
And on the flip side, compensation plans that encourage people to stay to arbitrary dates are probably a mistake.

That's where I'm at today. There's a lot of money resting on my staying at a company for a year. I don't feel like I've been working effectively with the culture or team, and I'm pretty sure both me and the employer would be better served by my leaving, except the financial incentive, sunk cost, and avoiding having an "I worked here for only 6 months" on my resume is enough to justify me staying an extra 6 months.

Potentially not coincidentally "percent of engineers who stay a year" is one of the key metrics of the team that sets up the compensation structure...


Same thing happens with relocation expenses. Many employers make you pay them back if you leave within a year. That's normally quite a sum, and can be even bigger if the employer paid closing costs or otherwise made a new hire whole for selling a home in order to move.


Why hospitals? They have lots of money (same as any big organization) and a very good reason to pay up. It would be far from the first time a hospital was attacked. It wouldn't even be the first time it directly resulted in a death [0]. Unfortunately ransomware operators aren't very ethical.

Considering the timing it could also be geopolitical unfortunately, people dying from a ransomware attack could substantially raise the general tension level in the US.

Lots of high value malware is actually targeted. Things like running phishing campaigns to try and steal credentials from someone inside the institution.

It's substantially less likely, especially if you don't buy the geopolitics angle, but potentially these criminals even have some unpatched vulnerability in a commonly deployed piece of software, which would allow them to skip the phishing part entirely.

[0] https://www.zdnet.com/article/first-death-reported-following...

Disclaimer: The company I work for is involved in detecting ransomware as a side business.


I'm not experiencing any surprise that the hospitals are attacked, I know that happens, I am experiencing surprise at three government agencies hanging out in a chatroom where hackers are credibly discussing attacking a bunch of hospitals with ransomware.

My understanding is that the ransomware operators just take a look at computers that are infected, and then negotiate based on who they appear to be.


I get the impression you're taking what you know of attacks against consumers, and just assuming that attacks against large organizations work the same way. They (generally) don't.

With a consumer attack it's get execution on a computer, encrypt some files, and ransom them back. This might earn a few hundred dollars per computer, and isn't worth putting a whole lot of effort into any individual.

At a corporate level it's get some level of access, use that access to get control of a whole lot more access - and also to get control of servers that actually matter instead of users' workstations that mostly don't. Maybe try and delete the backups, often exfiltrate a bunch of data, then encrypt things. If you exfiltrated the data the ransom potentially includes not just the offer to decrypt things but also a promise not to distribute the exfiltrated data.

This is all reasonably high touch "work". They've got to figure out how to move laterally inside that specific company's network. They need to figure out what data is actually important (especially if the goal is to sell it). And so on. Unfortunately it appears to pay well enough to justify the effort. Companies are routinely paying millions of dollars in ransom.

I don't have stats to back this up (internal or otherwise), but my impression is that most successful attacks against enterprise targets are phishing attacks targeting employees to steal credentials.


Thanks, that is insightful.


> It would be far from the first time a hospital was attacked. It wouldn't even be the first time it directly resulted in a death [0]

Just pointing out that this is a little misleading. The link you're referencing refers to the first ever reported hospital death related to a hospital's ransomware attack, and this article was from just a month ago (I remember, I read it on Hacker News too). But the juxtaposition of these sentences might suggest that death-by-ransomware-in-hospitals has been a common occurrence for quite some time.


It was certainly not my intent to mislead with that, I apologize if it was less than clear.


> But you can't make foreign intelligence assets "stay in the US" as it were

You can though, it's called defecting. There's a long history of it. E.g. see this list of defectors from the Soviet Union: https://en.wikipedia.org/wiki/List_of_Soviet_and_Eastern_Blo...


Chinese intelligence defectors, even very high-profile ones, tend to not live for very long: https://www.nytimes.com/2018/07/04/business/hna-chairman-wan...

Place bets on how long this guy will survive: https://www.youtube.com/watch?v=zdR-I35Ladk. I strongly suspect he won't last a year.


Moreover, even if they were legitimate, was the press a legitimate place to raise them?

Generally, if you want to whistleblow you should blow the whistle to the regulators. Probably the EPA or a similar agency for any supposed environmental concerns, and the DOT, NHTSA, or a similar agency for any safety concerns related to the vehicles' battery packs.

You don't get to leak to the press in violation of your NDA just because you disagree with your employer. Maybe it becomes legitimate if you think that the government and your employer are conspiring to keep issues secret, but I don't see any suggestion of that here.


China has very publicly run DDoS attacks against GitHub when GitHub did some things they didn't like. Specifically they used infrastructure co-located with the GFW to run a MITM on connections to Baidu and serve malicious JavaScript. The malicious JavaScript used users' computers to DDoS GitHub.

https://citizenlab.ca/2015/04/chinas-great-cannon/


Changing your country of residence when you get a new job is perfectly normal. Changing your nationality is not.


I don't have the numbers of course, but I would imagine the number of remote GitLab employees who changed their country of residence upon employment to be close to zero, so it's definitely not normal.


I work at Google and I know plenty of people who moved here from abroad for the job.

Gitlab is remote-only though so I doubt they see many job-related moves.


More likely, "Sorry, we either need you to relocate or move to a new role within the company".

Companies forcing employees to relocate isn't exactly new...


There were basically two "scandals" recently.

- GitLab announced that they were going to start including third party telemetry. This predictably annoyed developers. They made it substantially worse by originally announcing that it would be included in self-hosted enterprise versions as well (a really big no-no from many companies' perspective), and by tone-deaf comments from the CFO that made it clear they were going to violate the GDPR.

- GitLab started talking about not allowing people working in support roles to live in China, Russia, and Ukraine because of security concerns brought up by a customer. No one ever really came up with a good justification for why Ukraine was on the list, so it was removed (but you will still see references to it in some of the earlier discussions). Someone noticed the discussion and posted it here (and elsewhere). Communication around what they're actually planning on doing has been pretty poor, likely partially as a result of this being noticed on their public-yet-internal issue tracker instead of being released via clearly written messages. Some people have legal concerns about it (see: anti-boycott laws), some have ethical issues, others think it sounds fine. Meanwhile the issue on GitLab itself has been subjected to intense astroturfing by largely new accounts, which caused it to be locked. The new development today is that the director of compliance has resigned since they are of the opinion that what they are planning to do is illegal.

Personally I think they're still pretty well regarded, but these two events in such close proximity have definitely given them a bloody nose.


Anti-boycott laws are a real thing; you can read about them here: https://www.bis.doc.gov/index.php/enforcement/oac

I don't pretend to know whether restricting country of residence counts as discriminating on any of race, national origin, or nationality... but at least at first glance it seems very plausible.

Edit: And according to her LinkedIn she is a lawyer licensed to practice in (at least) Minnesota, i.e. she is (was) part of "legal".


That seems to mostly focus on declarations of being non-Jewish, which is a thing in some countries, and the enforcing of a boycott against Israel.

Technically it could be made to apply to employing people in Russia or China, but such restrictions are found with some regularity; if they are problematic that does not just affect GitLab but also lots of other companies.


You will have employees from foreign countries, but not employees living in foreign countries.

This not only changes the degree to which the foreign country can influence them, but it changes the degree to which other countries can retaliate if they act as spies.

For a recent example, see the Twitter employees who were spying for Saudi Arabia.

