>You can either see his history and trust that he wants to get as much done with as little said as possible or say you trust Amazon
Or I can trust neither, and expect that both sides act like adults and actually state their concerns and accusations rather than vague "just trust me, you should be upset" statements.
Whipping everyone into a furor with vague concerns without actually giving enough information to address those concerns is the worst form of "discussion", if you can even call it that.
He called out specific things and had a tweet which was pretty vague about some bad behavior. If you want to focus on that and imply it's childish you are the one distracting from discussing more important issues. That's probably why takes like that get downvoted.
---
From the comments Steve has made it sounds like Amazon effectively has control of Rust not only because of their large involvement but also because of a strange set of governing circumstances. I guess I can see how if he led with that it might be clearer why all the concern, guess he didn't want to spell it out so directly and point fingers.
He said in his first tweet that he wants to have a "serious conversation", then goes on to list three grievances: that Amazon has a lot of involvement in Rust leadership, that Amazon "marginalized the core team" (but no details) and that Amazon "has done some other dirty shit" (but no details).
That's two out of three grievances that have no substance whatsoever. You cannot have a serious conversation about these things if there is not more detail. I'm not distracting from anything, I'm asking Steve to either step up and discuss these things as he stated he wants to do, or he needs to stop distracting from serious issues with these snarky one-liners. If you include something like that in a tweet, you should expect to follow up on it.
It's ridiculous and disingenuous to tweet something like that and then say "well I don't actually want to talk about that and it's your fault for not reading my mind to know that".
>That's probably why takes like that get downvoted.
My comment currently has 50 upvotes. I don't think I'm the only person saying this.
Well he's one guy, against the industry behemoth. Give him some credit, rather than big brother. Even if he errs. I'd not buy any rebuttal by the thousand-pound gorilla at face value
I think not adding details was a warning to Amazon to step up on their front or he will indeed 'air out dirty laundry', but it does feel disingenuous given we're asked to support him based on his word (and history of rustc contributions) alone.
>> decided to not have a Rust Foundation ED, meaning Chair has outsized power in the Foundation
> that Amazon "marginalized the core team" (but no details)
That seems like details to me. It's also extrapolated on elsewhere here.
> That's two out of three grievances that have no substance whatsoever. You cannot have a serious conversation about these things if there is not more detail.
Actually, you could, just by ignoring the things you don't see evidence of and focusing on the points that do, and assessing them based on merit.
The messenger is irrelevant if the message is verifiable and is worth discussing. It's useful to call out points that seem to not be backed up, or be purposefully vague. It's not fine to use that as a reason to ignore other points because "you cannot have a serious conversation" when that's obviously not the case when it's not tried.
>Actually, you could, just by ignoring the things you don't see evidence of and focusing on the points that do, and assessing them based on merit.
No, you really can't. Just by including the other points in the discussion, but being unwilling to extrapolate on them, shows bad faith (perhaps unintentionally) on the part of Steve and compromises the entire discussion. The only reason you include some vague "Amazon did shady shit" in a tweet is to elicit an emotional response on the part of the reader and immediately biases the argument against Amazon. The argument is not based on merit; it never can be now, because it's been tainted. This is known as "poisoning the well" [0].
Even in this thread, commenters are saying how they implicitly trust Steve not because of the merits of his argument, but because of his personal brand. He's (again, perhaps unintentionally) taking advantage of that fact by mud-slinging at Amazon, priming readers to already be biased against Amazon, and then once called out on it the response is "oh just ignore the fact that I did that and look at this other argument which I promise is more substantive". That's not arguing in good faith.
I see all that Steve has done for Rust and I see him post here (and on reddit) a lot, so I have respect for him. But this "discussion" was brought up completely the wrong way by him, and any outcome is going to be tainted. It'd be best to just let this current discussion die, and bring it up again in the future in a more appropriate manner.
> Just by including the other points in the discussion, but being unwilling to extrapolate on them
That seems a bit strong. The statement was "won't go into rn (right now)".
> compromises the entire discussion.
It does. I'm not saying it causes no problems. I'm saying it shouldn't be grounds to immediately discount all other evidence given. It's perfectly valid as a modifier to another piece of evidence where you might use it to weight it, but I don't think it's valid to immediately ignore everything else said.
> The only reason you include some vague "Amazon did shady shit" in a tweet is to elicit an emotional response on the part of the reader and immediately biases the argument against Amazon.
No, that's one possible reason, it's not the only reason. Other possible reasons might be to signal other people more involved in the events in question that if they want to share their own story, perhaps now is the time, and this is an opening that makes that easier for them.
I agree that the presented argument would have been better without that statement, but that doesn't immediately negate the merit of what else is presented.
> The argument is not based on merit; it never can be now, because it's been tainted. This is known as "poisoning the well" [0].
The mistake you're making is in assuming that poisoning the well applies to and discredits non-dependent clauses. It should be easy to see how this applies when you consider the two statements "You should beware of John, he's made some threatening gestures to me and you in the past, and there have been some assaults in the area" and "You should beware of John, he's made threatening gestures to me and you in the past and multiple people have seen him assault three people recently." In one case it's used to imply guilt of something that is not factually proven or stated, in the other there's a fact to readily look into for confirmation that you can use as evidence to make up your own mind. That someone uses a call to emotion beforehand should not immediately discount that fact from consideration.
> Even in this thread, commenters are saying how they implicitly trust Steve not because of the merits of his argument, but because of his personal brand.
That's not what I've said, and not what I'm asking of you.
> But this "discussion" was brought up completely the wrong way by him, and any outcome is going to be tainted.
It may be tainted in some way. That doesn't mean easily verifiable facts should be ignored.
To be absolutely clear, since it seems very hard for some people to get my point, I have no qualms with your mistrusting him, or thinking his factual statements have no merit or are not problematic enough to act on. I just don't think it's valid to completely ignore the factual statements and refuse to consider them as you seemed to indicate you were doing because he also says "Amazon is being a meany in other ways too" and doesn't expound on it, and some other statements may not be as well supported as they could.
What merit? Lets take the claim of "marginalized the core team"?
WTF does that even mean? As in specifically, what was the action that Amazon did, to marginalize anyone? Did they say mean things about them? Did they have a meeting without them? Did they kick them off of a group? Did they create a feature roadmap, without getting the core team's feedback?
Just say specifically what happened, with actual details, that describe exactly how someone was marginalized, and the consequences of that!
> reason to ignore other points
What other points? Specifically? The only verifiable point, that anyone has mentioned, is that Amazon has a board seat somewhere, on some organization.
But even that point is low on details. Have they used the board seat to do anything bad? What's the concern?
> Lets take the claim of "marginalized the core team"?
You mean, "let's take an ancillary claim, not one of the core three" that are stated to be "undefinable(sp). they're just facts."?
My point, which I thought was clear, but apparently not, is that if you have a problem with the statement you brought up, sure, mention that's problematic. But is that a reason to ignore the things mentioned immediately prior, that Amazon is the lead on multiple teams, and chose not to elect a new executive director while letting the prior one go? I think not. Those are specific claims that can be assessed individually. What bearing does the "they've marginalized the core team" statement have on them that renders them unworthy to assess?
> What other points? Specifically? The only verifiable point, that anyone has mentioned, is that amazon has a board seat somewhere, on some organization.
That exact same tweet you reference notes they've decided not to have an Executive Director. Maybe if people weren't ignoring that because of some later statement that might get some attention.
> But is that a reason to ignore the things mentioned immediately prior
It's not ignoring! It's asking people to say what the actual problem is, beyond just that Amazon has people on a couple committees.
Have these committees done anything bad? Is Amazon pushing for features that people don't like? Will some future bad thing happen because of this? What is the value statement here!
> Those are specific claims that can be assessed individually.
Ok, and the problem is that nobody is actually saying why some things are bad or not.
> that might get some attention.
I still don't know why it should get attention though. So they don't have an executive director? Why should anyone care?
You keep trying to say things, without saying why anyone should care about this stuff, or why it is bad.
I could make a dozen different guesses as to why you, or others, think there is a problem. But I shouldn't have to do that.
It is on you, to both say what is happening, as well as for you to say why it is bad, and what the concern is.
Look at the comment I originally responded to. They complained that two out of three items had no substance, therefore we can't have a serious conversation. That is, specifically, what I was addressing.
> I still don't know why it should get attention though. So they don't have an executive director? Why should anyone care?
> You keep trying to say things, without saying why anyone should care about this stuff, or why it is bad.
It's specifically stated in the tweet. Not having an executive director leaves the chair with more power. Amazon is the chair. Amazon has chosen to let the position go unfilled which results in their own position having more power.
Actually asking questions about that, like you are here, is the outcome I was calling for, as opposed to ignoring it because of other statements, as the original comment I replied to was.
> It is on you, to both say what is happening, as well as for you to say why it is bad, and what the concern is.
No, you're placing me as someone on the one side of the argument, when the side is irrelevant. My point was that ignoring everything said because of portions that don't add up is not a valid way to assess the information. That doesn't require me to take a side, and in fact taking a side just makes it easier for people to dismiss my point and assume my goal is something else, as I suspect you did.
You continue to ignore the point I'm making and the context I made it in, in what appears to be an effort to push your own agenda. You can feel free to do that, but I don't see a reason to continue my part in this conversation when it feels like you're not attempting to actually engage with me.
If you care about why I think it's not worth continuing, and why I've come to this conclusion, I suggest you attempt to re-read what I wrote previously with a more open mind and instead of trying to drag it back into the specific argument. In any case, have a good evening.
Dude, even in the post that you linked, where you claim that he "goes into more detail", he is missing the main value judgement punchline.
The summary of that statement is "During that time, the chair of the board has more power than they usually would, and Amazon is chair of the board."
But once again, he is refusing to give the actual, moral punchline here.
If he wanted to convince people, he could explain all the dastardly things that he believes the board could do now. But he doesn't do that. All he says, is another statement that is devoid of moral argument, which is that "amazon is chair of the board" and that the board has more power.
The way to actually make an argument, is to not simply state facts. Instead you should say why people should care about these facts, and describe the actual material harm.
> , but I don't see a reason to continue my part in this conversation
Yes, I get it. When someone brings up the fact that basically everyone is pretty confused about the situation, and brings up how poorly this guy communicated, you have no response, and just want to assert that you disagree, without backing it up.
So you've admitted you haven't read what I said and the tweets and you've just rushed into the comments section?
> I don't understand why Google, Microsoft and AWS et. al are on a board of this new foundation.
> It is the structure that I am concerned about. Again, I'd rather have them just sponsor Rust, why wasn't a gold or platinum sponsorship like structure considered without placing them on the board of directors.
> We shouldn't be giving corporations too much power by letting them buy board seats in a foundation to steer the language, in this case Rust.
Are you saying I didn't state these concerns?
And even Steve is concerned about the structure himself, if you have bothered to read the tweets.
Maybe you should actually read my comment and the links before replying.
What "concerns"? Again you have stated and quoted nothing other than vague "it's the structure" or allusions to "too much power". What about the structure? What power are you alluding to?
What are your concerns, exactly? Do you even have any, or are you just being dramatic about "big company bad"?
> What are your concerns, exactly? Do you even have any, or are you just being dramatic about "big company bad"?
Where did I say "big company bad"? I'm not against them sponsoring a project, they shouldn't get the opportunity to buy a board seat, which is what Rust's structure allows. Hence why, it's appearing that Rust isn't being led by the community.
Before you continue to gaslight me again, you can have companies (big ones) that sponsor a project/foundation and not be given a board seat.
Instead of going through all of what you just did here, why didn't you just directly state what the problem was, when someone asked?
That would be way easier. Instead of writing a paragraph, I don't know, attacking someone for not reading past threads or comments, you could just give a single sentence, that describes the issue.
That would be way faster, and then everyone is happy.
The problem is that other people are making vague claims, without actually substantiating them.
If someone makes vague claims like that, they deserve to be dismissed. It is on you to state your concerns clearly, not on other people to read between the lines.
> If most people are unable to understand you or your arguments, that is the fault of the communicator, for being so bad at communicating.
Sure. But is this really about "most people" -- or just a (very) vocal minority that doesn't (want to) understand? It's not like there are thousands of people asking for clarification; I make it three, including you.
I'm just saying that at least to me,
>>> Still don't know why we should let these big tech companies have board seats on programming language foundations for them to have the power to do this. [ https://news.ycombinator.com/item?id=28513316 ]
and, at the latest,
>>> they shouldn't get the opportunity to buy a board seat, which is what Rust's structure allows. Hence why, it's appearing that Rust isn't being led by the community. [ https://news.ycombinator.com/item?id=28514247 ]
felt perfectly clear. That's yanonninator's [sp?] whole beef, right there (twice over), AFAICS. What's not to understand about that?
What's not to understand is the moral punchline of any of this, which is left completely unjustified, and is merely implied, without any reasons given.
Don't just say "They have a board seat". Instead say "They have a board seat, and are using that board seat for bad things X,Y, and Z, which have negative consequences A, B, and C".
Do you see how the corrected statement, actually gives people something to engage with, instead of someone merely asserting the amoral, unopinionated fact of "They have a board seat"?
If you actually make an argument, then other people can judge if they agree that things X, Y, and Z are bad, or they can judge if they agree or disagree with the consequences of A,B, and C.
But, when someone just says "They have a board seat", they are making an unopinionated factual statement, as opposed to actually justifying what the tweets intend to imply, which is that them having a board seat is bad for certain reasons which are unstated.
Unfortunately, though, I expect the reasons as for why the moral arguments are unstated, is because the person doesn't actually have any moral arguments. Instead, they likely just want to imply that certain things are wrong, without actually having to defend or give reasons as for why the things are at all bad.
> Do you see how the corrected statement, actually gives people something to engage with, instead of someone merely asserting the amoral, unopinionated fact of "They have a board seat"?
Yes and no:
Yes, I understand that to some people, obviously including you, "They have [bought] a board seat" is an "amoral, unopinionated fact".
But no, that's not "instead of merely". Looks to me like the problem is that you don't see that to many people, "They have [bought] a board seat" is not just an "amoral, unopinionated fact" but in itself already a moral punchline to engage with. There is no need for any tweets to "intend to imply" anything. Whether any non-beneficial consequences have followed or are immediately to expect is, in their view, irrelevant: That's just not how shit is supposed to work, i.e. wrong in itself.
And frankly, it's a bit baffling to me how you and those who argue like you seem to have such a hard time understanding this view. I mean, it's one thing not to agree with it, but you're all coming off as if it hasn't even occurred to you that it's possible to see things that way. Makes me wonder if you're seriously so blind, or if it's some underhanded debating tactic. Whichever it is, in my eyes it seriously weakens your argument.
> to have such a hard time understanding this view.
If I were a fiction writer, I could write a dozen different reasons as for what the problem is. But the issue is, that although I could definitely make up reasons, in my fiction book, as for why this is an issue, it tells me nothing about how this actually applies to the Rust community.
If you actually make the argument yourself, then it allows people to understand if there are specific issues, that are more or less bad, based on the informed opinion of someone directly from the community, instead of our uninformed, guesses, that might be right, or wrong, or slightly wrong.
For example, maybe the problem is similar to what Microsoft used to do. Maybe it isn't. Maybe Amazon is doing something that is bad, in a separate and different way, than what Microsoft did decades ago.
But if you don't actually make the argument, then other people cannot tell if the issue is bad, in a similar way as to how other past issues were, or if it is bad in a different way, than how the microsoft situation was bad.
Thats why it is better if people actually make the argument. Because although, yes, I could write a fiction book, or a script for a movie, to describe why these hypothetical issues are bad, I might get it completely wrong, and that the actual thing is bad in a different way, because of something specific to the rust community.
> if it hasn't even occurred to you that it's possible to see things that way.
The problem is that I can imagine a dozen different possible ways to "see things that way", which might be completely off the mark, or exactly correct of the reality of the situation.
I can imagine multiple different universes, where my guess would be right, or wrong, and I don't actually know which universe I am in, unless the informed party actually makes the argument, all the way through.
So I can both imagine arguments, as well as imagine how those guesses could be wrong, and why maybe the situation is wrong in a different way, than my first X number of guesses.
Thats why it is so much better if the person actually makes the argument, all the way through.
> Whether any non-beneficial consequences have followed or are immediately to expect is, in their view, irrelevant
Hey, if they had specifically said the following "I concede that there are no other negative effects at all, and that Amazon hasn't done anything bad, and I have no other arguments, beyond them having a board seat is bad, in and of itself, with no other justification", then that would be an actual understandable, and straightforward argument!
But they might have made different arguments. If it literally is that they have absolutely no other arguments, beyond "Them having a board seat is bad, and there are no other bad consequences", then it would be nice if they explicitly said that.
> > to have such a hard time understanding this view.
> If I were a fiction writer, I could write a dozen different reasons as for what the problem is. But the issue is, that although I could definitely make up reasons, in my fiction book, as for why this is an issue, it tells me nothing about how this actually applies to the Rust community.
You're still not getting it: It's NOT A MATTER OF "applies". It's a question of principle.
> If you actually make the argument yourself, then it allows people to understand if there are specific issues, that are more or less bad, based on the informed opinion of someone directly from the community, instead of our uninformed, guesses, that might be right, or wrong, or slightly wrong.
He already made his argument in full. It's just that you're refusing to acknowledge that it is an argument.
So, thank you, I think I'm done here: I'm obviously unable to convey to you what you're not getting, and I don't think you need to go any more rounds of the same -- I trust it's clear enough to everyone else by now that this is due to your stubborn refusal.
> It's NOT A MATTER OF "applies". It's a question of principle.
Principles could apply to a given community in different ways. One principle in one context, could be more important than others. Thus, the person explaining their position out, even further, is useful.
For example, the principle of "innocent until proven guilty", is very important for law, because it involves locking people up.
But it is likely much less important, for determining if your friend lied to you about why they didn't want to go to dinner yesterday. The only consequence of this, is maybe you'll be a little bit annoyed at your friend.
Or take the principle of "free speech", which people talk about as a principle, and not just a law, all the time. Free speech is a principle, but it is still more important when it relates to the government, than to private individuals and what individuals allow to be said in their houses.
Thats why bringing up the principle, as it relates to the rust community, is important for a knowledgeable person to do.
> He already made his argument in full.
If someone is making, this pretty.... shall we say... specific argument which is straight up "There are no negative consequences at all to this, but I don't care", it is important to be more clear about it.
The reason, is because that is an opinion, that many people would normally only accuse someone of having, as a straight up attack. As in, People attack someone, by claiming that this is their position.
And because someone in good faith, might not want to attack someone, unjustly, it is important for the person making the original argument, to be even more clear, than normal.
I would be extremely hesitant to accuse someone of holding that position, unless they say, multiple times, that they simply do not care about any negative consequences, in the most forceful, and extreme way, because if I mistakenly, accidentally accuse someone of holding this position, they might think I am unjustly attacking their position.
> it is an argument.
It is an argument, for which many people would get upset if I claimed that this is what they are arguing. And part of acting in good faith, is not accusing someone, of very extreme opinions, unless they are even more clear, than normal.
Instead, before accusing someone of holding that position, I would leave open the possibility that there are some other, unstated arguments, that they could actually mean.
Holding open the possibility, that someone could mean many different things, as opposed to the most extreme position, is a good thing to do, so that one does not jump to accusatory conclusions.
One of the biggest problems in the security industry is a misconception that security and computer science are the same. They aren't at all.
If you're doing low level design of crypto algorithms, you need to know math. If you're doing appsec reviews or pentests, then a background in software development might help (but is not required).
But there is an entire world of security roles out there that are essential to implementing security that have nothing to do with math or compsci. The security industry right now has a huge problem with gatekeeping, where they think you can't even begin to think about security unless you're already a top-tier principal engineer, and it's led to a huge drought of talent in security roles across the board.
And yet, (correct me if I'm wrong), a good security person does not need to understand cryptography. He should have some basic understanding of how to apply it, but the knowledge of its internals and the math behind it is pretty much useless.
Yeah from the outside looking in, to me the biggest requirement is one of mindset, thinking like an attacker, thinking of all the possibilities… in that sense very much like the qualities for a good QA person
true, crypto(graphy - wow, been so long since i've typed it that I've just realized crypto has now been bogarted for something else).
theory vs applied but I think its still true the mindset of a hacker is still very different. i.e. similar to the whole IT vs dev
I don't doubt that T-Mobile could have done more, but it's also frustrating to see this trope that spending more money on security is some type of silver bullet. It's not.
I've been in security for over a decade. I currently work at a FAANG with nearly unlimited security budget. Previously I worked at another major tech company with nearly unlimited security budget. Before that I was a consultant and consulted at companies with huge security budgets. All of them, including my FAANG, struggle to have anything more than security that can only be described as "patchwork".
The truth is that nobody actually knows how to do security. Software devs are awful at it (the number of FAANG engineers I know that don't even understand what encryption is, or think that hashing passwords is unimportant, would blow your mind), management is awful at prioritizing it or even knowing what to do in the first place, and every security professional in the industry is effectively just winging it based on what someone else in the industry promoted as "best practice" (and is probably outdated by now).
Sure, prolonged investment in security might help make things better, but that's not an overnight solution, and it might not be a solution at all given that the attackers are investing heavily in their methods, too. We have to do more than just acting like increasing the security department's budget is going to fix all of our problems. I guarantee it won't.
> Software devs are awful at it (the amount of FAANG engineers I know that don't even understand what encryption is, or think that hashing passwords is unimportant, would blow your mind)
But that's not because there aren't also lots of devs who understand security, it's because FAANG companies have purposely chosen to prioritize hiring based on leet code ability above hiring based on security knowledge.
edit: This is why software developers would benefit from a union or licensing process, because currently devs who don't understand security are artificially lowering developer salaries by externalizing risk onto users.
Eh, it's both. Other departments don't necessarily focus on security (and leetcode is certainly an idiotic way of hiring, IMO). But even in my department (where we explicitly don't use leetcode and do prioritize based on security expertise and offer a huge premium for it), we are significantly under our target headcount because finding devs (or any other role) that understand security is very, very difficult.
Could this be because so many companies don't focus enough on security? So there isn't enough collective experience out there, making it hard to find those that do have the knowledge and experience.
I believe this is the case. Engineers level up primarily based on experience, learning from their team, etc. Because security is:
a) Often not prioritized
b) Handled in the shadows by some other team
the engineers don't get exposed to it. Security hasn't gone through an 'operations' evolution where it melds with engineering so these problems aren't getting better.
I think partly so, yes. I also think in general the security industry is very bad at increasing the level of collective experience, so it sort of just stagnates.
Other fields like web development, consulting, engineering, lawyers, medical field etc all have very established career development pipelines, where you can join as a junior employee and learn on the job from those around you to become a better professional.
Security on the other hand lacks this. In the vast majority of organizations I've been in, security roles are something that you are expected to enter with an already established level of experience, and then you are dropped on a project by yourself with little mentorship or training. This makes it almost impossible to bring new people into the field.
At my company, we have a "security champions" program that is intended to allow software engineers to dedicate some of their time to security and help their team think through security challenges. But we really struggle with this program, because my company pretty much just hopes that the engineers signing up to be champions are already experienced in security. If they are not, we do not have processes in place to train them, even if they do want the training.
And what's worse, is that I even see resistance to making it easier for junior people to learn security. If you spend much time on r/cybersecurity, a common thing you will see is people insisting that security should not be an entry level job, and that everyone should be required to spend 5-10 years as a sysadmin before you're even allowed to apply for a security role. I think that's ridiculous, and not only for the reason that being a sysadmin has a lot less overlap with the world of security than people like to think it does.
> finding devs (or any other role) that understand security is very, very difficult.
At what level? Are we talking like knowing the different ways to mitigate XSS and other basic OWASP top-10 style things, or having the ability to find the next Spectre or Meltdown?
We recruit primarily for mid-to-senior level roles (5-15 yrs experience), and it's the former. I get a lot of candidates that can recite what XSS is at a high level, but for example struggle to explain the things to watch out for that would indicate a possible XSS vulnerability.
One of the other issues I see is that we should be able to take the above-described candidate, which is maybe not exactly what we need but shows promise, and train/mentor them into the type of security professional that we need. But my company (and most others I've seen) are also just really bad at security training and career development. It's a real problem, IMO, that security is treated as an "experienced people only" industry, and is not very welcoming to people that aren't already experts but are willing and able to learn. We are trying to change this in my organization, but it's slow and challenging.
> I get a lot of candidates that can recite what XSS is at a high level, but for example struggle to explain the things to watch out for that would indicate a possible XSS vulnerability.
To be fair, from a devs perspective you need to flip it around in your brain, in order to go from e.g. "you need to sanitize user input to make it safe for a javascript context" to "seeing unsanitized user input that could be getting injected into a script." Even if you know all the right answers, it's still probably not going to come out super eloquently. (And I realize there are other and better answers also, but just to choose one that's easy to explain.)
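As an added illustration of that "flip" (example code written for this thread, not from any commenter), here are the two output contexts side by side: the unsafe concatenation a reviewer should learn to spot, the escaped form, and a small indicator check. The payload string is constructed for the example; nothing here is a real site.

```python
import html
import json


def render_html_unsafe(name: str) -> str:
    # The pattern to watch for: untrusted data concatenated straight into markup.
    return "<p>Hello, " + name + "</p>"


def render_html_safe(name: str) -> str:
    # HTML body/attribute context: entity-escape the five markup characters.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def js_string_literal(value: str) -> str:
    """Encode a value for use as a JS string literal inside a <script> block.

    JSON escaping handles quotes and backslashes, but a literal containing
    '</script>' still terminates the block, so '<', '>' and '&' are
    additionally written as \\uXXXX escapes (valid inside JS strings).
    json.dumps' default ensure_ascii=True already escapes U+2028/U+2029.
    """
    out = json.dumps(value)
    return out.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_script_unsafe(name: str) -> str:
    # The same smell in a script context: the value lands inside JS source.
    return '<script>var user = "' + name + '";</script>'


def render_script_safe(name: str) -> str:
    return "<script>var user = " + js_string_literal(name) + ";</script>"


def contains_raw_markup(rendered: str, untrusted: str) -> bool:
    """Indicator used in review: the untrusted value reaches the output
    byte-for-byte while still carrying markup-significant characters."""
    has_markup_chars = any(c in untrusted for c in "<>\"'&")
    return has_markup_chars and untrusted in rendered


if __name__ == "__main__":
    payload = '</script><script>alert(1)</script>'  # constructed test input
    for fn in (render_html_unsafe, render_html_safe,
               render_script_unsafe, render_script_safe):
        print(fn.__name__, "raw markup reaches output:",
              contains_raw_markup(fn(payload), payload))
```

The point the commenter makes is the indicator: the question to ask when reading code is not "is input sanitized somewhere" but "does this value cross into an HTML or JS context without being encoded for that specific context".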
Something needs to be done at a fundamental level, and some easier qualification for security professionals found, before this problem can be fixed.
One easy way to fix it would be market economics. Make the pay grade of senior security roles a lot higher than comparable software engineering roles. These incentives should balance things out in time.
Otherwise I am looking at a security professional death spiral.
Nah. First, actually being good at leet and knowing about hashing and such are not in opposition. In an odd way, leet exercises lead to the math parts of it.
And second, non leet devs are not some kind of safety panacea. The worst are people who don't care at all. Many have not heard of basics.
Third, if you actually decide that security is important and try to learn it, you will find resources are rare. There is very little of it targeted at developers. There is no shared knowledge base. There are no commonly known processes. Nothing like that.
So even if you care and try, you end up learning very little.
I don’t do anything security related — I’m a lowly bare metal programmer — but I’m still mystified as to how user passwords are securely kept on disk? The only thing I could think of was to encrypt a user’s password with their password…
Don't store them. Hash the password and store that, using a suitably strong algorithm that's relatively chunky and expensive to compute en masse (most, if not all, modern options, such as scrypt, Argon2, and bcrypt, support a scaling work factor so that in the future you can increase the work needed as computing resources increase). Then you can compute a hash based on the password that's passed in and make sure that they match.
Some folks will then further encrypt the stored hashes such that a database compromise, but not an application-server compromise, leaves the attacker without the keys necessary to decrypt even the hashes, but I am ambivalent about the usefulness of that (can't hurt, but the threat model for that seems more geared towards internal threats than external).
>I don’t do anything security related — I’m a lowly bare metal programmer
Sorry to make an example of you but this kind of attitude is the problem. Everyone does something security related. If something is giving input to the machine (that could be typing on a keyboard, collecting data from a sensor, or anything else), you have to care about security. Even if security means in your context sanitizing inputs to make sure you don't overflow and crash, or write something to the screen you're not supposed to, etc.
Full disk encryption (FDE). You provide the password at boot and either you can or can't decrypt (typically the key itself is derived from the password). You can also do this without FDE by doing the same thing but keeping the password around in memory if you're trying to avoid prompting them.
Modern machines work slightly differently. The key material is stored in a TPM which is a separate processor & dedicated memory that is purpose built to withstand physical and electrical attacks. Apple devices specifically have a complicated key wrapping scheme (protected by your pincode or password) to make certain files accessible/inaccessible depending on the policy defined (available after first unlock, available only when unlocked, available always, & a fourth one I forget). Your password is just used for protecting the underlying keys but the device actually generates strong key material that's used to protect all on-disk contents regardless of a password being present IIRC.
If you're talking about the password database for local login & whatnot, that was available without even having FDE by using PBKDF2 or similar to securely hash the password. That way you only store the hash & leaking that file doesn't mean that someone can reverse that back to get your password.
Multilevel encryption. It's like you keep valuable stuff in one room, a key for that room is kept in another room, that room not only needs a key, but also a 4-digit pin code, finally that key is kept in a safe that can be opened only with three other keys and so on.
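Putting the two comments above together (the password-derived key that unlocks the real key, and the "key in a room whose key is in another room" picture), here is an added worked example; it is my code for this thread, not anything from a commenter or from Apple's or any vendor's implementation. The password never protects the data directly: it derives a key-encryption key (KEK) that wraps a random data-encryption key (DEK), so changing the password rewraps one small blob instead of re-encrypting the disk. The `seal`/`open_` pair is a deliberately simple HMAC-based stand-in for a real authenticated cipher such as AES-GCM, used only so the example runs with the standard library; the parameters and layout are assumptions.

```python
import hashlib
import hmac
import os

KDF_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # assumed work factor for the example


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for a real stream/block cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (encrypt-then-MAC). Illustrative only;
    production code would use AES-GCM or AES key wrap."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def derive_kek(password: str, salt: bytes) -> bytes:
    # Password -> key-encryption key via a memory-hard KDF.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **KDF_PARAMS)


class Volume:
    """Constructed model of a password-protected volume.

    The header holds the KDF salt and the DEK wrapped under the KEK; every
    data block is sealed under the DEK, which itself is never stored in clear.
    """

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        dek = os.urandom(32)  # full-strength random key, independent of the password
        self.wrapped_dek = seal(derive_kek(password, self.salt), dek)
        self.blocks = []

    def unlock(self, password: str) -> bytes:
        # Wrong password -> wrong KEK -> tag check fails -> ValueError.
        return open_(derive_kek(password, self.salt), self.wrapped_dek)

    def write(self, password: str, data: bytes) -> None:
        self.blocks.append(seal(self.unlock(password), data))

    def read(self, password: str, index: int) -> bytes:
        return open_(self.unlock(password), self.blocks[index])

    def change_password(self, old: str, new: str) -> None:
        dek = self.unlock(old)
        self.salt = os.urandom(16)
        self.wrapped_dek = seal(derive_kek(new, self.salt), dek)
        # Data blocks are untouched: only the wrapping layer changed.


if __name__ == "__main__":
    vol = Volume("hunter2")
    vol.write("hunter2", b"secret block")
    vol.change_password("hunter2", "correct horse")
    print(vol.read("correct horse", 0))
```

The TPM and Secure Enclave designs mentioned above move the KEK (or the key that wraps it) into dedicated hardware, but the layering is the same idea: the password only ever unlocks a wrapper around strong generated key material.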
> I don't doubt that T-Mobile could have done more, but it's also frustrating to see this trope that spending more money on security is some type of silver bullet. It's not.
So true. A problem is that "spending money on security" is so nearly always a synonym for increasing the infosec budget under the CISO. Which is useful, yes, but only a partial solution. A bigger ROI would be to spend it on developers who are experts in security and building a culture that cares. But even in enterprise security companies (most of my career), product security is so often seen as a checklist that infosec will take care of, not a core engineering competency.
This makes no sense at all---you're implying that the bad guys somehow have a monopoly on innovation and effectiveness, when in reality, there is just more upside for them to steal sensitive info than there is downside for companies to protect it. If T-Mobile's latest data breach led to them getting fined, say, $5 billion, I promise you it would be the last.
It would be the last for T-Mobile because it would end T-Mobile. But it wouldn't be the last breach ever.
I could give $5 billion to my FAANG right now and I bet we'd still be breached (hell, I'm pretty sure we already have that budget in my FAANG's security department). The US DoD already has a cyber security budget of $10 billion, and they still get breached.
You underestimate the amount that these companies care about security. Just because they get fined "only" a couple hundred million dollars doesn't mean they aren't scared shitless by being breached. I've sat in boardrooms with CEOs telling us they were willing to pay whatever it takes to increase their security (and they put their money where their mouth is, too). They still get breached.
Budget isn't everything. Does it help? Sure. Like any other security professional, I can recount plenty of tales of teams deprioritizing security in favor of something else. Would they have done differently if they were incentivized better by bigger potential fines? Maybe. Would they have actually been able to implement ironclad security even if they did prioritize it? In the cases I've seen, it's doubtful.
edit: and consider this. If you truly do think that money is everything, you should realize that you will never be able to throw more money at your security than a nation state attacker like China will be able to throw at breaching your security. In the competition of who can spend the most money, you've already lost.
Just to add to that, consider the hacker (technically cracker) only has to be right once, the security team has to be right 100% of the time and with 100% of the attack surface. There could be a new attack surface that wasn't even a thing at any given moment. Also consider a lot of the attack surfaces are software not even written by the company being attacked (Windows/Routers/etc).
It's like the 2000 era adage, the terrorists only have to be right once.
> I've sat in boardrooms with CEOs telling us they were willing to pay whatever it takes to increase their security (and they put their money where their mouth is, too). They still get breached.
Money flows (often) freely but it's not enough. I worked at one place where the CISO was very aware that security needs to be designed into the product from the ground up. Later a new CISO came in who thought that security can be achieved merely by purchasing every security scanner on the market and sitting back to bask in perfect security. Needless to say security was far worse with the latter one.