• (nodebb)

    https://www.bikesrepublic.com/wp-content/uploads/2021/01/Damn-meme.jpg

  • (nodebb)

    Sally raised this to her boss. He sighed, put his head in his hands, and was silent for a long moment. "We just signed off on doing pen-testing last week. They're going to destroy us."

    They might get away with it on pen-testing (until the pen-testers look at the configuration-that-contains-code...), but a software-quality audit of the sort done by e.g. the French cyber-security agency ANSSI(1) would definitely shred them.

    (1) ANSSI = Agence nationale de la sécurité des systèmes d'information. ANSSI and ANSI are different things.

  • (nodebb)

    Self-modifying code on a medical device under the control of people who know nothing about coding in general or the effect of changing the database to alter behavior sounds like a great choice if you want to kill people.

  • dusoft (unregistered)
    Sally is the most experience
    should be either: has the most experience or: is the most experienced
  • giammin (unregistered)

    I can't imagine a situation where that solution could be a good idea.

  • Richard Brantley (unregistered)

    "...it was just clever." How many code disasters stem from trying to be "clever?"

  • BPFH (unregistered) in reply to Steve_The_Cynic

    I'm wondering what an audit from a national authority (FDA in the US, EMA in the EU, MHRA in the UK, PMDA in Japan, and so on) would do to them.

    I'm wondering why QA wasn't screaming bloody murder, because they've got to figure out how to write and test against validation requirements surrounding that code. (Validation is no joke, but it is most definitely a pain in the a**.)

  • (nodebb)

    Wait, no one is going to bring up the fact that they evidently are running this medical device on WINDOWS?

  • (nodebb)

    Said tech lead is leaving

    Please tell me he was leaving because he was fired.

  • Jim Jam (unregistered) in reply to giammin

    Heh, several years ago I was working for a company whose major selling point was the ability to configure new products by putting scripts into database and compiling assemblies on the fly, in a very similar fashion...

  • Goose (unregistered)

    Wait, so in C#, you can just call the compiler like it's any other system library and just make up random code to compile and run in memory, and that's just considered normal?! Why would any of that functionality even exist other than to enable nefarious deeds?! From my point of view, TRWTF is Microsoft.

  • Klimax (unregistered) in reply to Baflingo

    Most likely dual system. Embedded system directly operating machinery with RTOS and communicating with world through interface computer through something - serial, USB, Ethernet, ...

  • (nodebb) in reply to Baflingo

    How can you tell, it's nowhere mentioned in the article?

    .net is open-source and open-platform with Mono for over 20 years now; heck, most of the games on your mobile phone have been made in Mono, so pretty much everyone in the world has now used .net, often without even knowing it, thanks to Unity3D, again for decades now.

  • (author) in reply to Goose

    It's not only for nefarious reasons- it's how the .NET compiler works under the hood. It ties into the architecture of their IDEs, enables refactoring functionality, etc. Remember, .NET is really about the CLR and libraries, so the idea is that it should be easy to spin up new languages and new language features without having to modify the compiler itself (at least in prototyping). So the compiler is an API.

  • Graculus (unregistered) in reply to Goose

    Not been in the industry very long have you! Decades ago you could do exactly the same with command line scripting languages to get a script to generate code and run it. And that was before Windows and on mini computers so stop Microsoft bashing and get some real life experience.

  • (nodebb)

    As-is this is certainly out there. But at least strictly in terms of safety, WebAssembly could actually make something like this not a security nightmare: https://github.com/SteveSandersonMS/DotNetIsolator

    Either way, certainly in terms of maintenance and verifiability the approach is wild.

  • TheCPUWizard (unregistered)

    Not at all uncommon.... client generated code is one way to approach the situation where every single practice [and often providers within a different practice need different workflows].

  • Gumpy Gus (unregistered)

    Yeah, a while back I worked at a medical device company. A certain British conglomerate had bought-up 32 different little medical startups in the USA and made one company out of them. Then closed and consolidated them so each building held about sever of the old companies. Only the employees that agreed to move 200 to 900 miles to a central location.

    I was put in charge of FDA approving an old product. There was only one guy that came over from the old company and he knew nothing much, he was a middle manager. All the info on the product was loose sheets of paper in one cardboard box, with no organization or context. Mainly scribbled notes like "can't pass any tests anymore, juggling the code and the op-amps". The code was unintelligible. The op-amps were a curious mix of very-expensive deluxe precision op-amps, nested in low-precision resistors so all the op-amp precision was lost. I wasn't able to make any progress, so I worked around the edges, coming up with a 3D model of the device on a nurse's desk, just to prove to the FDA that the display could be read from most any angle. That was fun. A few weeks later I found a very different job at a small company where things were about 400% saner.

  • "Sally" (unregistered)

    I have to add, there was some artistic license in the story;

    • The code submitted was caught in a PR and never entered the codebase
    • The tech lead did write a correction afterwards addressing the concerns
    • Doctors were never expected to write corrections to the logic. This was purely for the dev convenience of the tech lead. But, yes, logic did reside in the settings file [sigh]. This was addressed in a subsequent PR, to be fair.

    But still. The fact that it occurred at all, and yes, a week after pen-testing... [facepalm]

Leave a comment on “Compile It Yourself”
