
>that Reddit employees have the ability to edit messages with no audit trail and no governance.

Help me understand this. Reddit is a private company. Is there some sort of contract somewhere that says they won't edit messages and will maintain an audit trail? I mean, I might not like that they are doing it, but I'm also not paying a dime for Reddit (and I have all ads blocked, so they doubly aren't making any money off of me) so I don't see where I can be upset if Reddit does this. You get what you pay for.

If we want governance and audit trails, it either needs to be maintained as a public resource, paid for out of tax dollars, or needs to be a fully paid for product that involves entering into a 2 way contract. Otherwise, I think they are free and clear to do whatever they want to do with any subreddits, posts, or comments.



> Is there some sort of contract somewhere that says they won't edit messages and will maintain an audit trail?

Legal contract? No. Social contract? Yes.

> Otherwise, I think they are free and clear to do whatever they want to do with any subreddits, posts, or comments.

I'm surprised this is where you went with your rationale. The parent was clearly saying that the intent of the communities is the ability for people to freely speak to each other. Any function, especially by authority, to undermine that will erode confidence and thus eventually cause people to use the site less.


Social contract? Seriously? Who in the world is using Reddit because they have confidence in it? That is insane. It's an anonymous black hole of posts and comments that come and go like dust in the wind and have no lasting permanence or value. It's not social. There is no contract. Nobody in their right mind should have confidence in Reddit or believe that anything on there is real or authentic.


> dust in the wind and have no lasting permanence or value

You mean like the massive Russian "troll farms" that have effectively coerced people into political beliefs, or places like /r/RedPill that have galvanized young males to be anti-feminine, or WSB where thousands of people have placed savings into GameStop. Want me to go on?

So yes there is most definitely a social contract. Just because you don't believe the information, doesn't mean others don't as well.

> It's not social. There is no contract.

You should probably read up on what "social contract" means: https://ethicsunwrapped.utexas.edu/glossary/social-contract-...


Has anyone been harmed by losing money in GameStop meme investing? It seems like everyone more or less got what they paid for in entertainment.


Define "harm"? How is losing money not objectively considered harmful to a person?


When you go to Disneyland it involves losing a lot of money but people usually enjoy it. Same thing here. People are not being quoted in the news or testifying to Congress that they lost their retirement and Mr. DFV has not lost his SEC broker registration.


You are right up until you end the sentence with the wrong cranberry. A vast majority of content on Reddit is shockingly real (going by Occam's razor), it is one of the reasons why in light of this whole debacle I'm considering never setting foot on that platform ever again.


The content of Reddit comments has been used in legal proceedings. It's a huge deal that the CEO has edit permissions in the main Reddit site database; they simply shouldn't have that access at all.


It's like Mark Zuckerberg personally (and invisibly) editing your Facebook posts, for which you're legally culpable. I don't really get how people here just brush it off.


The fact that Reddit comments are admissible in a court sounds insane to me. I can't believe people actually take Reddit that seriously. It's like taking preschoolers yelling at each other seriously, but with anonymity thrown in. The fact that adults can take it seriously enough to use it in court cases is crazy.


Just because you don't know the Reddit user in real life doesn't mean other people don't know each other in real life. If someone says they're going to kill someone for a comment, and then that user ends up dead, I don't see why it would be shocking that might be used as evidence in a court case.

It was a pretty common occurrence on Twitter back when people posted their gang crap everywhere.


> It's a huge deal that the CEO has edit permissions in the main Reddit site database

Surely you jest! Do you know how programs work? You don't think HN comments can't be edited by anyone with access to the DB and permission to make changes?

Frankly the idea that people on HN thought that people who run a website can't edit the content on it is one of the most bizarre, disingenuous things I've read on here.

You all know it can be done. Why is everyone pretending otherwise? Is it performative?


I think the expectation is that spez (and, ideally every other Reddit employee) would not have credentials to the prod database. Definitely not _write_ credentials.

In a system as large as Reddit, there's rarely a good reason for a human to be running hand-written SQL commands in prod.


There's a large amount of process in place at traditional companies to prevent this kind of tampering. Commonly, it involves separation of powers, with an "Operations" team that runs the software and an "Engineering" team that runs the software. This way, theoretically, nobody who has the knowledge of how to abuse the system would have access to abuse it. Making "unwanted" changes to software would require the consent of two parties at odds - One on Ops, one on Eng.

In practice, it was impossible to debug software if you didn't have knowledge of how it ran and it was impossible for teams to cooperate when designed as antagonistic. "Operations" people needed to know enough programming and SQL to be able to audit engineering access, or they became blind drones parroting the actions that the Engineering team took. A useless layer of signaling that added no substance. And it was easy to align bad actors in Ops and Eng, at least in places where it mattered - Usually with money.

My career in DevOps has been breaking down these barriers, promoting a "shared ownership" model where devs are directly on call and have production credentials to their services. Still, there are serious protections in place: The passwords to the production databases are stored securely, not typically visible to devs - They have to jump through hoops of using an auditable bastion box to run SQL commands directly on the production databases. Not that it's not possible, not that it's not done (Though good engineering practices make it an uncommon task, I think we've actually used the ability half a dozen times in the last year), but as the commands are being typed they send out logs to a third-party service that's instructed to archive them. It's not hard to get access, but it would be easy to see the trail.

That said: This is on a mature team. That doesn't come out of the box and we didn't get there easily. Many teams, even with all of that protection, don't actually audit the logs, and do generate a lot of logs because of poor system behavior.

Knowing the engineering talent at Reddit, I doubt that it's a concern. Whether by malice or naivete, it has likely never crossed their mind that anyone would break protocol and access databases directly for anything other than legitimate debugging purposes. I'm convinced that the SF bay has some of the narrowest focused minds... and also many of the most malicious.


At a technical level it is always possible somehow but the point people are trying to make is that there should be access controls and protocols in place. The CEO should not have absolute unconstrained access in all matters.


The person I would trust the least to run raw SQL at (easy to find if you care) has the most privilege to do so: The "Growth Hacker" business operations person. Probably Reddit is among the few companies where the CEO is technical enough to be doing raw SQL queries themselves, but it's trivial for a CEO to generate a purpose for credentials to be stored in their remit: Business reports. The bizops people with direct ties to the CEO will do whatever they're asked.

Still, agreed - The fact that they've now shown, multiple times, to have insufficient auditing and repercussions for the administrative abuse is sobering.


C* executives are normally prevented from accessing these systems directly for accounting reasons. I'm certain the person meant that it was inappropriate for the CEO of Reddit to have the ability to edit the production database, not that they didn't understand how DB ACLs work.

I've worked on production DBs that have had these kinds of restrictions- like, an alert gets sent if an SVP accesses a system. There are a lot of good reasons for this but most of them come down to avoiding fraud.
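
The controls described in this part of the thread (a bastion that archives every typed SQL command, and an alert whenever a senior executive touches a production system) only help if the archive is reviewed. The following is an added example, not code from any commenter or from Reddit, showing one way to review such an archive; the record format, role labels and database name are assumptions, and the sample records are constructed.

```python
import re

# Constructed sample of bastion command-audit records (not real logs).
# Assumed format: timestamp|principal|role|database|statement
SAMPLE_LOG = """\
2024-01-10T09:14:02Z|svc-api|service|prod_main|UPDATE comments SET body='x' WHERE id=1
2024-01-10T09:20:41Z|alice|engineer|prod_main|SELECT id, body FROM comments WHERE id=42
2024-01-10T09:21:07Z|alice|engineer|prod_main|UPDATE comments SET body='edited' WHERE id=42
2024-01-10T10:02:55Z|ceo|executive|prod_main|SELECT count(*) FROM users
2024-01-10T10:05:13Z|bob|engineer|staging|DELETE FROM comments WHERE id=7
2024-01-10T10:06:00Z|carol|engineer
"""

PROD_DATABASES = {"prod_main"}             # assumed database name
HUMAN_ROLES = {"engineer", "executive"}    # assumed role labels
ALERT_ON_ANY_ACCESS = {"executive"}        # roles that alert even on reads
WRITE_RE = re.compile(r"^\s*(INSERT|UPDATE|DELETE|ALTER|DROP|TRUNCATE)\b", re.I)


def review(log_text):
    """Return (line_no, principal, reason) findings for an archived audit log."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split("|", 4)  # maxsplit keeps '|' inside the SQL intact
        if len(parts) != 5:
            # A record that cannot be parsed is a gap in the trail, so report it.
            findings.append((line_no, None, "unparseable-record"))
            continue
        _ts, principal, role, database, statement = parts
        if database not in PROD_DATABASES:
            continue
        if role in ALERT_ON_ANY_ACCESS:
            findings.append((line_no, principal, "executive-access"))
        if role in HUMAN_ROLES and WRITE_RE.match(statement):
            findings.append((line_no, principal, "human-write-to-prod"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Service-account writes and non-production activity pass silently, so the findings list stays short enough that someone will actually read it.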


If Reddit publishes the claim that I wrote something that I didn't, I don't see how that wouldn't be potentially libelous.


How would anyone know it was you? I assume you aren't stupid enough to use your real name on Reddit or make any self-identifying remarks.


Yes, like many people, I use my real name on HN. (But not on Reddit, of course.) And people frequently identify themselves on HN by linking to their blogs or projects. I wouldn't call those people stupid.


You're missing the point. No one is saying that they're not legally allowed to do it. The issue here is that it's possible, and that it was done at least once.


What if it was done constantly all day long every day? How would that be any different than having been done once? This is Reddit, the bastion of anonymous inanity.


That's possible and likely. It would obviously be worse.


Worse why? This is Reddit we are talking about.




