This is the kind of thing I think about whenever people say "managers should trust engineers and leave them alone to do their work". https://arstechnica.com/security/2024/09/meta-slapped-with-101-million-fine-for-storing-passwords-in-plaintext/
-
yumaikas/sakiamu replied to Marco Rogers last edited by
@polotek LLM AIs are even -more- perfect actors.
-
Stephan Eggermont replied to Marco Rogers last edited by
@polotek the fine is ridiculously low. This should be at the put them out of business level.
-
Mx. Aria Stewart replied to Marco Rogers last edited by
@polotek I wish it hadn't been so in my career repeatedly. "hey, this needs to be done right" "That only has 2 story points, we need you to finish your sprint with no carryover. Make a ticket for the backlog to come back to it."
It wasn't for password hashing but it was for something security-important, and even more often for something stability-important.
-
Marcus "MajorLinux" Summers replied to Donald Ball last edited by
@donaldball @polotek @galactus I agree.
The attitude taken by Polotek is giving "passing the buck to the engineer".
As someone who has worked on the engineering and ops side, the worker is normally advocating for security practices to be put in place, but management says "ship it" because deadlines need to be met and they don't have time to patch every little hole.
To assume that engineering doesn't have the customers at heart is insulting.
-
@polotek (checks out the tire fire of tech industry job openings in 2024)
I think you just neatly demonstrated why these conditions obtain for too many folk.
It’s sad to me that I don’t really think we disagree about the importance both of management and principled, competent engineering.
-
@donaldball we definitely disagree about knowingly putting users at risk because you’re scared.
-
Marco Rogers replied to Marcus "MajorLinux" Summers last edited by
@majorlinux @donaldball @galactus “I really had your needs at heart. But then a manager said ship it, so I fucked you over anyway. I’m sure you’re understanding though.”
-
Marco Rogers replied to Mx. Aria Stewart last edited by
@aredridel I hate sprints and story points with a fiery passion. Precisely because it’s used to separate out work that is not in fact separate.
-
Mx. Aria Stewart replied to Marco Rogers last edited by
@polotek THIS SO MUCH. I loathe it so much, and at this point would argue work gets done despite and not because of it. It's a ham-handed attempt to bypass building accountable relationships and has the predictable failures.
-
Marco Rogers replied to yumaikas/sakiamu last edited by
@sakiamu exactly. Managers would prefer employees who ship security vulnerabilities without even pretending to push back first.
-
Marcus "MajorLinux" Summers replied to Marco Rogers last edited by
@polotek @donaldball @galactus
If the code is already loaded into test and the managers say ship, what can the engineers do?
You sound like you are the manager or have never worked in development before.
If the latter is true, you must have worked in amazing shops and I envy you for that.
-
Marco Rogers replied to Mx. Aria Stewart last edited by
@aredridel I’ve tried to reset this so many times at different companies. It’s so engrained.
-
Marco Rogers replied to Marcus "MajorLinux" Summers last edited by
@majorlinux @donaldball @galactus I’ve been an engineer for 20 years and a manager for 10. I understand both sides of this issue pretty well. I’m not going to tell you it’s okay to expose user passwords just so you can keep your job. Because it’s not.
-
@polotek Literally never said that. I take great care with my words when I’m trying to engage respectfully and earnestly with folk who have different perspectives; you don’t seem to be granting me that courtesy with your reading.
Even if we take your interpretation here as accurate, though — what of it? Is it not rational for labor to be scared of adverse consequences from management for doing unauthorized work? You can insult me all you want, but the point remains.
-
@donaldball I didn’t insult you. Being scared is not an insult. I don’t know what argument you think you’re making. Maybe you didn’t read the article closely enough. These engineers knew the passwords were exposed. You’ve spent 2 days now arguing that maybe someone made them do it and they were too scared to say no. If I’m missing something, feel free to explain. We’re not having a respectful debate though. My stance on this isn’t likely to change. You can also feel free to move on.
-
Marcus "MajorLinux" Summers replied to Marco Rogers last edited by
@polotek @donaldball @galactus Nobody said it was.
What I've seen being highlighted is that engineers normally try to make sure those things are covered, but, because they are overworked and rushed, things do fall behind the cracks.
Often, when the holes are found, management would rather fix it later; it never gets fixed because management wants more features, and then someone else finds the original hole.
It's not negligence on behalf of the engs but on behalf of planning that creates problems.
-
Marco Rogers replied to Marcus "MajorLinux" Summers last edited by
@majorlinux @donaldball @galactus I don't know what makes you think I'm misunderstanding you. I'm not. But since you've repeated it 3 times now, let's agree that you've said your piece and we can leave it here. I hope you're able to avoid being forced to choose between your job and harming your users.
-
@polotek Oh, come on, Marco. You know exactly what you’re doing — even here, you can’t help but exaggerate and read in bad faith.
I will be moving on though; I’ve said my piece, you’re making your choices.