Season 4 Episode 3 Apr 29, 2021

Basecamp Backlash, Remote Work Harassment, Linux Kernel Submission Ban, and Crypto Miners Killing Free CI

Pitch

So...what counts as political?

Description

In this episode, we talk about the problematic blog post put out by Basecamp CEO and Co-founder Jason Fried, and we also get into how crypto currency miners are killing free CI. Then we chat with Hector Monsegur, security researcher and former blackhat hacker, about how University of Minnesota security researchers submitted security vulnerabilities to the Linux kernel to show flaws in the approval process leading to a call for a ban on anything submitted by umn.edu emails. Finally, we speak with McKensie Mack, founder & CEO of MMG and a co-author of a report put out by the non-profit, Project Include, about how remote work is leading to more gender and racial harassment at tech companies.

Hosts

Saron Yitbarek

Disco - Founder

Saron Yitbarek is the founder of Disco, host of the CodeNewbie podcast, and co-host of the base.cs podcast.

Josh Puetz

Forem - Principal Engineer

Josh Puetz is Principal Software Engineer at Forem.

Guests

Hector X. Monsegur

Hector X. Monsegur is a security researcher and former black hat hacker.

McKensie Mack

MMG - Founder & CEO

Researcher, strategist, and digital organizer, McKensie leads the data-driven organization, MMG, which leverages mixed-methods research to transform culture and stop harm.

Show Notes

Audio file size

8034785

Duration

00:55:48

Transcript

[00:00:10] SY: Welcome to DevNews, the news show for developers by developers, where we cover the latest in the world of tech. I’m Saron Yitbarek, Founder of Disco.

 

[00:00:19] JP: And I’m Josh Puetz, Principal Engineer at Forem.

 

[00:00:22] SY: This week, we’re talking about the problematic blog posts put out by Basecamp’s CEO and Co-Founder, Jason Fried. And we also get into how cryptocurrency miners are killing free CI.

 

[00:00:32] JP: Then we chat with Hector Monsegur, Security Researcher and former black hat hacker, about how University of Minnesota security researchers submitted security vulnerabilities to the Linux kernel to show flaws in the approval process, leading to a call for a ban on anything submitted by umn.edu emails.

 

[00:00:49] HM: Now the Linux maintainers have to start looking at other universities with scrutiny, like, “Hey, are there copycat research projects happening in real time?” It becomes a major issue.

 

[00:00:59] SY: Then we speak with McKensie Mack, Founder and CEO of MMG and a co-author of a report put out by the nonprofit Project Include, about how remote work is leading to more gender and racial harassment at tech companies.

 

[00:01:12] MM: There needs to be a difference in the ways in which we perceive and think about power. So like who’s in positions of leadership within our organization and company and what kind of equity exists when it comes to that leadership.

 

[00:01:23] SY: We’re starting off sort of with a doozy. Basecamp CEO and Co-Founder, Jason Fried, authored a post on the Basecamp blog titled “Changes at Basecamp”, which got an incredible amount of backlash from the developer world. The post discusses six directional changes the company is making. We’re going to dig into the first one that states, “No more societal and political discussions on our company Basecamp account,” and post the full blog post in our show notes. The letter doesn’t expand on what Basecamp will consider to be political and not political, but essentially says that political discourse at work isn’t healthy, it’s too difficult to navigate, and is a distraction from work. Fried says, “Sensitivities are at 11, and every discussion remotely related to politics, advocacy, or society at large quickly spins away from pleasant. You shouldn’t have to wonder if staying out of it means you were complicit or wading into it means you’re a target.” This is a similar move as the one taken by Coinbase’s CEO and Co-Founder, Brian Armstrong, that was outlined in a post he penned last year titled “Coinbase is a mission focused company,” which also received backlash. Now a lot of people had some pretty big problems with this post, particularly around the point about not talking about societal and political issues at work. And they took to Twitter. I’m going to read some of the tweets that do a pretty good job of summing up the overall sentiment. Coraline Ada Ehmke, Creator of Contributor Covenant, tweeted, “It’s amazing to me that we don’t recognize how the myth of the neutrality of technology props up white supremacy.” Jill Wohlner, CEO and Founder of Underpin, said, “As a gay woman, you tell me I can’t have a political or societal conversation. And that sounds a lot like I can’t talk about my wife at work because being in a gay marriage is an effing political statement to people. I’m angry.” Or Sarah L. Fossheim, Creator of Ethical Design Guide, who posted, “As a non-binary person, telling me not to have political or societal conversation at work sends me the message that I should hide who I am and can’t have conversations around pronouns, et cetera.” And finally, we have Hashim Warren, Senior Product Marketing Manager at WP Engine, who pointed out, “If a Basecamp employee suggests moving to Google cloud because it’s greener, is that a social issue? Is that banned? Or only stuff like Black Lives Matter?” After this backlash, David Heinemeier Hansson updated his portion of the letter, which dealt with this particular change stating, “Unsurprisingly, parts of Twitter is. very disappointed. in. us.” Those are periods after each of those words. “And the search for the tweet to serve as a stake for that disappointment is in full swing. Several contenders have included my tweets about how I find it okay for leaders and employees to be political on Twitter. I still do. And I still will be. Not just on Twitter, but on this here blog as well. These are my personal spaces.” At the end of Fried’s post, he said that he and Hansson were the ones to make these decisions and that there were discussions and even disagreements within the company, but these were their calls to make. It’s not just steps outside of the organization, but within as well, who share their frustrations with these changes. Jonas Downey, Head of Design at Basecamp, tweeted, “I’ve worked at Basecamp for a long time because it’s a company full of smart and kind people. And together, we’ve always tried to take care and do the right things. I don’t agree with the changes announced today and I’m sad and upset.” So…

 

[00:05:00] JP: Yeah, there’s so much going on here. So a little bit of history. Basecamp was called 37signals up until a couple of years ago, I believe.

 

[00:05:09] SY: Yup.

 

[00:05:09] JP: They got their start doing like graphic design work and then they started making a collaboration tool called “Basecamp”, which they renamed the company after. And recently, I think it was last year, they released an email client and service called HEY.com. One thing about Basecamp that is important to many developers, such as myself, is that David Heinemeier Hansson, who is their CTO, is the creator of Ruby on Rails, a popular open source framework that many of us use. So a lot of us in the Ruby community have followed Basecamp for quite a long time. They have a history of putting themselves out there as being an ideal place to work. They’ve written books about the way they work remotely, the way they structure their pull requests, the way they structure their design work. And a lot of people have kind of, for better or worse, idolized them as a top tier independent company to work for. And this blog post just blows it right out of the water.

 

[00:06:15] SY: Yeah. Absolutely. I mean, as an employer, as a manager myself, these are definitely questions I ask myself is, “How do you handle politics? How do you handle advocacy in the workplace?” And especially with my team of producers, when we were working on content together and all that stuff with the Capitol riots happened, I was like, “Oh, man, I don’t know what to do.” Because we’re trying to push through content and get our work done, but also life is happening and the world is happening. And I was just kind of like, “Do I acknowledge it? How do I acknowledge it? What do I say? Do we have a conversation? Do I just kind of give people a day?” Just what do you do in those situations, and I think those situations are just tough to navigate, but I think that making kind of a blanket decision of we’re just not going to address it doesn’t quite feel like the right thing to do.

 

[00:07:06] JP: I feel like there’s so much going on here. Okay. So let’s talk about like no political or societal talk at work. And I think that’s the one that really, I mean, a lot of stuff in here, I have a very visceral response to, but that’s the one that really kind of gnaws at me. I’ve seen it pointed out pretty well among other people on Twitter that the idea that you can just put away politics and put away societal change, right there that speaks to a point of privilege. Not everyone can just dismiss it as if it’s something that’s happening on the TV, something that’s happening down the block and it doesn’t impact your day-to-day lives. Depending on your ethnicity, depending on your race, depending on your gender and sexual orientation, societal and political changes affect you vastly differently. And for someone, frankly, a white cis guy in a position of power to just say, “Hey, we’re not going to talk about that,” a lot of these issues probably don’t hit him in the same way with the same force as they do other employees.

 

[00:08:15] SY: Absolutely. Yeah. I mean, it also kind of makes you wonder if you are a woman, a person of color, otherwise underrepresented person at a place like Basecamp and you are feeling discriminated against and you want to bring up issues like systemic racism, is that now advocacy?

 

[00:08:34] JP: Yeah.

 

[00:08:34] SY: You know what I mean? If I’m experiencing something in the workplace that is related to one of these issues, am I no longer allowed to speak up on it or address it because it might be misconstrued as political and too societal? So I think it’s the idea that people can leave a big part of themselves and their world behind and engage in the workplace purely as a profit centered activity. It’s just very unrealistic. And I think it’s easier for some. I don’t think it works for most people. I think it just seems like an unreasonable request to make of the people you work with.

 

[00:09:12] JP: Yeah. I a hundred percent agree. I also think there’s a lot of conflation of political and societal stuff in this post. And when I read this, in my mind, I was like, “Okay, I wonder what is going on over there. Are there Slack channels just full of people fighting about like political issues, like, ‘I support this candidate for president,’ or, ‘I think this person running in my local town’s treasurer race should win’”? I pictured the company just like being completely unfunctional, people unable to communicate because someone says they’re a Democrat, someone says they’re a Republican, and that honestly mirrors our national discourse here in the United States. Some of the reporting that’s come out, Casey Newton at Platformer has an excellent article I would point people to, where he’s spoken to both former Basecamp employees, current Basecamp employees and the co-founders themselves. He goes into this really awful doc that was created at the company that was making fun of customers’ names, as well as the cold reception the founders gave diversity and inclusion efforts that employees in the company were trying to start up. And Jane Yang, a policy and data lead at Basecamp, she came out with an open letter that goes into questionable decisions the company made around what the company’s response would be to something like Black Lives Matter, something like the Capitol insurrection, and what the company’s policies would be specifically for email and for people that are using their email service to perhaps spread hate speech or false information. That seems to be the impetus for this blog post from the founders. And it’s a completely different scenario than I had pictured in my head.

 

[00:10:42] SY: Absolutely. And you bring up such a good point of what is political. If you think about Black Lives Matter and police shooting anyone, in this context, Black people, that should not be a political issue. I mean, ideally, no one wants to get shot and killed by the police, right? Like that seems to be a pretty solid, understandable request to be made, but that’s been politicized and that’s turning into this whole political conversation because that’s how some people have decided to approach that topic. So if you’re talking about police brutality, all of a sudden you’re taking an issue that we should all be able to agree on, and now you’ve made it into something that you can’t talk about at work. And so those are kind of the things that are most probably frustrating to people, and I don’t even know if advocacy is the right word, it’s just something that shouldn’t be happening. And when we talk about these things, all of a sudden we are causing friction or, in Jason Fried’s world, unpleasantness. So the idea of moving away from pleasant was, to me, a very strange way to put it.

 

[00:11:46] JP: Oh, it struck me as a very like white person way to put it. I distinctly remember hearing from white people when Colin Kaepernick was doing his protest in the NFL, “Oh, I wish they would keep politics out of football.” And that’s like code for, “Oh, I wish I wouldn’t have to think about this thing. I don’t have to think about every day.” No, you need to think about it. It’s affecting people. David Heinemeier Hansson posted a response and he brings up some things like, “Here are political positions I take that you might think I’m Liberal. And if I say I take these other political positions, you might think I’m more Conservative and it’s hard for us to have a conversation.” But I would push back. There’s a difference between taking a political position and then there’s a difference between advocating for rights because of who you are. If you say, “You know what? I agree with Republicans, and I think we should have a smaller government.” That’s a choice. That’s a political position. We can have a conversation with it. If you say, “I don’t think trans people should go to the bathroom.” That’s not a political position. That’s a position about an unchangeable aspect of someone.

 

[00:12:54] SY: Oh, that’s interesting.

 

[00:12:55] JP: Right?

 

[00:12:55] SY: Yeah.

 

[00:12:55] JP: And that’s where it’s like, “How do you ask an employee?” “Hey, could you not talk about things that are endemic to who you are as a person? If you’re a black woman, could you please not talk about systemic racism? If you’re a trans person, could you please not talk about healthcare and trans rights?” That’s significantly different than if you’re a Conservative, could you please not talk about why you think small government is good?”

 

[00:13:21] SY: That is such an interesting distinction. I love that because the other part of this conversation that we touched on at the very beginning is who gets to say what is political, who gets to decide that. It sounds like it’s just Jason and DHH who are making the call on that. But who gets to say and what counts as political? Because there are a lot of topics that shouldn’t be political that have been politicized. And so I really liked that distinction. There’s kind of opinions of different things that we can control and things that we can’t control. And maybe the conversations over who people are, which is something they can’t control should not be removed from the conversation.

 

[00:14:02] JP: Right. I think some companies want to go the path of, “We’re sitting out societal changes, we’re sitting out any kind of commentary on anything happening in society right now.” And other companies are saying, “We’re going to put a stake in the ground and we’re going to set forward what we believe.” And I think there’s a lot of fear from some companies. This seems like a lot of fear from Basecamp in terms of they don’t want to shut out any potential business or any potential customers by taking a stand. That’s great for some of the people at the company. They can afford to blend into the woodwork and not take a stand. Frankly, the white people, they don’t have to take a stand and things are just great. But not everybody has that choice. And I respect companies that do put a position out there. I might not always agree with them. I’m not going to go work for the MyPillow guy anytime soon. Right? I disagree with his choices, but I certainly appreciate that he, as a company, has put those choices out there.

 

[00:15:05] SY: Yeah. And the other thing, not so much the political conversation, but just a fun communication detail…

 

[00:15:12] JP: Air quotes around that one.

 

[00:15:16] SY: Basecamp did not communicate these changes to their team internally. They found out about it when it was posted on Twitter.

 

[00:15:23] JP: So to recap, the company that makes communication and collaboration software for small teams announced this large change in a public Twitter post and their employees did not know about it.

 

[00:15:35] SY: Yeah.

 

[00:15:36] JP: I mean, as shocked as I was to read this, I cannot even imagine being an employee at this company.

 

[00:15:42] SY: I’d be so pissed.

 

[00:15:42] JP: Exactly. I would be so pissed.

 

[00:15:44] SY: Oh my God! I’m going to be so mad.

 

[00:15:45] JP: Employees at the company have come out and said like, “Things were not perfect here. This has not been a private company for a long time. It’s been their public image.” But still, to read this in a public post, there have been follow-up posts saying that we’ve offered people severances if they don’t want to stay. It’s like breaking up with someone over text. It’s awful.

 

[00:16:03] SY: Yeah. Oh my God! It really is. It really is. It is very accurate. Yeah. So anyways, lots that are happening on Basecamp, clearly Twitter is not happy. For the most part, not very happy with these changes. It sounds like some of their employees are also not happy. So we’re going to keep an eye on this and see how this continues.

 

[00:16:22] JP: I think a lot of employees are going to start having conversations at their own companies about this as well. I know. I know. I know a lot of friends that are asking their own companies, “What’s going on with us?” So yeah.

 

[MUSIC BREAK]

 

[00:16:46] JP: Continuous integration provider LayerCI authored a blog post this week entitled “Crypto miners are killing free CI,” about how those who mine cryptocurrency are driving up costs and leading to product changes that affect free CI options. The only thing about this is that it isn’t really a new problem. It’s something that’s been going on for quite a while. These platforms help developers with running automated tests and merging code into their repositories. And some places that are restricting or shutting down their free CI tiers include GitLab, TravisCI, and LayerCI themselves. What crypto miners are doing is using platforms like LayerCI for their proof of work validation model of mining, which is used to confirm the transactions, but that increases the utilization and end cost to CI providers. As market capitalization of cryptocurrencies surges, so has the usage and draining of these free CI tools. Of course, CI providers are on the lookout for this kind of activity. So miners use all sorts of techniques to hide what they’re really doing. One solution, which we talked about in our last episode, is a change some cryptocurrencies are making to switch to a proof of stake or PoS validation model. The difference between these two validation models, according to Investopedia is, “Proof of work requires huge amounts of energy with miners needing to sell their coins ultimately to foot the bill. Proof of stake gives mining power based on the percentage of coins held by a miner.” So in actual practice with proof of work, you have to do a bunch of calculations to figure out whether the coins you’ve produced are valid. With proof of stake, you utilize a central authority to say, “Yes, those are valid.” Have you heard about these sorts of things, Saron? I find this stuff endlessly interesting.

 

[00:18:21] SY: Oh, that’s great. No, I heard nothing.

 

[00:18:24] JP: Well, okay. Full disclosure, I used to work for a CI company called Codeship. And this was maybe about five years ago. And back then, we dealt with these same sorts of problems.

 

[00:18:36] SY: Really?

 

[00:18:36] JP: Yeah. We’d see increased utilization, and it often took the form of a PagerDuty alert in the middle of the night that our server farms were going crazy, utilization was through the roof for no apparent reason, and it would turn out somebody had launched a thousand jobs and they were mining Bitcoins on our service.

 

[00:18:56] SY: Yeah, that sucks. I’m not surprised, I guess, because cryptocurrency has been known to eat up a lot of energy, it’s very intensive. I don’t remember what the numbers were, but it’s like one cryptocurrency mining takes up the whole energy of a country. You know what I mean? We always read stuff like that. So that’s not really surprising. I didn’t think about how it would impact specific products. I thought about the impact on the environment, but not specific products and the idea that a company, kind of one company that provides a service that they need to utilize can take on such a bill or potentially have to even just change the software and the product they’re building to accommodate this is definitely something new that I hadn’t thought of before.

 

[00:19:42] JP: Yeah. I think a lot of developers that aren’t involved with software as a service product might not have visibility to this, even developers that are involved with those might not have visibility to the business end of this. When you think about software as a service on the internet, a lot of roads lead to AWS or Google or Microsoft Azure. And companies have to pay for those services. And a lot of that billing is based on utilization. So if you’re running a service and your utilization spikes or you create a feature that uses a lot of computing power, all of a sudden, as a company, your bill goes up and you either have to pass that along to the consumers or eat it yourself. As developers, we don’t often think about the business cost in terms of like electricity and AWS bills of the features we’re writing and the computing that we’re doing. And I think that’s a really good thing to keep in mind as we develop these features.

 

[00:20:40] SY: Yes, absolutely. And it kind of makes me wonder what the business response is going to be to this. Does the CI company say, “Okay, well, we’re going to try harder to find these mining situations, we’re going to make a policy against it”? And hope that they’re able to catch these people. Or are they going to say, “You know what? We can’t catch them. It’s not worth our time. No free tier at all”? Is it going to be, “We’re just not going to give this up for free, maybe we’ll give you a free 30-day trial”? But ultimately, you either pay it or you just don’t become a customer. I’m kind of curious to see if this gets so bad that businesses ended up making significant changes that don’t just impact the miners, but that impacts all of us.

 

[00:21:20] JP: I also think one of the reasons we’re seeing this now and this particular blog post pointed out that over the past couple of years, the value of cryptocurrency has just continued to go up and up. And then meanwhile, with the way cryptocurrencies work, as the life of a cryptocurrency proceeds, it gets harder and harder to mine. You have to do dramatically more work now to mine a Bitcoin than you did when it first launched. So more work, more processing has to occur. The value of the currency is going up and those like have combined to kind of create this inflection point. I wouldn’t be surprised if we see more restrictions on free tiers and possibly more requirements if you’re making account, if you want to try out a CI provider, if you want to do something on GitHub Actions or LayerCI or CircleCI. You might have to prove who you are. You might have many more restrictions on your free account or you might have to start paying for a beginner account or something like that. I think we will start to see providers tweak how people onboard.

 

[00:22:33] SY: Yeah. Really interested to see where this takes the cryptocurrency mining world, especially as you said, as cryptocurrency becomes even more popular and increases in value. I’m definitely interested to see how, not just CI companies, but companies in general who touch the cryptocurrency world, how they evolve too.

 

[00:22:51] JP: I really worry for open-source projects. I think they’re the ones that are going to be negatively impacted by this, especially not-for-profit companies that rely upon CI, rely upon contributors. I hope they’ll be okay. I hope companies see the value in providing free accounts for open source.

 

[00:23:10] SY: Absolutely. Earlier this week, there was a call for the banning of anything submitted by a umn.edu email for patches of the Linux kernel. This came after University of Minnesota security researchers submitted security vulnerabilities to the Linux kernel to show flaws in the approval process. So to learn more, we speak with Hector Monsegur, Security Researcher and former black hat hacker, about both the decision to submit those security vulnerabilities and the response after this.

 

[MUSIC BREAK]

 

[AD]

 

[00:24:00] JP: RudderStack is the Smart Customer Data Pipeline. It makes it easy to build event streaming, ETL, and reverse ETL pipeline. It’s warehouse first. RudderStack doesn’t persist any of your data. It builds your customer data lake and your identity graph in the data warehouse and it’s open source. Sign up for free at rudderstack.com and give them a star in GitHub.

 

[00:24:19] Scout APM is the leading edge application performance monitoring designed to help developers quickly find and fix performance issues before the customer ever sees them. See why developers call Scout their best friend and sign up for your 14-day free trial today at scoutapm.com/devnews.

 

[AD END]

 

[00:24:37] SY: Here with us is security researcher and former black hat hacker, Hector Monsegur. Thank you so much for joining us again.

 

[00:24:44] HM: Well, thank you for having me.

 

[00:24:45] SY: So we talked about your developer and security background on the show back in Season 2, Episode 8, where we talked about a big governmental hack, and I urge anyone who hasn’t listened to that episode to take a listen. But let’s get down to business. Can you talk about this potential flub that security researchers at the University of Minnesota did with the Linux kernel?

 

[00:25:06] HM: So yes. We have a situation where we have a couple of researchers out of the University of Minnesota that tried to identify potential weaknesses in the patching process for the Linux kernel in order to submit a patch to the actual Linux project. I mean, it’s actually quite simple. There are no special requirements aside from submitting valid patches and providing specific details as to what software you’re looking to patch and the issue you’re either trying to fix or what kind of enhancements you’re trying to implement. So in this case, with this project, they wanted to identify whether or not there was an opportunity for adversaries to inject bad patches into the Linux project.

 

[00:25:55] JP: As a security researcher yourself, do you think this was the right way to go about checking for security vulnerabilities in the submission and approval process of the Linux kernel?

 

[00:26:02] HM: It probably would be if the Linux projects, the Linux kernel projects had some sort of bug bounty program where they allowed something like this to take place. In reality, there isn’t one, as far as I know, and it definitely does not include this. And what I mean by this is essentially social engineering, right? Pretending to be a developer/researcher and submitting valid patches with your organization. And that’s not what happened here. You know what happened here was a bit more arbitrary, partly the intentions were not as bad, but the results would have been as bad if it would have been a nation-state actor, doing those kinds of submissions.

 

[00:26:43] SY: So if this code had actually been accepted, could it have really led to harming the Linux kernel?

 

[00:26:49] HM: Well, judging by the patches they’ve submitted from what I’ve seen at least, it seems somewhat benign. And of course, part of their process, the researchers' process, was to submit a patch that was bad or what they call hypocrite patches. And before the process would get to the next stage, this next stage where the patch will be included into the Linux kernel source, they would respond back to the maintainer saying, “No, no, no. It’s okay. Do not submit that patch.” It’s definitely a full system here. The way I would try to translate it into the real world, now as a professional in the industry, my day-to-day operations entails hacking into systems that belong to my clients or social engineering. This would be akin to me doing a social engineering campaign against non-clients. Okay? And that’s borderline illegal depending on what happens along the way. That’s kind of the direction they went. They should have probably at some point contacted somebody. They could have contacted the Technical Review Board at the Linux projects, asking for permission or even collaboration. I think that would have actually resulted in a much better outcome.

 

[00:28:02] JP: Yeah, that leads into my next question. How would you have gone about this differently? And are there established ways that these kinds of vulnerabilities can be brought up that work with the Linux foundation instead of going around them or surprising them?

 

[00:28:19] HM: The direct answer to your question is, yeah, I would have tackled it a different way. The truth of the matter is that the Linux kernel project and the whole patching process and submission process hasn’t been available to the project for like the last 20 years. Over those 20 years, I’m sure, you’ve had bad actors try to submit bad patches. I mean, these guys did not come up with something revolutionary. It’s not something new. So I can almost guarantee you that at least at one point in history over the last 20 plus years, someone somewhere submitted a bad patch on purpose. Okay? What they could have done instead, and I think this is actually a really cool research project and I would love to read this if anyone puts it together, maybe the audience members, what they could have done was look at, let’s say, the last 1,000 Linux kernel vulnerabilities, look at the patches that were involved in the process and identify how those vulnerabilities came into existence. Was it a bad patch? Was it a bad patch on purpose? Was it a back-dooring attempt? They could have gotten the same result with the same data from previous patches rather than starting a whole new thread, essentially. So that’s how I would tackle it. If it were I, I would look at the previous thousand patches or thousand security vulnerabilities and then identify weaknesses in the patching and submission process there. Now to add a couple more notes here, what really turned people off is that not only did they execute this campaign against the Linux kernel project and the human resources behind it once, but then the second round of patches really confused and conflated everything into this whole massive problem. Do I think that the people that run the project directly exaggerated in their response? No, I think this course of action was fine and I’m glad that they responded the way they did.


[00:30:08] JP: So the researchers have publicly apologized for all this, but then another University of Minnesota student submitted code that allegedly does nothing at all. So in response to that, there was a call for all kernel maintainers to reject any code submissions from any umn.edu email addresses. Can you expand on why you think this might or might not have been a good response?


[00:30:31] HM: So here’s a problem. You have to understand that the whole patch submission process and all of that, it’s not open source concepts. It’s based off of trust. If you cannot trust an organization to submit valid patches, then you’re going to have to figure out a way to mitigate their patches. These researchers themselves could have easily just created a fake email and tried to submit patches that way. Right? But because the maintainers realized that these patches were coming from the University of Minnesota, they felt that the best way to deal with this problem was to ban all umn.edu submissions. So why do I think that was effective? I think it was effective because, one, that’s a major issue. There’s a lot of developers and researchers coming out of that university. I mean, they’ve been involved with Linux for a very long time. So with that being said, banning all patches from all developers and all researchers at the university is going to raise some questions and it’s going all the way to the top. And once the media got involved, that’s when things really took a turn. I remember reading one of the first emails by one of the researchers. He said that the maintainers’ response was slanderous. And I was shaking my head, like, “My man, you’re making it much worse,” not only for yourself and your career because I guarantee you, this is going to be a bad mark on that person’s career, but not only that, you’re making the university look terrible. So yeah, I think it’s been effective. I think the university has really dealt with this as best as they can. And I’ll be honest with you. From a legal standpoint, and I could be completely wrong, but I’m pretty sure there’s an FBI agent somewhere twiddling their thumbs, waiting to see what happens there.


[00:32:18] SY: What’s the potential impact of a ban like this? You mentioned your university doesn’t look good, your career probably doesn’t look good, but I’m wondering what is the impact maybe beyond just that university and those people?


[00:32:30] HM: So it is going to definitely push back on, I will say, the evolution of researchers’ development coming from universities. Now the Linux maintainers have to start looking at other universities with scrutiny, like, “Hey, are there copycat research projects happening in real time?” It becomes a major issue. So like I said before, this is nothing new, right? So I’m pretty sure the maintainers are already aware that bad patches will come in, whether it’s from a nation state or a bad actor. So for them to have to also include into that list of bad people, students. Yeah, that’s going to create a lot of tension and havoc on the maintainers’ lives. It’s going to add a lot of strain to the projects. There may be patches that are actually legitimate, good patches that are going to be rejected because of this incident. It may sound extreme, but unfortunately this is the kind of situation that requires some harsh measures and the best thing they could have done was ban the university, at least temporarily, from submitting patches. The impact is going to be terrible. Imagine yourself, if you are a developer, you’re a student, you’re trying to make a career for yourself, and for whatever reason, you’re following the path of like kernel development. All of a sudden, just because of your affiliation with your university, now your career is impacted by this. Now you cannot submit patches to the kernel and you put yourself in a really tough spot. So yeah, there is impact here and I’m sure that it’s much greater than I’m speaking on. But eventually, we’ll hear about it or see about it.


[00:34:03] JP: Do you think there’s any way to like document a protocol and a structure to go about doing security research like this? Or would writing those things down and prescribing them kind of be antithetical to the idea of doing a hack?


[00:34:21] HM: I think that it really all involves the way the research project is handled. Right? I think, again, going back to what I said before, I think that what these researchers could have done was get together with the professor, put together a proposal, send that proposal over to the Linux projects, to the organization that wants it, and of course, the technical review board, hey, and CC Linus Torvalds while you’re at it. I guarantee you, had they gotten permission to do this, they would’ve killed it. They would have had an amazing report. It would have been great for their careers, their resume. It was a bad, bad direction here. I think this is definitely a process failure. And you know what, ironically, I know that the researchers were out to prove there may be potential process failures with the patch submission process. But I think that what this exposed was that there was a failure, a process failure at the university with the whole IRB rules. It’s just one of those situations where, you know what, I wish it would have turned out better, but because of the way it was executed, there are going to be some serious consequences because of it.


[00:35:28] SY: Anything else we haven’t already covered that we should talk about?


[00:35:31] HM: The thing that I was saying, especially to the listeners who are developers, I know you guys have a lot of developers and researchers and students listening here. The thing I would say is you could execute these kinds of research projects. You can, but just do it the right way. Contact the people that you know are involved, get permission, work with them, collaborate with them. I promise you it’s going to work out 10,000 times better than you trying to be sneaky and you trying to be like a nation state, because what’s going to end up happening is if you’re going to act like a nation state, people are going to treat you like a nation-state actor. Okay? Not only is it going to impact your career, it may have legal consequences and you don’t want that knock on the door from the FBI or you don’t want to get dismissed from your school because of a research project. But moving forward from that point, the one thing that I would say is that, this goes back to me. I gave you guys an example before. Let me iron out the example. So I, as a pen tester, as a red teamer, my job is to hack into systems, but those systems belong to my clients. My clients give me permission. We signed a contract. There is a methodology. There is a process. There’s a structure. If, even if I make a mistake, it’s all covered in contracts. Or even if the customer forgets that I was doing the job and he called the cops on me and the cops were at my door, I’m protected by those contracts. If you’re going to execute a project like this, you need permission. And of course, when it comes out to the Linux, you have to remember, a lot of the Linux people that work as developers or whatever, most of these people are volunteers or they don’t get paid much. So if you’re going to execute essentially a human attack against these humans, not only are you hurting them, you’re hurting yourself, you’re hurting the process, but you’re hurting growth and evolution here. So please think twice about executing something like this and speak to the community first. Pick some minds, pick some brains. “Hey, do you think I should do this?” I guarantee you someone would have told them, “No, don’t.”


[00:37:37] SY: Well, thank you so much for joining us.


[00:37:39] HM: Thank you. And I hope you guys will have a beautiful week, weekend, month, year in life.


[00:37:44] SY: You too. Coming up next, we speak with McKensie Mack, Founder and CEO of MMG and a co-author of a report put out by the nonprofit Project Include, about how remote work is leading to more gender and racial harassment at tech companies after this.


[MUSIC BREAK]


[AD]


[00:38:16] JP: Scout APM pinpoints and resolves performance abnormalities, like N+1 queries, memory bloat, and more. So you can spend less time debugging and more time building a great product. With developer centric UI and tracing logic that ties bottlenecks to source code, get the insights you need in less than four minutes without dealing with the overhead of enterprise-platform feature bloat. You can rest easy knowing Scout’s on watch to help you resolve performance issues with Scout’s real-time alerting and weekly digest emails. As an added bonus for DevNews listeners, Scout APM will donate $5 to the open source project of your choice when you deploy. Visit scoutapm.com/devnews for more information.


[00:38:52] RudderStack is the Smart Customer Data Pipeline. It gives you the flexibility to choose the tools you want to use without worrying how to connect your customer data. Instrument once with RudderStack to capture event data, then send it to your entire customer data stack. It integrates with over a hundred cloud tools with new integrations releasing all the time. Start building a smarter customer data pipeline today. Sign up for free at rudderstack.com.


[AD ENDS]


[00:39:18] SY: Here with us is McKensie Mack, Founder and CEO of MMG and co-author of the Project Include report titled, “Remote work since COVID-19 is exacerbating harm. What companies need to know and do.” Thank you for joining us.


[00:39:32] MM: Thank you so much for having me.


[00:39:34] SY: So what is Project Include and what is the work that you do there?


[00:39:37] MM: So actually Project Include was the project that was started initially by Ellen Pao. They do a lot of work that focuses specifically on equity and inclusion and diversity within tech. And I’ll say that I am not necessarily like someone who works on the Project Include team, but as a co-author, I work very closely with Ellen Pao at Project Include and the organization as a whole to lead this research.


[00:39:59] JP: What is MMG and what kind of work do you do there?


[00:40:02] MM: At MMG, we do a lot of work around data equity. So specifically we develop processes for data gathering that help us to gain a better understanding of what systemic inequities, what culture inequities are present within tech, within nonprofits and foundations. And I personally have been doing that work for about 10 years. So at the core of it, it’s a lot of social science. And then also a lot of what I like to call “disruption design”. So how do we identify when a process or a procedure or a policy is potentially harmful and then how do we actually listen to folks across the organization? So not just senior leaders and board members, but also staff members and interns and community members as to how that problem can be addressed in the long-term.


[00:40:45] JP: So you co-authored a report about how remote work is leading to more gender and racial harassment at tech companies. Can you talk to us a little bit about the survey, how you built the survey, how it was administered, how many different people and companies? Just kind of the mechanics of it.


[00:40:59] MM: We worked on developing the survey with Ellen Pao, like I mentioned, at Project Include with Caroline Sinders, Machine Learning Designer and a researcher, there’s a lot of work within harassment and internet health. And then Yang Hong of Shoshin Insights who led a lot of our data analysis work. And so from May 2020 to I want to say about February 2021, we interviewed about a dozen tech workers, experts, and we asked about 120 questions of almost 3,000 respondents.


[00:41:28] SY: Wow!


[00:41:28] MM: So that was across countries, 50 industries, over a thousand US ZIP codes. So we talked to a lot of people.


[00:41:36] SY: So what was the impetus for doing this survey and report? Was there anecdotal data that made you want to take a look at this? Or was it just kind of a general curiosity about how remote work affected discrimination as a whole?


[00:41:49] MM: I’ll say that a big impetus for me was sometimes when we are collectively going through a very traumatic event, like COVID-19, I think we make a lot of assumptions about the kind of impacts it’s having on us, the kind of impact it’s having on our workplace, and then the kind of impacts that it’s having on our society. So for me personally, what drew me to wanting to do this, to co-author this research and to co-author this report was actually wanting to kind of take a step back and ask, “Okay, what impacts are happening? How have people been affected and changed as it relates to like the tech workplace specifically and remote work as a whole? And what are potentially some of the ways in which we can address that, recognizing that we all play a role in developing the kind of communities that are accessible and equitable and communities where people actually want to come to every day and be involved in and collaborate within?”


[00:42:37] JP: So breaking down the data that you collected, what were some of the biggest findings from the report?


[00:42:42] MM: We found, and I’ll say something that was interesting about our work is that there are a lot of folks who, when we started to share the findings, were like, “Oh, yeah, I knew that already. Yeah. That makes sense to me.” And I think what it means is that we’ve come to a place where there’s more of a knowledge and awareness of the ways in which folks are impacted within remote workplaces and within tech as a whole, especially when it comes to inequity and bias. So we found something that I know is not going to be surprising for many of us: that 85% of workers were experiencing increased anxiety since COVID-19, that black, non-binary people and women are nearly three times as likely as non-binary people and women in general to experience race-based hostility, that trans people are nearly twice as likely to have experienced increased gender-based harassment in the age of COVID-19, and that 98% of people who were experiencing gender-based harassment were women or non-binary folks.


[00:43:35] SY: Was there anything from the data you collected that was shocking to you?


[00:43:40] MM: I think that that probably came from some of our qualitative interviews and some of the interviews that we led with experts, and these were experts in psychology, in human resources, experts in the social sciences. And I think what took me aback in a pleasant way was how much hope there was among folks around the ways in which these kinds of impacts and this kind of bias, this kind of harassment and harm in the remote workplace can actually be addressed. So I’ll say that it wasn’t necessarily shocking to me. I’ll say that more so it felt kind of invigorating. It felt inspiring to be able to talk to so many folks who are leaders in their fields who wanted to come and participate in this research because they believe that change is possible.


[00:44:22] JP: So I know part of your research isn’t necessarily to jump to any conclusions, but do you have any theories as to why there’s been an overall rise of gender and racial harassment as we’ve moved to more remote work?


[00:44:36] MM: I would say that when you think about what happens to the human brain when it’s under stress, is that we tend to, as human beings, resort to whatever feels most comfortable. So we tend to challenge ourselves less when we’re experiencing increased anxiety, especially in situations where we feel like we’re not in control. And right, we know none of us were in control of COVID-19 and we weren’t in control of the ways in which it was impacting our personal lives, not just our lives at work. So I think that what happens is these are existing biases. These are existing inequities that are amplified because we’re working with folks that have less patience and we’re also working with a lot of folks that are seeking to find that sense of control within the workplace, within the remote workplace. So an example of that is I had a friend who works in a school. And as a part of their new COVID-19 protocol, they were expected to check in about five times a day with their manager on Zoom, like in person, turn your video on, turn your audio on, have conversations with your managers that you’re working. Right? And in an environment like that, I’m already feeling stressed. I’m already anxious. But the heightened sense of distrust is going to make that workplace even more difficult for me to stay within and usually more difficult for me to be able to navigate. I think also the global protest against anti-black racism had a lot of folks within organizations also thinking about like, “How are we going to address this at work?” And then those that were not thinking about that, I think instead you had, “Okay, we have a lot of people that are complaining about race, that are complaining about racism and it makes us uncomfortable.” So again, how can we exert dominance over people? How can we kind of make ourselves feel like we’re in control? So it’s at-work policy, more procedures, more check-ins with managers, and that just ended up having a more harmful effect on those that are most marginalized within these communities.


[00:46:26] SY: So one of the things that really stood out about the results is anxiety and the fact that anxiety increased across the board by 85%. And this was the biggest thing that people shared. Can you talk a little bit more about this data point?


[00:46:40] MM: I believe that’s the one that refers to 85% of folks surveyed, experiencing increased anxiety.


[00:46:45] SY: Correct.


[00:46:46] MM: And what I’ll say about that is in general, not just within the remote workplace, like within tech as a whole, and then within a number of workplaces outside of that ecosystem that we would identify as being tech-related, we really suck at helping people with their mental health and also providing resources for folks so that they can actually contend with their mental health in ways that really make them feel supported and in ways that can really help them to be successful within their roles. And I’ll say that COVID-19, again, was no different and that we saw an amplifying of people’s anxiety, which of course is so reasonable, makes so much sense why that was happening. And because of that, one of our main recommendations around that and our recommendations as a whole, we don’t focus on offering interpersonal solutions for systemic problems, right? So we’re not like, “Oh, well, if you’re requiring your staff to do 10 check-ins a day,” with people that matters to them or with senior leaders in the organization or with a board member or whatever that might look like, depending on the way in which that work is constructed, you should just give them access to a mental health care app and that’ll make them feel better because that actually doesn’t get to the root of what is amplifying the anxiety. So it’s the fact that there is an increased distrust that makes people so anxious, or an emphasis on productivity and perfectionism, and that makes people feel more anxious within the working environment. So how do you do that less? Right? How do you reduce that? How do you actually change that as a whole and dismantle these kinds of systems that you’ve created? Which really at the end of the day are actually reducing productivity and making it so that people can actually do their best work.


[00:48:21] JP: You touched upon this before when you spoke about how anxiety is leading some leaders to kind of clamp down on the conversation. We’ve seen that recently with companies like Coinbase and just this week Basecamp instituting policies where people are banned from having political and societal discussions at work. What are your thoughts on what’s driving that and what kind of impact that could have on employees?


[00:48:45] MM: Fear. I think that people who in organizations, in tech companies especially, which we know that, and a lot of these orgs and companies, the folks who lead tend to be white men and they tend to be cis and they tend to be heterosexual too. And so I think that when you start to challenge organizations and people more, to think about their positionality and also to think about the kind of impacts they’re having on other human beings, if that makes a lot of people afraid, I think sort of the first mythologies that come up that I’ve seen in my work and that I’ve observed in our work in MMG is that people think, “Oh, you’re trying to dismantle me as a person,” or, “You don’t want me to exist. So you don’t want me to experience success. You want me to be happy.” We couldn’t be further from the truth. And I think that those decisions that have been made, especially that sort of banning of people having political conversations at work, a big mistake is the way that I would identify it and then I would say one of the reasons why I would clarify it being a big mistake, because for many of us, especially if you’re a person of color, you’re a woman, you’re a queer person, you’re a trans person, you’re a person with a disability, just by virtue of you being in the workplace and having varied intersections of identities, it’s already political to come into a space like here and to say, “Hey, my name is McKensie Mack. My pronouns are they, them, theirs.” Right? That is already going to be considered to be very political for folks that are cis or folks whose pronouns are defined by what genders or really what sex they were assigned at birth. So I think by doing that, you’re restricting people from being able to get into these spaces and to know how to actually work with people. And it gets us further and further away from offering our staff members, our employees, and our leaders in our orgs the kinds of resources and tools that they need to be able to solve really difficult problems. But if the answer is, “We just want to make people more comfortable,” or, “Let’s make the folks who hold the most power and the most privilege within the organization or a company just the most comfortable,” and then that’s the answer, that, again, is just perpetuating the same inequities that created the kind of data that we saw in this report.


[00:50:47] SY: So the survey brought up many good points and problems and different issues that a lot of us may not have been aware of, at least on the scale that you all captured. And so I’m wondering, what do you think the solutions are? Apart from generally benefiting from knowing these things, how do we put this information to good use?


[00:51:06] MM: We want to emphasize as co-authors of this report that systemic problems call for systemic solutions. So, for example, one of those being like I mentioned previously, needing a cultural shift where as opposed to focusing on productivity, we’re instead encouraging our staff members to focus on activity. Right? There’s been so much research that has been done on the fact that we have a 40-hour work week, but we actually tend to get our work done in a few hours in the week and then we perform productivity for the rest. If you’re in a physical workspace pre-COVID and you finished all your work and it’s excellent, like you’ve gone above and beyond and then you have an additional 10 hours left for that week and your boss walks by, then you’re like going into your computer, like you’re doing something because you don’t want people thinking that you actually are not working hard enough or that you’re not doing enough. So I think it’s how do we focus instead on activity and recognize that there’s a lot of tasks within tech companies that are happening that also don’t just revolve around things getting done, like tasks being checked off, but that are a part of the process and a part of what makes our work exemplary when we do it really well. Another is focus on mental health. So thinking about the ways in which policies and procedures are creating the kind of environment where it makes it really difficult for people to care for their mental health because they’re either working all the time or at times at work where something that they’re doing is not necessarily task oriented, they’re still expected to appear to be productive. It keeps people from being able to allow their brains to heal from the kind of collective trauma that we’re all experiencing right now. So we need mental health care time off that’s real, that applies to that, and definitely less work pressure as a whole. In addition to that, if I can name one last one, there needs to be a difference in the ways in which we perceive and think about power. So like who’s in positions of leadership within our organization and company and what kind of equity exists when it comes to that leadership. So for example, if we have a board and we have on that board folks, for example, that don’t understand why there are trans employees that are experiencing the work environment in a way that’s harmful. Right? If you don’t have any trans people in positions of leadership, then why would you understand that if you’re not a trans person? How do we also think about the ways in which we’re developing our C-suite specifically, our board leadership, our senior leadership in ways that are actually equitable and that are not just sort of putting white people in positions of leadership or putting men in positions of leadership, folks without disabilities in positions of leadership and then wondering why we can’t really meet the needs of people that we don’t understand?


[00:53:41] JP: So, what advice would you have for developers that might be working at companies where they’re experiencing some of the things brought up in this study?


[00:53:50] MM: One thing that I’ll say is that in our work and through our research, we like to put the majority of the impetus on those who hold the most power. And because oftentimes even if we think about women in the workplace who are experiencing patriarchy or experiencing gender-based harm or harassment, we have a lot of advice for them, but then not as much advice for those folks that actually are deciding on the policy and the structures that make it so that their harassment is perpetuated in the workplace. So in that case, if I was talking to someone who was a developer in a company where they’re experiencing some of this harm and harassment, it would be, okay, what kinds of resources are currently available to you? Who in that company do you trust, which may not always be HR? But if there’s someone in the organization that you trust to actually talk through some of the experiences you’re having, can you talk to those folks and ask for advice? I’m a big believer in having mentors who work outside of your company, who are on the same sort of path that you’re on, who have the experience to be able to provide you with additional insight as to how you can navigate. And then if all of it fails, leave.


[00:55:00] SY: Well, thank you so much for being here.


[00:55:02] MM: Thanks for having me.


[00:55:13] SY: Thank you for listening to DevNews. This show is produced and mixed by Levi Sharpe. Editorial oversight is provided by Peter Frank, Ben Halpern, and Jess Lee. Our theme music is by Dan Powell. If you have any questions or comments, dial into our Google Voice at +1 (929) 500-1513 or email us at [email protected]. Please rate and subscribe to this show on Apple Podcasts.