- Feature Articles
- CodeSOD
-
Error'd
- Most Recent Articles
- Stop Poking Me!
- Operation Erred Successfully
- A Dark Turn
- Nothing Doing
- Home By Another Way
- Coast Star
- Forsooth
- Epic
- Forums
-
Other Articles
- Random Article
- Other Series
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
https://www.bikesrepublic.com/wp-content/uploads/2021/01/Damn-meme.jpg
Admin
They might get away with it on pen-testing (until the pen-testers look at the configuration-that-contains-code...), but a software-quality audit of the sort done by e.g. the French cyber-security agency ANSSI(1) would definitely shred them.
(1) ANSSI = Agence nationale de la sécurité des systèmes d'information. ANSSI and ANSI are different things.
Admin
Self-modifying code on a medical device under the control of people who know nothing about coding in general or the effect of changing the database to alter behavior sounds like a great choice if you want to kill people.
Admin
Admin
i can't imagine a situation where that solution could be a good idea
Admin
"...it was just clever." How many code disasters stem from trying to be "clever?"
Admin
I'm wondering what an audit from a national authority (FDA in the US, EMA in the EU, MHRA in the UK, PMDA in Japan, and so on) would do to them.
I'm wondering why QA wasn't screaming bloody murder, because they've got to figure out how to write and test against validation requirements surrounding that code. (Validation is no joke, but it is most definitely a pain in the a**.)
Admin
Wait, no one is going to bring up the fact that they evidently are running this medical device on WINDOWS?
Admin
Please tell me he was leaving because he was fired.
Admin
Heh, several years ago I was working for a company whose major selling point was the ability to configure new products by putting scripts into database and compiling assemblies on the fly, in a very similar fashion...
Admin
Wait, so in C#, you can just call the compiler like its any other system library and just make up random code to compile and run in memory, and that's just considered normal?! Why would any of that functionality even exist other than to enable nefarious deeds?! From my point of view, TRWTF is Microsoft.
Admin
Most likely dual system. Embedded system directly operating machinery with RTOS and communicating with world through interface computer though something - serial, USB, ethernet,...
Admin
How can you tell, it's nowhere mentioned in the article?
.net is open-source and open-platform with Mono for over 20 years now; heck, most of the games on your mobile phone have been made in Mono, so pretty everyone has now used .net in the world often without even knowing it thanks to Unity3D again for decades now.
Admin
It's not only for nefarious reasons- it's how the .NET compiler works under the hood. It ties into the architecture of their IDEs, enables refactoring functionality, etc. Remember, .NET is really about the CLR and libraries, so the idea is that it should be easy to spin up new languages and new language features without having to modify the compiler itself (at least in prototyping). So the compiler is an API.
Admin
Not been in the industry very long have you! Decades ago you could do exactly the same with command line scripting languages to get a script to generate code and run it. And that was before Windows and on mini computers so stop Microsoft bashing and get some real life experience.
Admin
As-is this is certainly out there. But at least strictly in terms of safety, WebAssembly could actually make something like this not a security nightmare: https://github.com/SteveSandersonMS/DotNetIsolator
Either way, certainly in terms of maintenance and verifiability the approach is wild.
Admin
Not at all uncommon.... client generated code is one way to approach the situation where every single practice [and often providers within a different practice need different workflows].
Admin
Yeah, a while back I worked at a medical device company. A certain British conglomerate had bought-up 32 different little medical startups in the USA and made one company out of them. Then closed and consolidated them so each building held about sever of the old companies. Only the employees that agreed to move 200 to 900 miles to a central location.
I was put in charge of FDA approving an old product. There was only one guy that came over from the old company and he knew nothing much, he was a middle manager. All the info on the product was loose sheets of paper in one cardboard box, with no organization or context. Mainly scribbled notes like "can't pass any tests anymore, juggling the code and the op-amps". The code was unintelligible. The op-amps were a curious mix of very-expensive deluxe precision op-amps, nestted in low-precision resistors so all the op-amp precision was lost. I wasn't able to make any progress, so I worked around the edges, coming up with a 3D model of the device on a nurs's desk, just to proce to the FDA that the display could be read from most any angle. That was fun. A few weeks later I found a very different job at a small company where things were about 400% saner.
Admin
I have to add, there was some artistic license in the story;
But still. The fact that it occurred at all, and yes, a week after pen-testing... [facepalm]