This is the kind of thing I think about whenever people say "managers should trust engineers and leave them alone to do their work".
https://arstechnica.com/security/2024/09/meta-slapped-with-101-million-fine-for-storing-passwords-in-plaintext/
-
@donaldball @galactus by the way, I'm actually asking people to mitigate risk to users. And also to do the job they get paid for. But again, you do whatever you think is best. Don't let me stop you.
-
@donaldball you should find a better job Donald. Good luck.
-
yumaikas/sakiamu replied to Marco Rogers
@polotek It doesn't have to be management downplaying such a thing. In the past when I've raised things like SQL injection vulns, it's been other devs that have been downplaying it.
-
Marco Rogers replied to yumaikas/sakiamu
@sakiamu that's not possible. Devs are perfect actors. Only managers are responsible when bad things happen.
-
@xyhhx actually I like that mastodon doesn't send notifications for quote posts.
-
@xyhhx if you want to seek clarity about anything I said. Feel free to ask questions.
-
@polotek I've been thinking about how/what you said, encouraging engineers to hold themselves to the highest standards, and my reaction to it, and I'm not sure I'm ready for the level of vulnerability needed to really figure it out, but when you fail the standard you know you _should_ meet, and there are no consequences to you, maybe even praise for being a hero when fixing it, because your leadership can't tell good work from bad, is corrosive (wah, give me a tiny violin)
-
@raven667 yep. It's kind of a big deal. I talked about some related issues here.
https://social.polotek.net/@polotek/113154120364919634
-
yumaikas/sakiamu replied to Marco Rogers
@polotek LLM AIs are even -more- perfect actors.
-
Stephan Eggermont replied to Marco Rogers
@polotek the fine is ridiculously low. This should be at the put them out of business level.
-
Mx. Aria Stewart replied to Marco Rogers
@polotek I wish it hadn't been so in my career repeatedly. "hey, this needs to be done right" "That only has 2 story points, we need you to finish your sprint with no carryover. Make a ticket for the backlog to come back to it."
It wasn't for password hashing, but it was for something security-important. And even more often for something stability-important.
-
Marcus "MajorLinux" Summers replied to Donald Ball
@donaldball @polotek @galactus I agree.
The attitude taken by Polotek is giving "passing the buck to the engineer".
As someone who has worked on the engineering and ops side, the worker is normally advocating for security practices to be put in place, but management says "ship it" because deadlines need to be met and they don't have time to patch every little hole.
To assume that engineering doesn't have the customers at heart is insulting.
-
@polotek (checks out the tire fire of tech industry job openings in 2024)
I think you just neatly demonstrated why these conditions obtain for too many folk.
It’s sad to me that I don’t really think we disagree about the importance both of management and principled, competent engineering.
-
@donaldball we definitely disagree about knowingly putting users at risk because you’re scared.
-
Marco Rogers replied to Marcus "MajorLinux" Summers
@majorlinux @donaldball @galactus “I really had your needs at heart. But then a manager said ship it, so I fucked you over anyway. I’m sure you’re understanding though.”
-
Marco Rogers replied to Mx. Aria Stewart
@aredridel I hate sprints and story points with a fiery passion. Precisely because they're used to separate out work that is not in fact separate.
-
Mx. Aria Stewart replied to Marco Rogers
@polotek THIS SO MUCH. I loathe it so much, and at this point would argue work gets done despite and not because of it. It's a ham-handed attempt to bypass building accountable relationships and has the predictable failures.
-
Marco Rogers replied to yumaikas/sakiamu
@sakiamu exactly. Managers would prefer employees who ship security vulnerabilities without even pretending to push back first.