This is the kind of thing I think about whenever people say "managers should trust engineers and leave them alone to do their work".
https://arstechnica.com/security/2024/09/meta-slapped-with-101-million-fine-for-storing-passwords-in-plaintext/
-
I know it feels frustrating to engineers when I push back on this stance. They often tell themselves that I'm advocating for micromanagement, because they can only see these things as binaries. (And they rarely ask for clarification even when I literally beg them to do so.)
It's not about micromanagement. It's about who gets held accountable when you do something that has a huge cost. If you told everybody to leave you alone and not ask questions because you're the expert, then it's on you.
-
When it's time to pay $101 million dollars for a technical screwup, I never see engineers jumping in front of that. Go figure.
-
@polotek engineers care about people who are capable at X skill being the ones who get consulted about decisions related to X, but then they like to pretend that business and organizational concerns don't exist, and thus that "managers are redundant". lol
-
@zkat "well clearly the person working on that was too junior. Somebody should've noticed that."
Who is somebody? The same managers you told to fuck off?
-
Let's talk about this. Because I get this every single time I bring this up. I have never once in 20+ years had a manager ask me whether the passwords were in plain text. Not once. So what is the truth?! Managers forcing engineers to not hash passwords? Or engineers not knowing any better and then blaming the manager because they still wanted something shipped?
https://col.social/@galactus/113211782990816056
-
I was just about to hash the passwords when a manager jumped out of the bushes and shouted "Stop right there!"
https://brvt.telent.net/objects/4eb1b56d-45fb-493f-853e-6011b8367cf3
-
I'm gonna make a bold statement. You don't need a manager's permission to hash the fucking passwords. And in fact, part of your job is to do it even though they didn't ask you to. Because you're the expert, not them.
https://tech.lgbt/@sakiamu/113211742996518331
-
@polotek Was hashing really the issue here, though? From other reporting it sounds like what was happening is that the passwords were being stored (temporarily) in logs. A solution there is some sort of secrets-scrubbing in the logging process.
Tangential to your point of the management/developer relationship, of course, where I think you’re spot on. Not respecting non-developers as actual experts in their chosen fields is a too-common flaw among developers.
-
@polotek The distinction between "managers should trust engineers and leave them alone to do their work", and "You don't need a manager's permission to hash the fucking passwords. And in fact, part of your job is to do it even though they didn't ask you to." seems fairly subtle?
-
@jimw or maybe just not logging the secrets. Because you shouldn't be doing that and you don't need to do that ever.
The real question though Jim, is how does this actually change the point I'm making?
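The secrets-scrubbing that jimw suggests and the "just don't log it" rule in the reply, as an added example that is not code from the thread or from Meta: a Python logging filter that redacts credential fields from a debug line which dumps a login body, plus a helper for structured payloads. The key list and the `render_login_debug` harness are assumptions for the demonstration.

```python
import json
import logging
import re

# Field names that must never appear in logs (an assumed list for this example).
SENSITIVE_KEYS = ("password", "passwd", "pass", "token", "secret")
REDACTED = "[REDACTED]"
# Matches `password=value` and `"password": "value"` forms in a rendered log line.
_PATTERN = re.compile(
    r'(?P<key>"?\b(?:' + "|".join(SENSITIVE_KEYS) + r')\b"?\s*[:=]\s*)'
    r'(?P<q>["\']?)(?P<val>[^"\',\s}&]*)(?P=q)',
    re.IGNORECASE,
)

def scrub_text(text: str) -> str:
    """Redact the value of every sensitive key found in a rendered log line."""
    return _PATTERN.sub(lambda m: f"{m.group('key')}{m.group('q')}{REDACTED}{m.group('q')}", text)

def scrub_mapping(obj):
    """Redact sensitive keys in dict/list payloads before they reach a structured logger."""
    if isinstance(obj, dict):
        return {k: REDACTED if k.lower() in SENSITIVE_KEYS else scrub_mapping(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub_mapping(v) for v in obj]
    return obj

class SecretScrubber(logging.Filter):
    """Logger filter that rewrites the rendered message so secrets never reach handlers."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_text(record.getMessage())
        record.args = ()  # already interpolated; avoids a second % formatting pass
        return True

def render_login_debug(payload: dict, scrub: bool) -> str:
    """Return the text a handler receives for a debug line that dumps a login body."""
    logger = logging.getLogger(f"demo.{'scrubbed' if scrub else 'raw'}")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    captured = []
    handler = logging.Handler()
    handler.emit = lambda rec: captured.append(rec.getMessage())  # capture instead of writing
    logger.addHandler(handler)
    if scrub:
        logger.addFilter(SecretScrubber())
    logger.debug("login request body=%s", json.dumps(payload))  # the kind of debug line at issue
    return captured[0]
```

Without the filter the raw debug line carries the password verbatim into whatever collects the logs; with it, the value is replaced before any handler writes it.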
-
@hungryjoe I'm not sure how to interpret this. Can you just speak more plainly? Is it a question?
-
Here's another secret. It doesn't require engineers to be "arrogant" or "lazy". All that is required is an engineer who hasn't learned about hashing passwords as a security practice. I know, we're all supposed to emerge fully formed with a baseline set of knowledge. And before that you shouldn't be employed at all, right? It turns out people need to learn things. And before they learn, they don't know. Weird, right?
https://nso.group/@xyhhx/113211898387385914
-
"But Marco!" I can hear you typing furiously, "wouldn't there be a Senior Engineer looking over this stuff?"
Perhaps. But that usually requires a manager type person to do some resource management. And we told all of those people to fuck off remember?
-
@polotek Sorry, I think I mean I understood you as asking engineers not to listen to management if they're asking to deploy something potentially unsafe, and also saying engineers often need more oversight from management
There's not a contradiction there exactly, and I think I agree with both statements, but I do think they're in tension?
-
@hungryjoe managers usually don't ask you to deploy something unsafe. What they do is tell you that it needs to be deployed and it costs us if we don't. Then the engineer has to explain why they got all the way up to launch time without hashing the passwords. Why wasn't that part of the plan in the first place?
-
Hmmm...
Made me wonder, ...
So I did a quick search, and ..."Facebook says it has spent $13 billion on Safety, Security"
"Company now has more than 40,000 safety and security employees."
Of course, yes, they mean something different by that.
But shouldn't *someone* (like really multiple people) have noticed that the passwords were *NOT* encrypted or hashed in any way?
>>> AND <<<
done something about it?!?!?
-
@polotek this is true and also @dangoodin's writing is unclear, because it says the problem was app debug logging including the password, which then got rolled up into their log collection that engineers used to troubleshoot. That's still a mistake, to not redact the password when logging, although many systems have a log level that will log form contents and login requests which includes creds, and this implicitly discloses creds into the log system.
-
Stephen De Gabrielle replied to Marco Rogers:
Negligence is grounds for the engineering board to revoke the engineer’s license
-
@JeffGrigg that's the 101 million dollar question isn't it?