throwawaypolicy's comments

throwawaypolicy | 4 years ago | on: “About one-third of Basecamp employees accepted buyouts today”

And on the flip side, compensation plans that encourage people to stay to arbitrary dates are probably a mistake.

That's where I'm at today. There's a lot of money resting on my staying at a company for a year. I don't feel like I've been working effectively with the culture or team, and I'm pretty sure both I and the employer would be better served by my leaving, except the financial incentive, sunk cost, and avoiding having an "I worked here for only 6 months" on my resume is enough to justify me staying an extra 6 months.

Potentially not coincidentally "percent of engineers who stay a year" is one of the key metrics of the team that sets up the compensation structure...

throwawaypolicy | 5 years ago | on: FBI, DHS, HHS Warn of Imminent Ransomware Threat Against U.S. Hospitals

I get the impression you're taking what you know of attacks against consumers, and just assuming that attacks against large organizations work the same way. They (generally) don't.

With a consumer attack it's get execution on a computer, encrypt some files, and ransom them back. This might earn a few hundred dollars per computer, and isn't worth putting a whole lot of effort into any individual.

At a corporate level it's get some level of access, use that access to get control of a whole lot more access - and also to get control of servers that actually matter instead of users' workstations that mostly don't. Maybe try and delete the backups, often exfiltrate a bunch of data, then encrypt things. If you exfiltrated the data the ransom potentially includes not just the offer to decrypt things but also a promise not to distribute the exfiltrated data.

This is all reasonably high touch "work". They've got to figure out how to move laterally inside that specific company's network. They need to figure out what data is actually important (especially if the goal is to sell it). And so on. Unfortunately it appears to pay well enough to justify the effort. Companies are routinely paying millions of dollars in ransom.

I don't have stats to back this up (internal or otherwise), but my impression is that most successful attacks against enterprise targets are phishing attacks targeting employees to steal credentials.

throwawaypolicy | 5 years ago | on: FBI, DHS, HHS Warn of Imminent Ransomware Threat Against U.S. Hospitals

Why hospitals? They have lots of money (same as any big organization) and a very good reason to pay up. It would be far from the first time a hospital was attacked. It wouldn't even be the first time it directly resulted in a death [0]. Unfortunately ransomware operators aren't very ethical.

Considering the timing it could also be geopolitical, unfortunately: people dying from a ransomware attack could substantially raise the general tension level in the US.

Lots of high value malware is actually targeted. Things like running phishing campaigns to try and steal credentials from someone inside the institution.

It's substantially less likely, especially if you don't buy the geopolitics angle, but potentially these criminals even have some unpatched vulnerability in a common deployed piece of software, which would allow them to skip the phishing part entirely.

[0] https://www.zdnet.com/article/first-death-reported-following...

Disclaimer: The company I work for is involved in detecting ransomware as a side business.

throwawaypolicy | 6 years ago | on: Tesla Tripp Police Report Released

Moreover, even if they were legitimate, was the press a legitimate place to raise them?

Generally, if you want to whistleblow you should blow the whistle to the regulators. Probably the EPA or a similar agency for any supposed environmental concerns, and the DOT, NHTSA, or a similar agency for any safety concerns related to vehicle's battery packs.

You don't get to leak to the press in violation of your NDA just because you disagree with your employer. Maybe it becomes legitimate if you think that the government and your employer are conspiring to keep issues secret, but I don't see any suggestion of that here.

throwawaypolicy | 6 years ago | on: China

China has very publicly run DDOS attacks against GitHub when GitHub did some things they didn't like. Specifically they used infrastructure co-located with the GFW to run a MITM on connections to Baidu and serve malicious JavaScript. The malicious JavaScript used users' computers to DDOS GitHub.

https://citizenlab.ca/2015/04/chinas-great-cannon/

throwawaypolicy | 6 years ago | on: Gitlab's Director of Risk and Global Compliance Resigns

There were basically two "scandals" recently.

- GitLab announced that they were going to start including third party telemetry. This predictably annoyed developers. They made it substantially worse by originally announcing that it would be included in self-hosted enterprise versions as well (a really big no-no from many companies' perspective), and by tone deaf comments from the CFO that made it clear they were going to violate the GDPR.

- GitLab started talking about not allowing people working in support roles to live in China, Russia, and Ukraine because of security concerns brought up by a customer. No one ever really came up with a good justification for why Ukraine was on the list, so it was removed (but you will still see references to it in some of the earlier discussions). Someone noticed the discussion and posted it here (and elsewhere). Communication around what they're actually planning on doing has been pretty poor, likely partially as a result of this being noticed on their public-yet-internal issue tracker instead of being released via clearly written messages. Some people have legal concerns about it (see: anti-boycott laws), some have ethical issues, others think it sounds fine. Meanwhile the issue on GitLab itself has been subjected to intense astroturfing by largely new accounts which caused it to be locked. The new development today is that the director of compliance has resigned since they are of the opinion that what they are planning to do is illegal.

Personally I think they're still pretty well regarded, but these two events in such close proximity have definitely given them a bloody nose.

throwawaypolicy | 6 years ago | on: Gitlab's Director of Risk and Global Compliance Resigns

Anti-boycott laws are a real thing; you can read about them here: https://www.bis.doc.gov/index.php/enforcement/oac

I don't pretend to know whether restricting country of residence counts as discriminating on any of race, national origin, or nationality... but at least at first glance it seems very plausible.

Edit: And according to her LinkedIn she is a lawyer licensed to practice in (at least) Minnesota, i.e. she is (was) part of "legal".

throwawaypolicy | 6 years ago | on: Gitlab's Director of Risk and Global Compliance Resigns

You will have employees from foreign countries, but not employees living in foreign countries.

This not only changes the degree to which the foreign country can influence them, but it changes the degree to which other countries can retaliate if they act as spies.

For a recent example, see the Twitter employees who were spying for Saudi Arabia.

throwawaypolicy | 6 years ago | on: Gitlab considers not hiring SREs and Support Engineers in China and Russia

> The fact that someone lives in China or Russia does not, by itself, make them an untrustworthy person, any more than someone living in the United States, Germany, Japan, or the UK.

It has nothing to do with "untrustworthy" and everything to do with "will be coerced without anyone even breaking the law".

I don't know if that will change your mind, but it's an important difference: it's not a judgement of the people but of the state they are living in.

throwawaypolicy | 6 years ago | on: Gitlab considers not hiring SREs and Support Engineers in China and Russia

Consider the exact same scenario at any non-remote company.

If Bob wants to move to China, where the company doesn't have an office, he's going to have to resign or take a leave of absence.

This decision on Gitlab's part would be moving their incredibly generous "you can work from anywhere you want except places where we legally can't let you like Crimea and Iran" to a nearly as generous "you can work from anywhere you want except places where we legally can't let you like Crimea and Iran, and places that are known to coerce people into spying for them like China and Russia".

Most companies operate on a whitelist of places where you can work (where they have offices), not a blacklist. Even many remote companies operate on a whitelist (e.g. "Remote, US only"). Really, I'm amazed they feel that they can operate on a black list approach at all and not accidentally violate tons of local laws.

throwawaypolicy | 6 years ago | on: Gitlab considers not hiring SREs and Support Engineers in China and Russia

I've been told (at a different company based in a different country) "don't bring your work laptop to China, don't bring materials to China without authorization, we'll provide what is effectively a burner device for whatever you are bringing to China (I believe they re-used them as different employees went to China)".

I imagine Gitlab would have a similar but less restrictive policy, "don't bring a work laptop <with credentials that gives you access to one of these roles> to China, ...".

I don't see why a policy against residing/working in China would care about who you are married to or where they live.

throwawaypolicy | 6 years ago | on: Apple Removes HKmap.live from the App Store

I think that more effective than voting with your wallet is voting in your elections and communicating with your politicians. Even voting with your wallet by donating to support political action.

Collective action is more effective when it's done via law because that removes the incentive to defect for personal gain. It means that people not paying attention aren't accidentally contributing to immoral causes.

In a case like this collective action means things like putting tariffs on goods from China, so that their workforce isn't important, and banning exports to China, so that their market isn't important. More direct laws like "no censoring what China wants you to censor" are problematic because it's hard to detect in most cases, and it often violates freedom of speech.

And yes, I'm suggesting a very painful thing to do economically.

throwawaypolicy | 6 years ago | on: Blizzard Suspends Professional Hearthstone Player for Hong Kong Comments

It more than "looks like" Blizzard is taking China's side. They have outright said that they are in their Chinese language statement:

> We strongly condemn the player and the casters on what happened in the game last weekend, and we firmly DISAPPROVE people to state their own political POV in any tournament. The player will be banned from the tournament, and the casters will never be granted the chance to cast any official tournament from now on. Besides, we will firmly PROTECT THE PRIDE OF THE COUNTRY just like what we always do.

(translation taken from another comment on HN; Google finds lots of sources with similar translations, including news articles from reputable papers)

throwawaypolicy | 6 years ago | on: An apology to our community, and next steps

> First of all, we hurt members of our LGBTQ+ community when they felt they couldn’t participate authentically and we didn’t respond quickly or strongly enough in supporting them. Worse, through our handling of this situation, we made them a target for harassment as people debated their right to express themselves and be addressed according to how they identify.

So wait - what are they apologizing for?

If I understand this situation correctly there are basically two sides:

- The people who put in place the new code of conduct, who think that they "hurt members of our LGBTQ+ community when they felt they couldn't participate authentically..." by not putting this code of conduct in place fast enough.

- The moderator who was fired/the people who resigned who think they "hurt members of our LGBTQ+ community when they couldn't participate authentically..." when they put in place the new poorly thought out policy.

Is this intended to double (triple? quadruple?) down on the original position? Or apologize for it and move to the second?
