This is the kind of thing I think about whenever people say "managers should trust engineers and leave them alone to do their work".
https://arstechnica.com/security/2024/09/meta-slapped-with-101-million-fine-for-storing-passwords-in-plaintext/
-
@hungryjoe @polotek if I can try to synthesize both of your points? It seems to me that if junior engineers are acculturated to knee-jerk tell managers to fuck off and leave them in peace, they will not have any chance or motivation to develop the skill of actually communicating and negotiating with managers. Furthermore, managers will have no particular reason to bother communicating with them.
-
@zwol @hungryjoe I don't think this is an accurate synthesis.
-
@hungryjoe I think your expanded thoughts come across just fine. If I was stating my own position more clearly, I would say that manager and engineer are both roles that have a job to do. They work best when both sides understand the other's job and they collaborate to achieve the best results.
There is an unbalanced power dynamic that has to be navigated there. But I think many engineers use this as an excuse to be unaccountable for their decisions.
-
galvao replied to Ben Ramsey
However, demanding this kind of ethical decision from programmers is really unfair.
What would help, IMO, is a culture of whistleblowing, with protections and assurances in place so programmers suffer no consequences if "forced" to make an unethical decision. And yes, this would involve either Government or another kind of entity with superior authority over the company, which is in itself a whole different can of worms.
-
@polotek Lack of authority and fear of being punished for doing work other than that assigned.
-
@polotek as one of the idiots who brought this up, maybe it is a professional failing to empathize with the shitty developers who didn't think of the consequences of unredacted creds in logs. It's telling on ourselves that we think we could (or have!) make the same mistake, and are (what?) looking for preemptive forgiveness and avoidance of accountability/punishment? Maybe an undercurrent of why the idea of software engineering licences is threatening to some.
-
@polotek if you're gonna quote-post you should consider tagging the user so they know...
Anyway, I was specifically talking about Meta engineers, who (like I said) obviously knew about hashing passwords.
At some point you gotta figure out who you think is at fault. One minute you don't trust engineers to make choices for themselves, the next they shouldn't have to ask permission to hash passwords, the next you can't assume they even know about it.
-
@donaldball @galactus fixing security issues is job threatening. Yeah I understand. Feel free to keep shipping vulnerabilities. Sorry I mentioned it.
-
@donaldball @galactus by the way, I'm actually asking people to mitigate risk to users. And also to do the job they get paid for. But again, you do whatever you think is best. Don't let me stop you.
-
@donaldball you should find a better job Donald. Good luck.
-
yumaikas/sakiamu replied to Marco Rogers
@polotek It doesn't have to be management downplaying such a thing. In the past when I've raised things like SQL injection vulns, it's been other devs that have been downplaying it.
-
Marco Rogers replied to yumaikas/sakiamu
@sakiamu that's not possible. Devs are perfect actors. Only managers are responsible when bad things happen.
-
@xyhhx actually I like that mastodon doesn't send notifications for quote posts.
-
@xyhhx if you want to seek clarity about anything I said. Feel free to ask questions.
-
@polotek I've been thinking about how/what you said, encouraging engineers to hold themselves to the highest standards, and my reaction to it, and I'm not sure I'm ready for the level of vulnerability needed to really figure it out. But when you fail the standard you know you _should_ meet, and there are no consequences to you, maybe even praise for being a hero when fixing it, because your leadership can't tell good work from bad, it is corrosive (wah, give me a tiny violin).
-
@raven667 yep. It's kind of a big deal. I talked about some related issues here.
https://social.polotek.net/@polotek/113154120364919634
-
yumaikas/sakiamu replied to Marco Rogers
@polotek LLM AIs are even -more- perfect actors.
-
Stephan Eggermont replied to Marco Rogers
@polotek the fine is ridiculously low. This should be at the put them out of business level.