This is the kind of thing I think about whenever people say "managers should trust engineers and leave them alone to do their work".
https://arstechnica.com/security/2024/09/meta-slapped-with-101-million-fine-for-storing-passwords-in-plaintext/
-
Marco Rogers replied to Marcus "MajorLinux" Summers
@majorlinux @donaldball @galactus I don't know what makes you think I'm misunderstanding you. I'm not. But since you've repeated it 3 times now, let's agree that you've said your piece and we can leave it here. I hope you're able to avoid being forced to choose between your job and harming your users.
-
@polotek Oh, come on, Marco. You know exactly what you’re doing — even here, you can’t help but exaggerate and read in bad faith.
I will be moving on though; I’ve said my piece, you’re making your choices.
-
@polotek @majorlinux @donaldball but most likely the scenario was not that simple. I bet it was a case of technical debt accumulated over the years that made it easier for someone to miss the fact that passwords were being logged in the clear somewhere.
Trying to convince management that you need to spend three months refactoring code only to make it simpler is *hard*, and that is one of the reasons that make engineers want autonomy.
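The failure mode described in the post above (credentials quietly reaching a log sink through an old code path) is the kind of thing a small redaction layer plus a leak scanner catches. The following Python is an added example by the editor, not code from Meta or from anyone in this thread; the key list, the regular expression and the sample log lines are constructed for illustration.

```python
import logging
import re

# Field names whose values must never reach a log sink.
# This list is an assumption for the example; a real service keeps its own.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token", "api_key")

# Matches key=value, key: value and "key": "value" shapes. The key may be quoted
# (JSON) or bare; a quoted value may contain spaces, a bare value stops at
# whitespace, quotes or common delimiters. Constructed for this example.
_PATTERN = re.compile(
    r'''(?i)(?P<q1>["']?)\b(?P<key>''' + "|".join(SENSITIVE_KEYS) + r''')\b(?P=q1)'''
    r'''(?P<sep>\s*[:=]\s*)(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^"'\s,;}&]+))'''
)
REDACTED = "[REDACTED]"


def _value(m: re.Match) -> str:
    # Exactly one of the three value groups participates in a match.
    return next(v for v in (m["dq"], m["sq"], m["bare"]) if v is not None)


def _scrub(m: re.Match) -> str:
    # Keep the key, separator and quoting so the log line stays parseable.
    head = f"{m['q1']}{m['key']}{m['q1']}{m['sep']}"
    if m["dq"] is not None:
        return head + f'"{REDACTED}"'
    if m["sq"] is not None:
        return head + f"'{REDACTED}'"
    return head + REDACTED


def redact_sensitive(text: str) -> str:
    """Replace the value of every sensitive key in `text` with [REDACTED]."""
    return _PATTERN.sub(_scrub, text)


class RedactingFilter(logging.Filter):
    """Scrubs credentials after the message has been fully formatted.

    Formatting first matters: redacting the format string and its args
    separately can leave a different number of %s placeholders and args.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_sensitive(record.getMessage())
        record.args = None  # already substituted; prevents a second % formatting
        return True


def scrubbed_message(msg: str, *args) -> str:
    """Build a LogRecord the way logging does, run the filter, return the final text."""
    record = logging.LogRecord("auth", logging.INFO, "auth.py", 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


def find_leaks(lines):
    """Return the lines of an existing log that still carry a sensitive value.

    Usable as a CI or log-pipeline check: anything returned is a leak that the
    filter above (or its equivalent) should have caught earlier.
    """
    leaked = []
    for line in lines:
        if any(_value(m) and _value(m) != REDACTED for m in _PATTERN.finditer(line)):
            leaked.append(line)
    return leaked


if __name__ == "__main__":
    # Constructed sample lines, as a service with forgotten debug paths might emit.
    sample = [
        "login attempt user=alice password=hunter2 ip=10.0.0.1",
        '{"event": "signup", "user": "bob", "password": "correct horse"}',
        "token refreshed for user=carol",          # the word, not a value: no leak
        'debug: form={"pwd": "s3cret", "remember": true}',
    ]
    for line in find_leaks(sample):
        print("LEAK:", line)

    logger = logging.getLogger("auth")
    handler = logging.StreamHandler()
    handler.addFilter(RedactingFilter())  # on the handler, so child loggers are covered too
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.info("login attempt user=%s password=%s", "alice", "hunter2")
```

The filter is attached to the handler rather than the logger because logger-level filters only see records created on that exact logger, while handler filters see everything that reaches the sink. The pattern matches whole key tokens only, so a field like `user_password` would need to be added to the list; `find_leaks` run over archived logs is the cheap way to discover such names before a regulator does.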
-
@donaldball thanks for your input. Good luck with those mean old managers Donald.
-
Marco Rogers replied to Sergio
@galactus @majorlinux @donaldball I'm not sure what I said that made it sound like this would be simple to fix. What I have been responding to is people's assumption that this happened because managers made people do it. Managers not allowing room to fix it after it has grown to egregious proportions does sound plausible. But that's still not an excuse. Let's try to remember that the impact is a severe breach of user accounts. People's actual lives. How much hedging do we need to do here?
-
Marcus "MajorLinux" Summers replied to Marco Rogers
@polotek @donaldball @galactus
Again, that's up to management.
Let's hope they'll make the right decisions for the team.
-
Marco Rogers replied to Marcus "MajorLinux" Summers
@majorlinux @donaldball @galactus and if not, then users better beware! Because we’re definitely not gonna risk losing our jobs to protect them. Yes I get it.
-
@polotek makes sense. Security and safety have a good regulatory fit. But sometimes it just comes down to, “Will this cost the company a bunch of money?”, which is just a management function.
-
@polotek this is a misrepresentation of what I said, I assume for comic effect?
-
@dan I don't think it's funny at all, no. If you'd like to seek clarity, you can feel free to ask questions though.
-
@agocke most leaders don't know how to make business decisions around risk. Their default is to take the risk as long as it feels like a remote possibility today. Then when the bad thing happens, they look around for who should've prevented it from happening.
After you understand that risk is real, you start building it into business plans and making sure it is accounted for.
-
@polotek in the course of this thread you seem to have done a 180 from "we need managers so that engineers don't do a half-assed job and ship code with cleartext password storage" to "managers don't care whether passwords are hashed and engineers should just do that shit anyway". Oh, and then something about being combative instead of looking to understand (can't remember the exact phrasing there).
I could ask for clarity or I could just, I suppose, regret having responded to the initial post.
-
@dan Let me give you a tip. Stating your characterization of what you think I'm saying is not the same as asking a question to seek clarity. If you have a question, please just ask it. If it helps, I can assure you that your interpretation of what I'm saying is incorrect and does not contain enough nuance. If you don't have a question and just want to exclaim incredulously, you don't need me for that and it doesn't have to be in my mentions. Thanks.