Comment by scottlamb
19 hours ago
> [Opexus] said that “the individuals responsible for hiring the twins are no longer employed by Opexus.”
Getting close to the classic Monty Python line: "Those responsible for sacking the people who have just been sacked, have been sacked."
Jokes aside, stuff like this sucks because I suspect many employers will take from it the most extreme, dehumanizing lessons, e.g.: (a) make firings [edit: including lay-offs] as abrupt as possible including terminating all access immediately, (b) never give second chances to anyone with any sort of criminal record (even say decades old marijuana possession or something).
I'd prefer a more balanced version: limit unilateral access to sensitive systems in general (not just of recently-fired employees), when someone is fired immediately shut off particularly sensitive credentials if they do exist (but not their general-purpose login/email account), avoid hiring people convicted of wire fraud as sysadmins, hash your @!#$ing passwords, etc.
Terminating access and rotating passwords (if needed) while the person is in the meeting but has not yet found out they are being let go has been SOP for at least the last 20 years.
Heh, at a place where I worked some guy who left kept committing code for months (he went to work for a company we were a vendor for). Some of my teammates knew and just thought it was no big deal, he was fixing bugs and adding features.
The color the director turned when he found out!! Oh man.
Was his name … Milton?
So he was doing free labor for your company? What's he getting out of that?
This story deserves a movie, or at least a long video essay!
Haven’t laughed this hard in a long time.
I have door codes and passwords for a major organisation that I last worked for somewhere in the region of 20 years ago. They haven't rotated a damn thing. I still know people who work there, and I guess technically I still support things for them in an informal question-over-a-pint kind of way, but damn me, put in some effort guys.
Is this specific to US culture? And what about your work environment makes it such a risk?
Where people are laid off here (Norway), they're still employed by law for 3 months. Most companies don't force you to work all that time, but it's pretty common to finish up your tasks, do offboarding etc for a few weeks. Never considered it an issue. Maybe it's a high trust society thing?
I have had this (garden leave) specified in contracts in Norway too - it's not strictly a requirement that you're allowed to serve out the full 3 months, but the default unless specified is 3 months. In the cases I had it in the contract, the contract generally framed it as if some other perk (like shares) served as consideration for giving my employer the right to put me on garden leave.
It is common in the UK for people in certain jobs. I think the commonest reason is to make it harder for them to take clients with them.
> Is this specific to US culture? And what about your work environment makes it such a risk?
It's called garden leave, it's popular everywhere, especially if it's a big international company with diverse workforce, sensitive to IP rights, since there's been plenty of cases of people taking company IP on USB drives to the new employer, like that Indian guy who took IP from Valeo to Nvidia and got his home raided by the police because the Valeo guys saw him share it on a Teams call lol. Same for companies in finance or that handle sensitive information. Norwegian trust doesn't fly anymore when it comes to multinational corpos.
Companies run on liability and risk mitigation. If something bad happened once (IP theft or sabotage from someone they let go), then they have to prevent it from ever happening again, not keep blindly trusting people while letting it happen.
My first task at my last job was removing access to an employee being let go. I had just gone through onboarding so I knew every (documented) service we needed to handle. We live tested it on my own accounts, measured the time before I noticed, and then proceeded to successfully go through the checklist.
Except not everything was properly documented, and it turned out the employee had given admin rights on some resources to a contractor who proceeded to wreak havoc on their behalf (the 'rm -rf' kind). Eh!
Amateurs. My employer does mass layoffs by terminating access to everything except their email account at 3am, and then sending an email to the victim saying “you were let go at 3am”. Managers get to figure out who’s left on their team by pinging everyone when they learn about it at work.
Google powerwashes your corp Chromebook when they let you go. A friend was composing an email on the train when their screen went black and the device reset itself to factory settings.
They even send the “you’re being fired” email to their personal email they have on file. Didn’t even schedule a meeting.
If you're talking about Oracle, the large round previous to that they did had individual meetings with employee, manager, and HR. With so many layoffs it took a week+ to do, effectively torturing an entire set of employees who had no idea if they'd have a job by the end of the hour, let alone week.
I'm not sure there's any good way to lay off large amounts of staff (besides not getting yourself into the situation in the first place where you have to)
Oracle?
I experienced that once. The parent and the parent's parent company were from the USA. The top CEO and CTO came over and fired everyone. My laptop was controlling a job that had to run pretty long on a 16 core server, but I did as asked: I shut down the laptop and left it on my desk. That was at least $50k down the drain.
The reason they fired the whole dept. was that they were going to centralize development, as they had 200 other developers. After 5 years, they still hadn't developed a new product. Then they bought a competitor and rebranded it. The old product had to be kept running for years after. I guess they finally switched all their clients, because the web sites now open with <!--eslint-disable @angular-eslint/template/prefer-self-closing-tags-->. Who puts that in their HTML?
But I'm guessing that doesn't work with someone who's been collecting other logins:
> Muneeb had been assembling usernames and passwords—5,400 of them taken from his own company’s network data.
There's the classic article by Matt Ringel and Tom Limoncelli back from 1999:
https://www.usenix.org/legacy/event/lisa99/full_papers/ringe...
Though you'd want to make sure there's no essential information that only this employee knows, because that action might terminate that employee's desire to cooperate with the company.
I've turned off my own access at least three times when being let go from different jobs.
When you are talking about access like they had "make firings as abrupt as possible including terminating all access immediately" not doing this is incompetence. This is absolutely a standard and has to be for these kinds of positions. I've never worked anywhere where it wasn't for the majority of IT staff. You meet with HR, someone clears your desk, and security walks you out.
There is a middle ground, but it requires conscious effort to prop up, support, and maintain over the long haul: off-boarding centers.
I worked for a Big Tech company that actually did this, and it made the transition a lot easier. You could still access corporate resources necessary for the transition (HR, benefits, internal job postings, training offerings, expense reporting, etc), check-in with colleagues 1:1 (who would be warned this person was no longer part of the org, attachments could be blocked to prevent exfil, etc), and still send/receive email internally (though external was blocked by default and required justification).
You can safeguard your corporate infrastructure without actually cutting everything off entirely and sending someone home to stew angrily about it. In fact, there might be (as yet undocumented) advantages to letting folks exist in that transition period on that segmented infrastructure, so as to identify potentially bad actors before they can do harm and see about mending bridges.
Of course all of that requires conscious investment in projects with no clear quarterly/yearly KPIs to measure cost or success against, so most employers will never remotely consider it.
Your last sentence sums it up. I was blown away by the system you described that would allow for such a humane transition through such a difficult time. At least process wise it seems like a good place to work.
You left out the people who enjoy the suffering and pain of the person it is being done to, while they supervise (and film it, in some cases).
> When you are talking about access like they had "make firings as abrupt as possible including terminating all access immediately" not doing this is incompetence.
You're proving my point—employers take the most extreme lesson and it's considered expected practice. They absolutely should have immediately terminated the credentials that granted unilateral access to sensitive databases. (Ideally those would never exist in the first place—there are two-person schemes. A pair of bad actors...well apparently happens according to this article...but is far more unusual.) But employers regularly (but shouldn't) terminate all access including credentials that allow last email to colleagues exchanging personal contact info or something.
For most of my career (over 30 years now) where I've had sufficient access privileges to matter, I've fairly diligently maintained an "Important credentials and access" list, which I've sent to my employer when leaving, strongly advising them of the need for them to disable or rotate those credentials.
This especially includes creds like root or admin level access to AWS/GCP/whatever-cloud-or-hosting-service, and other critical creds like user/password management, domain name registrations, AppleStore and GooglePlay accounts, source code repos, documentation and internal tooling, external services like observability/analytics/crash-tracking. It also keeps a current(ish) list of all clients/projects where I've had any access at all, listing things like API keys, ssh keys and bastion hosts, project or platform admin creds, as well as systems like databases (SQL and KV caches), firewall rules specific to me.
I also try to list anything else I could, if I were a malicious disgruntled ex employee, use to cause grief to the employer or their clients.
I point out in this email that if I were to be rogue, I'd most likely have intentionally left something out or left behind backdoors or timebombs, and while I am not that kind of person and I have not done those things, they owe it to themselves and their clients to have someone else senior and experienced enough to carefully audit everything to ensure I cannot access anything.
I send this from a personal email account, so I still have timestamped records of having sent it. If an ex employer ever gets hacked shortly after I leave, I want evidence I did everything I reasonably could to remind them to lock me out.
(Writing this down reminds me it's been a while since I updated this - I guess that's something I'll need to get on to soon.)
The first option is flipping one switch. The second option is flipping some switches now, and flipping the rest later. Of course the safest (first) option is the correct option from a liability standpoint, which is all a company should operate on since its first responsibility is to protect the company for those that are still there. There's plenty of ways to communicate with ex-colleagues that don't involve company resources or opening the company up to liability.
Yeah I don't see why that's necessary. I'm sure you can always reach out to HR and ask (I have facilitated this in the past, pulling contact lists and phone numbers) but that also gives them ways to exfiltrate data. It's company data. Just think of all the info you have in your inbox. Unless you've managed offboarding for high level IT positions it seems harsh, but the risk is just too high to allow the user to do that stuff themselves.
If you don't trust your people so much, why hire them in the first place?
Looking at it from Europe - it is such a weird inhumane practice.
Someone decided your position is redundant. Okay, shit happens, economic downturn, etc. Then you have extra 3-6 months of work to pass your knowledge, train replacement and document everything.
Sometimes you fire because you trusted them, then they gave reasons to stop. At the company I work at it happened, but the more common way is just getting the info a few weeks later, then working normally till the end date.
> Looking at it from Europe - it is such a weird inhumane practice.
Pretty standard practice in many technology(not just IT) and finance companies in Europe as well.
> If you don't trust your people so much, why to hire them in a first place?
It's not about trust, it's about risk, and most companies operate on liability and risk mitigation. If society ran on trust alone, we wouldn't need contracts, door locks, passwords, IDs, judges, security cameras, jails, police, etc.
You can verify someone's performance at the job interview, you can't verify their trustworthiness, especially once they've learned they lost their job. Even trustworthy people react irrationally once emotions hit, making snap decisions they'll later regret without thinking of the consequences on the spot, and you see innocent people suddenly turn vengeful or violent and break the law (just look at relationship breakups and domestic violence).
You can't predict such reactions, so best to prevent them instead of chasing damages from them later through the court system.
Put yourself in a business owner's position for a minute. Nobody wants to be the "this former employee set my building on fire after I gave his notice, by leaving him in the flammable material warehouse unsupervised, because I wanted to show him that despite the layoff I still trust him".
For some businesses and jobs the trust alone is enough, for other jobs that involve access to sensitive data or money, it's straight to paid garden leave because nobody wants to risk it.
> Then you have extra 3-6 months of work to pass your knowledge, train replacement and document everything.
Yeah, that happens sometimes like for CxOs, managers, execs who get generous golden parachutes/severance packages, but for rank and file workers in the trenches, having to show up to a workplace you know you'll soon lose, for several more months of work till it's finally over, feels like torture unless you're getting a crazy severance package. That's like your wife telling you "honey, I'm divorcing you, but I still want you to live with me for 3-6 more months, and perform your regular duties".
Looking at it from Europe, this definitely also happens. It depends on the situation. I know of people who were kept because the parting was in good faith (which was less a firing and more an agreement that parting is in everyone's interest), but I also know of people who had their access revoked before firing because it wasn't. The latter had unilateral system access as well, which added to it. It's not about humane or inhumane, it's about risk. The 3-6 months being nice is also a fairytale that I have only ever heard in a positive light from employees who are not particularly ambitious or awake or in any way satisfied with their jobs or the prospect of a future job. On the other hand, from the perspective of employers it's consistently hard to effectively restructure, it's expensive and awkward to have to pretend to want to keep someone around that you or they don't want around.
It's just one of these rules that unfortunately in Europe allow people to view life purely as the time between jobs. I'd never tell that to someone's face but it's simply a fact that the world stops if people don't work and no matter what the ideal world looks like in your dreams, working is the only real way forward for anything. It's part of the reason why Europe is falling behind on everything.
Yeah but if your defense against somebody erasing a database is "we remove their access when they're fired" then your defense is garbage.
Like there's so many other attack vectors besides an upset ex-employee.. Like all those articles about NK employees who presumably are trying very hard not to be fired. Or employees using company provided insecure email software leaving them vulnerable to ransomware et al.
I'm talking about off-boarding not general day to day security.
I suppose that's a very powerful way of preventing "accidents" on termination. But isn't that just theatre? I mean - as though termination is the one and only case where an employee with the power to destroy the company gets angry and might do something really stupid?!
It's not theater, it's defense against aggrievement. Termination is a traumatic event that threatens your ability to exist or provide for dependents. People [rightfully] don't handle exile well.
Someone with an interest in scuttling your company could just as easily maintain a low profile and do it at any time. Termination forces execution into a more-predictable timeframe. Once notified, the malevolent only have opportunity to exfiltrate or sabotage whatever they can reach in the time it takes to walk them out the door.
European laws require us to give people something like two months' notice. Even then we don't trust them; we pay them their salary and tell them to stay home.
Having people with that level of access without some form of two-person-control is already a sign of incompetence.
Twins can defeat two-person control (okay I know one of them was locked out).
Maybe they did, but since they were twins...
Last time I was laid off they let me keep my laptop for the rest of the day. I gave it to them immediately to avoid any accusations of sabotage.
Eventually I tried to log into one of my old cloud accounts, to find it was only disabled since 9 days after my layoff. Pretty sloppy.
Last time I resigned, I got to keep the laptop and got to promise I had deleted everything work-related.
There is another thread elsewhere on the first page about low-trust USA.
Sadly, behaviors and expectations converge toward one another.
I work in government. If you think that is incompetence, then I have stories that could make your skin crawl.
I think mature sysadmins accept there's a certain .. bushido to their security-critical role. It is after all their job to respond to security threats, including by revoking credentials, and to recognize that they might fall on the wrong side of that some day.
But things are different both in small companies, and non-US environments where minimum notice periods or redundancy consultations are a thing. You may put people on "gardening leave" where they're still paid but not actually working. Or it may be the case that the sysadmin is the one person who knows and controls a lot of stuff, and the employer has ended up relying on them for a smooth handover. Password and role management for the "root" of things is a real problem.
They do all of that now though...
In the US, they'll terminate your access while you're on the Teams Meeting behind the scenes and if you have any gaps, issues, blips, or smudges in your resume it gets thrown into the recycle bin by some AI agent.
The problem is that it's so challenging to figure out what the person actually has access to. Have they ever done an export with sensitive information that is now sitting on their local machine? Any important clients they are still in contact with over email that they may try to sabotage? Any other creative endeavors you haven't thought through?
The most foolproof way is just to nuke the computer in its entirety.
Privileged access should only be temporary in context of break glass with approval. People can go ballistic with core systems for reasons other than firing.
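As an added example (not from any commenter in this thread), a minimal model of the control this comment and the two-person-control comments above describe: privileged access exists only as a time-boxed break-glass grant approved by two distinct people other than the requester, and offboarding revokes whatever live grants the departing user still holds. The names, resource label and one-hour TTL are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed example: a break-glass ledger in which no one holds standing
# privileged access. A grant becomes active only after two distinct approvers
# (neither of them the requester) sign off, and it expires on its own.
REQUIRED_APPROVALS = 2


@dataclass
class BreakGlassGrant:
    requester: str
    resource: str
    reason: str
    ttl: timedelta
    approvers: set = field(default_factory=set)
    granted_at: Optional[datetime] = None
    revoked: bool = False

    def approve(self, approver: str) -> bool:
        # No unilateral access: the requester cannot approve their own request.
        if approver == self.requester:
            return False
        # A set, so the same identity approving twice still counts once.
        # (The control assumes approvers are independent people; two colluding
        # insiders, as the thread notes, defeat it.)
        self.approvers.add(approver)
        return True

    def activate(self, now: datetime) -> bool:
        if len(self.approvers) < REQUIRED_APPROVALS:
            return False
        self.granted_at = now
        return True

    def is_active(self, now: datetime) -> bool:
        if self.revoked or self.granted_at is None:
            return False
        return now < self.granted_at + self.ttl


class PrivilegedAccessLedger:
    def __init__(self) -> None:
        self.grants: list = []

    def request(self, requester: str, resource: str, reason: str,
                ttl: timedelta = timedelta(hours=1)) -> BreakGlassGrant:
        grant = BreakGlassGrant(requester, resource, reason, ttl)
        self.grants.append(grant)
        return grant

    def has_access(self, user: str, resource: str, now: datetime) -> bool:
        # Access is a property of live grants, never of the account itself.
        return any(g.requester == user and g.resource == resource
                   and g.is_active(now) for g in self.grants)

    def offboard(self, user: str, now: datetime) -> int:
        # Revoke every live grant the departing user holds; expired grants
        # need no action. Returns the number of grants revoked.
        revoked = 0
        for g in self.grants:
            if g.requester == user and g.is_active(now):
                g.revoked = True
                revoked += 1
        return revoked
```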
Nah, give the access to an LLM, what can go wrong?
In an age of malicious agentic AI, this level of access is negligent. A lack of engineering controls preventing this from happening at all means that a simple phishing or supply chain attack could easily have resulted in the same outcome or worse.
I don't think you understand how this works. The second person was hired because the first one whined at his manager until he was hired. Presumably this was part of a whole chain and that would make me understand why “the individuals responsible for hiring the twins are no longer employed by Opexus.” was a good idea.
> Jokes aside, stuff like this sucks because I suspect many employers will take from it the most extreme, dehumanizing lessons, e.g.: (a) make firings [edit: including lay-offs] as abrupt as possible including terminating all access immediately
The employee is always the last to know. This is standard fare.
> a more balanced version: <bunch of weedy ACLs, judgement calls, liability/>
Too complicated and subjective, stinks of more risk.
Also, I don't think it's dehumanizing at all (having been on the receiving end of it way back when during a layoff, and involved in the process more times than I care to count). It's standard practice for involuntary terms at all companies we work with, whether the employee is IT or not. If a company is not doing this already, I'd encourage them to.
> Too complicated and subjective, stinks of more risk.
I actually think there's less risk, because it's not as narrowly focused on what a just-fired employee can do. That's not the only scenario of concern.
> Also, I don't think it's dehumanizing it all (having been on the receiving end of it way back when during a layoff, and involved in the process more times than I care to count).
Interesting. Thanks for the perspective. I've been fortunate enough to not be on the receiving end of a lay-off, knock on wood. It's happened to my teammates/reports though. Wasn't my decision. :-(
Then Opexus fired the one who said it.
Leaving no one to say anything anymore on their behalf.