The home team discusses pay equity at New Relic, Okta’s security SNAFU, and the AI creating “wildly good” generative art.
Read about how New Relic achieved pay equity—and what, exactly, that means.
Last month, hacker group Lapsus$ released screenshots showing it had successfully breached Okta’s internal systems using compromised credentials. What does it all mean? Read about it here and here.
Matt recounts a harrowing example of a man-in-the-middle attack that nearly emptied a friend’s bank account
Today’s recommendations: Cassidy recs Midjourney, an AI art-making tool currently in beta. (Learn more about Midjourney here.) Matt recommends Elden Ring to folks who want a more “adult” version of the Ceora-approved Breath of the Wild.
Today’s Lifeboat badge goes to user Subhajit for their answer to Send HTML in email via PHP.
Matt Kiernander One of my only information security lecturers at university, he was working for the Nigerian government for a period of time. So he was over there working, doing information security stuff. He was a professional, very good at what he does. And he was moving from Nigeria back to New Zealand, and skipping over a whole bunch of details, he had a bank account set up somewhere. He was getting paid in Nigeria, sending all this stuff over to another international bank account. And then when he moved to New Zealand, wanted to get a house deposit and he transferred all of his cash over. He looked at his bank balance and wondered why there was 14 cents in his account. What turned out happening is he was the victim of a man in the middle attack where essentially a lot of the information that he was saying to verify his bank account, all that kind of stuff, that was being interrupted by a third party who were then forwarding that onto his bank, essentially acting as a proxy. And they were taking all the information, changing certain figures and bank accounts within the email. What saved him, and this is the kind of level that you need to be at to be able to understand these things. When he was negotiating with his bank and setting up transfers and that kind of thing, he said to only make a transfer if you provide a four digit pin. This is the four digit pin, only make transfers when this happens. He did not provide the four digit pin when he was making that transaction and neither did this nefarious party who were communicating with the bank. So what ended up happening was the bank was then liable because that was part of his contract for the transfer because they didn't authenticate the pin. So he managed to get all of his house deposit back. If that had been anyone else, if that had been me, goodbye house deposit. All of that hard work– gone. So when you're thinking about taking your internet security flippantly, please don't. Be very aware of what you're doing online, especially when it comes to online banking and everything else. So please be careful.
[intro music plays]
Ben Popper Does your workforce have the skills necessary to protect against cyber threats? Attend an exclusive webinar on Tuesday, April 19th at 2:00 PM Eastern to prepare your workforce to adapt to emerging threats. Visit skillsoft.com/events to save your spot.
MK Hello everyone, and welcome to another episode of the Stack Overflow Podcast. My name is Matt Kiernander, I'm a Technical Advocate here at Stack Overflow. I'm joined again by my two wonderful co-hosts, Ceora and Cassidy. Please introduce yourselves.
Ceora Ford Hi everyone. I'm Ceora Ford. I'm a Developer Advocate at ApolloGraphQL.
Cassidy Williams I'm Cassidy. I am Head of Developer Experience and Education at Remote.
MK We have some really exciting topics to talk about today. We're going to be talking about New Relic achieving pay equity, some pay transparency and everything involved with that. Okta had a bit of a booboo with a laptop that caused some grief, and we also have potentially the most interesting thing that I've seen in a very long time, an AI that produces some wildly good generative art. So first of all, let's talk about New Relic achieving pay equity.
CF Yeah, I ran across this article today. It is from New Relic, it's about how they were able to achieve pay equity for all of their employees. Their pay scale is now based off of, I believe the article mentions it's based off of location, your experience, and it's done in this way to make sure that no one is basically being cheated out of making more money. I'm sure everyone is aware that there's a huge pay gap problem between men and women, and also when you factor in other people of minority backgrounds, like being a person of color, or black, or what have you. So they've been making an effort over a certain period of time to kind of correct this issue. And they talk about in the article, their Chief of People and Diversity Officer, she kind of talks about how they were able to even figure out what the right way to go about achieving pay equity is, and how they are going to maintain that in the future. Because obviously the market is constantly changing, the cost of living is constantly changing, so salaries are not going to be a stagnant thing. So it's going to be something that as an organization you'll have to continuously commit to. But I thought it was very fitting, especially since March is Women's History Month and this is when we're recording this episode. So yeah, I think it's a very relevant topic right now. Always, honestly, but especially now.
CW Yeah, it's one of those topics that's very evergreen. And I'm really glad that they're doing this. I think it's something that a lot of companies should be doing. Where first of all, pay equity across gender, across race, across all kinds of different elements of intersectionality. But I also think just across the board at companies in general, that's something that they're not very good at. You see companies all the time where they are fighting for talent because right now the job market is very, very hot, but then the people that are already at the company don't get the raises that they should be getting to be on par with the new hires. And it's a very funky problem that I'm sure us, as people who don't necessarily determine who gets paid at any given job, we're just like, "This is easy! Just do it." I'm sure it's a harder problem than it sounds, but I'm glad to see that New Relic is moving in the right direction with this.
CF Yeah. And the way she describes it, it definitely wasn't like a straightforward process. That's why I enjoyed this article, because she talks about the process of how they even establish what the standard of pay equity even is in the first place, because when you state the problem, it does seem like a straightforward answer, like just pay everybody the same thing. But they hired a consultant agency that deals with this specific problem, which I thought shows that they really feel like this issue is important. And yeah, I do think it's a problem that not just tech jobs have. A lot of companies see Women's History Month as a time to do good PR, and prove that we value our female employees. And so they'll tweet out these posts about like, "We celebrate Happy Women's History Month." There's a Twitter bot out there that will basically quote-tweet these tweets of like, "Happy Women's History Month. We value diversity, we value our female employees," and they'll actually tweet out whatever their gender pay gap is. And it was really interesting to see that a bunch of companies had these huge gaps, 15%, sometimes higher.
CW Huge gaps. Embarrassing gaps.
CF To the point where it was like, "How could you even post this?" And most of the companies were based out of the UK, I believe. But it was just very eye-opening to see. I think we're very hush-hush about salaries in a lot of places, which is understandable because people want their privacy. But at the same time, you don't even realize how much the difference is. And it could be someone that has either as much experience as you, or less, same title or lower. And because they're a man they get paid more and you don't even know, you don't even realize. That Twitter bot, for me, seeing those tweets on my feed was very eye-opening to how big a problem this is in some places.
MK One of the things that frustrates me about this whole thing is that I don't think your net worth or your salary compensation at the end of the day should be dictated by how good of a negotiator you are. Like the value that you bring to the company should be that value, as opposed to how well you played off another company during the interview process, and who your manager happened to be at the time. All these kinds of things.
CF First of all, negotiating is totally nerve-wracking. And I know that many people listening can probably relate to this. I always low-ball myself for everything. Whether it's how much I should be getting paid to speak at a conference, how much I should be getting paid by an organization to write a blog post, how much I should be getting paid at my job. I always think probably numbers on the lower end. And one thing that has helped me is asking people who have been in positions that you're trying to aim for, or who do work that you're aiming for, "How much would you charge to give a talk at a conference?" And the numbers people tell me are baffling. Their numbers I would never even imagine to even utter. That to me exemplifies why leaving how much you make up to negotiation isn't always the best thing because everyone's work, depending on the job that you do and the level that you're at, is pretty much worth the same. But what you think you're worth is going to be different, especially depending on what your background has been, what your identity is, all those kinds of things. So leaving it up to how I perceive my personal value is not going to be a great thing for me because I'm going to say something that's lower if I don't keep in mind to ask somebody, if that makes sense.
CW Right. A lack of transparency only benefits the companies. It doesn't benefit the employee. And so if you can talk about it, it's so, so useful. I know so many women in particular who didn't realize they were being underpaid until they talked with a coworker at their same level or something, and they realized they were getting underpaid. Some people in the five digits and more, being underpaid, and it's infuriating. It grinds my gears to see that. And similarly, Ceora, there've been so many times where I just reach out saying, "Hey, I'm thinking about speaking at this event and I don't know how much to ask for." And then the person gives me a number that blows my mind. I remember specifically, I talked with Kimberly Bryant of Black Girls Code. She is awesome. And I said, "Hey, I know that you spoke at this event. I'd love to talk with you about how much I should ask for the pay comp because they asked me and I don't know what to say." And she gave me a number that added two zeroes and doubled it. And I was just like, "I should ask for what? What!?" And she was just like, "Cassidy, don't even consider that low of a number, are you kidding me?" But I had no idea. And you don't know until you ask.
CF Regarding relying on negotiating to decide what your salary will be, I came across this other post from Fast Company that is talking about how in some states companies will be required to post salary ranges based off of area in their job postings. And there's been a lot of mixed response to this because some people realize that this will limit your ability to negotiate if there's a standard benchmark for how much you're supposed to make in such a position. There have also apparently been a lot of companies that have been trying to fight this move in certain states. The one that they talk about is New York City, which is soon going to require that all companies list the salary for the position that they're posting for. And I just wanted to hear what your thoughts would be on this, because in my mind, I think it's a good idea. I don't know if you've ever been through an interview process where it takes you like two or three interviews to figure out what the salary range is for the position when you could have just known that before you even applied. And you would have known from the gate if that was something you would be interested in or something that would be a good fit for you. And now you wasted all this time researching, preparing, just to find out that this could never work because they don't have the budget for you. And with that in mind, I feel like having salaries in job postings would be a good idea.
CW Once again, I think that a lack of transparency only really benefits companies and not so much employees. What I like about it in particular is that you don't have to be reliant on negotiating in order to get compensated fairly. And I remember I interviewed with a company once where they gave me two job offers and they said, "Okay, these are your two options. You can get one with more equity or one with a higher salary. You can pick how you want to balance it." And when I mentioned negotiating, they said, "In order to keep things fair, we don't negotiate. These are just the options, and then everybody gets vetted across the board fairly and we try to do this to maintain equity." And I thought that was really, really great. It not only saves me the stress of negotiating in general, but also it was so transparent that I was able to be just like, "Oh, that's great. Awesome. I don't have to deal with this type of negotiating stuff and conversations."
MK And I wish some companies as well would have that said up front so you know when you're going into the interview process, you're going to be getting that one offer, and that is that. I feel like I would be much more inclined to apply to a company that was transparent around that, as opposed to one where you have to go through several different emails, and can we adjust equity here, can we cut total compensation here, what about benefits, all that kind of stuff. I agree that I'd be very interested to hear from others who would argue against pay transparency or that kind of bracketing.
CF It kind of reminds me of the whole debate between do we pay based on location or do we pay based on labor that's done. I think that's a factor in this too, because I guess that companies would list salaries based off of wherever the company is incorporated or based out of, which wildly differs. So for me in Philadelphia, obviously the cost of living is not nearly as high as it is in San Francisco. So I'm wondering how this is going to play out in actuality. Like, is it one of those things that sounds great in theory, but if I'm applying for such and such San Francisco company, and I'm like, "Wow, that salary sounds great." And then they're like, "Oh, you're from Philly? We can't pay you that much." I wonder how that's going to look as well, because that definitely is a factor, especially now that most tech companies are remote, remote culture is a huge thing. People can work from anywhere. So how is that going to affect salaries as well? And then how is that going to affect salary transparency in job postings as well? Any thoughts on that?
CW There's so many factors to it, where I understand why companies do location-based pay, but I also don't necessarily know how to solve it while still being fair to as many people as possible.
CF Yeah, I totally agree with that.
MK I guess, if you were to take two employees and one of them was living in San Fran and one of them was living in a lower cost of living city, at the end of the day, even though you're doing the same work, one of you is taking home a lot more income than the other, simply because of your location difference. I can understand how the person in San Fran would be like, "Well, we're doing the same work, but because I'm based here, whether that's through choice or not, I'm not actually earning as much. My earning power is a lot less." I think there are so many different variables here that you can argue for and against. I have no idea which one is in the right. I think that's probably going to be something that is going to be worked over.
CW Unfortunately, we can't solve the world's problems on this podcast.
MK What? Not in a half hour podcast?
CW When a recruiter says, "Do you have any salary expectations, or what's a range that you expect for the role?" How do you respond?
MK I typically try and fire back. There's a really good article, I'm not saying this had cult status, but it went viral. It was somebody who was negotiating with Airbnb, Google, Facebook, and a few others. I can't remember the name, but I will drop the link in the show notes. He was basically showing his negotiation process and how he leveraged the offers and I think he got it up from like 120 initial offer to 300,000 at Snapchat or Airbnb or something like that. It's a multi-page essay of exactly what he did, the strategies that he took, scripts that you can use for when a recruiter asks you what your salary expectations are. I think the one thing that I picked up from that is, typically an easy way to fire back from that is to say, "Well, what is your budget? What is the range for the role?" And then that puts the recruiter on the back foot. And you basically do this dance to see who anchors first. It sucks that you have to go and learn all of this stuff as somebody who just wants to build things, but it is important to know.
CF Yeah. Well, my tactic, which isn't a good one, is just to say something that's slightly higher than what my current salary is, which probably isn't going to get me the most money, to be honest.
CW That's a common one.
CF Yeah. A lot of people will ask the question with another question. "What's the range that you had in mind?" I'm always too scared to do that, though. Straight up, like super nervous. I hate the idea of negotiating. In the back of my mind I'm always thinking they're going to be like, "Who does she think she is? You know what? Nevermind. We don't want you anymore because you thought you had the audacity to ask for more money." And I'll just be like, "Wait, no, I need a job." That's always running in the back of my mind. So I'm really not a big fan of me negotiating. I think it's cool that some people have the guts to do it and end up getting themselves way more money than they would have otherwise, but I'm just so terrified of doing it.
CW The most confident response I've ever given to a company who asked that, and I was like shaking, but I did it, was, "I trust you to pay me fairly. And if you give me a good offer, an offer that I can't refuse, I won't refuse it. I don't want to have to negotiate and do the back and forth dance. So pay me fairly and we don't have to worry about that." It generally worked, so it was fine, but that's probably the most confident I've ever been in one of those conversations.
MK We have one more topic to cover today. That is a bit of a security booboo that happened over at Okta. Cassidy, you're very excited to talk about this, so why don't you jump in and introduce the topic?
CW Oh heavens. Are we in trouble? We don't know! As of today, it has been announced that Okta, the single sign-on solution, was hacked. Not only was it hacked, it was hacked a long time ago. And so, at the time of recording, we're towards the end of March, and the hackers have had access to Okta and all of the softwares and stuff connected to it for about two months, which is bad, and it's bad for two reasons. Where one, it could be that Okta didn't tell anybody that they were hacked, or two, Okta didn't know that they were hacked. Both of those are very, very bad things that we need to figure out. And for those who don't know what single sign-on is, that means that if you have Okta enabled in your organization, you can sign into your email, Figma, GitLab, Docs, and other various tools, pretty much any tool your company uses could probably be enabled with Okta. And so if you have your Okta hacked, which is everybody who uses Okta, they might have access to all the employee records, emails, contents, everything. It's not great.
MK There is an updated statement from Okta, which I just found. Their statement, or their stance as of March 22, 2022, is that the Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by customers. Which was different from the earlier report which said that a laptop was stolen by a certain organization. Okta are claiming that the laptop in question that was compromised was one for support engineers who do have access to limited data, for example, Jira tickets, and lists of users that we're seeing in screenshots. They're also able to facilitate the resetting of passwords and multifactor authentication for users, but are unable to obtain passwords. On the other side of the fence, of the nefarious folks, they're saying this wasn't a support laptop. This was something that actually had access to a whole bunch of other things.
CW I can't tell what's real because if you look at the article which we have linked in the show notes, and The Verge, they have Okta's statement saying, like you say that it was very limited, but then a half hour later, the hacker group says, "Oh no, we had access to more than that," and also showing like AWS keys and contents and slack channels and stuff. So once again, I don't know how real things are, but it's nerve-racking. Security is a scary thing.
MK It's not taken as seriously as it should be by a lot of companies and the resources and understanding of it from a general technology perspective, isn't quite baked into the standard workflow of getting things done, which is a bit terrifying.
CF Yeah. I also feel like the level of knowledge you need to do security well is just so much that I think that prevents a lot of people, even on the individual level, from doing things that are safe, cyber safe, if that's the phrase I can use. And just multiply that a million times the bigger the organization is. So yeah, I think it's a huge issue, and I think that we're totally unequipped to deal with it, unfortunately. And I'm not a security person, so I have no idea what's the best solution to prevent stuff like this happening. There's a security breach every couple months for different stuff all the time, from stuff like this to one of your credit card companies or your bank app or something getting hacked or something like that. This kind of stuff happens so often, and I really don't know what a good solution for it is. I'm sure this isn't something we just have to deal with moving forward, like we just have to put up with the fact that we're just going to have a couple of hacks happening every now and then. Right?
CW Yeah. It's tough too, because sometimes it's affecting just big organizations and you have to just hope they don't have your data. But I think the very real issues are when it affects people who don't know how to protect themselves from that. Even for example this past weekend, I was talking with my parents and I was telling them how to enable two factor authentication on some stuff. And luckily they already had that set up with some things, but someone they knew, their bank account was hacked into because they used a weak password just this past weekend. And they were freaking out because they didn't know about this type of basic personal security stuff. And then on top of that, with things getting hacked into, then I have to answer these questions for again, my parents, various people in my life who aren't as tech savvy. And I'm sure this is something that a lot of tech people have to do, figure out how to explain in layman's terms, here's how you protect yourself. People will always be hacking and all you can do is put together these best practices.
MK I have a wild story. One of my only information security lecturers at university, he was working for the Nigerian government for a period of time. So he was over there working, doing information security stuff. He was a professional, very good at what he does. And he was moving from Nigeria back to New Zealand. And skipping over a whole bunch of details, he had a bank account set up somewhere, he was getting paid in Nigeria, sending all this stuff over to another international bank account. And then when he moved to New Zealand, wanted to get a house deposit, and he transferred all of his cash over. He looked at his bank balance and wondered why there was 14 cents in his account. What turned out happening is he was the victim of a man in the middle attack where essentially a lot of the information that he was saying to verify his bank account, all that kind of stuff, that was being interrupted by a third party who were then forwarding that onto his bank, essentially acting as a proxy. And they were taking all the information, changing certain figures and bank accounts within the email. What saved him, and this is the kind of level that you need to be at to be able to understand these things. When he was negotiating with his bank and setting up transfers and that kind of thing, he said only make a transfer if you provide a four digit pin. This is the four digit pin, only make transfers when this happens. He did not provide the four digit pin when he was making that transaction and neither did this nefarious party who were communicating with the bank. So what ended up happening was the bank was then liable, because that was part of his contract for the transfer because they didn't authenticate the pin. So he managed to get all of his house deposit back. If that had been anyone else, if that had been me, goodbye house deposit. All of that hard work– gone. So when you're thinking about taking your internet security flippantly, please don't. Be very aware of what you're doing online, especially when it comes to online banking and everything else. So please be careful.
[music plays]
MK Okay, so that wraps up the topics we have for today. We'll move on to the recommendation section as well as the lifeboat. Cassidy, do you have a recommendation for us today?
CW I do. So I have been playing around with this AI bot called MidJourney, and you can find their Twitter. And it's a research lab around just generating images from certain keywords and descriptions. And we've all seen AI-generated things before, where you might have like a cat with 12 eyes or something, and it looks a little creepy. Which it does that, but at the same time, it makes some really interesting things. And I have been able to generate some art that is, I don't want to say museum quality, but is nice enough that I would hang it up in my house. It has been really, really cool. And if you check out their Twitter you can see throughout their account what people have been experimenting with and what people have been making. And it has been really, really interesting to play around with. So that is what I recommend people check out.
MK I've been playing a lot of Elden Ring, like a lot of the internet recently, and I absolutely adore it.
CF I don't know what that is.
CW Could you describe what the game is? Like, is it an RPG? Is it roguelike? What is it?
MK It's an exercise in patience because you die at least once every five minutes or so. It's a high fantasy setting set in an open world. You've got a whole variety of really weird stuff going on. You'll talk to a pot called Alexander, who is an infamous warrior. And then you'll speak to somebody else who looks like they're kind of like a centipede sitting on a table giving you prophecies. And there's all sorts of really interesting weapons and characters and stories. There's no quest log for instance, so if you meet somebody within the world, you need to write down in a physical journal or a note pad what it is they said, what they want you to do, and where it is that you need to go back to see them. It's kind of like a mixture of old-school exploration, but also it's part of the soul's genre if anyone is familiar with that. I can't explain it terribly well, but it involves a lot of dying. You min-max your characters, you have certain builds of magic and all that kind of fun stuff. If you like Breath of the Wild, and you're wanting something I guess slightly more adult, then I would highly recommend checking this out.
CF Ahh. Now you're speaking my language. I'm like officially a gamer now.
CW Yeah, Breath of the Wild? I'm listening.
MK I should have led with that pitch. Moving on, we're going to do a lifeboat, and a lifeboat, for those of you who don't know, is an answer score of 20 or more to a question score of -3 or less that goes on to receive a score of 3 or more. Today's lifeboat is awarded to Subhajit, who answered the question, "Send HTML in email via PHP." Thank you very much for your contribution to the platform, and I think that wraps up the episode for today. Thank you very much everyone for listening. My name is Matt Kiernander. I'm a Technical Advocate here at Stack Overflow. You can find me online @MattKander.
CF My name is Ceora Ford. I'm a Developer Advocate, like I said earlier, at ApolloGraphQL. And you can find me on Twitter, I'm back to spending too much time there. My username there is @Ceeoreo_.
CW And I'm Cassidy Williams. You can find me @Cassidoo on most things.
MK Thank you very much for listening and tuning in watching, and we hope to see you in the next episode.
All Bye!
[outro music plays]