This is the kind of thing I think about whenever people say "managers should trust engineers and leave them alone to do their work".
https://arstechnica.com/security/2024/09/meta-slapped-with-101-million-fine-for-storing-passwords-in-plaintext/
-
@polotek Literally never said that. I take great care with my words when I’m trying to engage respectfully and earnestly with folk who have different perspectives; you don’t seem to be granting me that courtesy with your reading.
Even if we take your interpretation here as accurate, though — what of it? Is it not rational for labor to be scared of adverse consequences from management for doing unauthorized work? You can insult me all you want, but the point remains.
-
@donaldball I didn’t insult you. Being scared is not an insult. I don’t know what argument you think you’re making. Maybe you didn’t read the article closely enough. These engineers knew the passwords were exposed. You’ve spent 2 days now arguing that maybe someone made them do it and they were too scared to say no. If I’m missing something, feel free to explain. We’re not having a respectful debate though. My stance on this isn’t likely to change. You can also feel free to move on.
-
Marcus "MajorLinux" Summers replied to Marco Rogers
@polotek @donaldball @galactus Nobody said it was.
What I've seen being highlighted is that engineers normally try to make sure those things are covered, but, because they are overworked and rushed, things do fall behind the cracks.
Often, when the holes are found, management would rather fix it later, never gets fixed because management wants more features, then someone else finds the original hole.
It's not negligence on behalf of the engs but on behalf of planning that creates problems.
-
Marco Rogers replied to Marcus "MajorLinux" Summers
@majorlinux @donaldball @galactus I don't know what makes you think I'm misunderstanding you. I'm not. But since you've repeated it 3 times now, let's agree that you've said your piece and we can leave it here. I hope you're able to avoid being forced to choose between your job and harming your users.
-
@polotek Oh, come on, Marco. You know exactly what you’re doing — even here, you can’t help but exaggerate and read in bad faith.
I will be moving on though; I’ve said my piece, you’re making your choices.
-
@polotek @majorlinux @donaldball but most likely the scenario was not that simple. I bet it was a case of technical debt accumulated over the years that made it easier for someone to miss the fact that passwords were being logged in clear somewhere.
Trying to convince management that you need to spend three months refactoring code only to make it simpler is *hard*, and that is one of the reasons that make engineers want autonomy.
-
@donaldball thanks for your input. Good luck with those mean old managers Donald.
-
Marco Rogers replied to Sergio
@galactus @majorlinux @donaldball I'm not sure what I said that made it sound like this would be simple to fix. What I have been responding to is people's assumption that this happened because managers made people do it. Managers not allowing room to fix it after it has grown to egregious proportions does sound plausible. But that's still not an excuse. Let's try to remember that the impact is a severe breach of user accounts. People's actual lives. How much hedging do we need to do here?
-
Marcus "MajorLinux" Summers replied to Marco Rogers
@polotek @donaldball @galactus
Again, that's up to management.
Let's hope they'll make the right decisions for the team.
-
Marco Rogers replied to Marcus "MajorLinux" Summers
@majorlinux @donaldball @galactus and if not, then users better beware! Because we’re definitely not gonna risk losing our jobs to protect them. Yes I get it.
-
@polotek makes sense. Security and safety have a good regulatory fit. But sometimes it just comes down to, “Will this cost the company a bunch of money?”, which is just a management function.
-
@polotek this is a misrepresentation of what I said, I assume for comic effect?
-
@dan I don't think it's funny at all, no. If you'd like to seek clarity, you can feel free to ask questions though.
-
@agocke most leaders don't know how to make business decisions around risk. Their default is to take the risk as long as it feels like a remote possibility today. Then when the bad thing happens, they look around for who should've prevented it from happening.
After you understand that risk is real, you start building it into business plans and making sure it is accounted for.
-
@polotek in the course of this thread you seem to have done a 180 from "we need managers so that engineers don't do a half-assed job and ship code with cleartext password storage" to "managers don't care whether passwords are hashed and engineers should just do that shit anyway". Oh, and then something about being combative instead of looking to understand (can't remember the exact phrasing there).
I could ask for clarity or I could just, I suppose, regret having responded to the initial post.
-
@dan Let me give you a tip. Stating your characterization of what you think I'm saying is not the same as asking a question to seek clarity. If you have a question, please just ask it. If it helps, I can assure you that your interpretation of what I'm saying is incorrect and does not contain enough nuance. If you don't have a question and just want to exclaim incredulously, you don't need me for that and it doesn't have to be in my mentions. Thanks.