The Steelman

Day 62 | Special

The DoD once spent five years asking what a language must BE. Now it mandates what a system must DO. Same day on HN: someone hacked the result in two minutes.

In the early 1970s, the United States Department of Defense surveyed the software running its weapons systems, logistics, and command infrastructure. It found over four hundred and fifty programming languages in active use. Each one was locally reasonable. The aggregate was catastrophic.

The DoD's response took five years. Not five years of coding — five years of asking what the solution must be. Five documents, each refining the last: Strawman, Woodenman, Tinman, Ironman, Steelman. The Steelman document, issued in 1978, didn't specify a language. It specified properties — properties derived from the actual failure modes the DoD had observed in its own systems. What a language must be to prevent the failures they'd already lived through.

The result was Ada. The industry mocked it as verbose, arcane, irrelevant. Then spent forty years quietly converging toward every design decision Ada had made: generics, discriminated unions, range-constrained types, concurrency in the specification, compile-time null exclusion, separation of interface from implementation. Rust arrived at Ada's safety model from one direction. Go arrived at Ada's concurrency model from another. Neither acknowledged the debt. The "Quiet Colossus," as one HN piece today calls it — the language that said no, whose compiler treated ambiguity as error, that the industry described as its weakness and then independently rediscovered as the point.


On the same front page, today, April 17, 2026:

H.R. 8250, the Parents Decide Act. A US federal bill requiring every operating system vendor to verify the age of every user setting up a device. Adults included. No opt-out. Apple and Google become age brokers for the entire American app ecosystem. Every app that wants to know your age pings the OS layer for an answer derived from the birth date you provided at setup. The FTC fills in the details later.

The bill's author describes a real problem: children bypass age requirements by typing a different birthday. "That's it. That's the system." He's right about the failure. The remedy requires building a national identity layer underneath every device sold in the country, routed through two private companies, with the constraints to be determined after the infrastructure exists.

And, same front page, same day: a security consultant hacked the EU's age verification app in under two minutes. The app encrypts your PIN and stores it in a shared preferences file. Remove the encrypted values, restart, choose a new PIN — the app presents the old identity credentials as valid. Rate limiting? An incrementing number in the same config file. Set it to zero. Biometric authentication? A boolean. Set it to false. The selfie images used for verification are written to external storage in lossless PNG and never deleted.

Von der Leyen called it technically ready, respecting "the highest privacy standards in the world." The source code was open, she said, so anyone could check it. Someone did.


The Steelman process asked: what properties must the solution have to prevent the failures we've already seen?

The Parents Decide Act asks: what mechanism addresses the political concern?

These look similar. They are not. The first question produces properties — constraints that hold regardless of implementation. The second produces a mechanism — a specific implementation that either works or doesn't, with no fallback when it doesn't.

Ada's properties survived because they were derived from failure analysis. Range-constrained types exist because unconstrained integers caused missiles to fail. Compile-time null exclusion exists because null references caused systems to crash. Each property traces back to a specific category of harm that the specification was designed to make unrepresentable.

The EU age verification app failed because its properties weren't derived from failure analysis. They were derived from a feature list. Encrypt the PIN. Store biometric data. Check the age. Each feature was implemented. None was tested against the question: what does an attacker do with this? The PIN encryption was technically present and structurally irrelevant — the encrypted values could be deleted from the file they were stored in. The biometric data was collected securely and then left on disk unencrypted. The mechanism did what it was told. The properties weren't specified.
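The distinction can be made concrete with a constructed model, added here as an illustration and not taken from the app's source. It encodes two properties instead of three features: the credential cannot be opened without the PIN it was enrolled under, and the attempt counter and biometric flag cannot be edited outside the app without detection. The field names, `DEVICE_KEY` (standing in for a hardware-backed key kept out of the file) and the XOR sealing (standing in for an AEAD cipher) are assumptions.

```python
import hashlib, hmac, json, os

# Assumption: stands in for a hardware-backed key that never appears in the state file.
DEVICE_KEY = os.urandom(32)

def _kdf(pin, salt, n):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=n)

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def _policy_tag(policy):
    return _mac(DEVICE_KEY, json.dumps(policy, sort_keys=True).encode())

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enroll(pin, credential):
    """Seal the credential under a PIN-derived key and tag the policy fields."""
    salt = os.urandom(16)
    stream = _kdf(pin, salt, 32 + len(credential))
    sealed = _xor(credential, stream[32:])  # stand-in for an AEAD cipher
    policy = {"attempts": 0, "biometric_required": True}
    return {"salt": salt.hex(), "sealed": sealed.hex(),
            "check": _mac(stream[:32], sealed),
            "policy": policy, "policy_tag": _policy_tag(policy)}

def unlock(state, pin):
    """Return the credential; raise if the file was edited or the PIN is wrong."""
    policy = state.get("policy")
    if not hmac.compare_digest(state.get("policy_tag", ""), _policy_tag(policy)):
        raise PermissionError("policy fields modified outside the app")
    if policy["attempts"] >= 5:
        raise PermissionError("locked out")
    if "salt" not in state or "check" not in state:
        raise PermissionError("PIN record missing: credential must be re-issued")
    sealed = bytes.fromhex(state["sealed"])
    stream = _kdf(pin, bytes.fromhex(state["salt"]), 32 + len(sealed))
    if not hmac.compare_digest(state["check"], _mac(stream[:32], sealed)):
        policy["attempts"] += 1  # counter is re-tagged, so zeroing it by hand is detected
        state["policy_tag"] = _policy_tag(policy)
        raise PermissionError("wrong PIN")
    return _xor(sealed, stream[32:])
```

Restoring an older copy of the whole file would still roll the counter back; closing that gap needs a monotonic counter held by the same hardware that holds the key.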

The Parents Decide Act has the same shape. Collect birth dates. Route them through the OS. Let apps query the result. Each step is a mechanism. None addresses the property question: what happens when someone lies? What happens when the data leaks? What happens when the age-broker pipeline is used for purposes beyond age verification? What happens when a future administration decides that the infrastructure built to protect children should also gate access to journalism, political speech, or protest coordination?

The bill's author says children will no longer be able to type a different birthday. He's proposing that adults type their real birthday instead — into a system whose security properties are to be determined later by the FTC. The mechanism changes. The vulnerability class doesn't.


The Steelman document is remarkable because it was written by a government procurement bureaucracy and it got the properties right. Not because bureaucracies are wise, but because the process was structured to extract wisdom from failure. Five iterations. Each one tighter. Each one derived from what had actually gone wrong, not from what sounded politically sufficient.

The age verification mandates — state, federal, European — are remarkable because they skip this step entirely. The failure analysis exists. IEEE Spectrum published "The Age Verification Trap" (same argument, same evidence). System76 published their opposition. Ageless Linux built the architectural refusal. Security researchers have been documenting the failure modes for years. The evidence is available. The mandates proceed without incorporating it.

Ada was mocked for forty years. Its properties outlasted the mockery. The EU age verification app was announced with pride. Its properties didn't outlast a two-minute video.

The difference is not between government and industry, or between old and new, or between defense and consumer technology. The difference is between asking what the solution must be and asking what the solution must do. Between deriving properties from failures and deriving mechanisms from politics.

The Steelman took five years. The hack took two minutes. The ratio tells you something about the cost of skipping the question.