Ask HN: How much faking it is ok?
i’ve recently left a job dude to being told:
“security doesn’t matter for a company at our stage, if we get hacked we’re fucked anyways”
is this normal in the start up world? is the fact that it’s a fintech company any different? am i truly out of touch with what “success” means now?
13 comments
[ 0.25 ms ] story [ 38.4 ms ] threadBasically, anything short of fraud or negligence is "ok". The world is built on what things look like, not what they actually are. It's sad so much of the world is run on opinion instead of fact.
Interesting side story, I work for a large financial company. I brought up a vulnerability and wanted to have it addressed (too big for just me to fix). The system had SQL injection vulnerabilities throughout it with schema owner privileges. Luckily it was an internal app, so not as likely to be exploited. How did management respond? They said it's fine since we have a real time or near real time DB backup. My next question was if this has even been tested... nope. Is there even documentation on the steps to take? Nope. Insane...
A new employee came in to my team, saw what was happening, and reported it internally. They did an "investigation" (but, somehow didn't interview me or anyone else who would have backed up what they had reported). The investigation found no wrongdoing and the reporting employee was told to leave.
Then, suddenly, the company decided to IPO. And those horribly misleading numbers made it into our S1, the investor decks, and continue to be routinely repeated on quarterly earnings calls. I left the company because of these issues, and now vacillate between reporting it to the SEC but figure they'd likely do nothing except burn my bridge with one of my longest employer tenures.
Anyway, you made the right decision to leave. Companies like that will never prioritize the right things, even when they're in more stable places. There are always trade offs to be made in early stage companies, but there are some things that you still should be doing regardless... there are other companies out there that take this stuff more seriously and act more ethically, but this kind of behavior is shockingly prevalent in the startup world.
You just wrote this company is defrauding investors and the government, and you are an insider who knows about it.
The fact it made you feel ill isn’t enough. Do society a favor and name the company. Maybe pen a paper anonymously. Is there a concern that when this information does come out, it will come back to you as one of the pre IPO leaders?
I didn't do anything wrong - I did my calculations and analysis correctly, stated the assumptions and limitations of my data, etc. Executives in my division ignored the data I produced and just made shit up for their own benefit. By disclosing what I know, I open myself up to legal threats, bad references (including back channel references), damage to mental health, and potential repetitional damage, all for something where it's unclear it'd rise to a level that the SEC or FTC would actual investigate.
I'm still not decided on what to do. I've been a whistleblower at other companies, which has made me a lot of money from rewards... but it wasn't without a ton of stress in the process. So, yeah, that's all -- in theory it's an easy decision, in practice there are other considerations that make the decision more murky.
So that's one guideline.
Even if that is a true statement, using it to justify not taking security seriously adds risk into your business operations and shows a distinct lack of focus on potential impact to your customers. Knowingly slacking on security because of an attitude like this (IANAL) sure smells like negligence or fraud to me, which is exactly when it is not OK legally.
In taking up the team's focus, in adding friction to getting stuff done, etc.
Early stage companies need to be relentless in trying to find product market fit, anything that's not that is a distraction.
Security is a tradeoff. You didn’t think they did a good choice, they think they did, that’s all we can say.
For most companies, security is about securing the border. Making sure nobody can get in.
Once someone gets in, it’s actually really hard to stop them, so people tend to favor what makes development faster rather than what makes security tighter…