This is the kind of thing I think about whenever people say "managers should trust engineers and leave them alone to do their work".
https://arstechnica.com/security/2024/09/meta-slapped-with-101-million-fine-for-storing-passwords-in-plaintext/
-
Mx. Aria Stewart replied to Marco Rogers
@polotek THIS SO MUCH. I loathe it so much, and at this point would argue work gets done despite and not because of it. It's a hamhanded attempt to bypass building accountable relationships and has the predictable failures.
-
Marco Rogers replied to yumaikas/sakiamu
@sakiamu exactly. Managers would prefer employees who ship security vulnerabilities without even pretending to push back first.
-
Marcus "MajorLinux" Summers replied to Marco Rogers
@polotek @donaldball @galactus
If the code is already loaded into test and the managers say ship, what can the engineers do?
You sound like you are the manager or have never worked in development before.
If the latter is true, you must have worked in amazing shops and I envy you for that.
-
Marco Rogers replied to Mx. Aria Stewart
@aredridel I’ve tried to reset this so many times at different companies. It’s so engrained.
-
Marco Rogers replied to Marcus "MajorLinux" Summers
@majorlinux @donaldball @galactus I’ve been an engineer for 20 years and a manager for 10. I understand both sides of this issue pretty well. I’m not going to tell you it’s okay to expose user passwords just so you can keep your job. Because it’s not.
-
@polotek Literally never said that. I take great care with my words when I’m trying to engage respectfully and earnestly with folk who have different perspectives; you don’t seem to be granting me that courtesy with your reading.
Even if we take your interpretation here as accurate, though — what of it? Is it not rational for labor to be scared of adverse consequences from management for doing unauthorized work? You can insult me all you want, but the point remains.
-
@donaldball I didn’t insult you. Being scared is not an insult. I don’t know what argument you think you’re making. Maybe you didn’t read the article closely enough. These engineers knew the passwords were exposed. You’ve spent 2 days now arguing that maybe someone made them do it and they were too scared to say no. If I’m missing something, feel free to explain. We’re not having a respectful debate though. My stance on this isn’t likely to change. You can also feel free to move on.
-
Marcus "MajorLinux" Summers replied to Marco Rogers
@polotek @donaldball @galactus Nobody said it was.
What I've seen being highlighted is that engineers normally try to make sure those things are covered, but, because they are overworked and rushed, things do fall behind the cracks.
Often, when the holes are found, management would rather fix it later, never gets fixed because management wants more features, then someone else finds the original hole.
It's not negligence on behalf of the engs but on behalf of planning that creates problems.
-
Marco Rogers replied to Marcus "MajorLinux" Summers
@majorlinux @donaldball @galactus I don't know what makes you think I’m misunderstanding you. I’m not. But since you’ve repeated it 3 times now, let’s agree that you’ve said your piece and we can leave it here. I hope you’re able to avoid being forced to choose between your job and harming your users.
-
@polotek Oh, come on, Marco. You know exactly what you’re doing — even here, you can’t help but exaggerate and read in bad faith.
I will be moving on though; I’ve said my piece, you’re making your choices.
-
@polotek @majorlinux @donaldball but most likely the scenario was not that simple. I bet it was a case of technical debt accumulated over the years that made it easier for someone to miss the fact that passwords were being logged in clear somewhere.
Trying to convince management that you need to spend three months refactoring code only to make it simpler is *hard*, and that is one of the reasons that make engineers want autonomy.
-
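The failure mode Sergio describes above, a generic request logger that quietly writes the whole form (password included) to the log, is easy to demonstrate. The following is an added example, not code from the thread or from Meta: a "technical debt" logger beside a redacting one, plus a small heuristic scanner run over constructed sample log lines. The field names, the `[REDACTED]` marker and the regex are this example's own assumptions, not any particular framework's API.

```python
"""Added example: a request logger that leaks cleartext passwords, a redacting
version, and a heuristic scan that flags leaked credentials in existing logs."""
from __future__ import annotations

import logging
import re
from io import StringIO

# Assumed list of credential-looking form field names (not exhaustive).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token"}

# Heuristic: a credential keyword followed by ':' or '=' and a value that is not
# our redaction marker. Works on dict reprs ('password': 'x') and key=value text.
LEAK_PATTERN = re.compile(
    r"\b(password|passwd|pwd|secret|token)['\"]?\s*[:=]\s*['\"]?"
    r"(?!\[REDACTED\])([^\s,'\"\[\]{}]+)",
    re.IGNORECASE,
)


def redact(params: dict) -> dict:
    """Return a copy of params with credential-looking fields masked."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in params.items()}


def log_request_unsafe(logger: logging.Logger, path: str, params: dict) -> None:
    """The leaky version: dumps the entire form, password and all, into the log."""
    logger.info("POST %s params=%s", path, params)


def log_request_safe(logger: logging.Logger, path: str, params: dict) -> None:
    """The fixed version: same log line, credentials masked before formatting."""
    logger.info("POST %s params=%s", path, redact(params))


def scan_log_for_leaks(text: str) -> list[str]:
    """Return the log lines that appear to carry a cleartext credential."""
    return [line for line in text.splitlines() if LEAK_PATTERN.search(line)]


def capture_logs(fn, path: str, params: dict) -> str:
    """Run fn with a logger writing to memory and return what it logged."""
    buf = StringIO()
    logger = logging.getLogger(f"example.{fn.__name__}")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    try:
        fn(logger, path, params)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue()


# Constructed sample login form (not real data).
SAMPLE_FORM = {"username": "alice", "password": "hunter2", "remember": "1"}

# Constructed sample log excerpt: one leaked form, one redacted form, one leaked
# bearer token, and a benign line that merely contains the word "password".
SAMPLE_LOG = """\
INFO POST /login params={'username': 'alice', 'password': 'hunter2', 'remember': '1'}
INFO POST /login params={'username': 'bob', 'password': '[REDACTED]', 'remember': '0'}
INFO GET /profile user=alice
DEBUG auth header token=eyJhbGciOi...
INFO password reset email sent to carol
"""


def demo() -> tuple[int, int]:
    """Leak count for the unsafe logger versus the safe logger on SAMPLE_FORM."""
    unsafe = capture_logs(log_request_unsafe, "/login", SAMPLE_FORM)
    safe = capture_logs(log_request_safe, "/login", SAMPLE_FORM)
    return len(scan_log_for_leaks(unsafe)), len(scan_log_for_leaks(safe))


if __name__ == "__main__":
    print("leaks (unsafe, safe):", demo())
    for hit in scan_log_for_leaks(SAMPLE_LOG):
        print("LEAK:", hit)
```

The point of the scanner is that the "someone missed it" case is detectable after the fact: running a pattern like this over log archives is how such a leak gets found, whether by the engineers or by whoever audits them later. The regex is a heuristic and will need tuning per log format; masking at the logging call site is the actual fix.
-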
@donaldball thanks for your input. Good luck with those mean old managers Donald.
-
Marco Rogers replied to Sergio
@galactus @majorlinux @donaldball I’m not sure what I said that made it sound like this would be simple to fix. What I have been responding to is people’s assumption that this happened because managers made people do it. Managers not allowing room to fix it after it has grown to egregious proportions does sound plausible. But that’s still not an excuse. Let’s try to remember that the impact is a severe breach of user accounts. People’s actual lives. How much hedging do we need to do here?
-
Marcus "MajorLinux" Summers replied to Marco Rogers
@polotek @donaldball @galactus
Again, that's up to management.
Let's hope they'll make the right decisions for the team.
-
Marco Rogers replied to Marcus "MajorLinux" Summers
@majorlinux @donaldball @galactus and if not, then users better beware! Because we’re definitely not gonna risk losing our jobs to protect them. Yes I get it.
-
@polotek makes sense. Security and safety have a good regulatory fit. But sometimes it just comes down to, “Will this cost the company a bunch of money?”, which is just a management function.
-
@polotek this is a misrepresentation of what I said, I assume for comic effect?
-
@dan I don't think it's funny at all, no. If you'd like to seek clarity, you can feel free to ask questions though.
-
@agocke most leaders don't know how to make business decisions around risk. Their default is to take the risk as long as it feels like a remote possibility today. Then when the bad thing happens, they look around for who should've prevented it from happening.
After you understand that risk is real, you start building it into business plans and making sure it is accounted for.
-
@polotek in the course of this thread you seem to have done a 180 from "we need managers so that engineers don't do a half-assed job and ship code with cleartext password storage" to "managers don't care whether passwords are hashed and engineers should just do that shit anyway". Oh, and then something about being combative instead of looking to understand (can't remember the exact phrasing there).
I could ask for clarity or I could just, I suppose, regret having responded to the initial post