This is the kind of thing I think about whenever people say "managers should trust engineers and leave them alone to do their work".
arstechnica.com/security/2024/

I know it feels frustrating to engineers when I push back on this stance. They often tell themselves that I'm advocating for micromanagement, because they can only see these things as binaries. (And they rarely ask for clarification even when I literally beg them to do so.)

It's not about micromanagement. It's about who gets held accountable when you do something that has a huge cost. If you told everybody to leave you alone and not ask questions because you're the expert, then it's on you.

When it's time to pay $101 million for a technical screwup, I never see engineers jumping in front of that. Go figure.

Let's talk about this. Because I get this every single time I bring this up. I have never once in 20+ years had a manager ask me whether the passwords were in plain text. Not once. So what is the truth?! Managers forcing engineers to not hash passwords? Or engineers not knowing any better and then blaming the manager because they still wanted something shipped?
col.social/@galactus/113211782


@polotek I don't know what happened at Facebook. But almost every case I've personally run into (as a third-party contractor) where a security measure wasn't implemented boiled down to a developer telling me "I don't have time to fix this, it needs to be done by tomorrow".

How much the developer could have achieved by pushing back varied. Particularly in the US the answer was often "not very much" because of at-will employment, sometimes outright and overt threats of termination.

Generally the only cases where a developer was *definitely* at fault themselves were those where a developer was being arrogant, the "do not dare to question me" type. There weren't a lot of those.
