And on the flip side, compensation plans that encourage people to stay to arbitrary dates are probably a mistake.
That's where I'm at today. There's a lot of money resting on my staying at a company for a year. I don't feel like I've been working effectively with the culture or team, and I'm pretty sure both me and the employer would be better served by my leaving, except the financial incentive, sunk cost, and avoiding having a "I worked here for only 6 months" on my resume is enough to justify me staying an extra 6 month.
Potentially not coincidentally "percent of engineers who stay a year" is one of the key metrics of the team that sets up the compensation structure...
I get the impression you're taking what you know of attacks against consumers, and just assuming that attacks against large organizations work the same way. They (generally) don't.
With a consumer attack it's get execution on a computer, encrypt some files, and ransom them back. This might earn a few hundred dollars per computer, and isn't worth putting a whole lot of effort into any individual.
At a corporate level it's get some level of access, use that access to get control of a whole lot more access - and also to get control of servers that actually matter instead of users workstations that mostly don't. Maybe try and delete the backups, often exfiltrate a bunch of data, then encrypt things. If you exfiltrated the data the ransom potentially includes not just the offer to decrypt things but also a promise not to distribute the exfiltrated data.
This is all reasonably high touch "work". They've got to figure out how to move laterally inside that specific companies network. They've need to figure out what data is actually important (especially if the goal is to sell it). And so on. Unfortunately it appears to pay well enough to justify the effort. Companies are routinely paying millions of dollars in ransom.
I don't have stats to back this up (internal or otherwise), but my impression is that most successful attacks against enterprise targets are phishing attacks targeting employees to steal credentials.
Why hospitals? They have lots of money (same as any big organization) and a very good reason to pay up. It would be far from the first time a hospital was attacked. It wouldn't even by the first time it directly resulted in a death [0]. Unfortunately ransomware operators aren't very ethical.
Considering the timing it could also be geopolitical unfortunately, people dying from a ransomware attack could substantially raise the general tension level in the US.
Lots of high value malware is actually targeted. Things like running phishing campaigns to try and steal credentials from someone inside the institution.
It's substantially less likely, especially if you don't buy the geopolitics angle, but potentially these criminals even have some unpatched vulnerability in a common deployed piece of software, which would allow them to skip the phishing part entirely.
Moreover, even if they were legitimate, was the press a legitimate place to raise them?
Generally, if you want to whistleblow you should blow the whistle to the regulators. Probably the EPA or a similar agency for any supposed environmental concerns, and the DOT, NHTSA, or a similar agency for any safety concerns related to vehicle's battery packs.
You don't get to leak to the press in violation of your NDA just because you disagree with your employer. Maybe it becomes legitimate if you think that the government and your employer are conspiring to keep issues secret, but I don't see any suggestion of that here.
China has very publicly ran DDOS attacks against GitHub when GitHub did some things they didn't like. Specifically they used infrastructure co-located with the GFW to run a MITM on connections to Baidu and serve malicious javascript. The malicious javascript used users computers to DDOS GitHub.
- GitLab announced that they were going to start including third party telemetry. This predictably annoyed developers. They made it substantially worse by originally announcing that it would be included in self-hosted enterprise versions as well (a really big no-no from many companies perspective), and by tone deaf comments from the CFO that made it clear they were going to violate the GDPR.
- GitLab started talking about not allowing people working in support rolls to live in China, Russia, and Ukraine because of security concerns brought up by a customer. No one ever really came up with a good justification for why Ukraine was on the list, so it was removed (but you will still see references to it in some of the earlier discussions). Someone noticed the discussion and posted it here (and elsewhere). Communication around what they're actually planning on doing has been pretty poor, likely partially as a result of this being noticed on their public-yet-internal issue tracker instead of being released via clearly written messages. Some people have legal concerns about it (see: anti boycott laws), some have ethical issues, others think it sounds fine. Meanwhile the issue on gitlab itself has been subjected to intense astroturfing by largely new accounts which caused it to be locked. The new development today is that the director of compliance has resigned since they are of the opinion that what they are planning to do is illegal.
Personally I think they're still pretty well regarded, but these two events in such close proximity have definitely given them a bloody nose.
I don't pretend to know whether restricting country of residence counts as discriminating on any of race, national origin, or nationality... but at least at first glance it seems very plausible.
Edit: And according to her linkedin she is a lawyer licensed to practice in (at least) Minnesota, i.e. she is (was) part of "legal".
You will have employees from foreign countries, but not employees living in foreign countries.
This not only changes the degree to which the foreign country can influence them, but it changes the degree to which other countries can retaliate if they act as spies.
For a recent example, see the twitter employees who were spying for Saudi Arabia.
> The fact that someone lives in China or Russia does not, by itself, make them an untrustworthy person, any more than someone living in the United States, Germany, Japan, or the UK.
It has nothing to do with "untrustworthy" and everything to do with "will be coerced without anyone even breaking the law".
I don't know if that will change your mind, but it's an important difference, it's not a judgement of the people but of the state they are living in.
Consider the exact same scenario at any non-remote company.
If Bob wants to move to China, where the company doesn't have an office, he's going to have to resign or take a leave of absence.
This decision on Gitlab's part would be moving their incredibly generous "you can work from anywhere you want except places where we legally can't let you like Crimea and Iran" to a nearly as generous "you can work from anywhere you want except places where we legally can't let you like Crimea and Iran, and places that are known to coerce people into spying for them like China and Russia".
Most companies operate on a whitelist of places where you can work (where they have offices), not a blacklist. Even many remote companies operate on a whitelist (e.g. "Remote, US only"). Really, I'm amazed they feel that they can operate on a black list approach at all and not accidentally violate tons of local laws.
I've been told (at a different company based in a different country) "don't bring your work laptop to China, don't bring materials to China without authorization, we'll provide what is effectively a burner device for whatever you are bringing to China (I believe they re-used them as different employees went to China)".
I imagine Gitlab would have a similar but less restrictive policy, "don't bring a work laptop <with credentials that gives you access to one of these roles> to China, ...".
I don't see why a policy against residing/working in China would care about who you are married to or where they live.
That's where I'm at today. There's a lot of money resting on my staying at a company for a year. I don't feel like I've been working effectively with the culture or team, and I'm pretty sure both me and the employer would be better served by my leaving, except the financial incentive, sunk cost, and avoiding having a "I worked here for only 6 months" on my resume is enough to justify me staying an extra 6 month.
Potentially not coincidentally "percent of engineers who stay a year" is one of the key metrics of the team that sets up the compensation structure...