Figure out who's leaving the company: dump, diff, repeat (rachelbythebay.com)
688 points by l0b0 8 months ago | 378 comments



I made epitaphs! AMA


The blog post mentions "Someone else who knew you had to add it", but this is not exact (or no longer exact). An employee can send an email to a special address with the content, and it will show up when they leave the company.

That's what I did. That said, I can't double-check to see if it worked. :)

Thanks for the tool, Evan!


You are both right. Originally you could not email, and like the OP I kind of liked the ceremony of entrusting someone with a message to send from beyond the grave. But someone contributed the code to make the email work, likely after the OP's time.


Laurent FYI it didn't work (FYI we interacted over the cider font size thing). I couldn't find you anywhere even though I know your ldap.


Ah, maybe I wrote the email and forgot to press send. :)

Well, you can update Epitaphs and add a link to "go/laurentlb". Thanks!


In what company, if I may ask?


It seems like Google from all the people who responded in this thread :)


Is it still going?

Were you ever made to change it by HR?

I left 5 years ago. Loved that thing!


It was still going at the time I left (~2y). Most of the work of keeping it alive had been done by others for the last decade, so I hope someone else is still carrying the torch.

We had the occasional HR interaction but to my recollection never anything nasty.


I'm still (poorly) maintaining it!


It was there when I left several months ago, so I assume so. Or maybe I shouldn't, they started shuttering a lot of these kinds of things after layoffs.


It's still there, just used it to see if I had guessed right on Rachel's workings (I hadn't). Thanks for making a very useful tool!


Just in case you meant otherwise, Epitaphs is not my tool, but I agree it is very useful :)


Why did you make epitaphs? Any interesting organizational or technical challenges you encountered on the way?


Initially it was a combination of just for the fun of it (it's a small script, as OP described). Secondarily there was the feeling of "everyone is going to go work at [major competitor]" and I was curious whether I could collect the data to show it. (I never ended up looking into this, but maybe HR did.)

As a dumb script it was not designed to be especially flexible. One thing I remember needing to fix was that by its nature it was archiving old data and preserving it, which meant that it was accidentally deadnaming trans people. My recollection is this was a small code fix, but an interesting lesson in social consequences of oblivious software.


Thanks for making epitaphs <3


I don't know what to ask you in a public forum, but it's nice to see your name pop up!


If you're going to run something like this, I thoroughly recommend using Git for it.

You can have your cron do something like this:

    curl https://internal.corp/employees.txt > employees.txt
    git add employees.txt
    git commit -m "Automated: $(date -u)" || exit 0

The || exit 0 should ensure no errors even if there is nothing to commit.

Now you have a commit history of every change made to that source of information - just run "git log" to view it.

I run this kind of thing on scheduled GitHub Actions all the time, see https://simonwillison.net/2020/Oct/9/git-scraping/


I do something similar but instead of `|| exit 0` I use `--allow-empty` on the `git commit`. I don't mind the empty commits this creates, as they let me know that there was a successful automated run that happened to be empty, rather than having failed to run for whatever reason.


Thanks for this, much more "intent revealing" than my (up to today) standard practice of `... || true` to keep my `set -e` from killing my script for this "error-but-not-really"


Maybe add a ‘| sort’ in there for determinism. But yeah, git is an underrated database for this type of small scale data.


I used your exact technique to start generating a diffable archive for the Finnish easy language news broadcast. It's been a huge help in gathering high quality comprehensible input for me, thanks!

https://github.com/hiAndrewQuinn/selkouutiset-scrape/


I've been seriously considering using Git for all sorts of oft-changing-but-rarely-majorly data. Lists of books in my bookshelves.

The other problem is that I sorta want transactional-database features on top of these things. Git does this well. I also want fast indexing on parts. Git does not do this well. I am considering writing a "standard" for the dumping of sqlite to git, so that I can just delegate this out; any transaction can be expressed as a git commit, and I can run both at once for both the durability and the reasonable indexing; the sqlite database can be re-created and reindexed whenever, and it also sorta works for backups...

Definitely just spinning my wheels, though. We'll see where databases take us next.


> oft-changing-but-rarely-majorly data

I think you're referring to SCDs, and there are plenty of well-defined ways to track these within relational databases:

https://en.wikipedia.org/wiki/Slowly_changing_dimension

Why git?


Would fossil fit this bill?

Somewhat git-compatible, based on sqlite3.


Specifically the fossil repo is a sqlite database.

I have a cron script stashing whatever is currently in an obsidian vault into a fossil repo. There's a fossil addremove command that makes that very easy. Thus distributed backups of said vault.


What does "somewhat git-compatible" mean? Can it sometimes use existing git repos, or is the mental model close enough to pick up without learning much?


> is the mental model close enough to pick up without learning much?

I would say git core concepts are pretty similar to fossil concepts, but actual plumbing implementation details are pretty distinct.

The major difference that I remember from a day-to-day "git porcelain" perspective is that rebases and other types of history rewriting are very discouraged.

For a Rosetta stone of somewhat comparable commands: https://fossil-scm.org/home/doc/trunk/www/gitusers.md

> Can it sometimes use existing git repos

You can, but it's kinda a lot of really slow busywork. And you lose some of the not-file-dvcs features of Fossil, but it is possible.

This page explains how: https://www.fossil-scm.org/home/doc/trunk/www/mirrortogithub...


In your git & sqlite setup, I'm not sure which way round you are thinking - which is the SSOT (Single Source Of Truth) and which is the handy cache.

I've been working on a tool that treats the git repo as the SSOT then lets you dump out all kinds of formats for data work including a sqlite DB. I haven't had as much time as I would like on it but it's at https://pypi.org/project/DataTig/


If anyone is coming in late, I have discovered https://immudb.io/ , which claims to be a lot of what I'm looking for. Transactional SQL database, indexed, yet immutable data and verifiable chains of transactions.



Dolt is really close and yet just doesn't feel right; I don't want to "commit" between transactions, I want every transaction to be a commit.



That's awesome. I will have to try that out.


A colleague of mine would do a sort of temporal-network analysis of this data to see which people either enjoyed working with (or for) each other or which did not, based on how people would switch groups over time.


Did s/he use the analysis results for anything? (If you know)


I'm fairly certain they used it to gauge future project opportunities as our work was often multi-disciplinary across departments. It was probably also useful for validating people's stories if they came up. For example, if someone wanted to switch into your group 'A' from group 'C' and they had been working on a project with X, Y, and Z, then you could get a strong sense of why they might feel that way.


That's clever, thank you! I will definitely use this.


  if git is-there-anything-to-commit; then git commit ...; fi

  'is-there-anything-to-commit' is aliased to '! [ -n "$(git status -s --porcelain --untracked-files=no)" ]'


I made a tool to track LDAP like that [0]. LDAP is a treasure chest of info and great for stalking. For some reason I find it fascinating to see people leaving, and if possible, see how long they worked there for. Seeing friends get fired via LDAP before they even knew about it was certainly interesting, too.

I noted in the readme..

    Know what's going on in your LDAP directory on-demand with Slack webhook integration.
    See new hires, leavers, and promotions as they appear in LDAP.
    Monitor when and what HR is doing.
    Detect unauthorized changes in LDAP.
    Monitor for accidentally leaked data.
    Detect when users are logging in and out of LDAP.

There's also LDAPmonitor[1] which is designed for Microsoft and Active Directory which does effectively the same thing.

[0]https://github.com/MegaManSec/LDAP-Monitoring-Watchdog

[1]https://github.com/p0dalirius/LDAPmonitor
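
As an added example (not part of the comment above, and not code from either linked project), this is how the dump-and-diff idea behind "Detect unauthorized changes in LDAP" looks in Python over two LDIF exports. The sample entries, the `parse_ldif` and `diff_snapshots` names, and the choice to ignore `lastLogonTimestamp` as login noise are assumptions made for illustration.

```python
import base64
import json

# Constructed sample snapshots (not real directory data), in LDIF form.
OLD_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
title: Engineer
memberOf: cn=staff,ou=groups,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
title: Analyst

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
title: Site Reliability
  Engineer
lastLogonTimestamp: 133500000000000000
"""

# Same directory later: entries reordered, bob gone, dave new, alice changed.
NEW_LDIF = """\
dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
title: Site Reliability Engineer
lastLogonTimestamp: 133600000000000000

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
title: Intern

dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
title:: U3RhZmYgRW5naW5lZXI=
memberOf: cn=staff,ou=groups,dc=example,dc=com
memberOf: cn=admins,ou=groups,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse a subset of LDIF (RFC 2849) into {dn: {attr: set(values)}}."""
    # Unfold first: a line starting with one space continues the previous one.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, dn, attrs = {}, None, None
    for line in lines + [""]:          # trailing blank closes the last record
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, None
            continue
        if line.startswith("#"):       # comment line
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                   # not an attribute line; skip it
        if value.startswith(":"):      # "attr:: <base64>" carries encoded text
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        name = name.lower()            # attribute names are case-insensitive
        if name == "dn":
            # Simplification: lower-casing stands in for full DN normalisation.
            dn, attrs = value.lower(), {}
        elif dn is not None:           # skips "version: 1" style header lines
            attrs.setdefault(name, set()).add(value)
    return entries


def diff_snapshots(old, new, ignore=frozenset()):
    """Return added and removed DNs plus per-attribute changes for the rest."""
    ignore = {a.lower() for a in ignore}
    result = {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": {},
    }
    for dn in sorted(old.keys() & new.keys()):
        changes = {}
        for attr in sorted((old[dn].keys() | new[dn].keys()) - ignore):
            before = old[dn].get(attr, set())
            after = new[dn].get(attr, set())
            if before != after:
                changes[attr] = {
                    "removed": sorted(before - after),
                    "added": sorted(after - before),
                }
        if changes:
            result["modified"][dn] = changes
    return result


if __name__ == "__main__":
    report = diff_snapshots(
        parse_ldif(OLD_LDIF),
        parse_ldif(NEW_LDIF),
        ignore={"lastLogonTimestamp"},  # assumed volatile: changes on login
    )
    print(json.dumps(report, indent=2))
```

Because entries are keyed by DN and values are compared as sets, reordered exports, refolded lines and base64-encoded values do not produce spurious differences, which is the same determinism concern the `| sort` suggestion addresses for flat text dumps.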


Layoffs in the WFH era are weird. Back in the day you had a pretty good idea of who got laid off because you saw them walking out the door with a box of their stuff. You could go up to them and say, "hey let's meet at $local_watering_hole and hang out". You could swap contact info if you didn't already have it.

You could get closure.

Now, one day a bunch of people just stop replying to email. You have to wait a while to figure out if they are actually gone or just busy. And if you're waiting on them for some output to work on your project, they may just never deliver and you won't know why for a while.

The company directory, if there is one, often still shows them for 60+ days because of the WARN act. And it seems most companies won't make a "layoff list".

It's really hard to get closure if they won't even tell you who got let go, and if they don't give the people a chance to say goodbye by cutting off their access before telling them they are laid off.


Watching people’s accounts go into deactivated status in Slack with no goodbye is sad.

The most toxic boss I ever worked for would request access to former employees’ Slack accounts under the guise of looking for data to transition their job. Their accounts would periodically go green when he logged in as them. Spooky to see ex-coworker accounts go green and know the boss is scouring their private messages.

I know companies can get slack messages anyway, but seeing your boss do it in real time is extra creepy.


One company I worked for used to have an unofficial “ex-company” slack setup, where people would get invited to by others that have already left and were in there, it was kinda nice since you form bonds with people and suddenly they’re just gone. You might have not managed to connect with them in any other form. But you login to “ex-company” slack workspace and here they are - everyone that went through the company. I mean lots of people would stop responding after a while, but there was enough time “buffer” to allow people to connect with other means.


I am in a Discord full of people that all got laid off from the same place in 2019 (I actually left on a Wednesday for a new job, and everyone else got their pink slips Friday that same week). At first it was pretty lively, as you can imagine, but it's settled into a wonderfully cozy online space and I'm so glad I'm a part of it. It's good to have connections to people with whom you have shared experiences but no real ongoing professional relationship (these are called "friends"). It's also good for networking, since we're all in the same industry. In some ways it just feels like a continuation of the Jabber rooms we all shared when we worked together, but it's also something more.


I am a part of one such group! It started as a WhatsApp group for all ex-employees, but has now morphed into a discord server. It's a great way to remain connected to friends you make at work, and recently, it has also become a way to share job openings to your network to help laid-off people.


Anybody have connection to the ex-google one if there is? I just left and didn't see it referenced in any of the leaving guides.


Leaving guides? I imagine a pamphlet.

"We wish you well on your departure; as you embark on new adventures you're about to open your eyes for the first time.

This may be a shock to some of you as you may discover that the world is more dystopian than you may have seen from your altered reality mind-implants.

We would like to thank you for your service as a tool at the corporation."


"Handbook for the Recently Terminated"

As long as it doesn't read like stereo instructions ....


You could rewrite Plato’s Cave for some companies, especially the insular ones where there’s some culture shock when you get into “the real world”.


Plato’s cave needs to be rewritten anyway

time to just acknowledge that it's an overly long arduous convoluted setup that can be vastly simplified for the message it creates


if Plato's cave were rewritten today, it would probably be from the perspective of the cave


Tempt me with a good time lmao. "Imagine someone spends their entire life in a dark room with only an ebook reader..."


https://xoogler.co/ has a xoogler slack


This seems common now, I’m part of two such groups and it’s a nicer experience than trying to keep up via LinkedIn.


Only a recruiter would think keeping up on LinkedIn would be the route to take


> One company I worked for used to have an unofficial “ex-company” slack setup,

More than one for me.


Fortunately in Europe what the said boss did is illegal and this can end with a criminal prosecution.


The rules on this vary across Europe, though broadly speaking accessing an employee's mailbox is “something you only do after speaking to legal”.

The patchwork of national laws and national interpretations of EU regulations is quite interesting, and rather confusing especially if you do offensive security work or DFIR.

As an example, when doing consultancy we would do the usual phishing as part of an assessment. Usually this is followed by dumping the users' mailboxes to look for further credentials/access to corporate resources (eg: are they emailing passwords around?) - but in some countries such as Germany that’s often explicitly ruled out due to fear of breaching privacy regulations.


> The rules on this vary across Europe

Not really, ECHR has already ruled on this.

It's pretty much only allowed if there's an important reason for it. For example, to recover something invaluable (contract, code, report) that isn't available somewhere else and cannot be replaced. In that case that's also the only thing that the employer can look for. They can't open obviously unrelated e-mails. So before talking to legal, make sure you have a valid reason.


What mechanism is there to prove who looked at what emails? And who would be there to enforce it, especially at a small business?


Difficult, very difficult indeed. As with most corporate and white collar crime, the investigation rate is extremely low. That being said, worker councils and unions. The former has to be involved in these things, if they exist. The latter pushes for the former.

That is valid for Germany.


There really is none. A smart company would work with the 4 eyes principle though (still no guarantee).

However, if a company does find an unrelated e-mail they want to use against you (which is what most people fear), that makes them liable.


What? First, Europe isn't a single country and there are large differences between legal systems.

Second, what you said is just plain wrong in at least one. In France (which is known for strict worker protections) the employer can go through any employee's mailbox or files on their work computer/account provided 1. that the messages/files in question aren't clearly marked as personal 2. that the conditions for the access are laid down in advance with proper notice. When an employee is let go, they need to be given time to empty their mailboxes etc of private correspondence or files. https://www.cnil.fr/fr/lacces-la-messagerie-dun-salarie-en-s...


I had some DM’s which were of personal nature that were rifled through after a contract ended. How do you "clearly mark a DM as personal"? It was creepy, and further illustrated that anything you say in Slack can and will be viewed by the whole company. If not literally, then that’s how you should treat it.

You might be right that it’s not illegal, but it would be nice to have those kinds of protections. Trying to talk to anyone at work in the WFH era is a field of landmines, because you never know at any given time whether what you say will make it back to the person you’re discussing. Discussions like that are a normal and healthy part of socializing with coworkers, and it happens at every company. Except in the WFH era everything you’ve typed is a permanent record, whereas previously you’d be able to say something to a coworker without worrying that someone else will someday hear it.

But, it’s a new era. It’s easy to adjust. Just don’t get personal at work. It sucks, but work is designed to suck, or else it wouldn’t be work.


The way this was communicated to me in the past was "don't say/write anything using company resources that you don't want to see on the front of <insert major news publisher>". All communications on employer-operated platforms are subject to discovery.

Senior leaders tend to skirt this by using the telephone or video calls predominantly. However the infiltration of machine learning and AI means transcripts of calls, etc are now possible too.

In addition, the growing use of "disappearing" messages despite litigation holds has come up in more legal cases recently.


A video call on a company account isn't ironclad but, unless you're discussing something actually illegal, it's probably good enough for most purposes. Maybe not as good as personal cell phones or in-person, but a lot better than anything written--especially on company systems.


That seems like it would be a much larger constraint than you're making it out to be.


> anything you say in Slack can and will be viewed by the whole company. If not literally, then that’s how you should treat it.

Anyone thought otherwise?


Most large companies will tell you two contradictory things:

First of all, they'll tell you that even the most junior helpdesk workers can remote onto your machine, reset your password, disable your 2FA, and monitor all your web browsing and chat history.

Second of all, that this unannounced product, this not-yet-filed patent, this big planned layoff, this prospective hire background check result, these upcoming financial results, this employee's reason for needing medical leave, this pentest result document, and this forthcoming change to pricing are Strictly Confidential. You shouldn't discuss them even with your own boss, unless you've first confirmed they're on the need-to-know list, and that certainly doesn't include level 1 helpdesk workers.

Most large companies, to address this contradiction, will say access is possible but rarely used, tightly controlled and carefully audited.


It is still strange to me that:

1) people think that anything sent on an employer system isn’t visible to the employer

2) people send private DMs from work accounts


In private DMs?


In company Slack?

Private != personal. At least I never ever imagined one could even assume DMs on work IM are personal private conversations. They're organizationally grouped as chat between two accounts, as opposed to group chat, but they're at work, for work, using work-provided tools...

Or put another way: why would anyone consider work Slack to be different in this regard than company e-mail? Much like with e-mails, the difference between DMs and group chats is whether the number of participants is > 2.


I guess the cognitive dissonance is that I used to be able to say things to a coworker in-person which wasn’t recorded and tracked, using my voice. This was always a normal part of work, and I didn’t give it a second thought until it was gone. Nowadays it feels like someone is constantly standing over your shoulder whenever you’re at work, and there’s never a private moment. This is especially strange during holidays, since personal conversations tend to spontaneously happen around those times.

You’re right of course. I just wish we had something to fill the void that was left by in-person interactions vanishing. I think I’ll be doing WFH pretty much the rest of my life, and I absolutely hate going into an office in general, but there are definitely some aspects I miss. Being able to chat off the record with a coworker is one of them.


That's funny, because as someone who has worked mostly remotely, I consider the recording of every chat a feature. For example, I have been able to use this to figure out why code I wrote a decade ago is the way it is.


Call! Yes, most communication can be done with chats in slack or teams, but take the excuse to call and chit chat a bit before getting down to business.

Unless all calls are transcribed and recorded, it’s pretty “watercoolerish”.


At that point, the bigger risk is that someone repeats something to someone that you wish they hadn't. But I've had that happen with an in-person conversation.


What the said boss did sounds to me like impersonation, which is not only illegal, but a crime. Accessing records kept on company assets is one thing, logging in to someone's account in a communication software is another.


> Europe isn't a single country

Correct, but it does have a single ECHR. Even though some countries still ignore them.


What ECHR principle are you referring to here?


I agree with you, Europe has different countries and some of them are not in E.U. so different rules may apply. However, since France is in E.U. what you describe should be illegal. The article you refer to is 15yrs old btw....


The "article" is published by the French data protection authority. They update them when regulations change. They didn't update this one. Make a deduction, now.

> However, since France is in E.U. what you describe should be illegal.

What's the regulation or directive you're talking about?


It's completely legal in the US and often mandated by regulation. In some US industries, even your phone calls are recorded by law.


You can’t get private Slack messages easily if you don’t have direct access to the account. There is an audit feature on the Enterprise version that allows it, and you can appeal to slack to open the messages due to a crime or similar - but AFAIK on the normal plans you are out of luck if you want to read private messages as workspace owner.


Request access to former employee’s corporate email and reset the password.


Hah, that would be the trick wouldn't it. My old manager used to get all of his former employees' work emails forwarded to an account he had access to. Ostensibly it was a precaution against accidentally missing anything critical from a vendor or partner.


Yep. That’s how it happened for me.


Ouch. My takeaway is that I should probably delete my slack account before leaving the company.


The takeaway is that no message on Slack should be considered private.


I'd extend that way beyond that, to anything done on a company system/network/device.

If you need privacy, use your personal phone (and don't connect it to the company wifi)


Why would anyone consider a company provided messaging service as private? Or even a company provided laptop, cellphone, etc.


People have terrible opsec.


Because private messages carry an expectation of privacy.

They're different parts of speech from the same root word, after all.


The only expectation of this is in your head. It is a fantasy that doesn't exist.


I know that legally, employee data has no expectation of privacy. But I'd like to gently push back here.

The word "private" means "having privacy" in the normal, everyday sense. Using that word to describe something that isn't private is lying. You and I both know there do exist many people who suffered consequences for not understanding the definition of that word.

In my opinion, the ethical thing to do is to use a different word when no expectation of privacy applies. And the upside is powerful: transparency gains trust.

Slack did this well: they call them "direct messages".


There’s no legal obligation of privacy on a work system though. Not in the US at least.


Slack keeps those messages even if you delete the account when you leave. It's a data retention setting.


Deleting company data before leaving probably won't end well.


The correct mental security model here is “if you used an account on a company issued laptop/phone/any hardware” == “the company technically already has or can get access to the data”. There are so many ways for a company to do that.

Granted, some of these ways might be legal or not depending on jurisdiction, but then lots of companies will tread or cross the legal fine line if they are happy with the risk/benefit trade off.


And all but extremely early startups or cheapskate companies have the Enterprise version.


I haven't checked in a while, but I think there's also an API for it too.


I think admins don't need to log into an account to see private messages. Was like that at two of my previous jobs.


It’s usually an additional step as admin to access messages, but “login as” can be easier/simpler.

Learned that Office 365 now has a “login as” for email which is convenient for setting out of office, deleting calendar invites, or email snooping.


Wow, that is creepy.


> Their accounts would periodically go green when he logged in as them.

The new dystopia will be when an LLM steps in to reply like them.


We tried at first, but we were so overwhelmed by the rate of deaths from the earliest moments of the pandemic that the org couldn't keep reporting them. It was a demoralizing effort for HR to try to put something, even a few words together for everyone, and it's left a lasting pallor where vibrant personal touches once were. People continue to vanish, and there's still no notice that, or how, they've moved on.

Our General Counsel and I met for the last time during the early months of the pandemic. Like most people during the shutdown, he hadn't seen anyone outside his immediate family or had a chance to tell a good story in a few months, which would have eventually killed him, anyway, and I got an earful as he unloaded all the work he was wrapping up. After, as lawyers excel at, he wrote a great letter to our CIO about it that led to probably my favorite exchange between us.

Six months later, someone called me to say they were headed to Legal because someone had died, and I was struck by an immediate sense of dread. I searched our website for any word, then our directory, and then for local obits and found nothing. Even the grapevine was silent, so I called his admin who pretty casually told me our GC had died six weeks prior.

Almost a year to the day later, the mechanisms caught up, and the org put out a "Remembering $generalCounselor". By then, we'd missed his funeral, his family had relocated, and many felt awkward trying to send condolences so late. Watching others' surprise, shame, and sadness wasn't reassuring, even if it told me I wasn't the only one.

We're not small, but we're personal, and each death has left a little void that we collectively haven't acknowledged or addressed. We still don't have a way to handle the losses and haven't talked about it. Having old saved contacts pop up after their extensions are reassigned is inevitably like a call from the grave. I try to keep in touch to keep track, but little by little, the connections are fading, and the memory and history of us with them.


> rate of deaths from the earliest moments of the pandemic that the org couldn't keep reporting them

Truly sorry for your collective loss, but where/what industry did you work in where this was a significant number?


Public sector in one of the earliest hotbeds, with a large vulnerable population across several demographics.

Think, a city, and it swept through us like it did the hospitals and nursing homes.


Healthcare would be one place where a very large number of workers died.


It's one thing I miss from the work from office lifestyle - the more human connections. People stopping by your desk to chat about life, the joking - I'd never laughed so hard in my life. Closer connections in general, and being sad when people left, but happy when they were for greener pastures.

WFH feels so sterile and impersonal in comparison.

I've been WFH since 2015 or so, so this isn't a RTO endorsement, just reminiscing.


This really highly depends on the people that you work with.

At a previous employment (a 100% WFH position) I had most of my colleagues in India, roughly 4 time zones away from my own so we almost never met in person, and we'd have personal chit chat sessions while working.

Then I've worked with people who weren't present even when you were sitting right next to them. They'd come into the office, say "morning", put on their noise cancelling head phones and be gone for the rest of the day (modern open space office life in a nut shell).


That's of course true, but then there's a large group of (I assume) introverts with whom it's kinda difficult to get close with, but once you do, you can have a great relationship with them. It's an order of magnitude harder problem to break ice remotely with such people.


Speaking as one of those introverts, it's actually much easier for me to get to know people over video calls than it is in person, at least if there's an actual task at hand.

In-person I tend to be a little more no-nonsense, whereas over video calls I'm sitting comfortably at home with a cat in my lap, already relaxed and much less uptight as an emotional starting point.


I mean, I love working without headphones in a room with 4 people in. I detest it in a room with 100.


Until the pandemic, we would regularly eat lunch together somewhere. For years, this was a standard routine in my life. It was a perfect way to get a feeling what others were doing, what the problems were, how the general mood in the team was, what was going on in their lives. I invited everyone to my wedding during lunch. I told them I was becoming a father during lunch. 2 people told us they were leaving during lunch.

In the beginning of the pandemic, we even switched to cooking at the office kitchen. Now there are only 2 people left on the floor, and eating lunch has stopped completely. Most of my colleagues I only see 1 or 2 times a year (Christmas party and work stuff that requires physical attention).

I noticed that it is much harder now for people to integrate when they are new. There is no real forum left for beginners to ask dumb questions they would rather not see in some chat log.


> There is no real forum left for beginners to ask dumb questions they would rather not see in some chat log.

this is a key point; employees who have been together a long time can easily switch over to maintaining that same level of connection while WFH (I've experienced that). But it's very hard for a "new guy" to integrate if s/he has never interacted, or only occasionally, with their coworkers in person.


There is nuance to this as well. The company size and culture make a dramatic impact. I recently joined a small company which is fully remote. Everyone has been helpful and supportive as I have been onboarding.


Most of what I read about people missing offices makes me think "gee, I'm glad I don't share an office with that person."

But I do miss lunches. Even the loud, obnoxious people are much more tolerable in that context.


I miss that too. Some of my best friends are former co-workers. Especially from when I was younger and we spent nearly every waking hour together either at work or at a bar after work.

I don't miss it enough to want to go back to an office though!


The way I see it I go to work to exchange my skills for money. Often that involves working with others, but I’m not there to socialize and make friends. I have friends.

So given that outlook, WFH seems just kind of more “pure.” It’s distilled work, unencumbered by phony pseudo-friendships and awkward water cooler chit chat about sportsball. When we start a zoom meeting I can just launch right into the agenda without having to do that offtopic pre-meeting banter ritual. To me it’s work without waste. I feel like with WFH I get more done per hour and that means more time for me to do what I enjoy: things that aren’t work.


I also have friends, but I rarely see them on workdays. Having other people around me on those days feels good, I don't like being alone for several days. I totally can do and have done that, but I prefer to not be alone.

Additionally, my colleagues and I share big parts of our life: every damn workday. None of my friends are capable of talking as long and nuanced about things happening at my workplace. They don't really want to hear emotional rants about bullshit projects because they have no way to relate to those feelings.

But I want to rant about bullshit projects and thankfully, I have colleagues that like hearing such rants from time to time, as they totally can relate. When I am mad about some shit, start talking about it and they ask "oh, was that XY who said that?" and it totally was XY, that is comforting.

I have friends, yes, and I don't need to meet my colleagues after work. But I still have healthy social relationships to them.


Man, I have different friends than you. I have listened to a friend rant for 3 hours about a BS project at a company I haven't worked at. Another friend ranted over weeks and I wasn't even in the same industry.

I talk to my friends during the day. I'm lucky that we're all remote, but honestly even my in office family members can chat sometimes at work.

When I was in the office, I rarely connected with coworkers. I was often the youngest and/or just not in the same life stage. I could exchange pleasantries and that was about it. I have a grand total of 2 friends from work after over a decade of work across several companies. My social life is still vibrant outside of that.

I don't even understand where people think you can't connect to people WFH. I just had an hour long chat with a coworker about nothing at all. Sometimes people just need to chat about nonsense and VC people. People seem to be afraid of that, but I don't see why. We can work and talk. We did it in the office.


So when you've earned your f-u money you stop showing up for work?

That's not what we see in practice. Most people with a sudden windfall (stocks, lottery winnings etc.) keep showing up for work. Because how else would you stay socially meaningful in our society? Nobody really wants to sit at a beach sipping drinks the rest of their life, accomplishing nothing.

There is clearly a social aspect of work, at least for the majority that we can call socially functional. And it's at least as important as getting paid. Work is also a social role, and it hurts many people if they are left out of it. It's not easy.


> So when you've earned your f-u money you stop showing up for work?

Yes. Absolutely 100% I am looking forward to it and counting down the days.


Absolutely, there are plenty of ways to be social, on my terms, with the people I choose. If I didn’t have to trade my time for money there are plenty of ways I can fill my days without corporate bullshit.


This is one reason why playing the lottery [even if once] has some positive value.

It forces people into a thought experiment on what they would do if they didn't have to work.


> Nobody really wants to sit at a beach sipping drinks the rest of their life, accomplishing nothing.

Speak for yourself.


As someone who has enough social interactions and friendships outside of work I am very happy with this attitude. My co-workers are not my friends and I'd like to keep it that way.

Indeed, nowadays I have seen many articles publishing that it is an even more prominent idea with Zoomers entering the workforce and having a clear boundary between co-workers and personal outside-work friends. The companies actually do not like this because this means that those people have literally 0 loyalty to the company and only care for the money. Which is shocking, I know. /s


The lockout always struck me as dumb and I didn't do it as a manager.

If I trusted them for the 3 years they worked for me, I can trust them for another week or two.

Tie up loose ends, take your time. We're all adults here.

I understand that under the worst circumstances bad things can happen but that's always the case.


I worked at a large web dev company and for years they had this attitude.

Then one designer put in his two weeks and spent the majority of the time downloading all the site files for all of the sites the company had built over the two years he was there. We're talking hundreds of static sites where he took all the design docs and static HTML/CSS/JS files one would need to recreate them somewhere else.

Instead of going after the guy legally, they passed and then instituted the same policy. You put in your two weeks? Nah, you're out the moment you hit send on that email. Manager alerts security, who then come over to your desk. You get your jacket and whatever you walked in with and get walked out. The one designer totally ruined the company from ever letting someone stay for their two weeks.


Anyone could have done that at any time. The two weeks isn't magic.

It could have been unannounced and they just stop showing up.

You either trust your people or you don't. If you don't, get rid of them and lock them out. If you do and you still have to let them go then don't worry about it.

People are far too inhuman in professional relationships and I strongly dislike that tendency. You likely spend as much time with your colleagues as your spouse, make it a real connection.


I think it’s a scale thing, honestly.

Yes, most reasonable adults remain reasonable even after being fired.

But once you hire a thousand, ten thousand, a hundred thousand people… statistically there are gonna be some wackos you didn’t filter out!

It’s tough. I agree that treating each other like humans is the best policy.


Of course it increases. That's why you have permissions and guard rails on the employees in the first place. Those should be sufficient.

Also if you want to work with the people you like again but need to actually downsize because of external pressure, good luck trying to get them to come work for you at your next venture after some fucked up bridge burning ceremony.


You also have the situation where the boss usually KNOWS who might do things that he shouldn’t - but you can’t have policies that only apply to some, so they get applied to all (there are still unofficial ways around this, of course, like letting someone know unofficially before they’re officially laid off).


But once they receive the bad news, their motivation for revenge increases, which is why similar policies exist in many workplaces. Trust isn’t a univariate, piecewise defined function like you suggest.


I think people in general are a lot better about being fired if it doesn’t happen at the drop of a hat. Unfortunately in the US it seems like you can go from gainfully employed to jobless in the space of an unfortunate 10 minutes. That’d piss me off too.


Right, if you're being a dick then sure. I'm advocating for not being one in the first place. That's the challenge.

If you can't meet that use keycards instead of keys, voip instead of real phones, lock file cabinets, I mean go all the way.

Corporate America loves pretending. Pretending you're part of the family and then treating you like you're trying to rob the place at the drop of a hat.

That's the messed up thing. Be consistent and don't be fake. People can deal with you for being overly formal and paranoid but probably not for being a phony backstabber, that's how you grow haters.

The hardest thing for a brand to shake off is a bad reputation, whether they justly deserved it or not. You don't want haters in the Internet age.


> We're talking hundreds of static sites where he took all the design docs and static HTML/CSS/JS files one would need to recreate them somewhere else.

You make it sound like he poached your clients or extorted your company. As they didn't go after him legally, I assume that didn't happen.

I assume all the files are on a thumb drive in his drawer, unopened, just in case he wants to remember how "that cool animation" was implemented. And when that moment comes, he will not find the thumb drive, anyway.

And all that security charade will accomplish is that people who care enough about their work, will make a copy the day before they quit. Congratulations, your policy achieved nothing, except get rid of their two weeks notice and everyone feel a bit worse working for you.


Designers also need to show portfolios. Hard when your work is all behind some corporate firewall.


One thing I noticed is we got in the last few years a lot of stories of the form "Adobe donates Photoshop 1.0 source code to Computer History Museum, saved because early programmer kept it on a floppy disc in his house". Or games especially we get a lot of this.

It feels like if an employee did this with modern projects, they would at the very least be summarily fired, if not have legal action taken against them.


These days, we use centralized source control, instead of emailing zip files and patches back and forth. Having all the source on a random piece of media was a lot more normal back then.


I don't know the details but so long as it's not some top secret IP, taking copies of various work you've personally done seems pretty reasonable. Good idea to do it periodically as you go along though.


> You put in your two weeks? Nah, you're out the moment you hit send on that email. Manager alerts security, who then come over to your desk. You get your jacket and whatever you walked in with and get walked out.

This will work for the first 5-10-20 people, then word of mouth goes out about this policy and your evil designer is downloading everything the day before sending their resignation mail.


Or “your sales guy is making a little backup of the leads from the CRM before handing in notice”.

Though with sales orgs I think this is almost an expected practice - sales people are often hired on the tacit, never officially acknowledged basis that they will bring their leads list.


Years ago I got a job through a recruiter, left company A for B. She called me after a few months and asked me for the Company A internal directory - which I declined to provide and she got kind of nasty about it. Maybe ten years later I was at company C and my manager mentioned hiring a recruiter - same person. I mentioned our previous interaction (not out of spite, just a naive narrative) and they stopped working with her immediately. My point being - your behavior has a long tail, so don’t be trying to take advantage.


People asking for company directories amuses me so much, especially when most company email patterns are completely guessable.


it's more the name and the org chart?

maybe the phone number too


> The one designer totally ruined the company from ever letting someone stay for their two weeks.

No, it's the over-reaction by whoever instituted that policy that ruined the company. They should've cut their losses and ignored the outlier, perhaps made it a tad more difficult to copy off data en masse without being noticed, and/or done many other things addressing this risk without ruining the workplace for everyone else.

This is the organizational equivalent of autoimmune disease. Works at every scale. On national/international scale, this is what terrorist organizations are exploiting - do an X amount of damage that may even be counterproductive to their goal, and watch the victim do 1000X damage to itself by overreaction.


> You put in your two weeks? Nah, you're out the moment you hit send on that email. Manager alerts security, who then come over to your desk. You get your jacket and whatever you walked in with and get walked out.

The only thing that that accomplishes is that people don't put in any notice.


In the UK, and most European countries, locking someone out during their notice period is really rare. Big companies exist and are not destroyed by disgruntled employees.

If someone is fired for cause then they go immediately, but if they are given notice then they are usually trusted with access, and it rarely goes wrong.

Stealing IP is rare because it's hard to benefit from it. If stolen IP is offered to another company, usually they report it to the owner to cover their backs legally. Funders are not going to want to invest in a company that is based on stolen IP, where their investment can become worthless overnight.

So I think these stories about how 'we have to treat employees like they are potential criminals' (not accusing parent of that, but you hear them) are bogus. Treating people like human beings is both right and economically efficient.


Get a DLP system in place for god sakes. I’ve even seen off shore people work from VMs only where they can’t download or store any file locally, much less dump everything to a USB stick.


Top search result is from Gartner: alarm bells ringing. Data loss prevention seems to be enterprise speak for doing as much intrusive monitoring as you can do, in as neutral speak as possible.

1984 is so appealing for so many people, it seems like it is just a book about the tendencies that power can take when it is not guided by sane principles. I have always been employed in a high trust capacity since I was a young adult, there is not a technically feasible system in the world that could prevent me from wreaking havoc in a company. Social ones though, they are extremely effective.


Every so often a client asks if we are using a DLP, and if not, why not.

All the DLPs rely on, effectively, regular expression searches of traffic.

This is fine if what you need to protect are SSNs, phone numbers, credit card numbers... but if your data is not easily recognized that way, they don't work.

If you ask the DLP vendors about their threat model -- and the salespeople generally don't know what a threat model is -- it's always a set of stories about a salesperson who clicks the download-as-CSV button on a CRM system, a DB reporting specialist who generates a report full of raw passwords and credit card numbers, and an off-shore programmer who sends AWS credentials via email.

Hopefully you can spot the non-DLP prevention mechanisms for all of these...
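The pattern matching described in the comment above, as an added example that is not part of the thread and not any vendor's product: a small content scanner that flags SSN-shaped strings, Luhn-valid card numbers and AWS access key IDs, and returns nothing for a document whose sensitivity has no recognizable shape. The regexes, function names and all sample inputs are constructed for illustration.

```python
import re

# Patterns for data with a recognizable shape (constructed for this example).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# AWS access key IDs: "AKIA" followed by 16 upper-case letters or digits.
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list:
    """Return (kind, matched_text) findings for one piece of content."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # regex alone would flag any long number
            findings.append(("card", m.group()))
    for m in AWS_KEY_ID_RE.finditer(text):
        findings.append(("aws_access_key_id", m.group()))
    return findings


# Constructed sample content. The card number is the common test value,
# the SSN is a well-known invalid specimen, and the key ID is the
# placeholder used in AWS documentation.
SAMPLES = {
    "crm_export.csv": (
        "name,ssn,card\n"
        "Alice Example,078-05-1120,4111 1111 1111 1111\n"
    ),
    # Card-shaped but fails the Luhn check, so it is not reported.
    "order_note.txt": "Order reference 4111 1111 1111 1112 shipped today.",
    "email_body.txt": "Use this key for the deploy: AKIAIOSFODNN7EXAMPLE",
    # Sensitive to the business, but nothing in it has a matchable shape.
    "design_doc.md": (
        "Q3 roadmap: retire the legacy billing engine, move the enterprise "
        "tier to usage pricing, acquire a regional reseller."
    ),
}


def scan_all(samples: dict) -> dict:
    """Scan every sample and map its name to the list of findings."""
    return {name: scan(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, findings in scan_all(SAMPLES).items():
        print(f"{name}: {findings if findings else 'no findings'}")
```
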


> Hopefully you can spot the non-DLP prevention mechanisms for all of these...

What is it?


What does any of this have to do with theft? In most lawful places, if you dump source code and documents to take with you it’s not going to end well.

https://www.cnbc.com/amp/2020/08/04/anthony-levandowski-gets...


If you really want protection you don't want a DLP, you want a (limited) air-gap.

Basically the machine is not allowed to access the internet and USB drives do not work. Only specific locked down applications like the email app, web browser, and so forth have internet access. Downloads are allowed but uploads are not.

A permissions interface is available for say legitimate transfers of data to a flash drive or a web upload, in that case the user will have to add a valid reason and the specific files into the form. Once that's checked and approved by a higher-up the files are temporarily placed in a special folder that permits transfer out. The same thing goes for external emails that aren't on a whitelist, they'll need approval before they get sent.


If you're running a VM you're storing the whole state of the VM on the host machine, there's nothing technically stopping you from copying all the data, and worse, there's no way to even know that it happened.

What VMs are helpful for is cross-contamination and spyware attacks from other clients a contractor is working for.


> I’ve even seen off shore people work from VMs only where they can’t download or store any file locally, much less dump everything to a USB stick.

Sure, they can't do any of that, and development becomes miserable. You don't have to go full VM and remote desktop to prevent those things.


But what would prevent someone from "downloading files" BEFORE they send the notice?


So what stops people making their “backup of files” before hitting send on the email?


...so now people who want to do that just copy everything before sending the email?


This may be the only time I ever say this, but thank god for LinkedIn. At least you know you can always catch up with someone who has left


Assuming they have LinkedIn and you bothered to connect while they still worked with you. :)


idk I added a lot of people after I quit my last place


First part is personally solvable, and as for the second part: you can still add them if you know their name.


Between jobs is the only time you touch LinkedIn, lest HR sees some activity on your profile and buckets you into an "actively job-searching" risk group.


Conversely: being in that “risk group” can, in many situations, be extremely useful when it comes to negotiating raises.

May depend on your job market, but it’s a pretty normal tactic for a lot of people I know.


> lest HR sees some activity on your profile and buckets you into an "actively job-searching" risk group

well.... yes? HR considering you "at risk" is a pretty good thing :)


Like the rule of modern tank battles goes: first one to take the shot wins.


In the company I knew, it’s usual for people to send an email telling others “hey, it’s my last day, thanks for all the memories. Here is my contact info if you want to.”

Other colleagues would also usually organise a virtual envelope with money inside to wish you farewell.


We had biweekly team videocalls, so I just announced my last week in my last call.

I find it hard to imagine you have no such contact at all, or that you would say nothing in those meets. You are planning work every now and then, aren't you?


>You are planning work every now and then, aren't you?

In the past, I've tried to give key people on longer-term projects I'm working on a heads-up. But I trusted them and it was longer-term. At the end of the day, I'm not going to let the word out before I'm ready if I'm worried it has the potential to bite me financially, e.g. because of vesting.


In a large enough company, the experience will be exactly the same even if you do go to the office. It might take weeks or months before you have a reason to reach out and finally realize that you haven't seen someone around for quite a while. And "large enough" is surprisingly small.

For close colleagues leaving, WFH makes absolutely no difference though. Those you keep track of regardless.


I regret to have had a recent opportunity to notice that MS Teams shows an empty status icon for deleted/disabled accounts. Their documentation describes it as "status unknown": https://learn.microsoft.com/en-us/microsoftteams/presence-ad...


My family's chat server still shows "Offline" for the account of a deceased relative. Like yeah... they're pretty well offline.


The user was disappeared


Yeah I actually asked for a few weeks ago when we experienced 10% cuts and I was told they won't share one because of privacy reasons...

But we were seeing the list of deactivated slack accounts crop up slowly anyway.


I work at a large corporation. Most of the people have transitioned to WFH now.

At least five times I can say I had no idea someone had been laid off or sacked until weeks later. I just assumed they were on PTO or something, and then in the middle of a meeting, I'd say something like, "Yeah, where's James been, I haven't seen him online for a few weeks now." Then the manager would chime in and say they got laid off or let go several weeks ago and they were waiting to announce it to everybody.

Twice my director had a meeting with the team and forgot to include myself and two other devs to announce someone had been let go - which is scary AF when we're all on Teams wondering why they just randomly left us off the meeting, which then made us all paranoid AF for a few weeks.

The whole process with laying people off or people getting sacked has just been handled in such a ham handed way, it doesn't inspire confidence at all, and people are constantly looking over their shoulder when a team loses people and have to pick up the slack immediately.


Office layoffs are weird too. A friend worked for Oculus. One day they went to lunch and the manager muttered something quietly about the whole team being laid off then ran off. A team of like 10-15 people had to stand outside and wait for security to bring out their stuff. Sounds pretty awkward.

Another large company I worked for sent out random meeting with the CIO, if you got the meeting you were laid off. At least the CIO did it himself.


I've seen a company during WFH let a laid off employee (who asked) keep their access for an hour, to post a goodbye message.

It's not good practice for all situations -- you need some trust, despite the stressful situation, when people tend to show character and weaknesses -- but in this case, it worked out.

The departing employee posted a message of encouragement to the remaining people.

Kind words and contact info were exchanged, etc.


You can get nearly the same result with less trust: let the employee draft a goodbye message and have the boss (or so) forward that to the other employees.


> A man moves from East Germany to Siberia, where he knows his letters will be censored. He establishes a code with his friends: anything written in blue ink is honest and true; anything written in red ink is false and only there to get the truth past the censors. A month goes by and the man’s friends receive a letter written in blue ink: “Everything is wonderful here. Stores are full of good food. Movie theaters show good films from the West. Apartments are large and luxurious. The only thing you cannot buy is red ink." [1]

[1] https://www.guernicamag.com/tomas-hachard-the-red-ink/


That's a very old joke, though I think I usually heard it as a Yiddish joke.


Good idea. Though I think the fact that they trusted the departing person, and the departing person delivered -- if it plays out that way -- is a much more positive message than effectively implying that the company didn't trust the person.

The company letting a manager relay a message, with any censoring, is certainly better than the person having no way to get their contact info to people, and they might also say something nice for morale.


You are right that the other way sends a stronger signal.

My suggestion was meant as something that's feasible even for a company that already got burned by vengeful leavers; and also something that an individual manager has an easier chance of pulling off, without having to change all of corporate policy.


Surprisingly enough, as toxic as Amazon is, after I got Amazoned and made my choice to “leave Amazon and get a nice severance” instead of “try to work through the PIP and still get fired and only get a third of the severance amount”, they let me stay for a week to finish up a customer project. I worked in Professional Services.

I told them that I really wanted to finish the work for a customer (large state organization) because I liked the customer. They let me stay for a week.

Of course that was bullshit, I took the time to have back channel communications with the customer to see if they would hire me as an independent consultant after I left and to start interviewing.

I’m sure they would have. But I got a full time offer less than two weeks later.


Sorry about getting Amazoned. They don't have a reputation as a place inspiring loyalty. But, at least in non-Amazon contexts, I absolutely know people who would say they wanted to finish up some work, and they'd mean exactly that.


Nah it was fine. I had a job offer two weeks after I left doing the same thing.

I knew after the first year that I didn’t plan on staying at Amazon for more than four years and I planned accordingly.

I was nine months and two vesting periods short. But the severance more than made up for one.

The longer version of the story.

https://news.ycombinator.com/item?id=38474212


IMO their slack avatar/posts go gray within minutes of them being sacked.


At Amazon, when someone was laid off their Slack still worked for the 60 day WARN period. It was actually a problem because you would Slack them and get mad that they didn't reply. The only way to know for sure was to ask their manager, but you didn't want to do that because if they weren't laid off you didn't want to throw them under the bus!


> their Slack still worked for the 60 day WARN period

So weird companies can’t just pay that out as severance


That's effectively how it ends up, except with a slight advantage to the company. They cut you off and tell you that you don't have to work anymore, but in the off chance you get a job within 60 days, they don't have to keep paying you. They can also preserve their cashflow by not paying you up front.

But since you technically have to be "on the books", if something like Slack is tied to your status in the company directory, it's easier to just leave it.


Just an FYI - you can still get paid the WARN severance even if you take another job, just don't "quit" during warn. Your employment contract may or may not say you can't do side work, but (1) what, will they fire you? (2) it probably just says that you can't do work that interferes with your current employment, which is not a problem.

The WARN period exists to give you the money, but also keep you on for insurance and 401k vesting purposes (and similar). Getting cut off immediately, and suddenly losing insurance would be much much more disruptive, even with COBRA.


My org had a big cut last year but nobody would tell us how many people were laid off for some reason.

I happened to remember the total number of people who were in our org’s giant slack channel before the layoffs and thus was able to do some hardcore detective work subtracting the new number of people in the channel from the previous amount to get the answer…


Yeah, whenever I want to find out if someone still works at the company, I just search them on Slack. If it has "(deactivated)" after their name, they're no longer employed here.


There must be a Slack API that could be used for this, and written to git periodically as the other post said.


The attributes that would let one reliably eyeball a person who got fired doing their walk of shame also made for a soul-sucking workplace.

That "back in the day" algorithm required an office that emphasized butt-in-seat, lacked flexible working hours, and lacked both personal offices and multiple exit points.


During layoffs session last year, the company I work for immediately removed people from the corporate directory, and then went to the guy who had made the unofficial facebook and made him hide them in his tool too. They still technically worked there during the WARN period, so they didn't have epitaphs either. That went over about as well as you'd expect.

This time around, the laid off people show up as on vacation. If you see a team of people all on PTO until the end of May, you can presume that team is donezo.


I worked at AWS in the Professional Services department and people got cutoff in the middle of customer conference calls during the first round of layoffs and then found out about their layoffs.


The infuriating part is when they spin this as some sort of employee privacy move, as if the employee (now ex-employee? But not really, because of WARN) has no input in that decision.


The email sentiment is both true and somewhat strange.

Simply shut down, just like a service or API that got deprecated. It is a weird experience, if you happen to know these leaving people only by email.


This is just a natural consequence of WFH. Communications and work tasks are so isolated and transactional, there's no reason termination would be any different.


I had an old boss with a PowerShell script that auto-ran each morning and did a diff with the employee list in Outlook or something (can't remember what) to see who got terminated or left. I think it was the only sure fire way to know.


Also the language everyone uses to tip toe around saying people got laid off. Some employees 'were affected' or were 'part of the RIF' or whatever other acronym is currently popular.


On the first project where I was team lead one of my team members was laid off and nobody told me. I worked with her on Thursday, took a PTO on Friday, and on Monday around noon noticed she hadn't been in at all. I asked the guy who sat in the space next to her, and he told me she had been laid off on Friday. I had no idea there had been any layoffs as there wasn't an email sent out like in earlier rounds. Turned out she was the only person laid off. Really weird way of handling things.


After going through my first layoff (not affected personally, I just saw people who were), I just started posting my personal contact information preemptively. I've seen others start to do the same. It's kind of depressing but I think it really helps to be able to reach out after the termination is done.


When someone new comes on board, I make it a point to send a LinkedIn connection. While I'm no fan of LinkedIn per se, it's neutral enough that nearly all of those connections are accepted. If necessary, it then becomes a non-company channel for having safe (ish) discussions about the company.


I don't understand the secrecy about firing somehow. If I were an employer, I'd want my remaining employees to know that what the fired person did was unacceptable.


Companies very rarely do not want to open themselves to liability so they usually go for the blandest possible description, even laying off and paying unemployment for someone who should be fired for cause.


There’s also Blind, but only if you’re on it before the layoff: you need access to your company email account to create an account.


At least it’s made LinkedIn useful for something


Was it ever really real anyway if you're just little faces or icons on a video call while you worked together.


I got fired from the office on a Friday evening when more than half the company already logged off.

What is the wonderful closure you get?

Anyway, welcome to the corporate world. It pretends to be personal, but it's business.


I'm sorry you had a bad experience, but most people get laid off Friday morning (it's the most common time).

> Anyway, welcome to the corporate world.

I've been in the corporate world for 27 years, and been through many layoffs (usually as a survivor, sometimes as a victim). The ones during WFH have all been worse.


> you saw them walking out the door with a box of their stuff

That's cool, I've never seen anyone that worked in a 90's movie before!

Seriously, though, is that a thing? Was it ever?


I mean, I have a bunch of personal stuff in the office. On my last day in the office I’ll bring it all home because I need it until that time.

I can imagine myself bringing it all in a handy box if I were suddenly fired (which is impossible in my country of residence, but it’s about the idea)


...yes? That's why it's in movies


There are no more people in that process, just “resources” that you “let go”. Welcome to 2024.


linkedin ?


Love this bit:

"Incidentally, if someone gets mad about you running this sort of thing, you probably don't want to work there anyway. On the other hand, if you're able to build such tools without IT or similar getting "threatened" by it, then you might be somewhere that actually enjoys creating interesting and useful stuff. Treasure such places. They don't tend to last."


> Incidentally, if someone gets mad about you running this sort of thing, you probably don't want to work there anyway.

If you do want to work there, though, maybe check the legal situation first...

I am almost certain, this counts as unauthorized processing of personal information. Just because you have access doesn't mean it's fair game to do whatever you like with it. Especially archiving, keeping a history or linking (external) data is not the intended use for such an interface. If you take the information home with you, e.g. on your work laptop, that may be a whole nother can of worms. May even count as business secrets you're exfiltrating.

At least in Europe, abusing such an interface likely would be illegal, certainly if you keep a copy/diff. Your employer may have to act against you, or become liable. Or they may use this misconduct later to conveniently terminate your contract (lol, especially, if you use your insights as leverage).

I presume the larger the network, the more likely this will get you in trouble. Conversely, collecting the data has little use otherwise.

How about you organize with your colleagues to voluntarily share employment information to gain collective leverage?


A diff of the directory is abuse? That seems overly aggressive and I don’t see what that prevents.


Are you trying to be pedantic? A diff by itself does not necessarily contain any information at all. However, it should be fairly obvious a complete diff in relation to a reference contains all the information of a prior state. So it's functionally similar to a copy.

[LIVE]->[DIFF_N]->[DIFF_N-1]->...->[DIFF_1]=[LIVE_1]

You know, that's kinda how Git works.


> A diff of the directory is abuse?

Yes, if it contains employment information. A bunch of diffs can cross the threshold into event sourcing and if you have enough of them you might end up with a copy of the directory.


I already have a copy of the entire source code for this application, including all of the secret database logins. Why would having a copy of the employee directory be a bigger problem? (To be clear: I'm trying to understand the issue, not dismiss it)


> Why would having a copy of the employee directory be a bigger problem?

In jurisdictions where people have the right to be forgotten, they could ask for all their information to be erased. How would that work if you keep a copy of the employee directory? That is one example.

Another example would be a proposed bill in my jurisdiction which will force employers to disclose all information it stores about employees at the request of any employee. This will make you (someone who has a copy of the employee directory) some sort of data processor, which comes with new requirements about how you store that data and for how long.

As someone else said somewhere in this thread, if you can see information, this does not automatically mean that you can store it.


First off, the article is about processing and metadata analysis, not just a mere "copy". Then, let's clarify: You legally stream a movie, you are also "copying" files to your computer, yet keeping "a copy" of the entirety would be considered illegal. Pedantic, naive technicalities are an ill-advised legal defense, and so is the expectation of object-oriented jurisprudence. Not everything is categorically same, because of a shared attribute. Intent matters.

With your argument you are conflating intellectual property and business assets of your company, with privacy and informational self-determination of your colleagues. The latter isn't necessarily in the direct interest of your employer, but rather a right given by ethics, or governmental entities. Never mind metadata, a simple copy could mean transferring sensible information to a context where access control for unauthorized parties isn't implemented. Eg. you could have your take-home work laptop stolen, or compromised while watching porn. Legislative example: Under the GDPR, a doctor or therapist is not allowed to handle any patient data on private devices, which extends to contact information stored on their private phone. Context matters.

Not everything is about money, or monetary damage. Privacy rights are about freedom and self-determination of the individual.

Although, the organizational structure and history of a corporation certainly has implications for operational security as well. Try mapping and exfiltrating employment graphs and collected personal metadata at a defense contractor and see where that gets you. Mind you, OP's respective metadata analysis has little informational value in a ten peopled start-up, where you talk to everyone anyway. We're here considering corporations large enough for the individual employee to miss operational oversight by direct means. Corporations large enough, that meta-data would be valuable for third parties, too. Trust matters.


I wonder if this counts as personal data. It's a copy of everyone's name, job title and employment dates.

I can certainly see many European businesses would be wary of an employee keeping this list.


If I read it correctly, they just dumped and diffed their uid, not all of that information.


uids are definitely not pii


In central Europe, we have the complete company organigram in namely, so it can't be that bad.


Are you referring to GDPR? Does it apply to employees too, or only customers?


GDPR definitely applies to employees as well. It applies to all handling of personal data.

One of the most important rules in GDPR is the requirement for companies to have an up to date list of all places where personal data is being stored, the reason it's stored there and what it's used for and the retention policy.

So an employee creating their own lists of previous employees could potentially get the company in trouble if it was discovered during some external audit if it wasn't listed.


Not speaking about GDPR, but your post is triggering me (my issue, not yours).

Here’s what is crazy to me about employee PII (personally identifiable information) being considered sensitive.

Say in a well designed system you can audit who made each change or the last change to each business record. As an example, each database table has a login ID of who modified the last record/row most recently.

Now every single such table is polluted with PII?

I get having a list of all the places where personal data is stored, but some people think we need a list of all the places a pointer to personal data is stored (ie an identifier that enables linking; that is what “PII” literally means) and that is just such a bigger dataset I don’t think it is appreciated how deep the rabbit trail goes applying policy to technology.

Every email in an organization contains PII and every system emails can get saved and attached to.

Back to your comment, does GDPR require just listing the personal information locations, or also the (PII) identifiers to it? Is a name alone considered personal information (if I sign my emails with my name does that go on the list and if so, can companies just declare huge subsystems as having personal information?)


Depending on the business, employee data can be more of a concern than customers.

A business probably handles sensitive private data on employees (e.g. medical conditions, family records). Employees know this, and could report an ex-employer out of spite, especially if they're aware of poor data security.


GDPR applies to everyone in the EU/EEA/UK.

They don't need to be a citizen, they don't need to have any sort of contractual arrangement with the data processor. If they're alive and identifiable, the GDPR applies.


So interesting that you say alive. There's always some obscure bit of GDPR I've never heard of. Does a dead person not have PII?


Recital 27 of the GDPR states:

> This Regulation does not apply to the personal data of deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons.

It's not part of the operative text of the regulation, but it provides for a clarification on what a "natural person" is, and the principal prohibition in the regulation is the processing of data about an identified or identifiable natural person.

I would also assume, but I'm not 100% sure, that there's some case law from the CJEU around whether or not the definition of "natural person" includes dead people, which is why it's not in the main body of the text.


They can't be harmed by mishandling of PII.


This is definitely processing personal data.

What Rachel is describing is absolutely illegal under the GDPR.


Amazon fired a guy that shared an LDAP query to find folks affected by a round of layoffs....after the layoff happened. So it's not like he was leaking information.


I don't love it at all.

It's over-the-top posturing for posturing's sake.

A way to confirm this is to look for HN comments who posture the same. After the Overton window widening, they forget to hold back, and will openly say what we know: it's an abuse of the system that turns an outmoded address book into a gossip rag, to the surprise of the actual people involved.

Citations:

"First I just cared about which accounts got deactivated. Then I started tracking title changes, last name changes (people getting married), department sizes, company head count over time etc."

"LDAP's full of secrets. And to think that you can get nearly all of it with anonymous access. Team or department mergers before they were announced? Yep, I've caught those. Secret mailing lists for internal projects? Check who's a member and you can ferret out what's going on. Bonus if the list mail address gives some of it away."

"Lots of weird things depend on the LDAP tree being broadly accessible. It's just that it leaks more information than most people think."

"Monitor when and what HR is doing. Detect when users are logging in and out of LDAP."


LDAP's full of secrets. It's a great way to keep tabs on what's going on in a company. And to think that you can get nearly all of it with anonymous access.

Team or department mergers before they were announced? Yep, I've caught those. Secret mailing lists for internal projects? Check who's a member and you can ferret out what's going on. Bonus if the list mail address gives some of it away.

`ldapsearch' is good if you know your way around LDAP. Apache LDAP Studio is a great UI tool if you just want to explore.

Everyone should know enough about LDAP to build a login service that binds against it for internal apps. You can exploit the groups the sys admins maintain to control permissions in your app. It's very powerful and an easy way to get up and running in no time.


I'm still flabbergasted when a company lets me index their entire AD tree as a random (or, holy crap, anonymous) user. Very nice of them, but still.

It's also often the only way to get information that doesn't exist in an Intranet page, like, literally what teams are there in IT, where are their offices, who's somebody's manager, and of course, what distribution lists am I not on that some other user is on that's causing one of us to have issues accessing some internal company portal.


It has to be public (or at least not too locked down) or things like Address Book in outlook would stop working. Lots of weird things depend on the LDAP tree being broadly accessible. It's just that it leaks more information than most people think.


Still, it's a tool made for another era. It would be sufficient to let it return one search result at a time, or complete specified group aliases, in order to work for groupware clients. Applications mostly need to authenticate a specific user.

The ability to walk the tree is something else. Just like we don't allow zone transfers for dns anymore, there should have been similar best practice changes to ldap if people just gave it some love.


> Everyone should know enough about LDAP to build a login service that binds against it for internal apps. You can exploit the groups the sys admins maintain to control permissions in your app. It's very powerful and an easy way to get up and running in no time.

Sure, if you want to be the next SolarWinds.


It's amazing how many people came to the same idea independently. At my old gig I created "the sackinator" (getting sacked = getting fired). It was a cronjob that dumped the entire AD directory nightly and then a script to diff the output of any two days.

Since the data was dumped, you could always go back and do more analysis. First I just cared about which accounts got deactivated. Then I started tracking title changes, last name changes (people getting married), department sizes, company head count over time etc.

> Incidentally, if someone gets mad about you running this sort of thing, you probably don't want to work there anyway. On the other hand, if you're able to build such tools without IT or similar getting "threatened" by it, then you might be somewhere that actually enjoys creating interesting and useful stuff. Treasure such places. They don't tend to last.

Couldn't agree more.


Hahahahaha... So, I um have a very similar script that I manage for 'KTMJ' - it's not to find deactivated users, but to synchronize certain ldap attributes to another system. This organization is large enough (300k+ users) that typically, between the time that the script queries ldap, prepares the synchronization file, then actually performs the synchronization import which validates if each user still exists, there are already several hundred accounts that have been deactivated during that window and reported in an 'error' log file. (The actual synchronization and 'error' log file are outside of my direct control)

Why did I laugh maniacally?

Due to 'budget constraints' my contract is being terminated (they have just been through several rounds of layoffs, I was expecting this), my account will be one of the ones deactivated on the next monthly cycle - prior to that, I will have to hand over the processing and expected 'deactivated' users 'error' logging behaviour to my replacements...


So negative! Where I work this tool is called “new-hires”. It uses a restricted read-only API key to our third-party people tool. It was given to me by our People Director. Sometimes there are lines beginning with - but the tool is named for the lines beginning with +.

new-hires is built on top of the “people” python module / cli in our monorepo. That tool is so much more useful than just a way of diffing the org chart. Who is in what team, where are they, are they working today, is it time to celebrate their anniversary, etc. It also follows what I coin the “ZFS litmus test” for good CLI tools by providing -pH for parseable, headerless output.

Treasure such places indeed.


Where is this? Sounds like a great place!


Speechmatics.com in London and Cambridge, UK. We build audio and language models that perform the most accurate speech recognition available.

https://www.speechmatics.com/company/careers/roles


Your site looks great. Clean description of the draw of your product!


I tried to make one of these systems at my first job, but my manager expressly forbade me after hearing about it.

Later that company would go on to lay off 15% of software engineers in a day. The support team created tickets in the public issue tracker to decommission employee accounts, so a lot of people found out that way before anyone reached out for a meeting.


"Treasure such places. They don't tend to last."

True true true. Especially if people are building quirky cool stuff in smaller orgs, it's simultaneously a great place to work and has a higher extinction probability.


The “epitaph” app that was mentioned is an internal Google web site. I always found it to be fascinating.


There was an automated tool like this someone built at Twitter. At first it was cool just to see who the most tenured people were. Then the layoffs happened and it became essential due to the absolute 0 communication happening thanks to the Cool New Management. I remember we used the count of people in one of the default Slack channels to keep track of how many people got the axe. Woof.


Is it common in the USA that employees just disappear without getting the chance to say goodbye to their colleagues? At most places I worked, people tended to send a goodbye email to everyone@company and got a chance to say personal goodbyes, even when there was a negative reason for them to leave.


Yes it is common when the employee is being terminated. It may depend on the industry, but it's always been like that at the 10+ companies I worked at.

Honestly, I much prefer it to the long notice (sometimes 3 months!) you get in say some European countries. Just rip the band aid and move on. Most likely you'll have a way to connect with former coworkers easily on LI and such.


A week or so seems fine to me. Gives you a chance to wrap things up and transfer stuff.


Or roam the hallway, do nothing but bitch and all.

If I'm terminated I'm not gonna care about wrapping things up, I'm out of there.


It isn't the usual way for an employee to depart a company. It is common in layoff situations, though.

Note: don't ever depart with public criticism, you have little to gain and potentially a lot to lose with the burned bridges.


At my last company they had no system for letting us know if someone had been let go. At one point they laid off the VP of sales and it came up almost by accident in an all-company meeting (not a massive company, <100 but >50) and people were surprised he had been let go.

I was young, with nothing to lose (or rather just no self-preservation), and so I spoke up that the policy of saying nothing was silly and potentially very dangerous. If that VP, who I saw around regularly, had emailed me for a list of our clients I would have sent it to him, if he had been waiting at a door telling me he had forgot his keycard I would have let him in, etc. You could argue "You should have always asked up the chain before doing that or refused to let him in on your keycard", but then I'd just shake my head at you. When a VP tells you to do something it's not a great career move to throw up roadblocks, even if it's company policy, in my experience.

Going forward the company agreed to send out bland, generic "X is no longer with the company" for "legal" reasons (as in they couldn't say "was fired", "left of their own accord", etc). Which was better for sure. I never thought to scrape our company directory, that's a clever way to do that for sure.


Back when I was at DigitalOcean they were laying off/firing people from the company but not announcing any departures. You'd just go to message someone and their Slack account was deactivated. This was over the course of several weeks. I built a Slack bot to post when accounts got deactivated and learned of some new departures well before those impacted actually did.

https://github.com/eddiezane/no-ghosties


It seems DO uses the same methodology for their customer support.


I worked at a company that had an internal website that showed all people, departments, teams, and had a filter you could use for new employees or employees that left. It was sort of a double edged sword: you had enough information to start asking questions about what it meant if a team member or coworker was on the list. What was more interesting is that it almost became ritual for some people to logon first thing in the morning and check the list, every morning.


A former company I was at was really weirdly tight-lipped about people leaving.

I'm sure totally unrelatedly, we got dinged a bunch on our SOC2 reports for improper "off-boarding" and not removing access from terminated folks since no one knew to remove them.

Once we added quarterly SOC2 controls to make sure only employees had accounts it was always a shock to see who had to be removed.

I know the intent was to improve morale, but it had the opposite effect.


That definitely sounds bad. I wonder what sort of justification they had to not tell people who left?

Not having closure is one of the most common grievances people have about relationships, friends, lovers, siblings, or colleagues that disappear.

It seems purposely malicious.


Agreed the lack of closure was frustrating.

Stemming the tide maybe? Don't want people to leave when they see a respected or well tenured person leave / get laid off?

All happened after an acquisition, so I'm not sure if this was business as usual for the other company or in response to increased attrition.

We ended up with an alumni slack like others here have mentioned.


I've had companies use privacy concerns as an excuse, which was hilarious. They couldn't tell us who left because they wanted to respect the laid-off people's privacy so the entire company spent the day compiling a list of all the deactivated Slack accounts. Great job!


In Germany it's also a very good idea to monitor the "Handelsregister" (register of all companies) and see who currently is really the CEO, who can sign things etc. This shows early ripples in the force (e.g. founders on their way out, willfully or forced).


At one role our GitHub access was mediated by a CI job that would export users and groups from Google Workspaces and apply them to GitHub. The script would helpfully print a list of actions taken, and we had a general policy of CI logs being world-readable - and this job was no exception.

It was a useful way to keep tabs on any skulduggery that was going on.

Unrelated, but Confluence has very powerful support for email alerts on changes. These include notifications of deletions, and the email includes the diff of the deleted content. One thing I do at any org that uses confluence heavily is set up notification rules on some interesting spaces and check in from time to time.


Don’t think my employer would take too kindly to attempts to download bulk employee lists


Can they monitor for such a thing? Does say, Azure AD show whenever someone downloads data? Does Outlook make a similar call to figure out the name dropdowns?


Perhaps for small orgs. We’ve got thousands upon thousands of people so little chance of grabbing the entire AD or leveraging some outlook dropdown.

I'd be surprised if any competently run large org allows that anyway. Just takes one rogue dude trying to make a quick buck by selling the info to spammers and you’re dealing with that for the next decade
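On the question above of whether bulk directory reads can be monitored: where the directory server logs each search with its result count, they can. This is an added example, not from any commenter; it assumes OpenLDAP "stats"-level log lines, and the sample log, thresholds and function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of OpenLDAP "stats"-level log lines.
SAMPLE_LOG = """\
slapd[811]: conn=1001 fd=12 ACCEPT from IP=10.0.4.17:51522 (IP=0.0.0.0:389)
slapd[811]: conn=1001 op=0 BIND dn="uid=mailgw,ou=services,dc=example,dc=com" method=128
slapd[811]: conn=1001 op=0 RESULT tag=97 err=0 text=
slapd[811]: conn=1001 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(mail=pat@example.com)"
slapd[811]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[811]: conn=1002 fd=14 ACCEPT from IP=10.0.9.33:40112 (IP=0.0.0.0:389)
slapd[811]: conn=1002 op=0 BIND dn="" method=128
slapd[811]: conn=1002 op=0 RESULT tag=97 err=0 text=
slapd[811]: conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
slapd[811]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=4312 text=
slapd[811]: conn=1003 fd=15 ACCEPT from IP=10.0.7.80:38820 (IP=0.0.0.0:389)
slapd[811]: conn=1003 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128
slapd[811]: conn=1003 op=0 RESULT tag=97 err=0 text=
slapd[811]: conn=1003 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=a*)"
slapd[811]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=400 text=
slapd[811]: conn=1003 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=b*)"
slapd[811]: conn=1003 op=2 SEARCH RESULT tag=101 err=0 nentries=350 text=
slapd[811]: conn=1003 op=3 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=c*)"
slapd[811]: conn=1003 op=3 SEARCH RESULT tag=101 err=0 nentries=300 text=
slapd[811]: conn=1004 fd=16 ACCEPT from IP=10.0.9.33:40190 (IP=0.0.0.0:389)
slapd[811]: conn=1004 op=0 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=person)"
slapd[811]: conn=1004 op=0 SEARCH RESULT tag=101 err=4 nentries=500 text=
"""

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([^:\s]+):\d+")
BIND = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=')
BIND_OK = re.compile(r"conn=(\d+) op=\d+ RESULT tag=97 err=0\b")
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="[^"]*" scope=\d+ deref=\d+ filter="(.*)"\s*$')
DONE = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)")


def find_bulk_reads(log_text, per_search=1000, per_conn=1000):
    """Return one finding per connection that looks like a directory dump."""
    source, pending, identity, filters = {}, {}, {}, {}
    conns = defaultdict(lambda: {"entries": 0, "largest": 0,
                                 "largest_filter": "", "size_limit_hits": 0})
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            source[m[1]] = m[2]
        elif m := BIND.search(line):
            pending[m[1]] = m[2]              # not trusted until the bind succeeds
        elif m := BIND_OK.search(line):
            if m[1] in pending:
                identity[m[1]] = pending.pop(m[1]) or "anonymous"
        elif m := SRCH.search(line):
            filters[(m[1], m[2])] = m[3]
        elif m := DONE.search(line):
            c, n = conns[m[1]], int(m[4])
            c["entries"] += n
            if n > c["largest"]:
                c["largest"] = n
                c["largest_filter"] = filters.get((m[1], m[2]), "")
            if m[3] == "4":                   # LDAP result code 4: sizeLimitExceeded
                c["size_limit_hits"] += 1

    findings = []
    for conn, c in conns.items():
        reasons = []
        if c["largest"] >= per_search:
            reasons.append(f"single search returned {c['largest']} entries")
        elif c["entries"] >= per_conn:
            # Many small searches that add up: the "one letter at a time" walk.
            reasons.append(f"connection total {c['entries']} entries")
        if c["size_limit_hits"]:
            reasons.append(f"server size limit hit {c['size_limit_hits']} time(s)")
        if reasons:
            findings.append({"conn": conn,
                             "source": source.get(conn, "unknown"),
                             # a connection that never binds is anonymous too
                             "identity": identity.get(conn, "anonymous"),
                             "reasons": reasons, **c})
    return sorted(findings, key=lambda f: -f["entries"])


if __name__ == "__main__":
    for f in find_bulk_reads(SAMPLE_LOG):
        print(f["conn"], f["source"], f["identity"], "; ".join(f["reasons"]))
```

The same per-connection totals also show which service accounts legitimately read large parts of the tree, which is the list to check before tightening size limits or anonymous access.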


There's a very common problem with systems that use SSO, where the 3rd parties that accept SSO logins cache the login information, sometimes indefinitely. A user can leave the company but their login placeholder account stays in the 3rd party, and active login sessions are maintained basically indefinitely. So you can leave the company and lose your AD account, but still access the 3rd party. As Rachel says it's kind of a hard problem to solve (but not that hard).


In most cases wouldn't that session info be tied to physical hardware to which the employee no longer has access? Sure, tick all of your boxes, but I would think that losing the company laptop/phone/VPN would be a pretty significant barrier to maintaining access to other systems.


Not with 3rd party vendors with basic SSO. They have no idea when the user leaves the company because there's nothing updating the vendor's sessions.


Not with BYOD


I refuse to BYOD, so I am not familiar with the nuances, but wouldn't the corporate controlling entity wipe/reset/deauthenticate the corporate partition of the device?


That entirely depends on how it's implemented. At least Windows, Android and iOS have the functionality to delete Work accounts / profiles.

But I've also seen companies with no MDM at all, so YMMV.


The answer to this is SCIM, which allows an app to sync the user state with the identity/directory system.

IT admins call this "User Lifecycle Management" and it's typically a required feature for enterprise-scale customers.

(I work at WorkOS and we help developers with this: https://workos.com/directory-sync)
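How SCIM closes the cached-session gap described earlier in this sub-thread, as an added sketch (not WorkOS code and not from any commenter): the app-side handler for the SCIM 2.0 PATCH an identity provider sends at off-boarding, which deactivates the user and revokes their sessions in the same step. The `AppDirectory` class, its method names and the in-memory stores are hypothetical.

```python
import secrets

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


class ScimError(Exception):
    """Request the service provider rejects (would map to an HTTP 4xx)."""


def _as_bool(value):
    # Some identity providers send the boolean as the string "False".
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ScimError(f"invalid value for 'active': {value!r}")


class AppDirectory:
    """Hypothetical in-memory user and session store of a third-party app."""

    def __init__(self):
        self.users = {}     # SCIM id -> {"userName": str, "active": bool}
        self.sessions = {}  # session token -> SCIM id

    def provision(self, user_id, user_name):
        self.users[user_id] = {"userName": user_name, "active": True}

    def login(self, user_id):
        """Called after a successful SSO assertion; returns a session token."""
        user = self.users.get(user_id)
        if user is None or not user["active"]:
            raise PermissionError("user is not provisioned or is deactivated")
        token = secrets.token_urlsafe(16)
        self.sessions[token] = user_id
        return token

    def is_session_valid(self, token):
        # Checked on every request, so a cached session cannot outlive the user.
        user = self.users.get(self.sessions.get(token))
        return bool(user and user["active"])

    def revoke_sessions(self, user_id):
        stale = [t for t, uid in self.sessions.items() if uid == user_id]
        for token in stale:
            del self.sessions[token]
        return len(stale)

    def patch_user(self, user_id, body):
        """Handle PATCH /Users/{id}; only the 'active' attribute is modelled."""
        if PATCH_SCHEMA not in body.get("schemas", []):
            raise ScimError("not a SCIM PatchOp message")
        if user_id not in self.users:
            raise ScimError("unknown user")
        user = self.users[user_id]
        for op in body.get("Operations", []):
            if str(op.get("op", "")).lower() not in ("add", "replace"):
                continue                      # "remove" is not modelled here
            path, value = op.get("path"), op.get("value")
            if path is None and isinstance(value, dict):
                changes = value               # path-less form: value is an attribute map
            elif isinstance(path, str):
                changes = {path: value}
            else:
                continue
            for attr, new in changes.items():
                if attr.lower() == "active":  # SCIM attribute names are case-insensitive
                    user["active"] = _as_bool(new)
        revoked = 0 if user["active"] else self.revoke_sessions(user_id)
        return {"id": user_id, "active": user["active"], "revoked_sessions": revoked}

    def delete_user(self, user_id):
        """Handle DELETE /Users/{id}: drop the account and its sessions."""
        self.users.pop(user_id, None)
        return self.revoke_sessions(user_id)


if __name__ == "__main__":
    app = AppDirectory()
    app.provision("u1", "pat@example.com")   # constructed sample user
    token = app.login("u1")
    offboard = {"schemas": [PATCH_SCHEMA],
                "Operations": [{"op": "replace", "path": "active", "value": False}]}
    print(app.patch_user("u1", offboard), app.is_session_valid(token))
```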


I once worked at a large bureaucratic org that tried to keep it secret when people left (if quit or were fired) because they thought departures were bad for morale. So it was just a big secret. Are they here any more, are they on PTO, are they out sick, who knows! Can't talk about it. It caused way more gossip and bad morale than it would have just to be straightforward letting us know that so and so was gone.


I'm not sure I get this.

If it's in my team/department, I'll know about it one way or another. If not ... Why would I care? People come and go, and if we're friends outside of work, we'll have other channels.

Besides that, most companies I worked at don't even maintain the LDAP/whatever properly. I've seen contacts from people that left/were fired stay around for years.


On an individual level: maybe you don't work closely but know the name, might be interested to know ahead of suddenly realising you haven't seen/heard from them for weeks/months; or maybe you used to but they moved to a different group, you're not in touch but vaguely interested if they've left.

On a more macro level: you might be interested in an apparent layoff/significant restructuring.

Someone used to (/maybe does) run this as an email service ('orgdiff') at Arm. I wouldn't have gone out of my way to do it myself, but it was something to skim with a Monday morning coffee.


> If not ... Why would I care?

What if they're someone you're working with on and off. Or if you're waiting on some tasks from them?


> Incidentally, if someone gets mad about you running this sort of thing, you probably don't want to work there anyway. On the other hand, if you're able to build such tools without IT or similar getting "threatened" by it, then you might be somewhere that actually enjoys creating interesting and useful stuff. Treasure such places. They don't tend to last.

too true


Epitaphs is a Google thing. I had a friend at Qualcomm who wrote a script to sample the employee phonebook every morning before work so he'd know if he were laid off. We used "ph" from UIUC and the company strangely laid people off not by deleting them but instead by putting them into department 700, "The laid-off department".

The web UI allowed elaborate queries so the first time there was a big layoff the ph web page almost went down because everyone was querying to find out who was laid off. Management got mad at this but they really shouldn't have; it's correct that you shouldn't work someplace that tries to hide attrition no matter what the source!

My friend never got put into dept 700 because I recruited him into Google a few years later ...


Speaking from the other side (the side that does the termination), as long as your IT team is actually good a simple ldap diff isn't going to be enough.

Why? Because a good termination process is sensitive to there needing to be a communication about a termination that can happen well after the actual process of eliminating their access and telling them it's their last day.

So a better termination process is something like:

1. Employee goes to a physical space (preferred) where they don't have their work equipment or talk to their manager and/or HR using something that isn't work controlled (phone call, etc.).

2. A manual or scripted process executes that forces sign outs of all work things (computer, slack, google, whatever). Credentials get reset and not disabled. Perhaps someone can try to look for password reset metadata or other things that might indicate a departure, but it's a lot harder than looking for disabled uids.

3. After the person leaves or has finished their conversation remotely, the team that works with this person gets a broader communication from someone to tell them about the departure. If the company is small enough, maybe there's a broader communication to more people.

4. The rest of the termination process gets fired off that does disable accounts, etc.

Why don't all IT departments do this? Well for a lot of reasons:

1. They don't care, don't have incentives, or haven't been told by HR, etc. to care about handling the termination process in a more sensitive way.

2. For any sufficiently complex company, the number of edge cases of systems where you can't force a logout or handle a password reset increases over time. It takes a lot of testing to make sure a process works because vendors have bugs all the time or unintended behavior.

3. The risk of poorly communicated terminations increases as the number of people that either perform or can troubleshoot the automated process to terminate increases. As others commented, you don't want some ticketing system that is readable by a wide amount of people to see termination requests, so now how do you communicate a termination without too many people knowing about it?

Strangely enough, I think trying to achieve the most sensitive but automated process is good because it forces the company to communicate and acknowledge a departure before the full termination process fires off, but maybe I'm in the minority.


Did this for a supermarket delivery company, they had an API that exposed their exact stock level for products, scraped the data every 30ish seconds, diffed and repeated :D There were some interesting orders for sure (cigarettes + soap + 1 beer)


Ha, I did this about 10-15 years ago at a prior company. The turnover was so high (especially in the sales staff) that there would be at least a handful of people mysteriously disappearing each week.

I automated a small newsletter called "The Weekly Diff" for a few close trusted coworkers and sent it out each Friday with a list of who's new and who was missing from the company directory. And I kept a scraped database including phone numbers in case anyone wanted to reach out to anyone after they'd been removed.

Sometimes you make the best out of a failing company culture. Kept a lot of friends that way just by reaching out with some words of support :)


I’ve done this multiple times, and have two instances running right now which have been active for years. One is simple and watches a smaller org:

ldapsearch … > new; diff old new > updates; mail … < updates

(On phone, pseudo code, definitely wrong)

The other is perhaps more interesting. I built a tool for a tool for a population of specialists in a large company. The tool requires ldap data synced in, and I capture the diffs. That sampling approach provides surprising insights into what’s active/hot/declining, even when the total size of the company would make tracking every employee change quite difficult.


I wrote a script that is looking at the git log of a git repository, it tries to sum up how many commits per author/number of lines changed etc, when the author was active. This also gives some indication on the 'turnover rate' or whatever. (I know lines changed and number of commits is a very bad indication, but it is some indication)

https://github.com/MoserMichael/gittools/blob/main/git-whois...


I'm a WFH worker. My company is fully remote. They are really great at managing departures and make sure everyone's aware and has a chance to say goodbye.

However I can't shake this feeling that the mindset that got us from treating servers like pets to treating them like cattle is creeping into workforce planning, and the WFH movement is making it that much easier.

Why plan capacity when you can scale resources up and down on-demand on a whim? With the emotional and morale implications of letting people go hugely reduced it becomes easier to think like that.


> Incidentally, if someone gets mad about you running this sort of thing, you probably don't want to work there anyway.

Well that depends I guess. A lot of companies/orgs have privacy policies that prohibit accessing services out of "curiosity." I.e. if you're working at a university it's OK to access student information if you're doing it for a specific work-authorized purpose but you can't go casually looking at people's information just to satisfy some personal interest.


This is a very fun thing to do, unfortunately where I work (France), the HR team send out weekly/monthly emails with some HR updates, and at the end the list of everyone who is hired (this includes contractors), and everyone who leaves (resigned or fired), so it would not add any information to run LDAP searches and dumps/diffs.

It's always kinda stressful to open this email and find out if one colleague you liked has decided to leave, but most times, this colleague informed you before the email arrives.


I did this before. I ran a cron job once a day that counted the number of active entries in a particular file. It was neat to see the number bump up after an acquisition or drop after a layoff. It was neat to see the overall growth of the company I worked for.

I eventually decided that someone _might_ decide that, although freely available, in aggregate, this material could be _sensitive_. I stopped doing it. I deleted years of interesting data...


Scanning, dumping, and diffing of active directory also helps seeing when people got promoted. ("Software Engineer" -> "Software Engineer II" -> "Senior Software Engineer" etc). Useful for figuring out stats on "promotion velocity" in one org vs other.

Wouldn't work at "a certain company" if such company now made all their levels secret by default of course.


There is no need to show levels if the company has solved equity already, right?


Learned a new term today, promotion velocity.


This is funny... I thought I was the only one who did this. I work in an org of over 1000 people and have found doing a programmatic dump of the org chart gives me insights I would never get from reading our status update. Often it is the only way I learn about colleagues who have left (and returned!) because not everyone sends goodbye messages or even has the opportunity to.


I was at a large company during the dot com bust. Someone added a world readable field (I assume by accident or because they didn’t realize we could all read it) to our LDAP called “Departure date”, which let you look up who was going to be laid off in the next few weeks. :/


When I was working at a small sized startup, we used to write “obituaries” for people who resigned in a newspaper format. We would add some insider jokes as a side article and some parody ads about their new company on the page if the person who resigned had already found a new company.

IIRC, it started from my resignation. Then we kept doing it for future leavers


> if you're able to build such tools without IT or similar getting "threatened" by it, then you might be somewhere that actually enjoys creating interesting and useful stuff. Treasure such places. They don't tend to last.

Advice I wish I'd been given before graduating, second only to "get everything in writing".


I made sth similar to monitor my github followers list. it's a simple script to use github api to get followers list & diff each day.

https://github.com/tuananh/github-followers-watch/


Adam Savage's recent video said large companies don't like to lay off big blocks of employees so they just do it in small batches over the year. They fire the last person who made any mistake.

https://youtu.be/CzjftlUQs4g?t=403


That doesn't fit my experience. Google's stock price increased after a large block of layoffs. And they were making every effort to put as many as possible in a single block. For example, my department was "impacted by the layoffs" but given 9 months to keep working and possibly transfer out. If they didn't want to announce a large number at once they easily could have waited.


I do this for various reasons at my work.

To function in day to day tasks you need to be able to read stuff in AD. I have solved interesting problems this way like: How do I get access to X thing when the security groups are not documented? Find someone with access and recurse their MemberOf and diff your own.

I also have used it to find people leaving.
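The MemberOf comparison described in the comment above, as an added example that is not the commenter's code: it walks nested group membership breadth-first, tolerates membership cycles, and reports each group the peer holds that you lack, together with the chain that grants it. The group names and the member_of mapping are constructed; in practice the mapping would be filled from the directory's memberOf attribute.

```python
from collections import deque

def effective_groups(principal, member_of):
    """Map every group reachable through nested memberOf to the chain granting it."""
    paths = {}
    queue = deque((g, (g,)) for g in sorted(member_of.get(principal, ())))
    while queue:
        group, chain = queue.popleft()
        if group in paths:
            # Already reached by an equal or shorter chain; this also breaks cycles.
            continue
        paths[group] = chain
        for parent in sorted(member_of.get(group, ())):
            queue.append((parent, chain + (parent,)))
    return paths

def access_gap(me, peer, member_of):
    """Groups the peer holds (directly or nested) that `me` does not, with chains."""
    mine = effective_groups(me, member_of)
    theirs = effective_groups(peer, member_of)
    return {g: chain for g, chain in sorted(theirs.items()) if g not in mine}

# Constructed sample: object -> groups it is a direct member of.
MEMBER_OF = {
    "me": ["eng-all"],
    "peer": ["eng-all", "team-payments"],
    "team-payments": ["payments-deployers", "eng-all"],
    # Deliberate cycle back to team-payments, as misconfigured nesting can produce.
    "payments-deployers": ["prod-db-readers", "team-payments"],
    "eng-all": ["staff"],
}

if __name__ == "__main__":
    for group, chain in access_gap("me", "peer", MEMBER_OF).items():
        print(f"{group}: via {' -> '.join(chain)}")
```

The chain shows which single direct membership would close the gap, and the same output is what an access reviewer reads to see what a nested group silently grants.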


There's data and there's also the behavioral / psychological stuff which is the bigger tell in my experience. Things like delivering half assed work despite having a good track record, and not caring about problems that need to be solved in the mid term.


Hmm, how is this related to the article exactly? Bigger tell... of what?


I built this by accident once!

We had this internal web application. It had its own separate username/password table. I was asked to make it so you could login with your regular password instead.

It wasn't hard to solve the password part. I could make the web app consult the main system to verify your password at login. But... I couldn't eliminate the web app's user table entirely. It was too fundamental.

So I built a thing that ran periodically, got a list of users from both places, diffed the lists, and then did the required create/update/delete operations on the web app's user table. Thus the web app's user table mirrored the main login system.

I rolled this thing out and babysat it, keeping an eye on its log file. Naturally my code logged operations done on the user table. And I was like, "Hey, this is telling me who is joining and leaving the company!"

It even gave me a little additional info. The web app had certain roles and permissions, and these needed to correspond to organizational structure, which I got from the main login system. So if a user's web app roles changed, it was a clue they may have switched teams or got promoted.

I felt like I needed to be a bit careful with this info. Not that I wasn't allowed to have it, but I don't think IT expected anyone to have a tool that would make it that easy to notice changes as they happen. Potentially, I could have known someone was fired before their manager told them or something like that.

TLDR: Tried to streamline operations, accidentally developed a signals intelligence capability.
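The periodic list-diff described in the comment above (and the ldapsearch dump-and-diff loop earlier in the thread), as an added example that is not any commenter's code: it parses two LDIF dumps and emits the create/delete/update operations whose log doubles as a join/leave/role-change record. The sample entries and function names are constructed, and lowercasing DNs for comparison is a simplification.

```python
import base64

def parse_ldif(text):
    """Parse ldapsearch-style LDIF into {dn: {attr: sorted values}}."""
    lines = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line (folding).
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, {}
    for line in lines + [""]:  # trailing blank line flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            dn = current.pop("dn", [None])[0]
            if dn is not None:  # records without a dn (search/result trailer) are dropped
                entries[dn.lower()] = {a: sorted(v) for a, v in current.items()}
            current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" carries non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def diff_snapshots(old, new, ignore=("modifytimestamp",)):
    """Return (op, dn, changes) tuples: creates, then deletes, then updates."""
    ops = [("create", dn, {}) for dn in sorted(new.keys() - old.keys())]
    ops += [("delete", dn, {}) for dn in sorted(old.keys() - new.keys())]
    for dn in sorted(old.keys() & new.keys()):
        changes = {}
        for attr in sorted(set(old[dn]) | set(new[dn])):
            before, after = old[dn].get(attr, []), new[dn].get(attr, [])
            if attr not in ignore and before != after:
                changes[attr] = (before, after)
        if changes:
            ops.append(("update", dn, changes))
    return ops

OLD_LDIF = """\
# constructed sample, not real directory data
dn: uid=alice,ou=people,dc=example,dc=com
title: Software Engineer

dn: uid=bob,ou=people,dc=example,dc=com
title: Analyst

dn: uid=carol,ou=people,dc=example,dc=com
cn:: Q2Fyb2wgRMOtYXo=
modifyTimestamp: 20240101000000Z
"""
NEW_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
title: Senior Software Engi
 neer

dn: uid=carol,ou=people,dc=example,dc=com
cn:: Q2Fyb2wgRMOtYXo=
modifyTimestamp: 20240301000000Z

dn: uid=dave,ou=people,dc=example,dc=com
title: Intern

search: 2
result: 0 Success
"""

if __name__ == "__main__":
    for op in diff_snapshots(parse_ldif(OLD_LDIF), parse_ldif(NEW_LDIF)):
        print(op)
```

The delete operations are the deprovisioning list for the mirrored table, and the ignore set keeps timestamp-only churn out of the log.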


I once discovered that a very large org had AD configured in such a way that you could see “last seen at” timestamp for everyone's profile in the company.

It would have been trivial to track everyone’s hours using this, which would likely have been unpopular.


Fun fact: back when I was a contractor for Apple many years ago (while Steve Jobs was CEO), I learned through their directory service that Steve Wozniak was still an employee and reported to then-CFO Peter Oppenheimer.


We used to use Sametime and I’d periodically search for “Deleted - “, which would show me everyone who was deleted over the past few months, before they fell out of the system.


For those wondering, by default, any user with an AAD account can query /all/ users via the MS graph API.

The trick shown in the article can easily be done on AAD as well.


Just be aware that your company will be logging this behavior and it will seem suspicious. They can make a good case for termination with this evidence.


Now to figure out how the frig to implement this at $work.


Since we're a puppet shop, the user account definitions are largely (albeit not exclusively) kept in hiera (i.e. yaml), tracked in Git.

We haven't used this for the purpose of writing epitaphs, but we could. In fact, since such changes need to go through code review, someone could theoretically author their own removal and add an epitaph of their choice in the commit message; after they leave, the change can be approved and merged in their absence.


Heh. Now I want to sneak in a CI automation or a pre commit hook or something - to post _my_ version of my obituary when I've left.


'Reflections on trusting trust' :)


Ahhh thanks!

Of _course_ the right place to do this is hidden in the compiler.

;-)


I wonder how long it would take them to figure it out. Bonus point if it is a two stage, where the compiler contains the real logic but some innocent tool looks like it is the culprit. And of course per the original you modify the compiler in such a way that an attempt to recompile it will reinstall the gimmick. And maybe redirect the distribution downloader to the point that it uses a locally cached devtools copy that ... you get the idea...


The power of turning information into data that can be processed by relatively simple Unix commands and pipelines is still mind blowing to me.


I've been using POSIX systems regularly for 25 years. Why have I never seen the comm command used before?


With Excel and Power Query, you have your own analysis tool...There is a direct connector to dump the full LDAP.


Hacking is fun but how is this useful?


A modicum of increased transparency/visibility.


Being able to bind and query useful/interesting information on LDAP is always useful.


I postulate that if your company uses LDAP, and you are here on HN, you're going to be laid off within the next 12 months. The existence of LDAP at a company implies that the company is likely highly um "mature" and isn't amenable to the kinds of hackers who have actual interest in the programming field.


My company has 80,000+ employees. I have a feeling I'd be inundated with the churn.


Note that in Europe or UK downloading bulk employee lists would likely mean you are now handling 'personal data' and so various GDPR rules kick in


Is there a script to check the users from the windows graph !!??


The last two sentences of the article were worth the whole read.


Do you guys feel sad when your colleague leaves the company?


You'd have to define "sad" but naturally there's a sense of emptiness immediately after a friend disappears from your life. Someone you've learned to know and share jokes and interests with. Not every colleague is a friend though.


Depends, but not really.

It's like saying sorry for someone getting divorced.... in all likelihood you should be happy for them and congratulating them on ending a toxic relationship.


I feel sad if this means I have more work and responsibilities for same amount of pay. Otherwise - no.


doesn't every HRIS have this? workday, et al... all have some sort of "Leave Reason" field which can be reported on & aggregated


Unix hacker approach to corporate drama, I like it.


Irc, cron, ldap, spying on other employees stuff

Yea, admins.


I find this super weird and almost borderline invasion of privacy? I mean, a job is your professional life and you’re there to work, not go directly make friends or stalk people… I mean sure I’ve made a few people whom I’d call friends in previous jobs and current one too and I’d like to believe that we’d have enough confidence in the friendship to tell each other about quitting. But seeing that potential info about anyone feels very weird…


> uid (unix account name)

Is this a joke or for real?


Most likely real. In LDAP, the "uid" attribute is commonly used to store the Unix account name. The numeric Unix uid/gid are stored in the "uidNumber"/"gidNumber" attributes.


Rachel doesn't joke much in her posts.


Why wouldn't it be for real?

Given the context of the post, the uid info is likely populated from a central source. I log into one box anywhere in their infrastructure and see who has what uids, it is evidence about who is permitted to that part of the infrastructure at that time.


Sorry, for some reason, I thought the author meant UID stands for "unix account name".

It's totally my fault for misunderstanding.


Not a WFH thing. This is a USA thing!!

Edit: OP said "Layoffs in the WFH era are weird" Yes they are, but people here don't suddenly go offline quite as weird is what I was trying to get at.

Here in Sweden if you are FTE there is usually a 1-3 month layoff period (uppsägningstid) where you work and get paid still. At the end of the period you leave.

People usually email the team and even the entire company with "hey im leaving here is my info"

Now people CAN get fired day of, but that has to be VERY grounded.

Again, Not a WFH thing. This is a USA thing!! I notice this time and time again where people complain about IT or WFH, but it's just that you're in the USA, land of the exploited.


Yes, but in cases where a disgruntled employee can do real damage, companies can and do simply ask employees to go on gardening leave with immediate effect, while paying them the rest of their notice period.


Sweden doesn't need employees to do damage, they outsourced that to eastern Europe.

https://www.theguardian.com/technology/2017/aug/01/sweden-sc...


Not really in the nordics (europe?)


But if the company is worried about access can't it just pay the employee the 1-3 months without allowing them to work, even in Sweden?


Yup, same in Denmark. It’s called “fritstilling” - basically they pay you severance equal to the amount of months you should have gotten advanced notice (3-many months).

But there has to be a very good reason. Such as theft, or actual security worries.


I believe this is called "garden leave" in the Commonwealth countries.


“Gardening leave” is the polite fiction - much to do in your personal garden, so you are being given exceptional paid time off to deal with it.

I have genuinely spent a lot of time once sorting out the vegetable beds during a period of gardening leave. It was VERY therapeutic!


Gardening leave is usually a term for a paid non-compete. I.e. you're not allowed to work in the same industry for 6 months, and you're paid salary for those months.


Yes, it's normal in IT in Europe to fire someone, revoke their access and still pay them for 1-3 months. On the other hand many IT professionals work b2b so some of the normal employment policies do not apply. On b2b contract the other side usually is obliged to pay for 1 month.


Yes, at least in Finland the penalty for not adhering to the notice periods is full pay during that time. But I never heard of it happening.


I work with identities. I've worked in Spain, France and uk.

99% of layoffs are agreed and there is no need for account termination, my current company lets you have your account open 30 days after your last day, so you can move data out to your next company.


Sorry, move data out?

Can you expand on exactly what this means, as I imagine most companies would not want their data moved out to another company.


Presumably things like "your credentials to the account that we deposit RSUs into" or "your picture of the beer they served in the cafeteria one time that you liked".


Pictures of beer aren't usually moved into your next employment place though, as GP implies, but rather to your own devices.


I am unsure actually as I am not an employer. I am sure it is possible but probably for sensitive jobs like military or something.

Some links if you want to google translate https://www.unionen.se/rad-och-stod/uppsagningstider-om-din-...

There is "duty of loyalty" where you can get sued for leaks etc https://www.unionen.se/rad-och-stod/om-lojalitetsplikt-och-l...


Of course we fire people in Sweden, pay them and revoke their access; this is very uncommon, I have only seen it once myself. Would like to note that, simply speaking, the rules change the more responsibility you have.


When I quit my work at Goldman Sachs (a very American company), they made me work the whole three months of my notice period.

(Just as one example. The American economy is a big and diverse place. Though in the interest of full disclosure, I was working for Goldman in Singapore, but they were just following global corporate policy; and our labour laws in Singapore defer more to contracts than the US one. Eg no WARN act here.)


> Here in Sweden if you are FTE there is usually a 1-3 month layoff period (uppsägningstid) where you work and get paid still. At the end of the period you leave.

This is only part of the story. They can just pay you the 1-3 months and mark your firing as "effective immediately". Absolutely legal in Sweden, EU and US, and indeed even better for the person fired - 3 months of pay for no work.


When Europeans quit their jobs, they're often required to stay on for 1-3 months, as well, and many if not most employers actually hold employees to that when they get new jobs. In the US you can leave same day, and it's considered rude but meh; 2 weeks is almost always fine unless you're super senior.

We also make 2-3x what you do for exactly the same work, sometimes up to 5-10x in tech.

There are tradeoffs, but in my experience European workers are more likely to wish that they could come to the US to work than vice versa. When contracting in Europe I've had clauses written into my contracts on multiple occasions that forbid me from disclosing my rate even to the people managing my work, because I was making more in one month than they (as senior project leads) did in a year...


The employee in Europe usually has a shorter notice period (if they wish to leave) than the employer.

Americans make more in highly skilled jobs, and less in low or unskilled jobs.

Beyond that I can't generalise, Europe is 44 countries. The Americans I meet were obviously keen to move here.


This is not a particularly helpful comment. I work at a California-based company, though we have employees all over the world. In our layoffs, typically employees stick around for weeks, months, even 6 months sometimes.

How are we supposed to know? Sometimes people put cryptic slack status icons or messages. Sometimes they slack the team or close contacts or something. But in a company with thousands of people, unless an employee sends a email to the entire company, how are you supposed to know? The layoffs happened months ago, why would it occur to me that the person I am working with today will be gone tomorrow, unless they start every conversation with "hey, so I got laid off..."

Nobody really wants to relive that trauma over and over again. It's frankly MORE confusing the longer coworkers stick around after the 'event'.


(We detached this subthread from https://news.ycombinator.com/item?id=39311754)


> Here in Sweden if you are FTE there is usually a 1-3 month layoff period (uppsägningstid) where you work and get paid still. At the end of the period you leave.

That might be very local. There is a long layoff period in Austria too but I don't think any company will let you back into the office. You just get paid without access at home.


On the other hand, when we talk about low IT salaries it is never a USA thing, but a Europe thing.


Not Switzerland, still Europe, still can't fire on the spot during layoffs like in the US. I know it's an exception though.


[flagged]


Small correction. When you’re getting laid off they pay you for whatever termination time is in contract. Usually it’s something pretty long, like 3 months, with some contracts structured in such a way that this period grows with your tenure at the company. My “notice” period grew from 1 month during first half a year to 3 months afterwards.

Once a layoff is declared you get paid for the remainder time plus often a severance package (about 6-12 months of salary in total is customary). You are expected to work these 3 months, though, just like you would work for 3 months (and get paid) if you decide to change jobs.

In practice it means working with people who will leave a company soon is pretty common, having these people as your bosses, as your subordinates, see them at company social gatherings etc etc is all part of working culture. They aren’t perceived as a threat to business or to company morale. Handover of responsibilities, knowledge transfer, hiring or training a replacement: all these processes tend to spread out gradually over months, and the resulting transition is often pretty painless.

It’s a stark contrast to US business practice and people working across the ocean or relocating from one continent to the other need time to adapt.

Europeans pointing such differences on a website does not necessarily constitute “triggering”. If you knew all of this already, great. But someone reading this thread may learn about it for the first time, and there’s no downsides to sharing the knowledge.


On this very website I see people having heated debates about whether curly braces or indentation are insane or brain damaged, and that's just a "nerd" rant and that's ok.

But suddenly, when the debate is whether it's being so paranoid about disgruntled employees nuking prod or stealing IP during layoffs instead of handling a transition gracefully, that suddenly enters the domain of nationalism and it's no longer the "right" kind of rant to have?

Yeah sometimes people will use unnecessary direct language, which btw is also a cultural thing (see "Culture Map - Breaking Through the Invisible Boundaries of Global Business" by Erin Meyer), but I don't think you should perceive this as an attack on you personally.

This is not just a US site, and even if it was, it's still useful to learn about how stuff works elsewhere in the world. Curious people want to learn and that's why many come here.


For me, it's the stories of "how IT jobs suck" but it's not that IT jobs suck it is due to where you live.

Also the misunderstandings of how things work here.

OP said "Layoffs in the WFH era are weird"

Yes they are, but people here don't suddenly go offline quite as weird is what I was trying to get at.


OP is wrong and reads too much reddit - US bad, EU good. It is definitely possible to get fired "effective immediately" in EU/Sweden and 100% legal. I've seen it myself. (The company would just pay the 3 months salary)


Yea, but getting 3 months pay without having to work sounds even better for the employee. Now, there will still be the issue of dropping off Slack and hand off etc.

I do read too much Reddit, but I also live in Sweden lol


Absolutely better, if I get fired I wish I will be fired immediately as well - 3 months of vacation sounds awesome :D


Because people like you intentionally misinterpret and misrepresent what actually happens in Europe.



