2)
You're using "language" like {English,French}.
GP is using it like {Java,C++}.
Re: (Score:2)
My favorite bug of the year was the Bluetooth one that caused a bunch of idiots to whine and cry that "everybody" was remotely rooted, while in reality RHEL/CentOS users were only ever exposed to a DoS bug. (box would crash instead of being exploited because RH turned on the bt memory protections already available in the kernel)
99 bugs in the code.... (Score:5, Funny)
Re: (Score:3)
148 bugs in the code to be fixed, 148 bugs in the code. Fix a bug, wrap it up, 835 bugs in the code...
Re: (Score:2)
99 bugs in the code to be fixed, 99 bugs in the code. Fix a bug, wrap it up, 148 bugs in the code...
Pretty much :)
Is there any field of human endeavour that suffers from so many unintended consequences, besides politics?
Re: (Score:1)
Sex?
Will have to get worse before it gets better (Score:4, Insightful)
The average person still does not care at all. Hence software can still get worse and even cheaper to make before it starts to cut into profits. And it will.
Re: (Score:2)
Yep, companies too. They even care not about QA. MS axed its QA department years ago. I'm still unemployed after a year. :(
Re: (Score:2)
Indeed, it is. People perceive pathetically bad quality as "normal".
Re: (Score:2)
The second problem is the lack of knowledge in consumers. Given two pieces of software that fill the same function, do you have any mechanism to say which one is likely to be more secure? Creating good metrics for evaluating software security is an open research question in cybersecurity. When we don't even have research that can do the comparisons usefully, expecting consumers to make informed decisions with no information seems a bit of a stretch.
Re: (Score:2)
The competent among us know how to produce GREAT software
Care to share your secret? What do you do when working on large (10 million or more lines of code) codebases that ensures that there are no security-related bugs?
Apply the razor (Score:2)
The examples listed are not necessarily bugs, even if they are named so when they're found out.
Never attribute to malice that which can be explained by stupidity. But then again, never attribute to stupidity that which can be explained by corporate greed.
Re: (Score:2)
explained by corporate greed.
There is no such thing as corporate greed; all greed is personal when you look under the hood.
I Blame Connectivity (Score:4)
Re: (Score:2)
How about stupid people who can't even spell stupid?
Re: (Score:2)
Connectivity is not the problem. I can reach millions of web servers, that doesn't make the browser more complex.
It does. A modern browser splits itself into multiple processes and runs most of them with very little privilege precisely because of this. Out of those millions of web servers, the probability of at least one of them trying to attack the browser is approximately one. Browser writers know this and so have multiple layers of defence. They know that in the (roughly) 30 million lines of code in a typical browser, at least some of them will contain security vulnerabilities and so they try very hard to ensu
Re: (Score:2)
I think a major contributor to all these bugs is
Apple.
More software, more bugs (Score:2, Insightful)
Next year: Even more software, even more bugs.
Re: Not all of them are bugs (Score:2)
Yup. Both of the Google "bugs" sure do look a lot like features. User-hostile features, sure, but planned intentional features all the same.
Google is always watching. (And listening, too, it seems.)
Stop Google now before it's too late.
shorter development time,... (Score:2)
I would go with shorter development time, nowadays less and less testing is done before a release,..
"Beta testing? BAhhhhh,... that is what users are for."
with that and your boss telling you to release now since he had a quick look and didn't see any problem,... (after a 5min glance)
Not going away anywhere soon with AI (Score:1)
The demarcation between traditional programming bugs vs undesirable outcome due to flawed learning blurs as software complexity increases. Subtle biases or other instabilities can be introduced that influence cognition and it will be nearly impossible to trace.
If the app misbehaves, trying to trace and attribute it
Is it really the year of the bugs? (Score:2)
I mean I remember the "Good Old Days" where the system would crash when you look at it wrong, or typed too fast. SQL Injection errors were common...
These bugs that came out this year, while bugs, are a far cry from the risk of trying to use a computer during the 1990s or before.
I haven't seen a BSOD (or its equivalent) in nearly a decade now. These glitches that we get today, while some are serious, they are rather small in the big picture.
Re: (Score:2)
Yes, an animation error. Vs crashing or locking up a system.
Re: (Score:2)
The BSOD on W10 seems to be a big frowning emoji attempt. Which took me a minute to realize what I was looking at the first time I saw it.
2017 also known as (Score:2)
the year the frog noticed the water was getting kind of hot.
Re: (Score:2)
Doubtful, since most people know that the frog thing was just some bullshit some asshole made up and not a real effect.
The reality is that frogs in heated water have nowhere to escape. That's the whole story. Give them a chance to escape, and they will; they do understand the problem, and all evidence confirms that. There was never any reason given for believing the cliche; it is just a sort of IQ test; people who are credulous to the point of mental disability will believe it, and everything else they hear
Re: (Score:2)
Myths are supposed to be truthful, not factual.
Too many moving parts (Score:1)
Re: It's because of the push back against testing (Score:2)
My company has no QA testers, no spec to test against, no leadership motivation to get either of those things, and no financial resources to spend on them even if there was desire. We do have some unit tests but they are not a priority. As you might imagine, the quality of the end product is less than stellar.
Yet despite some serious usability issues tons of people use the system. That's considered validation of the business model. :)
Fast Company (Score:2)
Fast Company - for those who find The Verge too technical.
Re: You get what you pay for (Score:2)
Sometimes I talk socially with local "entrepreneurs" building various (mostly useless) applications with 100% outsourced dirt cheap labor. Often they will tell me about some problem they're having with the software or the "coders", expecting a sympathetic ear or useful advice.
I literally laugh out loud at them. "Hahahaha - pay peanuts, get monkeys!"
The lower the inflation-adjusted pay goes in our industry, the more skilled and knowledgeable people who are going to sit back and just laugh while everyt
Capability Based Security (Score:3)
If we had capability based security in our systems, this kind of stuff would require the user to knowingly allow these types of activities. Until then, we're all screwed. Stop blaming everything but the OS. It's not the programmers or the users.
Two Bytes to $951M .. (Score:2)
Something missing from that story, just on the tip of my tongue, is it any wonder this has become known as the Microsoft Slashdot.
Two Bytes to $951M [blogspot.co.uk]