A finished dish tells you nothing about the kitchen it came from.
You sit down, the plate arrives, looking great. Tastes even better. You have no way of knowing the sauce was reheated from Tuesday, that someone dropped the steak on the floor and plated it anyway, or that the cook skipped washing his hands after using the bathroom. The customer only ever meets the plate. The plate is the result, engineered to be eaten. Everything that would make you push it away already happened behind a door you’re not allowed through.
With software it’s the same thing. You see the app, the login screen with its nice little padlock, and you believe (or hope) it’s secure and trustworthy. You don’t see the code someone approved without reading at 6pm on a Friday, or the “we’ll fix it later” that never became a ticket, or the decision somebody made to ship now and think about the consequences later. You meet the plate. You never meet the kitchen. At least not as a mere user.
Whoever’s inside the kitchen knows which ingredients weren’t fresh and which steps got skipped, long before the plate reaches the table. And often they know which problems are coming long before they happen. Honestly, that’s one of my biggest frustrations as an engineer (or cook, in this analogy). Knowing something is going to break, flagging it to management, and getting ignored, because fixing what only the kitchen can see is never the priority.
I’ve worked on teams of every size and quality level. On all of them people brag about how secure and smart the systems are, and I, knowing the code and the internal processes, don’t always share the same view. Some of those places genuinely care. Others not so much. But the confidence on the sales slide is identical in both cases.
A good example of this is Meta. One of the FAANG, the dream company for a lot of people, the place where you grind LeetCode for years to land a spot. The kitchen everyone assumes is spotless because it demands the highest engineering standards.
A few days ago, hackers took over the Instagram accounts of prominent people in the US by talking to Meta’s own support chatbot. No malware, no stolen password, no brute force. Just asking. They asked the bot to add a new email to the victim’s account, the bot issued a verification code, they handed the code back, and the bot proactively asked if the hacker also wanted to change the password and handed over a reset button. The most infuriating part of this hack is that at no point did anyone need to get access to the victim’s email. All it took was asking politely.
Meta says it already fixed the problem. But I keep wondering how many accounts were affected by this flaw and how long it had been going on. More than that, did nobody internally question the decision to give an AI agent access to the authentication systems? Everyone in the IT industry is already aware of the dangers of prompt injection. I literally wrote about it yesterday. Did nobody think this could happen?
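To make the design question concrete, here is an added example (my own illustration, not Meta's code and not a description of their internals): the same "add an email" support tool written two ways. The vulnerable version hands the verification code back into the chat session that asked for it; the hardened version delivers the code only to the contact already on the account, so the session can never confirm on its own. All names, addresses and the mailbox store are constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str                                   # verified contact on file
    pending: dict = field(default_factory=dict)  # new_email -> pending code

# Constructed stand-in for email delivery: address -> messages received.
MAILBOXES: dict[str, list[str]] = {}

def deliver(address: str, msg: str) -> None:
    MAILBOXES.setdefault(address, []).append(msg)

def start_add_email_vulnerable(acct: Account, new_email: str) -> str:
    """Issues a code and returns it to the caller, i.e. the chat session."""
    code = secrets.token_hex(3)
    acct.pending[new_email] = code
    return code  # whoever is typing into the bot now holds the secret

def start_add_email_hardened(acct: Account, new_email: str) -> None:
    """Issues a code, but only the contact already on the account sees it."""
    code = secrets.token_hex(3)
    acct.pending[new_email] = code
    deliver(acct.email, f"Confirm adding {new_email}: {code}")
    # Nothing is returned to the session; the agent cannot relay the code.

def confirm_add_email(acct: Account, new_email: str, code: str) -> bool:
    """Completes the change only if the presented code matches the pending one."""
    expected = acct.pending.get(new_email)
    if expected is None or not secrets.compare_digest(expected, code):
        return False
    del acct.pending[new_email]
    acct.email = new_email
    return True

def session_without_owner_mailbox(acct: Account, start_tool, new_email: str) -> bool:
    """Simulates a chat session that controls new_email but NOT the owner's inbox.
    It can only use what the tool returned and what landed in its own mailbox."""
    returned = start_tool(acct, new_email)
    candidates = [returned] if returned else []
    candidates += [m.split()[-1] for m in MAILBOXES.get(new_email, [])]
    return any(confirm_add_email(acct, new_email, c) for c in candidates)
```

With the vulnerable tool the session completes the change without ever touching the owner's inbox, which is exactly the failure the post describes; with the hardened tool the only copy of the code sits in the owner's mailbox, and a password reset would need the same out-of-band proof rather than a button offered by the bot.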
I’m not saying everybody lies. Nor that every mistake is unforgivable (I’d be the first one out on the street). Nor that there’s nobody out there doing it right; there are plenty. I’m saying that from the outside, you have no way to tell a good kitchen from a bad one. The plate is built to inspire trust, and trust is exactly the thing the plate can’t prove.
At the end of the day, the plate is just a marketing piece. The kitchen is where the truth lives, and you only see the kitchen if you work in it.