more on fairness and security
For the security chapter - a pet peeve: this might be because I lack knowledge here - but I think password managers can be encouraged more. The author talks about the strength that 4 random words can have and the XKCD cartoon nicely demonstrates why - but I think that jobs can require passwords for a lot of different services, and reusing even the same 4 random words would still lead to threats because the password getting leaked would impact more than one account. Password managers recommend strong passwords (like they cite) and also keep track of multiple accounts because eventually people need something to store (I used a diary before...). I agree with them creating a single point of attack but some password managers come with 2FA (which people with cough smartphones may find useful).
What I think can be added: spyware/logs in work laptops - and how to safeguard against those issues with precautions like webcam covers, not accessing personal accounts on work laptops given by employers, and really checking what the employer can do and why. My employer wanted access to my phone's email apps - I get how they want to protect their own software, but it was suspicious.
For the fair play chapter: I felt like the tone was a bit geared towards someone who's had at least one job. Like the author stated with the "it must be nice to be able to walk away from a job" example - sometimes new students don't even know what's unacceptable.
Some concerns that I think can be addressed are:
- Companies (especially startups) paying students very little citing lack of experience, but getting a lot of work done. It's important (I think) for students to know that they're not the only ones benefiting from this job, especially as interns. Negotiating for pay shouldn't be something that they feel guilty doing.
My company's contract said: "you work from 9-5, but working longer would mean you get to learn more" - right, "learning" is a nice bait.
- Senior workers can exploit junior workers - getting more work done because "learning", transferring work assigned to them to junior workers, and shifting blame as well. When someone's new, I think they find it easy to do that because they think the junior worker won't complain, and if you're an intern - it's not a full-time job anyway, so shifting some blame on you won't get you fired. This one definitely stems from personal experience - I had a similar issue, frustratingly told my manager that I wanted to leave because I didn't think I fit, and happened to message [redacted] who went "resignation should be the last step. You should talk to your manager first, if that doesn't work talk to HR, and then you can quit." Luckily for me - talking to my manager was enough in that case, and senior employees were warned not to mistreat me and the other interns. Without someone telling me that I can do that, I wouldn't have known.
I liked the content so far 😎
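The point above about reusing one four-word passphrase across many accounts can be made concrete. The following is an added example, not part of the commenter's post or of the book under review: it generates diceware-style passphrases with Python's CSPRNG-backed `secrets` module, computes the entropy of "4 random words" for a word list of a given size (the 7776-word size of a standard diceware list gives the familiar ~51.7 bits), and, for a constructed vault of account/password pairs, reports which accounts share a password and how many accounts one leaked password would expose. The 32-entry word list and the vault contents are constructed for the demo.

```python
import math
import secrets

# Constructed toy word list (32 entries) so the demo runs offline. A real
# diceware-style list has 7776 words; entropy_bits() takes the list size as
# a parameter, so the strength of a real list can still be computed.
WORDLIST = [
    "apple", "river", "stone", "cloud", "maple", "piano", "salt", "lantern",
    "orbit", "velvet", "copper", "meadow", "ember", "harbor", "quartz", "tulip",
    "anchor", "basil", "canyon", "dune", "falcon", "glacier", "hazel", "ivory",
    "jasper", "kelp", "lunar", "marble", "nectar", "oak", "pepper", "raven",
]


def generate_passphrase(words=WORDLIST, n_words=4, pick=secrets.choice):
    """Pick n_words uniformly at random (with replacement) from the list.

    secrets.choice is used by default because it draws from the OS CSPRNG;
    random.choice is not suitable for generating credentials. The `pick`
    parameter exists only so tests can substitute a deterministic chooser.
    """
    return " ".join(pick(words) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy of n_words chosen uniformly with replacement from list_size words."""
    return n_words * math.log2(list_size)


def shared_passwords(vault):
    """vault maps account -> password. Return {password: [accounts]} for every
    password that is reused by more than one account."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {p: sorted(a) for p, a in by_password.items() if len(a) > 1}


def blast_radius(vault, leaked_account):
    """Accounts exposed if leaked_account's password is leaked: the account
    itself plus every other account that reuses the same password."""
    leaked = vault[leaked_account]
    return sorted(a for a, p in vault.items() if p == leaked)


if __name__ == "__main__":
    print(f"4 words from a 7776-word list: {entropy_bits(7776, 4):.1f} bits")
    print(f"4 words from this {len(WORDLIST)}-word list: {entropy_bits(len(WORDLIST), 4):.1f} bits")

    # Constructed vault: one good passphrase reused on three work services.
    reused = "apple river stone cloud"
    vault = {"mail": reused, "payroll": reused, "git": reused,
             "chat": generate_passphrase()}
    print("reused passwords:", shared_passwords(vault))
    print("leak of 'mail' exposes:", blast_radius(vault, "mail"))

    # What a password manager does for you: a fresh passphrase per account,
    # after which a single leak exposes only that one account.
    for account in ("mail", "payroll", "git"):
        vault[account] = generate_passphrase()
    print("after rotation, leak of 'mail' exposes:", blast_radius(vault, "mail"))
```

The strength figure is the same whether the passphrase is used once or on ten sites; what changes with reuse is the size of `blast_radius`, which is the point the comment is making. Generating one passphrase per account is exactly the bookkeeping a password manager automates.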
Security and privacy, though interconnected, can make more sense if addressed in two different chapters.
Perhaps, the security part can focus on usable end-user security as well as usable security from the developer's perspective [1].
The privacy part can focus on GDPR (it's not great, but the best we have)—e.g., describe things that developers would need to know, such as the different roles, types of data, etc.
My 2c
[1] Acar, Y., Fahl, S. & Mazurek, M. L. You Are Not Your Developer, Either: A Research Agenda for Usable Security and Privacy Research Beyond End Users. 2016 IEEE Cybersecurity Development (SecDev), 3–8 (2016). doi:10.1109/secdev.2016.013