EU Cyber Resilience Act and RISC OS

103 posts, 15 voices

Pages: 1 2 3 4 5

Jan 2, 2024 8:30pm Steve Pampling (1551) 8170 posts	Without changes to QEMU, the only suitable machine I am aware of is the Pi2 OR that monster-Pi I configured in the other thread. I thought that the Sabrelite emulation might do for first playground.

Jan 2, 2024 10:07pm Paolo Fabio Zaino (28) 1882 posts	I thought that the Sabrelite emulation might do for first playground. Hummm, not sure TBH, looking at sabrelite sources, it’s an IMX6, which means probably reusing the HAL for the mini.m , but the sabrelite seems to have some option set by default that may cause some issue: sabrelite_binfo.secure_boot = true; However it can be configured to load on core 0: if (!qtest_enabled()) { arm_load_kernel(&s->cpu[0], machine, &sabrelite_binfo); } Which I think it’s what is happening on the mini.m (IIRC). it may be usable yes.

Jan 3, 2024 2:09pm David Pilling (8394) 96 posts	“the Investigatory Powers (Amendment) Bill…” “Using this power, the government could … stop developers from patching vulnerabilities in code that the government or their partners would like to exploit,” Expect a new law making RISC OS compulsory.

Jan 3, 2024 2:23pm Rick Murray (539) 13840 posts	“the Investigatory Powers (Amendment) Bill…” I’m sorry, I wasn’t able to make it beyond BE IT ENACTED by the King’s most Excellent Majesty without cracking up. stop developers from patching vulnerabilities in code that the government or their partners would like to exploit, Which part(s) in particular would imply this? ¹ What happens, for example, when it’s a British developer working on something used in other countries? Especially given as they may (as in the case if this EU law passes) require holes to be patched in a ridiculously short manner ². making RISC OS compulsory. Just slap a union flag on it and call it “Best of British”, job done. ¹ That’s not to say they wouldn’t, I don’t trust that group of degenerate muppets any further than I could throw one of them. But surely even they aren’t stupid enough to put a requirement like that in writing? ² The short window between first report and expected fix will act as a chilling effect on bug fixing. Nobody will want to diagnose and correctly fix problems because that might take too long and penalties… so it’ll just be a bit of virtual gaffer tape stuck on to make the reported problem go away. A few cycles of that and… ugh.

Jan 3, 2024 2:44pm James Pankhurst (8374) 126 posts	Nobody will want to diagnose and correctly fix problems because that might take too long and penalties Sounds like a job for me! If it doesn’t work, disable or remove the feature. Can’t have bugs if there’s nothing there to go wrong.

Jan 3, 2024 3:26pm David Pilling (8394) 96 posts	Which part(s) in particular would imply this? Seems Tech body thinks so: https://www.politico.eu/article/uk-bulking-up-spying-regime-breakneck-speed/

Jan 3, 2024 4:31pm Paolo Fabio Zaino (28) 1882 posts	“the Investigatory Powers (Amendment) Bill…” “Using this power, the government could … stop developers from patching vulnerabilities in code that the government or their partners would like to exploit,” Expect a new law making RISC OS compulsory. Sorry, didn’t we quit all that to get back control? Oh wait, no we can’t quit local regulations if we want to sell stuff to folks in their own countries (someone should have told this to the “exitiers” I think). Sorry for the sarcasm, not addressed at you at all, but things are getting more and more complicated for an international-UK has it was defined by the red-bus folks. The CRA will impact UK business potentially heavily, you are correct, also because it contains elements of remote data processing, so even on main land datacenters, if such services are willing to sell to EU customers. However, the only impact it should have on RISC OS is on whatever is identified as “sales” or “funding”. I am not aware of RISC OS paid Cloud services (yet!). For what concern UK businesses, things can be quite complicated, given here we’ll need to follow (or comply) with our specific regulations, plus the regulations in each country we want to sell stuff (this is literally a “Brexit benefit”! I know crazy, but a small country can’t impose its own regulations to bigger countries or unions, yup no one thought of that in 2016!) So, we have a combinations of laws and regulations which (generally) have to be looked at “together” to figure out what a business can and cannot do and how they should deal with cyber security: Computer misuse Act (1990), PECR – Privacy and Electronic Communications Regulations (2003), UK eIDAS – Electronic Identification and Trust Services for Electronic Transactions Regulations (2016), UK NIS (2018), Telecommunication Security Act (2021) and the new National Cyber Strategy (2022). Basically, depending on the business-type, one should look into one or more of them with Computer misuse Act and NIS + NCS applies basically to everyone. When compliant with the required UK regulations, then one has to make sure we are also compliant with the local regulations in the country where we want to sell our products or services. So, I wonder how we’ll deal with the good point you made… like, keep a switch that can be turned on and off depending on the gov requesting access, and then having to protect that switch at all costs to avoid becoming non-compliant with the rest of the regulations’ rules local and “worldwide” because cybercriminals discover the switch and use it too… oh boy!

Jan 3, 2024 6:50pm Steve Pampling (1551) 8170 posts	That’s not to say they wouldn’t, I don’t trust that group of degenerate muppets any further than I could throw one of them. Quite wise on the trust front, but would really want to try handling any of them without full PPE? But surely even they aren’t stupid enough to put a requirement like that in writing? Have you seen any indication that they aren’t? Nobody will want to diagnose and correctly fix problems because that might take too long and penalties… so it’ll just be a bit of virtual gaffer tape stuck on to make the reported problem go away. The main complaint about me is that I tend not to “give up” and thus delay things until they aren’t too flakey to give a decent service. The main reason tasks get thrown at me is that I don’t give up, and they end up with a useable setup.

Jan 3, 2024 7:01pm Steve Pampling (1551) 8170 posts	Sorry, didn’t we quit all that to get back control? No, Brexit was all about lining the pockets of Tories and their funders. For easy examples, select any one of the current list of criminal investigations into allocation of contracts, e.g. a notable case with Mone moaning, mostly about being a scapegoat because they found out. Not only profiteering on an NHS emergency, but supplying dodgy goods. yup no one thought of that in 2016 Part of the raft of stuff that the Remain campaign pointed out was a reason no to leave, stupidly assuming quiet fact speaking could knock down a set of loud, repeated lies.

Jan 3, 2024 9:14pm Rick Murray (539) 13840 posts	Sorry, didn’t we quit all that to get back control? Speak for yourself, maybe. ;) I didn’t get a vote, and if I had it sure as sunshine ¹ wouldn’t have been for that. Given that the government tended to lose ² in the ECHR ³, what they meant was “vote so we can take back control”. Us little people? Look at Kate’s lovely dress! (…and STFU) if such services are willing to sell to EU customers. There appears to be a curious omission for “software as a service”, which might exempt cloud-enabled software…which, I dunno, might have thought would be one of the things where online security might have actually been rather important? I smell the rancid whiff of brown paper enchiladas. ⁴ I am not aware of RISC OS paid Cloud services (yet!). http://shop.elesar.co.uk/index.php?route=product/product&product_id=66 Native filing system module that connects to a cloud service. With respect to the CRA, that surely has “oh crap” written all over it. So, I wonder how we’ll deal with the good point you made… Grab a bag of popcorn, sit back, watch the brown stuff splatter. cybercriminals discover the switch and use it too… oh boy! Yup. That’s why anybody who mandates back doors (because think of the children!) should be barred from public office, barred from voting, and just generally not allowed to play with the adults in the room. No matter how clever or special secret one thinks their itty bitty back door is, the instant that secret is known, it’s game over for everything that has that secret embedded into it. That one can have a way of checking up on what their enemies are up to equally gives their enemies the ability to check up in turn…as was recently demonstrated by that shady-as-hell Israeli spy outfit who’s little bit of spyware was found in places it shouldn’t have been. ⁵ a set of loud, repeated lies. Ah, yes, the simple succinct madness mantras. Like the one on the podium when Rish! speaks. People are on strike, energy bills are beyond a joke, the UK is the most unequal country in Europe (and getting worse), and possibly the most regionally unequal rich country in the world. ⁶ Do they really think people actually care that much about “the boats” when they’re struggling to feed themselves, and wondering if their children’s schools are safe? I mean actually care, not just whipped into a frenzy by the likes of the Daily Mail or GB News (that is, by now, surely just the propaganda arm of the government?). For easy examples And not an actual investigation as yet, but funny how many assigned contracts, if one follows the money, seem to end up at a company own, managed, or overseen by the PMs wife or Infosys (the PM’s wife’s father is one of the founders). It’s as if whatever flavour of English the Tories speak (probably Middle English ⁷ if Rees-Mogg has any say in the matter) doesn’t have any dictionary definition for the word “corruption”. ¹ I was going to write “sure as hell”, but then thought about the logic failure of suggesting a high level of certainly upon a place that I don’t believe exists… ² I think it was actually about fifty-fifty, but you don’t hear about the cases won, you only hear endless screaming about the vast amounts of public money spent on trying to get rid of this one guy that they never should have let into the country in the first place. ³ Which isn’t the EU, but it has Europe in the name and that’s close enough. I wish I was joking, but I’ve had this exact same discussion with multiple people in the past eight years. They voted to leave the EU when they aren’t capable of saying what the EU actually is. ⁴ I wanted to write “envelopes”, my phone thought I meant “enchiladas”, and since I’m eating homemade spicy chicken tortillas (Old El Paso kit), I thought “close enough”. ;) ⁵ NSO, Pegasus. ⁶ https://www.economist.com/britain/2020/07/30/why-britain-is-more-geographically-unequal-than-any-other-rich-country (only the first few paragraphs, paywall…) ⁷ Chaucer.

Jan 3, 2024 11:43pm James Pankhurst (8374) 126 posts	Corruption : noun A woke lefty socialist term incorrectly thrown about to try and discredit the perfectly correct and appropriate assignment and allocation of resources to the right sort of people.

Jan 4, 2024 12:39am David J. Ruck (33) 1635 posts	Lets get back on topic, and leave out the political moaning we’ve heard a hundred times before.

Jan 4, 2024 1:56am Paolo Fabio Zaino (28) 1882 posts	Native filing system module that connects to a cloud service. With respect to the CRA, that surely has “oh crap” written all over it. That is certainly an interesting pick, but the Cloud side will be on pCloud, not Elasar, although if the client side most likely implement the open source API provided by pCloud themselves. Lets get back on topic, Agreed, but I think at this point the “ball” is in the hands of the business (if they want to sell their goods to EU residents and citizens), given there are clear stated rules for the free side, most (if not all) of what we do/done is going to be fine. Paid support, sold products or services will most likely need (at the bare minimum) to implement the processes required and hope for no one to ever consider RISC OS (or any of the stuff we developed on it/ for it), otherwise those business will have to take actions on the fixing/resolving the found vulnerability (which in the case of RISC OS it’s pretty much everything). If that happens, then serious problems may arise, given it’s really hard to secure RISC OS and RISC OS based products. On a side note, I have been working also on a byte code interpreter that does implement a security model, where users can configure what a byte code app can and cannot do on a system, but, given it still under active development, it will take a while to a) be available and b) be fully test the security model. However it does have full memory protection and a lot of security practices in the code already, so maybe… To restrict traditional apps full emulation is required, tools like AEmulor do not grant isolation and compartmentalization. Another way is to leverage an Hypervisor, but that would require an hypervisor that already fully support either a Dom0 or support integrating the desktop to provide a convenient and cohesive experience and ensure that an App IS isolated from the rest of the OS. Now all of this requires a lot of work, so, personally I don’t think it’s going to happen. Not sure if there are other ideas or possibilities.

Jan 4, 2024 10:30am Rick Murray (539) 13840 posts	we’ve heard a hundred times before As long as the situation persists, it should be called out. To dismiss with “we’ve heard this before” normalises it. but the Cloud side will be on pCloud, not Elasar Are you sure about that? Reminder: “‘product with digital elements’ means any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately;” given there are clear stated rules for the free side Yup – open source only and not making any money from it, directly or indirectly. So say goodbye to those “Sponsor my hosting” or “Buy me a coffee” buttons. otherwise those business will have to take actions on the fixing/resolving the found vulnerability Which is why the result will be an unholy mess of patch upon patch. If product A has a problem that might be an OS issue, the logic thing is to work with somebody to work out what is actually going on, devise a fix, perform regression testing… When I fixed the timezone bug in CLib which was painfully obviously it calling the wrong SWI by mistake, I had to test (via emulation) everything back to 3.10 (because that’s still supported by CLib), and I had help for the 4.x versions that I don’t have. It took time. Under the new rules, time isn’t an option, so people will just patch over the problem. I get that there should be some expediency otherwise some will twiddle thumbs forever, but I think it’s better to provide status updates to the authorities to say “it’s being sorted” and to allow a reasonable length of time for a proper solution. To restrict traditional apps full emulation is required I don’t see how it’s possible to run anything “secure” on an OS that has a system call designed to give the caller kernel level access and by design runs third party extensions with those same privileges. Like I said, grab 🍿…

Jan 4, 2024 10:58am Steve Pampling (1551) 8170 posts	To restrict traditional apps full emulation is required, tools like AEmulor do not grant isolation and compartmentalization Stepping away from RO, how compliant would you say Windows was in regard to isolation and compartmentalisation? I can run something like Fiddler, as a service, sending the connection details and content over to another device on the network, and then replay the sequence.

Jan 4, 2024 2:12pm Rick Murray (539) 13840 posts	Stepping away from RO Exactly it. Two things are liable to happen as a result of this: Companies will simply cease making their products available to EU countries. This sort of thing has already happened with regards cookies, some American sites detect the IP is in “Europe” and simply toss you to a generic “The GDPR is important” page promising they’ll get right on the compliance, dated years ago… Prices will rise dramatically. Quality and security, less so. We might even end up with bastardised versions with less functionality as the “troublesome” things are simply disabled. And don’t be fooled by believing the EU is too big a market to lose, when the cost of penalties risks exceeding the potential for profit, they’ll walk. It would have been much better if the first incarnation of this law was aimed solely at firmware, that is to say software embedded within devices, rather than trying to be a catch-all for everything.

Jan 4, 2024 2:58pm Paolo Fabio Zaino (28) 1882 posts	Stepping away from RO, how compliant would you say Windows was in regard to isolation and compartmentalisation? I can run something like Fiddler, as a service, sending the connection details and content over to another device on the network, and then replay the sequence. We just mentioned to stay on topic… (sorry not trying to be rude Steve). However, you are obviously aware of the full memory protection offered by Windows, it’s permissions architecture and, I assume, you are also familiar with the new architecture that both Windows 10 and 11 implement where the kernel is effectively executed in a VM right? If that’s not enough for your own standards, remember Windows can run containerized applications now. So, if you’re trying to compare Windows with, let’s say, QubeOS, then yes MS Windows doesn’t have the same level of compartmentalization as QubeOS offers, but certainly Windows do have plenty of measures to protect itself and 3rd party code. Now, I am aware than some folks hates Windows in the RO community, so I am not trying to sell you Windows, that is your own choice to make, not mine. But in answer to your question, yes Windows DOES offers a certain degree of isolation and compartmentalization. As a general rule, RISC OS should be considered a toy OS compared to Windows, Linux and macOS (if nothing else) on the matter of security. So, not sure why this question in this thread and how it would help about evaluating the impact of EU’s CRA on RISC OS, but to copy Rick’s good humor here: Stepping away from RO Exactly it ;) at least for the folks that dream of RO taking over the world (I’d certainly be worried if such a thing would even be possible ahahaha!) Now that certainly helps. So, maybe it’s time to give up on “profits” using RISC OS ? (Oh dear I guess this will enrage many, sorry if it does!) Another option as mentioned by Rick is, companies will just stop selling RISC OS goods to EU, between 10 sold items and what 6 or 7? It’s not life changing. [edit] For the non-tech savies let me translate this sentence from Steve: I can run something like Fiddler, as a service, sending the connection details and content over to another device on the network, and then replay the sequence. What he meant is: If I have ADMIN permissions and decide to install and configure something like Fiddler giving it system privileges and on the HOST system, as a service, sending the connection details and content over another device on the network, and then replay the sequence IF I have decided to use non encrypted transmission protocols and I have full control on both systems. While on RISC OS: If I just open a zip file with SparkFS that contains an App, that App can decide to run automatically and just with a BBC BASIC small program (or better install a module to auto load at boot) start reading the content of my entire disk and memory and send it over the cloud service without having ANYTHING even blinking an eye. This also answers original Theo’s point BTW. HTH [/edit]

Jan 4, 2024 5:01pm Steffen Huber (91) 1953 posts	If I just open a zip file with SparkFS that contains an App, that App can decide to run automatically Actually, no. The user decides – I always open archives with Ctrl-Shift-Double Click. And yes, this is non-obvious functionality and doesn’t make RISC OS a safe OS :-)

Jan 4, 2024 5:38pm Rick Murray (539) 13840 posts	yes Windows DOES offers a certain degree of isolation and compartmentalization. Windows has holes. Less than before, but I bet it’s still possible to pwn a machine with an intentionally busted WMF (yet again) because some of the bugs in GDI date back to the Windows 3 days… Why d’you think Patch Tuesday is a thing? Why d’you think it’s a big deal when older versions of Windows become EOL? (given the number of “solutions” sold with older versions embedded, like self-scan tills, price check gizmos, photo kiosks, etc etc etc) that App can decide to run automatically Microsoft made that same mistake too. On a machine that defaulted to have the user be the administrator. For a company the size of Microsoft, that was dumb. I’m not admin on my XP box. I’m not sure if I even remember the admin password, but then I don’t really need to as Hirren’s BootCD has a tool that’ll blank it if I need to. and send it over the cloud service Well, there’s your first hurdle. ;) this is non-obvious functionality Hmm, maybe there should be a third party module to hijack the running of !Boot files to allow certain whitelisted things to happen. Icon sprites and filetypes, yes. Anything else, no. It’s not life changing. Depends upon your target market and how much is business within the EU.

Jan 4, 2024 5:51pm Steve Pampling (1551) 8170 posts	given the number of “solutions” sold with older versions embedded, like self-scan tills, price check gizmos, photo kiosks, etc etc etc Bloodgas analysers, biochemistry analysers, renal dialysis machines – oh, look we’re back to the bit about “the FDA won’t allow…” (they will but the b’stds don’t want to pay for the recertification, despite the cert only being valid if the OS is fully patched)

Jan 4, 2024 6:17pm David J. Ruck (33) 1635 posts	Windows has holes. Less than before, There is no evidence of any reduction in the inexhaustible torrent of Windows security vulnerabilities. Hmm, maybe there should be a third party module to hijack the running of !Boot files to allow certain whitelisted things to happen. Icon sprites and filetypes, yes. Anything else, no. One of the tiny number of RISC OS AntiVirus products attempted to do that, it wasn’t very popular as it broke some early applications which ran programs to determine machine configurations before claiming filetypes etc.

Jan 4, 2024 6:27pm Paolo Fabio Zaino (28) 1882 posts	Well, there’s your first hurdle. ;) Hahah, true, RISC OS can’t do performant networking, but data leaks aren’t done in TERABYTES per seconds lol, a common technique is to have very slow data transfers to hide between the network noice, on RISC OS this technique is not needed ;) Hmm, maybe there should be a third party module to hijack the running of !Boot files to allow certain whitelisted things to happen. Icon sprites and filetypes, yes. Anything else, no. A solution is to stop using Obey for Apps !Boot and, instead, solve it as Apple solved it too (yes a macOS App has the equivalent of RISC OS App !Boot), use a declarative language for !Boot, like JSON, XML, INI whatever as long as it can’t run commands. I made a specification for a potentially useful protocol for it, just for fun. Maybe it’s worth sharing it, but given the desire to keep things as they have all been, maybe that will just steer emotional reactions, so not worth the pain of formalization I think. However, when you solve !Boot issues (again the use of shift-click IS NOT the solution to the problem, because if one forgets, or if your wife, kid, nephew don’t follow it, you’re screw anyway), then you’ll have the !Run issues, or the lack of memory protection issues, or the direct kernel access issues, or the SWI that do not check parameter ranges issue, or the architecture that is not designed for tolerance and resilience issue… But, limiting attack surface is probably worth exploring on RISC OS, if nothing to avoid the most obvious hacks and so make the thing a little more resilient . Windows has holes. Let me rephrase your sentence: EVERYTHING has holes, not just Windows. But there is NO comparison between the level of security Windows has in this day and age to what it had 20 years ago. Which brings us to Steve’s point: Bloodgas analysers, biochemistry analysers, renal dialysis machines – oh, look we’re back to the bit about “the FDA won’t allow…” (they will but the b’stds don’t want to pay for the recertification, despite the cert only being valid if the OS is fully patched) Yes, there is a business (in some cases pure extortion) on making customers pay extra for security, but this is done everywhere even on Linux. On top of that, you are correct, many companies either stuck in the past and forces customers also to stuck (which the EU CRA should address) OR it’s the customers that are unwilling to redo an investment to upgrade (there is also this). Now, that is a serious issue (the whole lot of situations I mean). There is an ongoing debate if software engineering is still Engineering, in the sense of comparison with Engineers that have to design and build bridges which needs to be safe and secure and hold for years against weather and aging process. While software is more and more a very short time living thing. Should we drop the engineering title in favor of something more keep to a restaurant or something? Or should we start designing software and hardware to last for decades? A complete different topic, but if of interest we can open it. Maybe the EU CRA and more regulations that will follow, will make the agile/restaurant approach to software engineering not convenient anymore (but I doubt it, with folks needing more and more features as we breath literally). P.S. I dont’ want to look like a Windows advocate, as a matter of fact I am actually a Linux user (and BSD) mostly, and use macOS for music, so really not a Windows user, however there have been improvements on Windows over the years that can’t be denied. [edit] There is no evidence of any reduction in the inexhaustible torrent of Windows security vulnerabilities. Some data is available at the link below, although if is difficult to track number of vulnerabilities discovered vs solved, from the number of vulnerabilities reported for each release we can guess that Window 10 22H2 is more secure than previous releases, however again this is a guesstimation!!!! https://www.cvedetails.com/product-search.php?vendor_id=0&search=Windows Obviously, vulnerabilities will always be discovered for products that keep moving forward, it’s a fact and there is nothing anyone can do about it. This is true for Windows, Linux, macOS (Apple recently had to release a urgent patch set for a set of zero days on macOS and iOS that were even found being actively exploited int the wild), BSD and whatever application or program out there. [/edit]

Jan 4, 2024 7:14pm Rick Murray (539) 13840 posts	There is no evidence of any reduction XP is when the regular OS updates thing really started to take off. That was over eight thousand days ago. That’s a lot of patches in the 22 years since then. I’m assuming that the patches actually fixed things, and wasn’t Microsoft randomly breaking the printing services just to mess with us. it wasn’t very popular Yup. The ages old question: Security or Convenience, pick one. A solution is to stop using Obey Non viable. Far too much legacy baggage, there’s currently no suitable replacement, and you know if it is “better than BASIC” then people will want to start to use it for actual programs and, well, then it’ll gain the ability to run * commands and, oh look, back where we started. ;) [plus RISC OS in general is rather resistant to change, just look at attempts to get Switcher to do something with a right click that isn’t “what the left click does”] But, limiting attack surface is probably worth exploring on RISC OS Oh, are we back to rewriting it already? Maybe we ought to make it 64 bit while we’re at it? 😂 EVERYTHING has holes, not just Windows. Completely true, but Windows is perhaps the most widely used closed source OS that is known for its many security holes. it’s the customers that are unwilling to redo an investment to upgrade Well, when it’s a piece of important hardware and a mundane update costs hundreds of thousands (because they can), then the customer might decide that that sort of investment is better spent elsewhere. Customers, both private and commercial, are not endless cash cows to be milked (even if everybody and their mangey kitten is shifting to a subscription model in order to try to extract lactation). There is an ongoing debate if software engineering is still Engineering There are places where calling yourself a software engineer can get you into a lot of trouble as they treat “engineer” as a protected classification (meaning you need to be an actual engineer and not some random guy with a keyboard and pretentions). Maybe the EU CRA and more regulations that will follow …will make the EU a technological backwater (more than it already is – the top ten software companies, tech companies, etc; how many are in the EU? they can’t even point at ARM any more because Brexit) They should be cracking down on the lack of ongoing product support, certainly; but at the same time championing open source, and in particular exempting individuals who release their software for free (open or closed) regardless of whether they also sell printed user guides or have a Patreon as those sorts of things are optional and up to the user to decide.

Jan 4, 2024 7:39pm Paolo Fabio Zaino (28) 1882 posts	There are places where calling yourself a software engineer can get you into a lot of trouble as they treat “engineer” as a protected classification (meaning you need to be an actual engineer and not some random guy with a keyboard and pretentions). Very true, Italy is one of those places. To have engineer title you must successfully complete 5 years of university and then have an extra amount of years of practice and habilitation exam before you can claim the title. But then again, yes an Italian engineer invented the first microprocessor, but after than I am not sure how much computer science progress we have contributed across the decades. So, I’d say there are issues on both sides. Certainly making software without knowing what one is doing (Agile) and try to make it quick (Management insane demands) is NOT engineering. Imagine a bridge or a building designed and built using Agile methodologies and being in a hurry to release an MVP (Minimum Viable Product) ahahaha :D Customers, both private and commercial, are not endless cash cows to be milked (even if everybody and their mangey kitten is shifting to a subscription model in order to try to extract lactation). This is a complex subject Rick. I agree with you, but the entire economy is based of “continuous buy/sell” process. See the same customers you’re talking about use servers to make money themselves, so why should they charge others if we are all not endless cash cows? As an Italian, I constantly get reminded of the quality of Roman’s roads and I constantly have to remind every time that if we would build things to last 2000 or more years, we would have to change the economy completely. How those folks that work on building roads would live? Building more roads? Don’t we have already too many and we are causing environmental issues? (this btw applies to computers as well). Don’t get me wrong, I am not arguing with your statement, but it’s since the beginning of the 90s that the true business behind tech companies has been endless growth. At the beginning it was Microsoft game of acquisition, then it re-incarnated in other various forms to end in what Meta/Google/Apple and others have created in the last 25 years, where growth is pushed beyond reasonable numbers. This has been desired by investors and pushed and encouraged, now we seems to be observing a new age were a lot of these tech giants are being left without oxygen, but then again, AI is milking investors (so still old school endless growth on the market). Companies like Amazon, Twitter, Instagram and many others have deficit in their balances, but they got funded for decades purely for gaining more users! I am all up to change the economy into something more sustainable for both humanity and the planet, however at this point we have really gone completely off topic ahaha , so I stop, sorry!

Jan 4, 2024 9:05pm Simon Willcocks (1499) 513 posts	making software without knowing what one is doing (Agile) Come on, that’s not what Agile is. Nobody expects civil engineers to move a bridge 20m to the left or put a roof on it half way through a build, but that’s the sort of thing customers expect of software. Agile is not knowing exactly what your customers want (because your customers never know exactly what they want), but converging on a solution that is what they want with the minimum of wastage.