This is the kind of thing I think about whenever people say "managers should trust engineers and leave them alone to do their work".
https://arstechnica.com/security/2024/09/meta-slapped-with-101-million-fine-for-storing-passwords-in-plaintext/
-
@agocke I think it should exist. I think it would be very difficult to establish and regulate though. And I still think most of the kind of work we're discussing would fall outside of it.
-
Some people feel that it's really important to explain that the plain text passwords were in log files, not in a database. Apparently this is a more "understandable" mistake. So you know. Just forget everything I said.
-
@polotek Programmers have an ethical responsibility to protect user data, which takes precedence over anything their manager says.
ACM Code of Ethics and Professional Conduct
-
@polotek Sometimes, the management decision is going to be "deploy something now, and we can absorb the risk", and sometimes (possibly never with pw hashing) that decision is going to be right, and sometimes it'll be wrong
My point is "Sometimes Engineers need to listen to management and sometimes they need to push back", and a good Engineer is someone who knows which is which, and how to advocate for themselves when they need to
I agree with your point that sometimes Engineers need to accept oversight; I also agree sometimes they need to assert their expertise. I also think there's a trade off between those two positions, and that trade off is what I was trying to point out.
-
@polotek no. Engineers saying “we really should do this better” and managers prioritizing something else
-
@polotek I'm now also worried I'm explaining myself poorly, and didn't have as interesting a point as I initially thought
It is, after all, Friday
-
@polotek I for one love these threads! appreciate the reality check
-
Ditto! There's such great learning here -- for engineers, for managers trying to figure out when and how to get involved or explaining to engineers how they approach it, and for people mentoring engineers or managers. I really appreciate the time you put into these threads and the clarity of your explanations!
-
@polotek Every time in my career I've seen anything close to this level of garbage, engineers have been screaming to fix it and management couldn't be bothered to develop the fake-ass data-driven justification to do it.
-
@galactus and what happens after that? Engineers shrug and ship it. Users get harmed. Engineers blame managers. Managers lay all of the engineers off. Engineers get upset and talk about how important and indispensable they are. Nobody actually does what's necessary to help users.
Sound about right?
-
@polotek yes
-
@galactus cool. You keep doing what you're doing then. Works as designed.
-
@donaldball why are the engineers screaming instead of just fixing it?
-
@hungryjoe @polotek if I can try to synthesize both of your points? It seems to me that if junior engineers are acculturated to knee-jerk tell managers to fuck off and leave them in peace, they will not have any chance or motivation to develop the skill of actually communicating and negotiating with managers. Furthermore, managers will have no particular reason to bother communicating with them.
-
@zwol @hungryjoe I don't think this is an accurate synthesis.
-
@hungryjoe I think your expanded thoughts come across just fine. If I was stating my own position more clearly, I would say that manager and engineer are both roles that have a job to do. They work best when both sides understand the other's job and they collaborate to achieve the best results.
There is an unbalanced power dynamic that has to be navigated there. But I think many engineers use this as an excuse to be unaccountable for their decisions.
-
galvao replied to Ben Ramsey:
However, demanding this kind of ethical decision from programmers is really unfair.
What would help, IMO, is a culture of whistleblowing, with protections and assurances in place so programmers suffer no consequences if "forced" to make an unethical decision. And yes, this would involve either Government or another kind of entity with superior authority over the company, which is in itself a whole different can of worms.
-
@polotek Lack of authority and fear of being punished for doing work other than that assigned.
-
@polotek as one of the idiots who brought this up, maybe it is a professional failing to empathize with the shitty developers who didn't think of the consequences of unredacted creds in logs. It's telling on ourselves that we think we could (or have!) make the same mistake, and are (what?) looking for preemptive forgiveness and avoidance of accountability/punishment? Maybe an undercurrent of why the idea of software engineering licences is threatening to some.