This is the kind of thing I think about whenever people say "managers should trust engineers and leave them alone to do their work".
https://arstechnica.com/security/2024/09/meta-slapped-with-101-million-fine-for-storing-passwords-in-plaintext/
-
@polotek Was hashing really the issue here, though? From other reporting it sounds like what was happening is that the passwords were being stored (temporarily) in logs. A solution there is some sort of secrets-scrubbing in the logging process.
Tangential to your point of the management/developer relationship, of course, where I think you’re spot on. Not respecting non-developers as actual experts in their chosen fields is a too-common flaw among developers.
-
@polotek The distinction between "managers should trust engineers and leave them alone to do their work", and "You don't need a manager's permission to hash the fucking passwords. And in fact, part of your job is to do it even though they didn't ask you to." seems fairly subtle?
-
@jimw or maybe just not logging the secrets. Because you shouldn't be doing that and you don't need to do that ever.
The real question though Jim, is how does this actually change the point I'm making?
-
@hungryjoe I'm not sure how to interpret this. Can you just speak more plainly? Is it a question?
-
Here's another secret. It doesn't require engineers to be "arrogant" or "lazy". All that is required is an engineer who hasn't learned about hashing passwords as a security practice. I know, we're all supposed to emerge fully formed with a baseline set of knowledge. And before that you shouldn't be employed at all, right? It turns out people need to learn things. And before they learn, they don't know. Weird, right?
https://nso.group/@xyhhx/113211898387385914
-
"But Marco!" I can hear you typing furiously, "wouldn't there be a Senior Engineer looking over this stuff?"
Perhaps. But that usually requires a manager type person to do some resource management. And we told all of those people to fuck off remember?
-
@polotek Sorry, I think I mean I understood you as asking engineers not to listen to management if they're asking to deploy something potentially unsafe, and also saying engineers often need more oversight from management.
There's not a contradiction there exactly, and I think I agree with both statements, but I do think they're in tension?
-
@hungryjoe managers usually don't ask you to deploy something unsafe. What they do is tell you that it needs to be deployed and it costs us if we don't. Then the engineer has to explain why they got all the way up to launch time without hashing the passwords. Why wasn't that part of the plan in the first place?
-
Hmmm...
Made me wonder, ...
So I did a quick search, and ..."Facebook says it has spent $13 billion on Safety, Security"
"Company now has more than 40,000 safety and security employees."
Of course, yes, they mean something different by that.
But shouldn't *someone* (like really multiple people) have noticed that the passwords were *NOT* encrypted or hashed in any way?
>>> AND <<<
done something about it?!?!?
-
@polotek this is true and also @dangoodin's writing is unclear, because it says the problem was app debug logging including the password, which then got rolled up into their log collection that engineers used to troubleshoot. That's still a mistake, to not redact the password when logging, although many systems have a log level that will log form contents and login requests which includes creds, and this implicitly discloses creds into the log system.
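A secrets-scrubbing log filter of the kind the replies above mention (redacting credentials before a record reaches log collection), as an added Python example that is not code from anyone in this thread or from Meta; the field names, patterns and sample inputs are constructed:

```python
import logging
import re

# Constructed denylist of field names that must never reach a log line.
SENSITIVE_KEYS = ["password", "passwd", "secret", "token", "api_key", "authorization"]
REDACTED = "[REDACTED]"

# Matches key=value, key: value and "key": "value" pairs (form bodies, JSON, headers);
# the optional "Bearer "/"Basic " prefix keeps header values from being half-redacted.
_KV_RE = re.compile(
    r'\b(?P<key>%s)\b(?P<sep>"?\s*[=:]\s*"?)(?:(?:bearer|basic)\s+)?[^&"\s,}]+'
    % "|".join(SENSITIVE_KEYS),
    re.IGNORECASE,
)

def redact_text(text: str) -> str:
    """Replace the value of every sensitive key found in free-form text."""
    return _KV_RE.sub(lambda m: m.group("key") + m.group("sep") + REDACTED, text)

def redact_obj(obj):
    """Recursively redact dict keys and strings (structured log extras, request maps)."""
    if isinstance(obj, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else redact_obj(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact_obj(v) for v in obj)
    if isinstance(obj, str):
        return redact_text(obj)
    return obj

class SecretScrubber(logging.Filter):
    """Rewrites each record before any handler formats it. This is a backstop only:
    the primary control is never logging request bodies or credentials at all."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_obj(record.msg)
        if record.args:
            record.args = (redact_obj(record.args) if isinstance(record.args, dict)
                           else tuple(redact_obj(a) for a in record.args))
        return True

def format_scrubbed(msg, *args) -> str:
    """Build a record as logger.info(msg, *args) would, scrub it, return the final text."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, msg, args, None)
    SecretScrubber().filter(record)
    return record.getMessage()
```

Attach it with `logging.getLogger().addFilter(SecretScrubber())` (or per handler) so it runs before records are shipped to a central collector; a denylist cannot know every field name, so treat it as a safety net behind not logging request bodies in the first place.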
-
Stephen De Gabrielle replied to Marco Rogers
Negligence is grounds for the engineering board to revoke the engineer’s license
-
@JeffGrigg that's the 101 million dollar question isn't it?
-
Marco Rogers replied to Stephen De Gabrielle
@spdegabrielle not in the US. Not for software engineering.
-
@raven667 @dangoodin I'm sure some manager *made* them log the request data. Under threat of death.
-
Why do I do these threads? It's not because I like being an asshole and giving engineers a hard time. At the end of the day, I think we need to change our culture. The way engineers talk about our work and our responsibility and the value we provide is just way out of whack. And I'm trying to find different ways to explain and illustrate why I say that.
https://social.polotek.net/@polotek/112905943985848707
-
@polotek this sounds like what’s historically meant by “professional” — someone legally recognized as an expert, who also has some legal culpability. Do you have an opinion on professional software engineering?
-
A lot of people are still hurting in this job market. We went from being in high demand to everybody scrambling to replace us with AI. We should be organizing and trying to establish better labor rights. But before we can even do that, we have to establish our value. Except we can't do that. Because every single time anything bad happens, our go-to response is "that's some manager's fault. Nothing I can do." And somehow we still wonder why we are not valued when it's time to "trim the fat"?
-
@agocke I think it should exist. I think it would be very difficult to establish and regulate though. And I still think most of the kind of work we're discussing would fall outside of it.
-
Some people feel that it's really important to explain that the plain text passwords were in log files, not in a database. Apparently this is a more "understandable" mistake. So you know. Just forget everything I said.
-
@polotek Programmers have an ethical responsibility to protect user data, which takes precedence over anything their manager says.
ACM Code of Ethics and Professional Conduct
ACM Ethics - The Official Site of the Association for Computing Machinery's Committee on Professional Ethics (ethics.acm.org)