> [Opexus] said that “the individuals responsible for hiring the twins are no longer employed by Opexus.”
Getting close to the classic Monty Python line: "Those responsible for sacking the people who have just been sacked, have been sacked."
Jokes aside, stuff like this sucks because I suspect many employers will take from it the most extreme, dehumanizing lessons, e.g.: (a) make firings [edit: including lay-offs] as abrupt as possible including terminating all access immediately, (b) never give second chances to anyone with any sort of criminal record (even say decades old marijuana posession or something).
I'd prefer a more balanced version: limit unilateral access to sensitive systems in general (not just of recently-fired employees), when someone is fired immediately shut off particularly sensitive credentials if they do exist (but not their general-purpose login/email account), avoid hiring people convicted of wire fraud as sysadmins, hash your @!#$ing passwords, etc.
Terminating access and rotating passwords (if needed) while the person is in the meeting but has not yet found out they are being let go has been SOP for at least the last 20 years
My first task at my last job was removing access to an employee being let go. I had just gone through onboarding so I knew every (documented) service we needed to handle. We live tested it on my own accounts, measured the time before I noticed, and then proceeded to successfully go through the checklist.
Except not everything was properly documented, and it turned out the employee had given admin rights on some resources to a contractor which proceeded to wreak havoc on their behalf (the 'rm -rf' kind). Eh!
Amateurs. My employer does mass layoffs by terminating access to everything except their email account at 3am, and then sending an email to the victim saying “you were let go at 3am”. Managers get to figure out who’s left on their team by pinging everyone when they learn about it at work.
Google powerwashes your corp Chromebook when they let you go. A friend was composing an email on the train when their screen went black and the device reset itself to factory settings.
They even send the “you’re being fired” email to their personal email they have on file. Didn’t even schedule a meeting.
If you're talking about Oracle, the large round previous to that they did had individual meetings with employee, manager, and HR. With so many layoffs it took a week+ to do, effectively torturing an entire set of employees who had no idea if they'd have a job by the end of the hour, let alone week.
I'm not sure there's any good way to lay off large amounts of staff (besides not getting yourself into the situation in the first place where you have to)
>I'm not sure there's any good way to lay off large amounts of staff
Someone on HN once wrote that after the dot.com bust, Yahoo! HR had 1-1 meetings with every single employee that was part of the mass layoffs back then, and they did this for hundreds of workers. Boy what I wouldn't give to go back to such state of affairs, even though I wasn't yet part of the workforce back then.
An older family friend of mine who started working in tech around 2003-2005, told me "back in my day, to get a job, you'd just send your CV to HR@corpo.com, and in 2-3 days you'd get a call asking you when you're free to come over for an interview". Now today you're lucky you get an automated reply back from 50 CVs sent, just for the opportunity to do an impersonal take home assessment as part of the seven stage interview process. It's like screaming into the void of AI bots and automated CV screening systems, while you spin the barrel of the revolver to play the next round of Russian roulette.
And the crazy part is, that when people talk about "the good old days", we're talking about events from recent history, just 10-25 years ago, that a lot of current workers experienced in their lifetime, not stuff from when boomers were kids.
The massive sudden shift in the commoditization of human workers and turning them into faceless labor resources that can be inhumanely disposed of with a keystroke, is real and noticeable to everyone, that I'm envious for you guys who are set to retire soon out of this shitshow.
What comes after this? Have we reached rock bottom, or will it get even worse?
Either your dates or experiences are off, because I've been working in software since 1999 and the easiest time to get a job was quite recent, in the back-half of COVID. The early 2000's were decent, but I didn't experience - or know anyone who did - any sort of "free jobs' period. Also pay was relatively decent but much less than what you saw even 5 years ago. It's only the in the past year or so that the world has appeared to be ending for developers, and I think that pronouncement is premature.
>Also pay was relatively decent but much less than what you saw even 5 years ago.
IDK, I'm not from the US/Bay-Area, nor does my country have any big-tech/FANG jobs to distort the market for what constitutes a "high wage" in tech, it's all the same.
>in the back-half of COVID.
Sure, but Covid was only a short blip, a temporary exception, not a baseline norm for wage/job growth, like the years prior which was a longer period of getting a job was easy, like 2012-2020.
For me where I live now, the career depression I saw came in 2023 already when jobs become less abundant and harder to get, and it only got worse later when mass layoff started. So we're already 3 years in the decline, longer than the Covid boom lasted and things aren't going better yet.
I entered the workforce in around 2012-2014 and it was significantly easier to get a callback from sending a resume than it is now where it's mostly automated rejections. When I say "easy" I also mean you didn't need 7 stages of interviews to get a job back then, you'd have 2 stages and those were pretty chill and get a call back from every 2-3 resumes sent. Now you need to send dozens. I guess "easy" is relative.
>Also pay was relatively decent but much less than what you saw even 5 years ago.
When you are talking about access like they had "make firings as abrupt as possible including terminating all access immediately" not doing this is incompetence. This is absolutely a standard and has to be for these kinds of positions. I've never worked anywhere where it wasn't for the majority of IT staff. You meet with HR, someone clears your desk, and security walks you out.
There is a middleground, but it requires conscious effort to prop-up, support, and maintain over the long haul: off-boarding centers.
I worked for a Big Tech company that actually did this, and it made the transition a lot easier. You could still access corporate resources necessary for the transition (HR, benefits, internal job postings, training offerings, expense reporting, etc), check-in with colleagues 1:1 (who would be warned this person was no longer part of the org, attachments could be blocked to prevent exfil, etc), and still send/receive email internally (though external was blocked by default and required justification).
You can safeguard your corporate infrastructure without actually cutting everything off entirely and sending someone home to stew angrily about it. In fact, there might be (as yet undocumented) advantages to letting folks exist in that transition period on that segmented infrastructure, so as to identify potentially bad actors before they can do harm and see about mending bridges.
Of course all of that requires conscious investment in projects with no clear quarterly/yearly KPIs to measure cost or success against, so most employers will never remotely consider it.
Your last sentence sums it up. I was blown away by the system you described that would allow for such a humane transition through such a difficult time. At least process wise it seems like a good place to work.
> When you are talking about access like they had "make firings as abrupt as possible including terminating all access immediately" not doing this is incompetence.
You're proving my point—employers take the most extreme lesson and it's considered expected practice. They absolutely should have immediately terminated the credentials that granted unilateral access to sensitive databases. (Ideally those would never exist in the first place—there are two-person schemes. A pair of bad actors...well apparently happens according to this article...but is far more unusual.) But employers regularly (but shouldn't) terminate all access including credentials that allow last email to colleagues exchanging personal contact info or something.
For most of my career (over 30 years now) where I've had sufficient access privileges to matter, I've fairly diligently maintained a "Important credentials and access" list, which I've sent to my employer when leaving, strongly advising them of the need for them to disable or rotate those credentials.
This especially includes creds like root or admin level access to AWS/GCP/whatever-cloud-or-hosting-service, and other critical creds like user/password management, domain name registrations, AppleStore and GooglePlay accounts, source code repos, documentation and internal tooling, external services like observability/analytics/crash-trcking. It also keeps a current(ish) list of all clients/projects where I've had any access at all, listing things like API keys, ssh keys and bastion hosts, project or platform admin creds, as well as systems like databases (SQL and KV caches), firewall rule specific to me.
I also try to list anything else I could, if I were a malicious disgruntled ex employee, use to cause grief to the employer or their clients.
I point out in this email that if I were to be rouge, I'd most likely have intentionally left something out or left behind backdoors or timebombs, and while I am not that kind of person and I have not done those things, they owe it to themselves and their clients to have someone else senior and experienced enough to carefully audit everything to ensure I cannot access anything.
I send this from a personal email account, so I still have timestamped records of having sent it. If an ex employer ever gets hacked shortly after I leave, I want evidence I did everything I reasonably could to remind them to lock me out.
(Writing this down reminds me it's been a while since I updated this - I guess thats something I'll ned to get on to soon.)
The first option is flipping one switch. The second option is flipping some switches now, and flipping the rest later. Of course the safest (first) option is the correct option from a liability standpoint, which is all a company should operate on since it's first responsibility is to protect the company for those that are still there. There's plenty of ways to communicate with ex-colleagues that don't involve company resources or opening the company up to liability.
Let’s not forget the third option: proper security practices and principle of least privilege. No one should have been able to do this in the first place. Why were they able to get plaintext passwords with a simple query? Why did they have delete permissions on production db tables? Why were they able to modify system logs and delete backups?
I'd argue that failing to segregate things so that there's a switch for the sensitive stuff and a separate switch for the not-sensitive stuff is an operational failure. A rank and file employee having access to his email account should never pose a serious liability to the business.
> Of course the safest (first) option is the correct option from a liability standpoint, which is all a company should operate on since it's first responsibility is to protect the company for those that are still there.
Isn't this an unrealistically black-and-white mode of thinking? Humans are complicated and have many values and perceived responsibilities. It's not healthy for them to throw them all out and act as if they only have one responsibility that needs to be maximally upheld at all costs. They should balance their actions thoughtfully.
System security is not a human value. Access key rotation effective immediately is a compliance requirement, and completely orthogonal to human decency, which is delivered trough garden leave or severance, not extended system access
Yeah I don't see why that's necessary. I'm sure you can always reach out to HR and ask (I have facilitated this in the past, pulling contact lists and phone numbers) but that also gives them ways to exfiltrate data. It's company data. Just think of all the info you have in your inbox. Unless you've managed offboarding for high level IT positions it seems harsh, but the risk is just too high to allow the user to do that stuff themselves.
> Just think of all the info you have in your inbox.
Meh? Sure, stuff that would help assemble a credible phishing attack, but not customer SPII or huge amounts of intellectual property or anything. If the assumption is that employees' inboxes are full of dangerous things, I would focus on fixing that.
No you don't get it, we have to take a harsh approach to firing people because we keep pallets of high explosive in the break room and management doesn't want to change that. /s
I suppose that's a very powerful way of preventing "accidents" on termination. But isn't that just theatre? I mean - as though termination is the one and only case where an employee with the power to destroy the company gets angry and might do something really stupid?!
It's not theater, it's defense against aggrievement. Termination is a traumatic event that threatens your ability to exist or provide for dependents. People [rightfully] don't handle exile well.
Someone with an interest in scuttling your company could just as easily maintain a low profile and do it at any time. Termination forces execution into a more-predictable timeframe. Once notified, the malevolent only have opportunity to exfiltrate or sabotage whatever they can reach in the time it takes to walk them out the door.
European laws require us to give people something like two months' notice. Even then we don't trust them; we pay them their salary and tell them to stay home.
If you don't trust your people so much, why to hire them in a first place?
Looking at it from Europe - it is such a weird inhumane practice.
Someone decided your position is redundant. Okay, shit happens, economic downturn, etc. Then you have extra 3-6 months of work to pass your knowledge, train replacement and document everything.
Looking at it from Europe, this definitely also happens. It depends on the situation. I know of ppl who were kept bcs the parting was in good faith (which was less a firing and more an agreement that parting is in everyone's interest), but I also know of ppl who had their access revoked before firing bcs it wasn't. The latter had unilateral system access as well, which added to it. It's not about humane or inhumane, it's about risk. The 3-6 months being nice is also a fairytale that I have only ever heard in a positive light from employees who are not particularly ambitious or awake or in any way satisfied with their jobs or the prospect of a future job. On the other hand from the perspective of employers it's consistently hard to effectively restructure, it's expensice and awkward to have to pretend to want to keep someone around that you or they don't want around.
It's just one of these rules that unfortunately in Europe allow people to view life purely as the time between jobs. I'd never tell that to someone's face but it's simply a fact that the world stops of people don't work and no matter what the ideal world looks like in your dreams, working is the only real way forward for anything. It's part of the reason why Europe is falling behind on everything.
Europe is not falling behind on anything that is not reasonable.
The increased growth in USA the last decade have largely been created by means that one day will be quite costly for you (debt).
The USA under MAGA is falling apart. EU and others are actively minimizing risk by selecting non-US IT providers. EU and others are actively selecting non-US defence aystems.
I say that it is very positive to protect your citizens. Russia (sending their citizens en masse to a certain death on the front lines) and USA have more in common politically than USA and EU.
> It's part of the reason why Europe is falling behind on everything.
I read a news article that Orange Telecom in France was being sued by a woman they had on payroll for the last 20 years doing nothing, because due to a medical condition she suffered, she became unable to do her job, and since they couldn't fire her due to France unions and labor laws, nor did they have any available job that could fit her current condition, they just kept paying her for 20 years to do nothing at work, and now she's suing them for the depression she got to get paid for no work.
It felt like reading a Monty Python skit.
But Europe is failing due to a myriad of compounding issues and structural deficits, not just because firing workers can be a Kafkaesque nightmare in some countries. European workers' unions and labor protections were even stronger 20-25 years ago and in 2004 the Euro stock market was worth more than the US stock market, while now it's worth half the US one. But that's whole different discussion where pages have to be written to encompass the whole context and cover all aspects of European economic decline. Boiling it down to crazy labor protections would be reductionist and incorrect.
They couldn't find anything for her to do? Hard to believe, but if there's a reason not to fire her then then pay her the money she's owed and stop demanding she show up. Making someone come in with no tasks assigned is fun for a week and quickly turns into punishment detail. Putting someone on punishment detail because you're not allowed to fire them is Bad.
Unless she was allowed to stay home, in which case I take most of that back and it falls on her to go outside and find something to do. I can't find any articles with enough detail. But I'm still skeptical they actually couldn't find a job for her to do. It was 'just' paralysis on one side.
>Looking at it from Europe - it is such a weird inhumane practice.
Pretty standard practice in many technology(not just IT) and finance companies in Europe as well.
>If you don't trust your people so much, why to hire them in a first place?
It's not about trust, it's about risk, and most companies operate on liability and risk mitigation. If society ran on trust alone, we wouldn't need contracts, door locks, passwords, IDs, judges, security cameras, jails, police, etc.
You can verify someone's performance at the job interview, you can't verify their trustworthiness, especially once they've learned they lost their job, even trustworthy people react irrational once emotions hit making snap decisions they'll later regret without thinking of the consequences on the spot, and you see innocent people suddenly turn vengeful or violent and break the law (just look at relationship breakups and domestic violence).
You can't predict such reactions, so best to prevent them instead of chasing damages from them later through the court system.
Put yourself in a business owner's position for a minute. Nobody wants to be the "this former employee set my building on fire after I gave his notice, by leaving him in the flammable material warehouse unsupervised, because I wanted to show him that despite the layoff I still trust him".
For some businesses and jobs the trust alone is enough, for other jobs that involve access to sensitive data or money, it's straight to paid garden leave because nobody wants to risk it.
>Then you have extra 3-6 months of work to pass your knowledge, train replacement and document everything.
Yeah, that happens sometimes like for CxO's, managers, execs who get generous golden parachutes/severance packages, but for rank and file workers in the trenches, having to show up to a workplace you know you'll soon loose, for several more months of work till it's finally over, feels like torture unless you're getting a crazy severance package. That's like your wife telling you "honey, I'm divorcing you, but I still want you to live with me for 3-6 more months, and perform your regular duties".
All the couples I know who are divorced did continue living together after one of them said it was over, I think the longest time actually was about 6 months.
Yeah but did they still keep banging and cuddling like before the divorce announcement? They probably weren't doing much of that anyway if they got divorced but you get my point.
Yeah but if you defense against somebody erasing a database is "we remove their access when they're fired" then your defense is garbage.
Like there's so many other attack vectors besides an upset ex-employee.. Like all those articles about NK employees who presumably are trying very hard not to be fired. Or employees using company provided insecure email software leaving them vulnerable to ransomware et al.
But I'm talking about general day-to-day security as well as off-boarding. What stops a single disgruntled employee from doing this before being fired? And if you have a good story there, why do you need the most extreme approach to "off-boarding"?
It makes sense to terminate someone's high-risk credentials immediately when they're fired. But it's extremely worrying if every credential held by every employee is considered high-risk. It suggests a bigger failure. "Unilateral access to a database filled with plain-text passwords" shouldn't ever exist. "Email account filled with dangerous stuff" should at least be unusual.
You always have to be careful about overfitting to a specific scenario like "this but if they had also forgotten to lock out the other evil twin". I'd prefer a system that is robust to a malicious employee (more likely: compromise of an employee's credentials) but has a slight gap in the "evil twins" scenario over one that prevents all post-firing malicious access from twins but doesn't consider at all what happens if a current employee's credentials are compromised.
This takes the whole "you must mean my evil twin" to an actual example. Maybe this is more "you must mean my other evil twin". Part of me really wishes their names were Daryl
In the US, they'll terminate your access while you're on the Teams Meeting behind the scenes and if you have any gaps, issues, blips, or smudges in your resume it gets thrown into the recycle bin by some AI agent.
In an age of malicious agentic AI, this level of access is negligent. A lack of engineering controls preventing this from happening at all means that a simple phishing or supply chain attack could easily have resulted in the same outcome or worse.
Jokes aside, stuff like this sucks because I suspect many employers will take from it the most extreme, dehumanizing lessons, e.g.: (a) make firings [edit: including lay-offs] as abrupt as possible including terminating all access immediately
The employee is always the last to know. This is standard fare.
> a more balanced version: <bunch of weedy ACLs, judgement calls, liability/>
Too complicated and subjective, stinks of more risk.
Also, I don't think it's dehumanizing it all (having been on the receiving end of it way back when during a layoff, and involved in the process more times than I care to count). It's standard practice for involuntary terms at all companies we work with, whether employee is IT or not. If a company is not doing this already, I'd encourage them to.
> Too complicated and subjective, stinks of more risk.
I actually think there's less risk, because it's not as narrowly focused on what a just-fired employee can do. That's not the only scenario of concern.
> Also, I don't think it's dehumanizing it all (having been on the receiving end of it way back when during a layoff, and involved in the process more times than I care to count).
Interesting. Thanks for the perspective. I've been fortunate enough to not be on the receiving end of a lay-off, knock on wood. It's happened to my teammates/reports though. Wasn't my decision. :-(
I'm just amused how these people were even hired to begin with ? They don't seem to be Americans? How were they even allowed to work on sensitive systems? Why was this even allowed? So many questions.
At 4:58 pm, he wiped out a Department of Homeland Security database using the command “DROP DATABASE dhsproddb.”
At 4:59 pm, he asked an AI tool, “How do i clear system logs from SQL servers after deleting databases?” He later asked, “How do you clear all event and application logs from Microsoft windows server 2012?”
In the space of a single hour, Muneeb deleted around 96 databases with US government information.
They were born in Maryland, and apparently quite skilled (or at least skilled at cheating their way through their studies, if not genuinely technically skilled).
I would imagine they lied about having a felony conviction on their job applications, and that for whatever banal reason any background check service they used didn't flag it, or the contractor was so grossly incompetent they didn't even check.
A few other circumstantial things lightly hint at the twins not being typically American:
1. Obliviousness to local laws and oversight (and the combination of severity of punishment + likelihood of getting caught); most Americans of their intelligence would be aware, and would not engage in the sort of hijinks they did.
2. Working with sibling (anecdotal, but seems slightly more common among immigrant families than locals, which would make sense since, on average, immigrants have fewer local connections than locals so the likelihood of working with siblings increases)
3. Loyalty to family (evidenced through the brazenness in the way they helped each other in criminal acts without a second thought). Americans, on average, are more individualist and hesitate more when asked by family to do something criminal
4. A lot of immigrants eventually adopt anglicised names, which neither of these two did
If a detective looked at these facts, they'd keep an open mind as there's nothing definitive above, but it would be equally ignorant to ignore the circumstantial evidence.
Having said all this, do we care where they're from? (unless it's a potential case of foreign interference or theft from an untouchable overseas company, which doesn't seem to be the case here)
I take it you're not in HR at the CIA or FBI, which vet applicants' families for a reason. i.e. how long ago applicants and/or their families came to the US does help predict their loyalties... It might not be a strong nor fair predictor, but it's not zero either.
> "most Americans of their intelligence would be aware"
that would still leave up to 49% Americans not being aware. so how did you conclude that they were not Americans? Also, how did you measure their intelligence?
> "slightly more common among immigrant families than locals"
even if true, how did you conclude that these were not Americans?
> "Americans, on average, are more individualist and hesitate more when asked by family to do something criminal"
even if on average Americans are more so, how did you conclude that these were not Americans?
> "A lot of immigrants eventually adopt anglicised names"
from your sentence it seems a lot of them don't. so how did you conclude that these were not Americans?
It would be a disaster for immigrants in your area if you were ever hired into some kind of investigative/law enforcement role.
> that would still leave up to 49% .... how did you conclude?
This fundamentally misunderstands how predictive models work. A parameter is a potentially useful predictor if it's better than excluding it 50.000001% of the time (high frequency trading is good evidence of this).
> conclude
Conclusions? Absolutely not. Higher statistical probability? Yes. Based on evidence. To state your point, which is bleeding obvious, of course you cannot know how recently someone or their family came to America based only on their behaviour with regard to the law. But their behaviour with regard to the law absolutely can be a useful predictor.
(in fact, it's precisely this rationale that justifies in some cases giving foreigners lighter sentences where 'their culture' allowed for xyz but the local jurisdiction doesn't - roadrules in the UK is a pretty good example: local truck drivers get the full penalty; those from continental Europe often do not, since road rules are less likely to be known by them)
Alternate example: ask a Western drug smuggler busted in Indonesia or Vietnam how long they expected their jail sentence to be if caught (spoiler - it's a trick question: they'll say 3-5 years and instead are met with the death penalty; whereas most locals are well aware of this) - ignorance to local laws and customs does correlate with how long someone (or their family) has lived in the area, if at all.
> On March 12, 2025, a search warrant was executed at Sohaib’s home in Alexandria. Agents grabbed plenty of tech gear but also turned up seven firearms and 370 rounds of .30 caliber ammunition. Given his former crimes, Sohaib should have had none of this.
For god's sake, don't commit crimes while you're committing crimes.
I was kind of hoping he sprinted out his back door which happened to be on a state line and then mailed his guns back to his house, just to try to cover everything.
> At 4:58 pm, he wiped out a Department of Homeland Security database using the command “DROP DATABASE dhsproddb.”
This article is hilarious. The two bickering brothers remind me of the guys in the Oceans movies played by Casey Affleck and Scott Caan. It’s amazing they got this close to sensitive data.
> At 4:59 pm, he asked an AI tool, “How do i clear system logs from SQL servers after deleting databases?” He later asked, “How do you clear all event and application logs from Microsoft windows server 2012?”
> In the space of a single hour, Muneeb deleted around 96 databases with US government information. He downloaded 1,805 files belonging to the EEOC and stashed them on a USB drive, then grabbed federal tax information for at least 450 people.
Maybe whoever runs infosec at that place should also be fired?
I love how this leaks out the fact that the DHS is running production databases on operating systems that are months away from end of extended support.
Windows Server has 5 years of mainstream support, 5 years of extended support, and then an extra 3 years paid Extended Security Updates (ESU) support. For 2012 and 2012 R2 that ends in October 2026.
The three years of ESU exists only for organisations like government departments that would rather pay Microsoft millions of dollars for patches than pay a competitive wage and hire competent IT staff that can complete upgrade projects on time.
> The three years of ESU exists only for organisations like government departments that would rather pay Microsoft millions of dollars for patches than pay a competitive wage and hire competent IT staff that can complete upgrade projects on time.
I'm not going to say the wages are fine but the issue is likely not to be the competence of the IT staff, but rather the overbearing IT management processes the U.S. Federal government uses. "Enterprise change management" processes separate from the already-long cybersecurity review processes can add weeks or even months to system updates.
In that kind of construct, you optimize for fewer but larger changes and then it's no surprise to see that there's no time in the project update schedule to update the OS in addition to making all the other long-overdue library / middleware / application changes that also are pending once a change finally can be made.
The day-to-day operation of large government bureaucracies is surprisingly immune to elections. The same people stay in the same job for decades, the "churn" only happens at the highest levels, and even those positions tend to outlast changes in the current political party in charge.
Unfortunately this is a good example of kicking the can. Not to the next administration but to after the next elections. Some aspects are felt already but not all.
It's a good time to be kind to your neighbors. No matter their background, they're almost certainly not the ones to be upset at.
The tools we use are not neutral. A sword can be made to work like an axe, but we use axes for chopping wood because a sword makes a shitty axe. A sword is designed to kill people. The handle, the mass, the weight distribution, and every other aspect I am not qualified to get in to, means swords are designed to kill. They are a tool, and their use is not neutral.
This is a clear example, but I don't believe any tools are neutral. Your immediate fallback was to a hammer, not a mouse, with the obvious corrollary being to bludgeon, but the same line applies. Tools are not neutral, and that's why when you looked for something that causes harm, you grabbed something that's objectively been serving a dual-purpose for hundreds of years. Nobody's using a computer mouse to bludgeon someone to death; it makes a shitty bludgeon, and the design of the tool reflects that.
That's also why these comparisons always fall back to knives, or hammers, or the AK-47: they are dangerous tools that are designed to make killing easier. Nobody is making these comparisons to more benign tools, like desk lamps, coffee cups, or car stereos, and it's because tools are not neutral, and none of my examples are designed to make direct, bodily harm, easier.
My larger point is that nobody - nobody - defaults to telling us the coffee mug is unregulated, as AI allegedly ought to be. They always compare it to something much more commonly used as a weapon; something that, when asked to name a household object likely to be used as a weapon, the average person would guess.
Instead of comparing AI to any other tool, especially one closer to "useful with a computer", the common comparison is always a weapon of some kind.
If the design of tools are neutral, one tool should do as well as another in this common comparison. But the useful application of tools is inherent in their design.
If tools were neutral, as so many on this site claim, why is AI only ever compared to knives and hammers?
Parent has lots of links to other common objects causing harm, why are they never used as the example when tools are allegedly neutral? That would be a stronger argument opposing AI regulation - ethernet has less regulations that knives, but can still be used as a murder weapon
One of my favorite lines "Peligroso es mi nombre medio" (which of course is not grammatically correct in Spanish) and then his short inspirational speech invoking general Zapata were great.
> it does follow from the simple fact that a fired employee with access to company systems is a security risk.
No, employees that can wipe 96 databases are a security risk, even when they're employed. But of course it's easier to go the inhumane route of cutting everything off at employment end rather than fix it properly
I don’t know where to start with this other than to point out that there is no way in hell these two clowns had the security clearance necessary to access a prod DB at DHS. I can only assume they stole creds from another employee who had that level of clearance. Also, tax records are not stored in a DHS domain .
I think this story has been sanitized to mask some details which is ok I guess but I ain’t buying the back story.
About 25 years ago we had layoff at a company I worked for. One of the DBA's got fired along with others. Back in the day they didn't revoke access and you had your work computer available until the end of the day. Most, who were fired, just packed and went on their way.
The fired DBA however, stayed behind and finished backing up the databases he was assigned to backup.
How did they get access to 5k passwords? Are they being sent/stored in cleartext? This is the most baffling part of the article for me.
The second part I'm unclear about is how you could pass SOC2 when you aren't terminating account access simultaneously with the employment termination.
From the article, it sounds like the passwords are indeed stored in cleartext:
> On Feb. 1, 2025, Muneeb Akhter asked Sohaib Akhter for the plaintext password of an individual who submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal, which was maintained by the Akhters’ employer. Sohaib Akhter conducted a database query on the EEOC database and then provided the password to Muneeb Akhter. That password was subsequently used to access that individual’s email account without authorization.
I've been through a handful of SOC2 audits and they've never asked us to _prove_ that we aren't storing passwords in plaintext or with reversible encryption (we weren't).
This is why so much of vetting & compliance is toothless. You can have robust change management, physical security, network security, identity management, etc. policies but absolutely nobody wants to spend enough on audit & enforcement to make them meaningful.
The gov't will make you _claim_ that you do all of these things before awarding a contract, but they won't ever check.
Good actors will do the right thing regardless because they know the consequences of cutting corners.
I'm pretty shocked as well. I thought every company stopped doing this like 20 years ago? Even for a legacy system that is a long time to continue storing credentials like that.
First of all, it is viral, and it is almost never adopted based on its own technical merit.
Second, it has lots of levels. The first level is “we wrote down a plan explaining how we’re going to secure stuff”.
The second level is when you start implementation or maybe tracking or something.
The key thing is that first level: When your SOC2 dept says you have to do something idiotic for SOC2 compliance, it is because someone at your company invented the idiocy, and should be fired. However, you still need to follow their dumb plan because that’s the process.
In this case, the “how do we fire people” process, and “how do we prevent one llm from dropping 96 prod DBs in a single session” very well could have had answers in the plan, the plan could have been implemented, and therefore the company is still soc2 compliant, and this is exactly what a working soc2 process is supposed to look like.
The tighter your security is, the more inconvenient it is for legitimate users, and the more you have to do audits because it's easy to justify going around security in the name of efficiency.
It's not just information security, either. I've seen vault doors propped open because the people working inside didn't want to do all the sign-in/sign-out paperwork to take a leak.
SOC2 requires an audit. But one of the weaknesses of SOC2 is that the audit mostly checks to determine that you are following whatever your policy is. It doesn't verify that your policy is rigorous.
And how exactly do you want to store passwords if not in plain text (and then encrypted of course)? 5k is a lot, the authorization process is broken, but this is not related to how the passwords are stored.
The only solution is correct access segregation and a bastion
You should never store passwords in plain-text, encrypted or not, you should always use a one-way cryptographic hash like bcrypt [0], scrypt [1], or PBKDF2 [2], combined with a single use salt [3] and optionally a pepper [4], and then store the output of the hash in the database.
To confirm a user supplied password matches you run input into the same hash function again with the salt+pepper and compare it to the value in the database.
That way if the database is stolen, the attacker cannot recover the contents of the passwords without brute forcing them. Encrypting passwords is not recommended because too often attackers are able to recover the encryption keys during the same attack where the password data is extracted.
Typically you store a hash of user passwords instead, then when logging in you hash the user password client-side and compare the hashes. This acts like a one-way function that protects the password while letting the user authenticate themselves.
Also, you need to add salt. Otherwise every person using "Password123" has the exact same hash. Before they broke their search engine, it was common to google the MD5/MD4 hashes to "decrypt" or "unhash" them.
Hashing passwords client-side is generally a bad idea, since it means that the hash effectively becomes the password. For example, if I have a database row that has the hash of the password and a bad-guy gets access to the database, they will get the hash. The benefit of a hash is that it is a one-way operation, I can't figure out the plaintext from the hash, so my account is safe. If the password is hashed on the client, and sent to the server the attacker doesn't need to reverse the hash, they can just send the hash in the request. Instead, you should send the password to the server (using TLS encryption) and do the hash and compare on the server.
You actually want to one-way passwords both client-side, for transport, and again server-side, for storage/comparison.
Otherwise, there's a hole, between the end of the TLS connection and where the server-side encryption happens, where the password is in plain text. Think logs and load-balancers and proxies.
While the client-side hashing doesn't help protect your site a lot (as you say, the hashed value the client sends effectively becomes the password), it helps protect the users who use the same password across multiple sites.
Notice in this case, that's exactly what the brothers are accused of doing: using credentials harvested from their site to log into other, potentially more lucrative accounts.
I didn't see if that's the hole the brothers exploited but it very well could have been.
The client-side encryption may have been all that was missing in this case.
Hashing client side is sufficient because the only service you can breach with the hash is the one you already had to breach in order to read the database.
Of course performing an additional server side hash on top of the client side one is good defense in depth because there's at least some chance that it might make things more difficult for a rogue insider and doing so costs approximately nothing. But it certainly isn't critical because by the time you're dealing with a rogue insider things are already looking quite bad.
Hashing client-side is a good idea. You must also hash server-side, for storage/comparison.
Otherwise, an insider may be able to harvest the original password, from logs, proxies, load balancers, etc. that requests pass through after the end of the TLS connection, on the way to the db.
They can then try the credentials on other, perhaps more lucrative sites. That's what the brothers are accused of doing here, so client-side hashing (or just simple encryption) may have been the missing piece of security that would have thwarted the credential stealing.
I wonder how common are setups where an internal person has access to the TLS private key part of the certificate or access to a network equipment that all traffic passes through, yet they cannot access the inputs required for hashing/encryption client-side?
This seems to mostly prevent accidental logging and is thus a matter of defense in depth, stopping malicious actors from exploiting it later — but an actively malicious IT person would not be deterred.
Yes, and that's not uncommon, IME. There's generally a lot of logging that's at least potentially available, and it gets turned on, and the logs shared when there's a problem that needs to be fixed (especially when it needs to be fixed quickly, which is usual).
This is going to make more sense for "enterprise"-type deployments, where there's a significant distinction between the people who might have access to request logs at times, and the people who can push code to production.
Yes limited protection against insiders is good defense in depth but not the primary purpose which is to protect end user accounts on other services in the event that you are breached.
My question still stands: how do you disallow cleartext password extraction if you are breached, assuming all your IT infrastructure and code is now accessible to an attacker?
I am talking about not logging them ever, using internal TLS and strong hashing in general, and wondering what exact value is added on top with client side hashing.
There are substantial differences between database access, snooping the logs, internal (no TLS) wiretap, and full MITM of the frontend.
Hashing client side minimizes the risk of any blast radius exceeding the bounds of your own service. There's obviously no way to prevent an adversary who achieves full MITM from gradually harvesting credentials over time. The only solution there is to use keys instead of passwords.
We are not disagreeing, but I am not getting my answer: how is client side hashing really helping, what are the circumstances it helps with if you do have the basics right?
In your enumeration, what is breached for this to be meaningfully impactful for other services where customers might be reusing credentials?
As opposed to what? Your question seems unclear to me.
I already answered you that if you assume full MITM of the frontend then it is physically impossible to prevent gradual credential harvesting. Did you have a different scenario in mind?
> how is client side hashing really helping
Compared to what? Server side hashing? It prevents the plaintext from ever hitting your infra which minimizes to the greatest extent possible an insider or intruder gaining access to the plaintext. Since preventing access to the plaintext is the primary purpose of hashing it's the sensible option if you're forced to pick only one.
Of course there's really no good reason to pick only one of the two. You might as well elect for defense in depth against rogue insiders with full db access even though it's difficult to imagine what use they would have for a password based login at that point.
I have no problem with my credentials being revoked everywhere before I know about a layoff. I don't really care how I learn about it, just please don't make me come in to the office.
I've never had a job with a permanent individual desk like this. The one in-person real job I had, it was only shared working space that different people used at different times of the day or on different days, and I think you were discouraged from leaving anything. The idea of there being "your desk" with a framed photo of your kids and favorite coffee mug seems like a nearly extinct piece of nostalgia. It must have been nice in a way, far preferable to the new style of open office at least.
Meh. Don't leave anything at work. Forgo the convenience and carry your things on your commute. Use a bag. If there's "too much stuff", that's a sign to pare back what you "need" at work.
I know this is not a good year on the job market, but if you are traveling to work with a "go bag" and not leaving coffee mugs on your desk to prepare for being laid off maybe it is time to carry that go bag to some other buildings...
The obvious middle ground is don’t leave anything valuable at your desk that you wouldn’t want to lose. You shouldn’t leave valuable stuff at your desk even if you don’t expect to be laid off. Unless you work in a very secure environment, you don’t really know who will be sniffing around your desk.
Go ahead and leave a coffee mug, who cares if you lose a coffee mug?
I would be devastated if a few of my coffee mugs were eaten by a firing/layoff. (But I would also not bring those specific coffee mugs to the office, either.)
God, if we're at the point where we're so paranoid about being laid off that we don't dare leave a single piece of personal property in the office then I think we're in a very dark place indeed. Can’t imagine the mental damage from considering losing your job every single day you wake up.
I never left anything valuable or personal at my desk when I worked in an office simply because I had a very nonzero number of colleagues who acted like animals. My fizzy waters, coffee, and snacks would be consumed without permission or replenishment. Chairs, monitors, and input peripherals would get swapped without asking. Desks surfaces would be sat on with chairs used as footstools. Corporate effluvia of all types would end up on my "unused desk" because I wasn't in at the exact moment some roving bandit walked by looking for a spot to dump their crates of paper and binders.
Some people simply have no regard for others and will mess with or jack your shit. Don't give them the chance.
I always thought it was weird that all of the equipment issued to me beyond the laptop was registered to me, such as the monitors and desk phone. Your comment enlightens me... That's wild to imagine folks just swiping things from other peoples desks. We even have storage rooms of office supplies where someone could drop off their crate of paper and binders if they had one for some reason.
well this did just happen to me. laid off while taking care of my father in laws estate and my personal belongings were thrown away. 7 years at the company as an EM ftr.
I had my gym stuff in a gym locker. The reason I was able to commit to a gym routine was being able to get off my desk, get down the elevator, enter the gym and change in gym clothes in literally 5 minutes. I would never be willing to commute with all that gear. And I never got that gear back.
Same, almost. When I was a student, I rented a locker near the showers so I could start my day at the school gym, shower, and go to my first class.
My workplaces have not had gyms, but I bought equipment for my home that maintains the streamline. I haven't been perfect at my routine because my work schedule isn't consistent which is annoying, but I do still get some exercise in at least twice per week with it. I doubt I'd be getting at least that otherwise.
Yes, I will bag my two tree-sized plants, 4 paintings, 1 old map, 2 posters, drawings of my kids, figurines and a few more things. Ah yes, the ball I sit on.
I spend in the office more time than at home so I want a nice environment.
So this was why the FBI Director Kash Patel was in a panic when he couldn't log in one day. Revoking credentials before firing someone makes a lot of sense in security.
no, becaus the simple and pragmatic solution for ANYONE who is subject to arbitrary termination, is to litter everything they build with caltrops and dead man triggers
and then hint that they will go into "consulting" when fired.
I know of one case where this was totaly unintentional, and a machinest at a local pulp and paper plant had self delegated to
write the software that controlled tension
on the giant machines in the mill, but as it was his only real forey into sofware, nobody else could operate it, and they fired him after a manegment reshuffle, and then after the next scheduled shut down, nothing worked right, greasy dusty ancient screen with a blinking cursor was what they had, plugged into the important bits of a half sqare mile plant.
still funny to think about!
Or if you don't want to booby trap your code, buy one of those tiny devices that make a cricket noise randomly every 5-15 minutes, and hide it somewhere in the restroom.
These are too obvious - 5-15 minutes gives your victim way too many opportunities to narrow down the location.
What you really need is one that chirps once every (multiple of) 20-28 hours (with weighting towards 23-25 to keep it roughly around the time you set it going and an infrequent skipping of a day.) Also with different volumes and, ideally, different chirps. Occasionally a double chirp just for extra insanity causing.
(A Michael Jackson "hee heee" would be another good option.)
> Muneeb and Sohaib Akhter, now both 34, had been in trouble before. Back in 2015, the brothers pled guilty in Virginia to a scheme involving wire fraud and computers. Muneeb was sentenced to three years in prison, while Sohaib got two.
After their stints in jail, the brothers worked their way back into the tech world. In 2023, Muneeb got a job with a Washington, DC, firm that sold software and services to 45 federal clients; Sohaib got a job at the same company a year later.
What in the actual fuck. I'm all for giving people second chances. But maybe some ringfencing?
No, this is exactly what giving people second chances looks like. It means taking a risk that they're the sort of person who is likely to commit a crime and who will commit a crime again after being given the second chance. The only way to prevent this is to have a blanket policy against giving second chances to people convicted of crimes, which harms people who genuinely intend to reform and not commit crimes again, and who you cannot systematically distinguish from chronic criminals.
There are literally thousands of occupations a former computer based wire fraudster can be given a second chance in that aren't here's a computer full of sensitive government files, with CRUD privileges.
Like... I think ex drugs dealer deserve a chance of legitimate employment, but perhaps doling out prescription drugs is best left to someone that doesn't need a "second chance" to demonstrate they're unusually trustworthy and unlikely to be tempted by the possible side incomes.
The fraud conviction seems totally inappropriate for a government contractor and yet... somehow totally appropriate for someone appointed to work directly for the upper echelons of federal government. Hell, everyone else hacking government officials emails and tax returns and randomly deleting stuff for the lolz in February 2025 was being paid by DOGE.
> Muneeb Akhter asked Sohaib Akhter for the plaintext password of an individual who submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal, which was maintained by the Akhters’ employer. Sohaib Akhter conducted a database query on the EEOC database and then provided the password to Muneeb Akhter.
I can understand wanting to be perceived as being on “the right team” but that comment is so silly that it undermines credibility. To put it otherwise, could you imagine a scenario where I had a labor, arbitrage opportunity that involved a higher paying job in Shanghai, China and that I had lived there for a few years to do that. Let’s also say that I was found guilty of some similar crime. Would you call me a good old fashioned red-blooded Chinese crook?
It’s OK to acknowledge that economic migrants are a thing, and that they likely have only transactional interest in where they live, such as a Bengali construction worker in Dubai, for example. That’s just part and parcel of labor mobility. For better or worse, shareholders, or middleman representing shareholders, have decided this sort of thing is a really good idea in the US, and now around half the population falls in that bucket. It’s a free country, and freedom means being free to choose short term interests. That also means you’re free to support such policies because they are good for Blue-team redistricting so we can provide free healthcare to all 8 billion people in the world somehow.
But please, nobody becomes a Yankee by the mere fact of standing on the ground. If you want that pejorative title, then you need to earn it.
Uhh... The guy in charge of the whole thing does things a foreign adversary would do. Has for years and he's back for round two. He even tried to overthrow the government once.
How on earth did someone previously convicted of what sounds like hacking get job access to so many prod government databases? Wild that it took them so long to get caught.
I had the same questions. Apparently discovery of the prior conviction is what lead to them being fired:
> When the company discovered Sohaib Akhter’s felony conviction, it terminated both brothers’ employment during an online remote meeting on Feb. 18, 2025
The company involved here is apparently based in Washington, DC, which has a "Ban the Box" ordinance that limits employment background checks for most kinds of jobs. And apparently DC's version of the law is particularly strict.
The prevents them from asking before extending an offer, but it seems they could (and should) have checked after.[0]
> However, an employer may ask about criminal conviction(s) after extending a conditional offer of employment (the employer can never ask about arrests or criminal acusations that aren't pending). An employer who properly asks about a criminal conviction can only withdraw the offer or take adverse action against the applicant for a legitimate business reason that is reasonable under the six factors* listed in the Act.
One of the six factors is "Fitness or ability of the person to perform one or more job duties or responsibilities
given the offense"[1], which they probably could have invoked after asking (though they never checked or didn't check thoroughly enough, so I guess it's moot).
Shouldn't this force companies that need to pass a SOC2 out of the district? Doesn't SOC2 require background investigation of personnel with access to sensitive systems?
And I recently couldn't get a job through a federal contractor for a federal position (requiring NO security clearance) because they didn't like something on my credit report.
> On Feb. 1, 2025, Muneeb Akhter asked Sohaib Akhter for the plaintext password of an individual who submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal, which was maintained by the Akhters’ employer. Sohaib Akhter conducted a database query on the EEOC database and then provided the password to Muneeb Akhter. That password was subsequently used to access that individual’s email account without authorization.
It should be a federal crime with prison time to make a DB for a federal agency and not hash and salt passwords or other auth credentials.
It's probably some sort of crusty old application written before salt and hash was SOP. No agency is going to spend money on hardening something non-critical unless there's an incident or there's free money to do so. And that application was likely written by some contractor who's no longer around or has the source code available so any fixes would require an entire redo. And while you're redoing the whole thing, let's add in a bunch of features and scope creep to balloon the cost and schedule. Oops, the new contractor writing the app is overrun so let's bail and go back to the old version.
These are the cases why I understand HR kicks people out immediately during a layoff. But then the employee cries inhumanity and desires that they have access for weeks, when they no longer need to. It’s a risk that’s proven unwise. Blame the layoff, not the access revocation
Not many people test their backups. I've encountered some situations where the backups didn't work. And one previous employer who was so lazy that he didn't rotate the backup tapes so that the one tape cartridge was used so long that the oxide layer was rubbed off of the tape - so it was no longer brown but was transparent instead (imagine adhesive tape with no adhesive).
Remind me of a forum a long time ago that sent me my password in clear when I used the "forgot password" link.
When I advised them that it was a bad idea to store password in clear, they answered that they keep it in clear so that they can send it when someone forget.
In my free time, I help maintain the web presence for a small non-profit org with memberships. The original system when I started helping was a bespoke system that was smart in many ways (essentially a static site generator with membership control years before SSGs were cool, with regular automated tests), but the guy who wrote it absolutely insisted on storing passwords in plaintext and could not be convinced otherwise. Eventually he had to drop the volunteer position due to other things in life, and the first thing we did was correct this issue.
There was a screenshot of some website floating around a few years ago, where if you entered the correct password but a wrong username, it would helpfully tell you which user the password is really for.
I've got a better one. I once had the same argument mentioned to me by my manager at the time when I pointed out that passwords were being stored in clear text. That it needs to be this way so that it is read/sent when the users forget their passwords(which happened a lot). I tried to explain that typically a "reset password" flow is used for that but that fell on deaf ears. That system contained healthcare data.
Something bad did end up happening due to that lax security and there were oh so many meetings about it.
> Something bad did end up happening due to that lax security and there were oh so many meetings about it.
This is the sort of thing that makes me want to check out of the whole circus. Here I am, telling you ahead of time, and you ignored me
So how there's a circus that we could have avoided and not only do I get zero recognition for identifying the threat ahead of time, the people who ignored me keep their jobs and turn it into a zoo where everyone is scrambling in endless meetings
And I've seen it play out a few times. After a point, why bother...
Yeah, I can relate. It's a problem if you don't bother since you won't be doing your job to the best of your abilities and it's a problem if you do since you might get in trouble with the management for not being a "team player" or some other silliness. Without meaningful consequences, I don't see this situation changing.
Circa 2012 the San Francisco water bill pay was able to send me my password in plaintext when I forgot it. I was scandalized. But the alternative was to not pay the water bill, so I just made extra sure the password was very random and wasn't one that got re-used anywhere... I think they fixed this issue in the years since.
> While this was going on, the brothers held a running conversation. (The government is not clear about whether this took place over text, instant message, or in person.)
Explain to me how we can have a transcript of a conversation without knowing whether it was in person or not. I'm baffled by this sentence.
Deleting data like that is a crime investigated by the FBI. In a very sad story, a brilliant former coworker made a mistake of deleting data after leaving employment and ended up in prison. Brilliant guy, momentary mistake. Overzealous employer.
This makes sense but also an employee who is dishonest is also a security risk; fired or not.
It's ridiculous that companies don't seem to care about ethics. They never seem to select candidates based on proven ethics. They don't even ask any such questions.
For example, I've been in at least 2 situations where I had the ability to inflict major damage to companies which had treated me very poorly and I could have legally gotten away completely whilst doing variants of 'the wrong thing' and profiting but I didn't do it because I have principles. Unfortunately it seems that few people do nowadays. Leaders are fooling themselves if they think they can completely factor out ethics and make it all about aligning incentives. Incentive alignment creates its own problems as this alignment requires constant maintenance and it's both expensive and detrimental in the long run. These people will tend to sabotage every aspect of their responsibilities which isn't directly measured... In order to gain leverage. It's not clever. It's crooked. Should not be rewarded.
My experience as a software developer is that managers alway have lots of blind spots and the wrong people will take advantage of all of them, even when it negatively impacts the company.
"Legal Eagle" has a new video about this. The administration's viewpoint is that the Presidential Records Act is unconstitutional, plus the President owns every document, so he can't be forced to return anything because it belongs to him.
if you personally believe there is a positive correlation between having an ethnic background (mexican or middle eastern or whatever) and doing bad things, I can't control your beliefs
Getting close to the classic Monty Python line: "Those responsible for sacking the people who have just been sacked, have been sacked."
Jokes aside, stuff like this sucks because I suspect many employers will take from it the most extreme, dehumanizing lessons, e.g.: (a) make firings [edit: including lay-offs] as abrupt as possible including terminating all access immediately, (b) never give second chances to anyone with any sort of criminal record (even say decades old marijuana posession or something).
I'd prefer a more balanced version: limit unilateral access to sensitive systems in general (not just of recently-fired employees), when someone is fired immediately shut off particularly sensitive credentials if they do exist (but not their general-purpose login/email account), avoid hiring people convicted of wire fraud as sysadmins, hash your @!#$ing passwords, etc.
Except not everything was properly documented, and it turned out the employee had given admin rights on some resources to a contractor which proceeded to wreak havoc on their behalf (the 'rm -rf' kind). Eh!
They even send the “you’re being fired” email to their personal email they have on file. Didn’t even schedule a meeting.
I'm not sure there's any good way to lay off large amounts of staff (besides not getting yourself into the situation in the first place where you have to)
Someone on HN once wrote that after the dot.com bust, Yahoo! HR had 1-1 meetings with every single employee that was part of the mass layoffs back then, and they did this for hundreds of workers. Boy what I wouldn't give to go back to such state of affairs, even though I wasn't yet part of the workforce back then.
An older family friend of mine who started working in tech around 2003-2005, told me "back in my day, to get a job, you'd just send your CV to HR@corpo.com, and in 2-3 days you'd get a call asking you when you're free to come over for an interview". Now today you're lucky you get an automated reply back from 50 CVs sent, just for the opportunity to do an impersonal take home assessment as part of the seven stage interview process. It's like screaming into the void of AI bots and automated CV screening systems, while you spin the barrel of the revolver to play the next round of Russian roulette.
And the crazy part is, that when people talk about "the good old days", we're talking about events from recent history, just 10-25 years ago, that a lot of current workers experienced in their lifetime, not stuff from when boomers were kids.
The massive sudden shift in the commoditization of human workers and turning them into faceless labor resources that can be inhumanely disposed of with a keystroke, is real and noticeable to everyone, that I'm envious for you guys who are set to retire soon out of this shitshow.
What comes after this? Have we reached rock bottom, or will it get even worse?
What I hear about today seems crazy hard.
IDK, I'm not from the US/Bay-Area, nor does my country have any big-tech/FANG jobs to distort the market for what constitutes a "high wage" in tech, it's all the same.
>in the back-half of COVID.
Sure, but Covid was only a short blip, a temporary exception, not a baseline norm for wage/job growth, like the years prior which was a longer period of getting a job was easy, like 2012-2020.
For me where I live now, the career depression I saw came in 2023 already when jobs become less abundant and harder to get, and it only got worse later when mass layoff started. So we're already 3 years in the decline, longer than the Covid boom lasted and things aren't going better yet.
I entered the workforce in around 2012-2014 and it was significantly easier to get a callback from sending a resume than it is now where it's mostly automated rejections. When I say "easy" I also mean you didn't need 7 stages of interviews to get a job back then, you'd have 2 stages and those were pretty chill and get a call back from every 2-3 resumes sent. Now you need to send dozens. I guess "easy" is relative.
>Also pay was relatively decent but much less than what you saw even 5 years ago.
Inflation also happened in that time.
https://www.usenix.org/legacy/event/lisa99/full_papers/ringe...
I worked for a Big Tech company that actually did this, and it made the transition a lot easier. You could still access corporate resources necessary for the transition (HR, benefits, internal job postings, training offerings, expense reporting, etc), check-in with colleagues 1:1 (who would be warned this person was no longer part of the org, attachments could be blocked to prevent exfil, etc), and still send/receive email internally (though external was blocked by default and required justification).
You can safeguard your corporate infrastructure without actually cutting everything off entirely and sending someone home to stew angrily about it. In fact, there might be (as yet undocumented) advantages to letting folks exist in that transition period on that segmented infrastructure, so as to identify potentially bad actors before they can do harm and see about mending bridges.
Of course all of that requires conscious investment in projects with no clear quarterly/yearly KPIs to measure cost or success against, so most employers will never remotely consider it.
You're proving my point—employers take the most extreme lesson and it's considered expected practice. They absolutely should have immediately terminated the credentials that granted unilateral access to sensitive databases. (Ideally those would never exist in the first place—there are two-person schemes. A pair of bad actors...well apparently happens according to this article...but is far more unusual.) But employers regularly (but shouldn't) terminate all access including credentials that allow last email to colleagues exchanging personal contact info or something.
This especially includes creds like root or admin level access to AWS/GCP/whatever-cloud-or-hosting-service, and other critical creds like user/password management, domain name registrations, AppleStore and GooglePlay accounts, source code repos, documentation and internal tooling, external services like observability/analytics/crash-trcking. It also keeps a current(ish) list of all clients/projects where I've had any access at all, listing things like API keys, ssh keys and bastion hosts, project or platform admin creds, as well as systems like databases (SQL and KV caches), firewall rule specific to me.
I also try to list anything else I could, if I were a malicious disgruntled ex employee, use to cause grief to the employer or their clients.
I point out in this email that if I were to be rouge, I'd most likely have intentionally left something out or left behind backdoors or timebombs, and while I am not that kind of person and I have not done those things, they owe it to themselves and their clients to have someone else senior and experienced enough to carefully audit everything to ensure I cannot access anything.
I send this from a personal email account, so I still have timestamped records of having sent it. If an ex employer ever gets hacked shortly after I leave, I want evidence I did everything I reasonably could to remind them to lock me out.
(Writing this down reminds me it's been a while since I updated this - I guess thats something I'll ned to get on to soon.)
Isn't this an unrealistically black-and-white mode of thinking? Humans are complicated and have many values and perceived responsibilities. It's not healthy for them to throw them all out and act as if they only have one responsibility that needs to be maximally upheld at all costs. They should balance their actions thoughtfully.
Meh? Sure, stuff that would help assemble a credible phishing attack, but not customer SPII or huge amounts of intellectual property or anything. If the assumption is that employees' inboxes are full of dangerous things, I would focus on fixing that.
Someone with an interest in scuttling your company could just as easily maintain a low profile and do it at any time. Termination forces execution into a more-predictable timeframe. Once notified, the malevolent only have opportunity to exfiltrate or sabotage whatever they can reach in the time it takes to walk them out the door.
European laws require us to give people something like two months' notice. Even then we don't trust them; we pay them their salary and tell them to stay home.
Looking at it from Europe - it is such a weird inhumane practice.
Someone decided your position is redundant. Okay, shit happens, economic downturn, etc. Then you have extra 3-6 months of work to pass your knowledge, train replacement and document everything.
It's just one of these rules that unfortunately in Europe allow people to view life purely as the time between jobs. I'd never tell that to someone's face but it's simply a fact that the world stops of people don't work and no matter what the ideal world looks like in your dreams, working is the only real way forward for anything. It's part of the reason why Europe is falling behind on everything.
The increased growth in USA the last decade have largely been created by means that one day will be quite costly for you (debt).
The USA under MAGA is falling apart. EU and others are actively minimizing risk by selecting non-US IT providers. EU and others are actively selecting non-US defence aystems.
I say that it is very positive to protect your citizens. Russia (sending their citizens en masse to a certain death on the front lines) and USA have more in common politically than USA and EU.
I read a news article that Orange Telecom in France was being sued by a woman they had on payroll for the last 20 years doing nothing, because due to a medical condition she suffered, she became unable to do her job, and since they couldn't fire her due to France unions and labor laws, nor did they have any available job that could fit her current condition, they just kept paying her for 20 years to do nothing at work, and now she's suing them for the depression she got to get paid for no work.
It felt like reading a Monty Python skit.
But Europe is failing due to a myriad of compounding issues and structural deficits, not just because firing workers can be a Kafkaesque nightmare in some countries. European workers' unions and labor protections were even stronger 20-25 years ago and in 2004 the Euro stock market was worth more than the US stock market, while now it's worth half the US one. But that's whole different discussion where pages have to be written to encompass the whole context and cover all aspects of European economic decline. Boiling it down to crazy labor protections would be reductionist and incorrect.
They couldn't find anything for her to do? Hard to believe, but if there's a reason not to fire her then then pay her the money she's owed and stop demanding she show up. Making someone come in with no tasks assigned is fun for a week and quickly turns into punishment detail. Putting someone on punishment detail because you're not allowed to fire them is Bad.
Unless she was allowed to stay home, in which case I take most of that back and it falls on her to go outside and find something to do. I can't find any articles with enough detail. But I'm still skeptical they actually couldn't find a job for her to do. It was 'just' paralysis on one side.
Pretty standard practice in many technology(not just IT) and finance companies in Europe as well.
>If you don't trust your people so much, why to hire them in a first place?
It's not about trust, it's about risk, and most companies operate on liability and risk mitigation. If society ran on trust alone, we wouldn't need contracts, door locks, passwords, IDs, judges, security cameras, jails, police, etc.
You can verify someone's performance at the job interview, you can't verify their trustworthiness, especially once they've learned they lost their job, even trustworthy people react irrational once emotions hit making snap decisions they'll later regret without thinking of the consequences on the spot, and you see innocent people suddenly turn vengeful or violent and break the law (just look at relationship breakups and domestic violence).
You can't predict such reactions, so best to prevent them instead of chasing damages from them later through the court system.
Put yourself in a business owner's position for a minute. Nobody wants to be the "this former employee set my building on fire after I gave his notice, by leaving him in the flammable material warehouse unsupervised, because I wanted to show him that despite the layoff I still trust him".
For some businesses and jobs the trust alone is enough, for other jobs that involve access to sensitive data or money, it's straight to paid garden leave because nobody wants to risk it.
>Then you have extra 3-6 months of work to pass your knowledge, train replacement and document everything.
Yeah, that happens sometimes like for CxO's, managers, execs who get generous golden parachutes/severance packages, but for rank and file workers in the trenches, having to show up to a workplace you know you'll soon loose, for several more months of work till it's finally over, feels like torture unless you're getting a crazy severance package. That's like your wife telling you "honey, I'm divorcing you, but I still want you to live with me for 3-6 more months, and perform your regular duties".
Like there's so many other attack vectors besides an upset ex-employee.. Like all those articles about NK employees who presumably are trying very hard not to be fired. Or employees using company provided insecure email software leaving them vulnerable to ransomware et al.
It makes sense to terminate someone's high-risk credentials immediately when they're fired. But it's extremely worrying if every credential held by every employee is considered high-risk. It suggests a bigger failure. "Unilateral access to a database filled with plain-text passwords" shouldn't ever exist. "Email account filled with dangerous stuff" should at least be unusual.
Eventually I tried to log into one of my old cloud accounts, to find it was only disabled since 9 days after my layoff. Pretty sloppy.
In the US, they'll terminate your access while you're on the Teams Meeting behind the scenes and if you have any gaps, issues, blips, or smudges in your resume it gets thrown into the recycle bin by some AI agent.
The employee is always the last to know. This is standard fare.
Leaving no one to say anything anymore on their behalf.
Too complicated and subjective, stinks of more risk.
Also, I don't think it's dehumanizing it all (having been on the receiving end of it way back when during a layoff, and involved in the process more times than I care to count). It's standard practice for involuntary terms at all companies we work with, whether employee is IT or not. If a company is not doing this already, I'd encourage them to.
I actually think there's less risk, because it's not as narrowly focused on what a just-fired employee can do. That's not the only scenario of concern.
> Also, I don't think it's dehumanizing it all (having been on the receiving end of it way back when during a layoff, and involved in the process more times than I care to count).
Interesting. Thanks for the perspective. I've been fortunate enough to not be on the receiving end of a lay-off, knock on wood. It's happened to my teammates/reports though. Wasn't my decision. :-(
https://www.somdnews.com/archive/news/19-year-old-twins-high...
1. Obliviousness to local laws and oversight (and the combination of severity of punishment + likelihood of getting caught); most Americans of their intelligence would be aware, and would not engage in the sort of hijinks they did.
2. Working with sibling (anecdotal, but seems slightly more common among immigrant families than locals, which would make sense since, on average, immigrants have fewer local connections than locals so the likelihood of working with siblings increases)
3. Loyalty to family (evidenced through the brazenness in the way they helped each other in criminal acts without a second thought). Americans, on average, are more individualist and hesitate more when asked by family to do something criminal
4. A lot of immigrants eventually adopt anglicised names, which neither of these two did
If a detective looked at these facts, they'd keep an open mind as there's nothing definitive above, but it would be equally ignorant to ignore the circumstantial evidence.
Having said all this, do we care where they're from? (unless it's a potential case of foreign interference or theft from an untouchable overseas company, which doesn't seem to be the case here)
that would still leave up to 49% Americans not being aware. so how did you conclude that they were not Americans? Also, how did you measure their intelligence?
> "slightly more common among immigrant families than locals"
even if true, how did you conclude that these were not Americans?
> "Americans, on average, are more individualist and hesitate more when asked by family to do something criminal"
even if on average Americans are more so, how did you conclude that these were not Americans?
> "A lot of immigrants eventually adopt anglicised names"
from your sentence it seems a lot of them don't. so how did you conclude that these were not Americans?
It would be a disaster for immigrants in your area if you were ever hired into some kind of investigative/law enforcement role.
This fundamentally misunderstands how predictive models work. A parameter is a potentially useful predictor if it's better than excluding it 50.000001% of the time (high frequency trading is good evidence of this).
> conclude
Conclusions? Absolutely not. Higher statistical probability? Yes. Based on evidence. To state your point, which is bleeding obvious, of course you cannot know how recently someone or their family came to America based only on their behaviour with regard to the law. But their behaviour with regard to the law absolutely can be a useful predictor.
(in fact, it's precisely this rationale that justifies in some cases giving foreigners lighter sentences where 'their culture' allowed for xyz but the local jurisdiction doesn't - roadrules in the UK is a pretty good example: local truck drivers get the full penalty; those from continental Europe often do not, since road rules are less likely to be known by them)
Alternate example: ask a Western drug smuggler busted in Indonesia or Vietnam how long they expected their jail sentence to be if caught (spoiler - it's a trick question: they'll say 3-5 years and instead are met with the death penalty; whereas most locals are well aware of this) - ignorance to local laws and customs does correlate with how long someone (or their family) has lived in the area, if at all.
I too am shocked at the level of federal access that was afforded to these non-Americans that clearly also hold a disdain for the country.
For god's sake, don't commit crimes while you're committing crimes.
This article is hilarious. The two bickering brothers remind me of the guys in the Oceans movies played by Casey Affleck and Scott Caan. It’s amazing they got this close to sensitive data.
So many red flags, I can't even.
Maybe whoever runs infosec at that place should also be fired?
Which MAGAts applaud. Emptying the swamp!
> "How do I clear chat logs from LLM?"
I guess?
Windows Server has 5 years of mainstream support, 5 years of extended support, and then an extra 3 years paid Extended Security Updates (ESU) support. For 2012 and 2012 R2 that ends in October 2026.
The three years of ESU exists only for organisations like government departments that would rather pay Microsoft millions of dollars for patches than pay a competitive wage and hire competent IT staff that can complete upgrade projects on time.
I'm not going to say the wages are fine but the issue is likely not to be the competence of the IT staff, but rather the overbearing IT management processes the U.S. Federal government uses. "Enterprise change management" processes separate from the already-long cybersecurity review processes can add weeks or even months to system updates.
In that kind of construct, you optimize for fewer but larger changes and then it's no surprise to see that there's no time in the project update schedule to update the OS in addition to making all the other long-overdue library / middleware / application changes that also are pending once a change finally can be made.
It's a good time to be kind to your neighbors. No matter their background, they're almost certainly not the ones to be upset at.
That said, they should have migrated it years ago.
The fact that they didn't already know how to do it is the crazy part.
This is a clear example, but I don't believe any tools are neutral. Your immediate fallback was to a hammer, not a mouse, with the obvious corrollary being to bludgeon, but the same line applies. Tools are not neutral, and that's why when you looked for something that causes harm, you grabbed something that's objectively been serving a dual-purpose for hundreds of years. Nobody's using a computer mouse to bludgeon someone to death; it makes a shitty bludgeon, and the design of the tool reflects that.
That's also why these comparisons always fall back to knives, or hammers, or the AK-47: they are dangerous tools that are designed to make killing easier. Nobody is making these comparisons to more benign tools, like desk lamps, coffee cups, or car stereos, and it's because tools are not neutral, and none of my examples are designed to make direct, bodily harm, easier.
Murder by ethernet cable: https://www.gainesvilletimes.com/news/dead-woman-found-in-pa...
Murder by laptop: https://www.riverfronttimes.com/william-lynn-gunter-sentence...
Murder by cellphone charger: https://lawandcrime.com/crime/pennsylvania-man-admits-to-str...
Murder by desk lamp: https://www.pressdemocrat.com/2009/01/08/man-beaten-to-death...
Stabbing by coffee mug: https://www.muscalaw.com/blog/north-port-two-women-attack-co...
If the design of tools are neutral, one tool should do as well as another in this common comparison. But the useful application of tools is inherent in their design.
If tools were neutral, as so many on this site claim, why is AI only ever compared to knives and hammers?
Parent has lots of links to other common objects causing harm, why are they never used as the example when tools are allegedly neutral? That would be a stronger argument opposing AI regulation - ethernet has less regulations that knives, but can still be used as a murder weapon
No need to knee jerk react to an argument that hasn't been made.
I was sort of admiring the devastation a malignant actor can cause with a good tool.
It’s usually used for morally neutral neutral or good work.
starting with Windows Server _2012_ :O
No, employees that can wipe 96 databases are a security risk, even when they're employed. But of course it's easier to go the inhumane route of cutting everything off at employment end rather than fix it properly
I think this story has been sanitized to mask some details which is ok I guess but I ain’t buying the back story.
The fired DBA however, stayed behind and finished backing up the databases he was assigned to backup.
Once the job was done, he packed and left.
True story!
The second part I'm unclear about is how you could pass SOC2 when you aren't terminating account access simultaneously with the employment termination.
> On Feb. 1, 2025, Muneeb Akhter asked Sohaib Akhter for the plaintext password of an individual who submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal, which was maintained by the Akhters’ employer. Sohaib Akhter conducted a database query on the EEOC database and then provided the password to Muneeb Akhter. That password was subsequently used to access that individual’s email account without authorization.
This is why so much of vetting & compliance is toothless. You can have robust change management, physical security, network security, identity management, etc. policies but absolutely nobody wants to spend enough on audit & enforcement to make them meaningful.
The gov't will make you _claim_ that you do all of these things before awarding a contract, but they won't ever check.
Good actors will do the right thing regardless because they know the consequences of cutting corners.
First of all, it is viral, and it is almost never adopted based on its own technical merit.
Second, it has lots of levels. The first level is “we wrote down a plan explaining how we’re going to secure stuff”.
The second level is when you start implementation or maybe tracking or something.
The key thing is that first level: When your SOC2 dept says you have to do something idiotic for SOC2 compliance, it is because someone at your company invented the idiocy, and should be fired. However, you still need to follow their dumb plan because that’s the process.
In this case, the “how do we fire people” process, and “how do we prevent one llm from dropping 96 prod DBs in a single session” very well could have had answers in the plan, the plan could have been implemented, and therefore the company is still soc2 compliant, and this is exactly what a working soc2 process is supposed to look like.
It's not just information security, either. I've seen vault doors propped open because the people working inside didn't want to do all the sign-in/sign-out paperwork to take a leak.
The only solution is correct access segregation and a bastion
To confirm a user supplied password matches you run input into the same hash function again with the salt+pepper and compare it to the value in the database.
That way if the database is stolen, the attacker cannot recover the contents of the passwords without brute forcing them. Encrypting passwords is not recommended because too often attackers are able to recover the encryption keys during the same attack where the password data is extracted.
[0] https://en.wikipedia.org/wiki/Bcrypt
[1] https://en.wikipedia.org/wiki/Scrypt
[2] https://en.wikipedia.org/wiki/PBKDF2
[3] https://en.wikipedia.org/wiki/Salt_(cryptography)
[4] https://en.wikipedia.org/wiki/Pepper_(cryptography)
Hashing passwords has been a thing for at least 50 years now. V3 unix had /etc/passwd which hashed all user passwords. Notably, these hashed passwords in early unix have been cracked: https://arstechnica.com/information-technology/2019/10/forum...
I guess you got your answer.
You store safely crafted hashes.
Otherwise, there's a hole, between the end of the TLS connection and where the server-side encryption happens, where the password is in plain text. Think logs and load-balancers and proxies.
While the client-side hashing doesn't help protect your site a lot (as you say, the hashed value the client sends effectively becomes the password), it helps protect the users who use the same password across multiple sites.
Notice in this case, that's exactly what the brothers are accused of doing: using credentials harvested from their site to log into other, potentially more lucrative accounts.
I didn't see if that's the hole the brothers exploited but it very well could have been.
The client-side encryption may have been all that was missing in this case.
Of course performing an additional server side hash on top of the client side one is good defense in depth because there's at least some chance that it might make things more difficult for a rogue insider and doing so costs approximately nothing. But it certainly isn't critical because by the time you're dealing with a rogue insider things are already looking quite bad.
Hashing client-side is a good idea. You must also hash server-side, for storage/comparison.
Otherwise, an insider may be able to harvest the original password, from logs, proxies, load balancers, etc. that requests pass through after the end of the TLS connection, on the way to the db.
They can then try the credentials on other, perhaps more lucrative sites. That's what the brothers are accused of doing here, so client-side hashing (or just simple encryption) may have been the missing piece of security that would have thwarted the credential stealing.
This seems to mostly prevent accidental logging and is thus a matter of defense in depth, stopping malicious actors from exploiting it later — but an actively malicious IT person would not be deterred.
Yes, and that's not uncommon, IME. There's generally a lot of logging that's at least potentially available, and it gets turned on, and the logs shared when there's a problem that needs to be fixed (especially when it needs to be fixed quickly, which is usual).
This is going to make more sense for "enterprise"-type deployments, where there's a significant distinction between the people who might have access to request logs at times, and the people who can push code to production.
I am talking about not logging them ever, using internal TLS and strong hashing in general, and wondering what exact value is added on top with client side hashing.
Hashing client side minimizes the risk of any blast radius exceeding the bounds of your own service. There's obviously no way to prevent an adversary who achieves full MITM from gradually harvesting credentials over time. The only solution there is to use keys instead of passwords.
In your enumeration, what is breached for this to be meaningfully impactful for other services where customers might be reusing credentials?
I already answered you that if you assume full MITM of the frontend then it is physically impossible to prevent gradual credential harvesting. Did you have a different scenario in mind?
> how is client side hashing really helping
Compared to what? Server side hashing? It prevents the plaintext from ever hitting your infra which minimizes to the greatest extent possible an insider or intruder gaining access to the plaintext. Since preventing access to the plaintext is the primary purpose of hashing it's the sensible option if you're forced to pick only one.
Of course there's really no good reason to pick only one of the two. You might as well elect for defense in depth against rogue insiders with full db access even though it's difficult to imagine what use they would have for a password based login at that point.
The minimum one can do is have a different randomized password for every service on a possibly completely offline password manager.
Yes, you will depend on a password manager at all times, but at least the blast radius is minimized to the affected service.
But how do you pick up the stuff from your desk? I once lost a nice pair of headphones this way.
I'm in my early 40s, and I've never had a job where we've "hot-desked" like that, even when a company was out-growing an office.
Every job I had before COVID back to when I started back in the early/mid 90s had dedicated desks.
Go ahead and leave a coffee mug, who cares if you lose a coffee mug?
Some people simply have no regard for others and will mess with or jack your shit. Don't give them the chance.
Many humans like to decorate their desks, keep personal stuff there. It's normal.
Still a net positive in my experience.
My workplaces have not had gyms, but I bought equipment for my home that maintains the streamline. I haven't been perfect at my routine because my work schedule isn't consistent which is annoying, but I do still get some exercise in at least twice per week with it. I doubt I'd be getting at least that otherwise.
I spend in the office more time than at home so I want a nice environment.
Ever tried to login with two factor and justify a maxed out company card while high as a kite and drunk?
It’s stressful.
I know of one case where this was totaly unintentional, and a machinest at a local pulp and paper plant had self delegated to write the software that controlled tension on the giant machines in the mill, but as it was his only real forey into sofware, nobody else could operate it, and they fired him after a manegment reshuffle, and then after the next scheduled shut down, nothing worked right, greasy dusty ancient screen with a blinking cursor was what they had, plugged into the important bits of a half sqare mile plant. still funny to think about!
https://annoyingpcb.com/
What you really need is one that chirps once every (multiple of) 20-28 hours (with weighting towards 23-25 to keep it roughly around the time you set it going and an infrequent skipping of a day.) Also with different volumes and, ideally, different chirps. Occasionally a double chirp just for extra insanity causing.
(A Michael Jackson "hee heee" would be another good option.)
After their stints in jail, the brothers worked their way back into the tech world. In 2023, Muneeb got a job with a Washington, DC, firm that sold software and services to 45 federal clients; Sohaib got a job at the same company a year later.
What in the actual fuck. I'm all for giving people second chances. But maybe some ringfencing?
Like... I think ex drugs dealer deserve a chance of legitimate employment, but perhaps doling out prescription drugs is best left to someone that doesn't need a "second chance" to demonstrate they're unusually trustworthy and unlikely to be tempted by the possible side incomes.
> “Smart idea,” said Muneeb.
Seems obvious they weren't destroying databases just out of malice (i.e. retribution for being fired), but in order to cover up something/s..
storing passwords in plaintext should be persecuted & having unlimited access to customer databases.
WTF?
The "after they were fired" sounds catchy, but isn't even the biggest failure.
This organization shouldn't be permitted anywhere near government, or any non-public, data/information.
It’s OK to acknowledge that economic migrants are a thing, and that they likely have only transactional interest in where they live, such as a Bengali construction worker in Dubai, for example. That’s just part and parcel of labor mobility. For better or worse, shareholders, or middleman representing shareholders, have decided this sort of thing is a really good idea in the US, and now around half the population falls in that bucket. It’s a free country, and freedom means being free to choose short term interests. That also means you’re free to support such policies because they are good for Blue-team redistricting so we can provide free healthcare to all 8 billion people in the world somehow.
But please, nobody becomes a Yankee by the mere fact of standing on the ground. If you want that pejorative title, then you need to earn it.
As opposed to...
In fact I’d guess they’re not, since they’ve been employed on government projects since a young age.
This does not mean they are from another country.
Hilarious in the context of this administration.
> When the company discovered Sohaib Akhter’s felony conviction, it terminated both brothers’ employment during an online remote meeting on Feb. 18, 2025
from https://www.justice.gov/opa/pr/federal-jury-convicts-virgina... which is a better source on this.
That prompts the question of why background checks are so lax that they were hired before this was discovered.
> However, an employer may ask about criminal conviction(s) after extending a conditional offer of employment (the employer can never ask about arrests or criminal acusations that aren't pending). An employer who properly asks about a criminal conviction can only withdraw the offer or take adverse action against the applicant for a legitimate business reason that is reasonable under the six factors* listed in the Act.
One of the six factors is "Fitness or ability of the person to perform one or more job duties or responsibilities given the offense"[1], which they probably could have invoked after asking (though they never checked or didn't check thoroughly enough, so I guess it's moot).
[0]https://ohr.dc.gov/page/returning-citizens-and-employment
[1]https://ohr.dc.gov/sites/default/files/dc/sites/ohr/publicat...
It should be a federal crime with prison time to make a DB for a federal agency and not hash and salt passwords or other auth credentials.
When I advised them that it was a bad idea to store password in clear, they answered that they keep it in clear so that they can send it when someone forget.
Defeated by such argument, I deleted my account.
Something bad did end up happening due to that lax security and there were oh so many meetings about it.
This is the sort of thing that makes me want to check out of the whole circus. Here I am, telling you ahead of time, and you ignored me
So how there's a circus that we could have avoided and not only do I get zero recognition for identifying the threat ahead of time, the people who ignored me keep their jobs and turn it into a zoo where everyone is scrambling in endless meetings
And I've seen it play out a few times. After a point, why bother...
I'd bet your account wasn't actually deleted, just marked as deleted or inactive.
Explain to me how we can have a transcript of a conversation without knowing whether it was in person or not. I'm baffled by this sentence.
I wonder how many government dbs store passwords in plaintext…
Also, these guys sound like sociopaths. I bet some of their peers felt constant discomfort and threat just being near them.
It's ridiculous that companies don't seem to care about ethics. They never seem to select candidates based on proven ethics. They don't even ask any such questions.
For example, I've been in at least 2 situations where I had the ability to inflict major damage to companies which had treated me very poorly and I could have legally gotten away completely whilst doing variants of 'the wrong thing' and profiting but I didn't do it because I have principles. Unfortunately it seems that few people do nowadays. Leaders are fooling themselves if they think they can completely factor out ethics and make it all about aligning incentives. Incentive alignment creates its own problems as this alignment requires constant maintenance and it's both expensive and detrimental in the long run. These people will tend to sabotage every aspect of their responsibilities which isn't directly measured... In order to gain leverage. It's not clever. It's crooked. Should not be rewarded.
My experience as a software developer is that managers alway have lots of blind spots and the wrong people will take advantage of all of them, even when it negatively impacts the company.
all with pardons waiting so they can't be convicted
they might not even wait a few years
still pretty gross of you though