Gitting out of this lab - director resigns over discrimination policies.

williamcll
13 minutes ago, mr moose said:

 

You seem to have missed the point, their own departments said there was no risk in hiring from china, so when the company refuses to hire from china (for whatever reason) that is called discrimination.   I don't care if people like it or not, actively choosing not to employ someone based only on their location is discrimination.

 

And as leadeater pointed out, artificially reducing your talent pool is not good for a company.

Their own departments might not be privy to information to actually make a valid decision. If their GRC rep is taking that stance it is a little alarming in and of itself. The article posted already seems to have a very firm bias on their opinion.

 

Now all of that aside and you don't have to take my word on it (I encourage everyone to do their own actual research), but there are some very real risks with employing with those countries right now. Some of it is disclosed information, some of it can not be disclosed. Just because you don't hear of an actual war taking place doesn't mean there isn't an active cyber war going on right now every day. China for example steals secrets and then tries to improve on it or just copy it in general. They were able to get aircraft plans for example from our own country and have used that to leap forward their air support capabilities. Russia has used its nation state to mess around with USA elections. Those are just common known incidents that are available to the public. There are many many MANY more that are not available for the public that take a security clearance to get access to and even then only if you are in a position where you need to know it (not many people).

 

These countries can and will demand inside information from people that live there. If they do not provide what is needed they will use their crazy laws to find a reason to either lock you up for life, get the information from you, or end you altogether. There are many documented occurrences of this for anyone that takes the time to look for it.

 

https://threatmap.fortiguard.com/ There are plenty of these. This is just one flavor. Look at the amount of active threats and APTs happening directed at the USA.

1 minute ago, AngryBeaver said:

Their own departments might not be privy to information to actually make a valid decision. If their GRC rep is taking that stance it is a little alarming in and of itself. The article posted already seems to have a very firm bias on their opinion.

That's an assumption. All we know is their own departments who are responsible for risk analysis say it isn't a risk, therefore going against company policy and discriminating is nonsensical. Either dispose of the policy or provide evidence it is a risk.

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  

21 minutes ago, mr moose said:

That's an assumption. All we know is their own departments who are responsible for risk analysis say it isn't a risk, therefore going against company policy and discriminating is nonsensical. Either dispose of the policy or provide evidence it is a risk.

 

Ok, I went back and read the whole dumb article and the reddit article.

 

First, I didn't see a lot of employees saying it wasn't a risk. I saw Cerisi saying it wasn't, but even then her arguments were invalid. She said:

Quote

"This is contradictory. If the concern is the contribution of employees from these regions, could we not find a more moderate solution such as ensuring that the contributions of those employees are vetted before release?"

For example. If you have to spend the money, resources, and time to vet their work, that is ALREADY a big issue. So she is in a way acknowledging their argument at this point.

 

Then if you actually look up what they are doing, they are not making it so no one from those companies can work for them. They are making it so that they don't hire from those countries for roles that come into contact with sensitive information like PII or source code. This is done for the vast majority of companies. You also notice that the government has been leaning on them to do this... more than likely it was Homeland Security. So since they are headquartered in California, which is in the USA, there is a very high likelihood that this was more than just a suggestion.

 

Since she was the Director of GRC she was also the problem. She was probably told she could either adapt the new stance or resign. With the venom she is using to speak out on this I am pretty sure that was the case.

 

Oh wow. This gets even more weird. I looked her up on LinkedIn and noticed she was a 2nd level contact. We actually share some contacts and I have even met her in person at a conference before. So let me clarify. Her background is not in security; she is more of a legal consultant that helps guide compliance to employment and workforce laws. She is not familiar with the threat landscape, unfortunately. So looking at that I can see why she feels that way and takes that stance, but in the end I don't think she was properly informed on the risks... if she had been, then her stance on this wouldn't be in the company's best interest.

 

So no one claims I am making it up....

8 minutes ago, AngryBeaver said:

Ok, I went back and read the whole dumb article and the reddit article.

 

First, I didn't see a lot of employees saying it wasn't a risk. I saw Cerisi saying it wasn't, but even then her arguments were invalid. She said:

For example. If you have to spend the money, resources, and time to vet their work, that is ALREADY a big issue. So she is in a way acknowledging their argument at this point.

 

Then if you actually look up what they are doing, they are not making it so no one from those companies can work for them. They are making it so that they don't hire from those countries for roles that come into contact with sensitive information like PII or source code. This is done for the vast majority of companies. You also notice that the government has been leaning on them to do this... more than likely it was Homeland Security. So since they are headquartered in California, which is in the USA, there is a very high likelihood that this was more than just a suggestion.

 

Since she was the Director of GRC she was also the problem. She was probably told she could either adapt the new stance or resign. With the venom she is using to speak out on this I am pretty sure that was the case.

 

Oh wow. This gets even more weird. I looked her up on LinkedIn and noticed she was a 2nd level contact. We actually share some contacts and I have even met her in person at a conference before. So let me clarify. Her background is not in security; she is more of a legal consultant that helps guide compliance to employment and workforce laws. She is not familiar with the threat landscape, unfortunately. So looking at that I can see why she feels that way and takes that stance, but in the end I don't think she was properly informed on the risks... if she had been, then her stance on this wouldn't be in the company's best interest.

 

So no one claims I am making it up....

Again, if the issue is security then change policies; if it isn't, then explain why it is being used to sidestep the policies.

 

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  

1 hour ago, mr moose said:

Again, you first have to prove that in GitLab's position the security issues are higher in those countries than the US. The documents linked in the OP claim that is not the case. So first we must show why that is not true before we can use it as reasoning in the argument.

Security issues in terms of hackers is not greater in those countries. Security issues in terms of the government suborning the employee themselves is orders of magnitude greater than in other countries.

3 minutes ago, ravenshrike said:

Security issues in terms of hackers is not greater in those countries. Security issues in terms of the government suborning the employee themselves is orders of magnitude greater than in other countries.

That still doesn't change the internal analysis that the risk was the same as in the US.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  

4 hours ago, mr moose said:

That still doesn't change the internal analysis that the risk was the same as in the US.

Do tell how they quantified that risk.

10 minutes ago, ravenshrike said:

Do tell how they quantified that risk.

Why?

 

It is not possible for you or I or anyone outside of that company to be able to know how they concluded what they did. So until proof surfaces that their own risk assessments are wrong, it is an assumption to claim they are.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  

15 hours ago, elfensky said:

(•_•)  I guess they were...
( •_•)>⌐□-□
(⌐□_□) Outfoxed.

I'm not sure I understand the issue.

So GitLab is a completely work-from-home company, so there are no offices and people just remote into a server from home, is that correct, and they are against people from China and Russia having access to their servers?

I mean, I can see how that can seem discriminatory, but even I find that to be a fairly reasonable and understandable policy. It's one thing to hire a Russian or Chinese person in the US; there's much less potential risk there, as he or she has a citizenship and a life, and given the person moved away, probably doesn't love his home country all that much.
Meanwhile, having someone from those places have remote/admin access makes it much easier to get a mole in. All they have to do is fake their own country's documentation.

I completely understand both GitLab's and GitLab's enterprise customers' reasons for doing so. It's not so much hackers in the "lone blackhat" sense that they seem wary of; it's major intellectual property theft on a governmental level. At least that's what I feel like.

 

Based on history, it's a risk to hire Chinese personnel outside of China as well. There have been plenty of incidents where the person in question (a person from China) did in fact steal proprietary information and then vanished back to China, where they either sold that information to the government or to some local corporation.

 

This is discrimination, but it's discrimination that makes sense to some extent. China is known for being an extreme violator of intellectual property laws.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs

Well, she has a point.

13 hours ago, mr moose said:

It's not a matter of security in this case though; that's the whole point of it being a problem.

bUt ChInA bAd

12 hours ago, leadeater said:

Well the solution is actually simple, tear up the company anti discrimination policies and stop flying that flag. It's only actually an issue if you claim to be and act differently.

I would say it's an issue on its own merit, anti-discrimination policies aren't something you just get to have or not have depending on your mood and pretend it's all the same.

12 hours ago, amdorintel said:

Besides, it's better to hire within their own country!

And why is that?

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*
