> So much this. It's not news this is a thing, it's a problem of cost -- if there is no way to remotely id a person, a remote company has to pay for a flight ticket and is at a disadvantage compared to a competitor who hires locally when it comes to hiring costs.
As long as the fully loaded ongoing cost of remote workers is lower than the fully loaded cost of in-person workers, you'll still come out ahead to send people an airplane ticket, hotel room, and meals. And long term I fully expect remote hiring/identity validation as a service companies to emerge.
Anybody can sue anybody, and this someone in your example would likely have standing, so why not?
A single person self-representing against a company that is essentially one of the largest law firms on the planet, and can outspend them tens of thousands of times over - what's to be gained?
> That does not mean there aren't serious drawbacks that are more worth pointing out such as why bother with a very complex and noisy backdoor when you can just covertly create enough nodes to do traffic correlation.
To be fair, the Tor Project is monitoring new nodes, so it would need to be done slowly over time. Still, it's the biggest threat to the network, hence everybody should consider running no/low-risk guard and middle nodes.
Some of the prior works in this paper[0] address noise in anonymity networks, but in general: you either add noise at the link level which malicious nodes can identify & ignore, or you add noise by injecting fake chaff packets that are dropped somewhere inside the network which are statistically identified when you look at packet density across the network.
This might or might not extend to VPN nodes depending on your threat model - I'd personally assume every single node offered to me by a company in exchange for money is malicious if I was concerned about privacy.
The threat actor most people use to talk about this is a global passive adversary: a threat actor who can see all relevant traffic on the Internet but who can't decrypt or adjust the traffic.
This adversary would have the ability to ingest massive amounts of data and metadata[0] it acquires from tier 1 ISPs all over the country[1] and the world[2]. They'll not see raw HTTP traffic because most everything of interest is encrypted, but can store and capture (time, srcip, srcport, dstip, dstport, bytes).
From there, it's a statistical attack: user A sent 700 kilobytes to a VPN service at time t; at t+epsilon the VPN connected to bad site B and sent 700 kilobytes+epsilon packets. Capture enough packet flows that span the user, the VPN, and the bad site and you can build statistical confidence that user A is interacting with bad site B, even with the presence of a VPN.
This could go other directions too. If bad site B is a Tor hidden site whose admin gets captured by the FBI and turns over access, they'll be unmasking in reverse – I got packets from Tor relay A, which relay sent packets at time-epsilon to it, (...), to the source.
There's very little you can do to fight this kind of adversary. Adding hops and layers (VPN + VPN, Tor, Tor + VPN, etc.) can only make it harder. It's certainly an expensive attack both in terms of time consumption, storage, and it requires massive amounts of data, but if your threat model includes a global passive adversary, game over.
I'm bearish on introducing noise[0] to resist traffic analysis, and I'm exceptionally bearish when the only layer managing noise injection is "a for-profit entity that can be legally compelled to do things".
But every layer helps; I'd feel more than happy torrenting over Mullvad alone, and I'd definitely use it as an additional layer of defense with other tools to keep me private if my threat model needed to consider stronger risks.
Synchronous packet transfer only solves the problem if you build a truly constant-rate network. Traffic monitoring works when variances exist; your flow has to be fully homogeneous to be provably secure against it. That means in your model your users would need to transmit and receive exactly 96kbps at all times when on net, and your nodes would talk to each other at 1024kbps at all times when on net. Otherwise, consider A->onion1->onion2->B – an attacker could potentially see the flow from onion1->onion2 decrease to 1 PPS when A isn't talking, and increase when A is.
Truly constant-rate anonymity networks dramatically add resistance to passive traffic analysis, but they move users from a low-latency/high-throughput network to 56k dialup speeds :) Not only does this suck so most people won't use it, but the people who do choose to use it will glow neon bright to adversaries. The use of the system will be a strong indicator that, even if you don't know what the user is doing, the user is doing _something_ interesting.
And even if there was desire, these networks are intrinsically limited in size and scale if they want to maintain constant rate. Herbivore[0] is an interesting proposal in this space - use a DC-net partitioned into smaller cliques to give in-group anonymity but mass participation. And most use chaff packets – A has nothing to send so sends encrypted random data to maintain the constant rate guarantee... I'm trying to find the paper I read that suggests a global passive adversary who goes "hands on" in the network could use a combination of watermarks generated through packet dropping/artificial queues + knowledge of which packets are chaff to build a trace, but I'm struggling. If I do I'll drop it here.
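A toy model of the onion1->onion2 link from the comment above, added here as an illustration and not code from the thread. It shows why a link only stops tracking user A's on/off pattern when it is padded to a truly constant rate; the packet counts, background traffic and burst pattern are all constructed.

```python
# Added example (not from the thread): per-slot packet counts an observer
# sees on the onion1->onion2 link, with and without chaff padding.
# All numbers are constructed for illustration.
from statistics import mean

ACTIVE_PPS = 12      # assumed packets per slot user A emits while talking


def link_rate(activity, background, pad_to=None, floor_only=False):
    """Return per-slot packet counts an observer sees on onion1->onion2.

    activity   : list of 0/1 per time slot, 1 = A is sending
    background : packets per slot from other users sharing the link
    pad_to     : if set, nodes emit chaff so every slot carries exactly
                 pad_to packets (true constant-rate link; any excess real
                 traffic is assumed queued into later slots)
    floor_only : with pad_to, chaff only tops the slot up to pad_to, so
                 bursts above the floor still show through
    """
    observed = []
    for a, bg in zip(activity, background):
        real = bg + (ACTIVE_PPS if a else 0)
        if pad_to is None:
            observed.append(real)                 # no padding at all
        elif floor_only:
            observed.append(max(real, pad_to))    # partial padding
        else:
            observed.append(pad_to)               # constant rate
    return observed


def pearson(xs, ys):
    """Correlation between two equal-length series; 0.0 when one side has
    no variance (a constant link gives the observer nothing to correlate)."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / (sxx * syy) ** 0.5


# Constructed sample: A talks in bursts, other users add mild jitter.
ACTIVITY = [1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0]
BACKGROUND = [5, 6, 5, 4, 6, 5, 5, 4, 6, 5, 6, 5]


def activity_leak(pad_to=None, floor_only=False):
    """How strongly the observed link rate tracks A's on/off pattern
    (1.0 = perfectly, 0.0 = not at all)."""
    return pearson(ACTIVITY, link_rate(ACTIVITY, BACKGROUND, pad_to, floor_only))


if __name__ == "__main__":
    print("no padding        :", round(activity_leak(), 3))
    print("floor padding (10):", round(activity_leak(10, floor_only=True), 3))
    print("constant rate (20):", round(activity_leak(20), 3))
```

Padding only up to a floor that A's bursts exceed leaks almost as much as no padding; only the constant-rate variant removes the signal.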
If your main complaint is product bad, yet you personally buy products you have no real need for, the meme is true. Stop telling everyone else how making unnecessary things is evil if you are the person buying them. It's like complaining about consumerism next to your funko-pop wall.
Their negative feedback consists of stating the obvious, with such gems as the economy makes things that go to waste, and the economy should make happiness, instead of products. They are stating blatantly obvious things. Yeah, everyone wishes things didn't go to waste. Everyone wishes they were happier. Say something new or stop being a hypocrite; pick one to be taken seriously.
"They" are not always stating that which is obvious to everyone. "They" are usually suggesting better ways and these ways are often enough based on engineering and science. What is put on the front page of media is, of course, the obvious, the nonsense, the sensational, the clickbait.
You don't have to say something new to a younger generation if that younger generation hasn't understood or even heard the old, the obvious, yet.
Youngsters might have heard some of it but their brains are often high enough on punched drugs (food and drink and media) that fuck with their brains to make them think 'I don't care', 'People don't care', 'nobody cares' ... and then there are the 'media-sigmas and cool kids' who sing that shit in choirs and canons.
A lot of things go to waste and yet there is tons of useful stuff coming out of recycling and up-cycling and that's just two methods with a very small "margin" and undeveloped.
There are those design and architecture blogs and firms and there is cool shit all the time and wonderful projects everywhere but the pointlessness of the over-engineered financial reasoning behind yearly sursurpluspluses is stacked against that.
You don't catch and bring a culprit to justice if you drop the investigation, which might have to circle long enough for some other brain or pair of eyes to find the final puzzle piece.
And not everyone wishes they were happier.
There's enough to criticize about anarchist, leftist critiques and groups and collectives as well, though, just as much exploitation of youth, gullibility and pain and crisis, and problems, really, but not systemically.
And there's that fallacy, something ad hominem, I think, so we should focus on what is said and written and, if obvious but unsolved, get to the bottom of it instead of saying "I don't care", "nobody cares", "human nature in the 21st post marketing psychology and decades of punched food, drink, drugs, meds and media century"
And this investigation consists mostly of just repeating the same thing over and over again? Acting like work or having to put in real effort to survive is some new invention is stupid and incorrect. To live fairly, you must work. To pretend otherwise is foolish. Once again, say something new or give a new way to solve this "problem". This anti-work bs is stupid and has been stupid for all of time, in all of the many forms it has taken.
Ironically, the first two panels in this comic are themselves a meme, i.e., a sort of lampshading. It is of course at least a little bit hypocritical to use your iPhone to post about how terrible Apple is. The second two panels are just strawmen.
Taking a valid and correct observation and then strawmanning it with a crappy comic strip does not turn it into an invalid and incorrect observation.
The whole article above reminds me of when my brother went through his "I don't know why everybody works. They are so stupid" phase in late teens. Except this guy never grew out of it and he is now 30-something.
Stuff like this:
> Poverty is not an objective condition, but a relationship produced by unequal distribution of resources. There’s no such thing as poverty in societies in which people share everything.
The problem with this line of thinking is the line of thinking of "poverty exists because rich people exist". It treats the economy as a zero-sum game where wealth is determined by access to natural resources and capital. That in order for some people to be rich, they need to restrict access to those productive and natural resources, thus condemning others to poverty.
A better way to think of poverty is 'privation'. Humanity has struggled against privation for as long as humanity has existed.
The natural state of humanity isn't being rich. When everybody had equal access to everything and there was no private property... It was true that everybody was equally wealthy, but they were also impoverished. It just meant that they were equally likely to die from what we would consider now a minor injury or inconvenient disease. It meant that you could starve to death if you badly twisted your ankle or broke your arm.
Poverty is the default. Anything else is an improvement.
It took 10s of thousands of years of struggle and fighting and dying to get to the point where large percentages of the population dying from communicable diseases and starvation wasn't considered a normal cyclical thing that was simply part of the natural order.
This wasn't that long ago.
We are still at the tail end of the moral panic of "People are no longer dying off faster than they can reproduce in the cities. How are we going to feed all these people? Are they not just going to descend onto the fields and consume the world like locusts?" (which is ironically reflected in some of the statements in the above article)
Now I am all for a person who doesn't want to exist as a cog in the corporate machine. I am also on the side of the person who is willing to accept a lower income in exchange for pursuing better personal relationships or gaming or art or whatever. Great. Go for it. You have only one life; live how you want to. If you don't need to put in the government-imposed standard of a 40 hour work week... then by all means don't.
But if somebody writes a small book with the premise of "everybody in the world is an idiot except me"... then I have a pretty good idea on the odds of that statement being true. (hint: they are not good)
> If you don't like the modern world, stop being a hypocrite make the first move and throw away the computer and go live in the woods.
You, with derision:
> Taking a valid and correct observation and then strawmanning it with a crappy comic strip does not turn it into an invalid and incorrect observation.
> The whole article above reminds me of when my brother went through his "I don't know why everybody works. They are so stupid" phase in late teens. Except this guy never grew out of it and he is now 30-something.
So... Is it okay to decide to change on a personal level to not work or does that make you a dingus like your brother?
The whole point is that we have achieved insane productivity without the commensurate increase in quality of life and leisure due to the idiotic status quo.
> But if somebody writes a small book with the premise of "everybody in the world is an idiot except me"... then I have a pretty good idea on the odds of that statement being true.
I've only recently started using AI, and have discovered my use or rejection of it is predicated on my feelings for the task. This argument of "authenticity" really resonates.
I'm a manager, so when I'm sending emails to a customer or talking with one of my reports, I care deeply - so you might get some overwrought florid prose, but it's my overwrought florid prose.
On the other hand, I have to lead a weekly meeting that exists solely to provide evidence for compliance reasons, something out of the CIA's sabotage field manual that David Graeber has probably written about. But is now a thirty second exercise in uploading a transcript to ChatGPT, prompting for three evidentiary bulletpoints, and pasting the output in a wiki no human will ever read.
I was thinking about the authenticity of my writing earlier this week and wondering why I have no problem accepting code from an AI and committing it, but I find the idea of passing off an AI's writing as my own feels not just wrong, but immoral on the level of purposeful plagiarism. I feel a distinct difference, but I'm not particularly clear why. I'm okay with sharing AI writing, but only when I've clearly communicated it was written by AI.
Probably related to why I can copy a piece of code from elsewhere (with sufficient work to verify it does what I expect and only what I expect) but I don't copy a quote and use it as my own. My words are my words. My code doesn't have the same guarantee.
Code uses a simplified set of instructions to instruct a computer to do things. Hopefully these instructions can be understood and maintained by a human.
Writing uses the entire breadth of human language to convey information between human beings with unique and complex understandings of the universe. If those words come from a machine that is not you - that is not someone - you ought to disclose it.
It's probably because communication is a complex dance between humans, where you're constantly signaling that you're part of some group with the other person. Think of any profession or team, where members share common ways of speaking: jargon, inside jokes, terms of art, terms of endearment, etc. It's useful for cohesion, trust, and efficiency because you're assured that the person you're talking to is indeed "one of us."
If you use an AI to communicate, then you either fail to mimic those group membership signals and you look like an idiot. Or you succeed and show that a machine can fool humans at this game. Any grifter can come along and establish trust in a group by relying on this tech. This dance that humans have been doing since the dawn of time suddenly breaks down, and that doesn't feel good.
That's also what I do. I hand-write every email because these words have my name under them. On the other hand, if I'm asking the tax office to issue a specific document, I let AI handle it.
I wonder how people feel about "dumber" tools like hemingway.app that make mechanical suggestions for readability like suggesting simple synonyms and highlighting sentences that are too long. I've used it for writing documents that were important and I knew a lot of people would read.
Squint enough and you'll see a cellphone consists of two primary chipsets: a main SOC/stack that runs the operating system, and a modem/software stack that pushes cell packets. Power the phone down and you (may) fully shut down the OS/processor; you likely aren't powering down the modem.
"Near a user" is also a big assumption. I'm ~200 miles to ORD and ~500 to IAD, but my ISP's peering & upstream arrangements mean Cloudflare serves my traffic 700 miles from DFW.
But, at the same time: Cloudflare isn't going to serve me a cache from Seattle, Manchester, or Tokyo. Pinning down an unknown Signal user to even a rough geographic location is an important bit of metadata that could combine to unmask an individual. Neat attack!
It's also quite insidious as you don't need to control anything on any server to get this information; as long as you can get your target to load a unique URL never before loaded by anyone else, you can simply later poll it with an unauthenticated HTTP GET from different locations, and find which one reports a Cloudflare HIT (or, even if they hid that information, finding the one that returns with lower latency).
If you're allowing user uploaded content, and you use Cloudflare as a CDN, you could mitigate and provide your users with plausible deniability by prefetching each uploaded URL from random data centers. But, of course, that's going to make your Cloudflare bill that much more expensive.
Cloudflare could allow security-sensitive clients to hide the cache-hit header and add randomized latency upon a cache hit, but the latter protection would also be expensive in how many connections must be kept alive longer than they otherwise would. Don't do anything on a personal device or account if you want your datacenter to be hidden!
Pre-fetching also becomes an issue for apps that are meant to be e2e encrypted, since it requires the server to download (read) every attachment. But if the app is already caching the attachment then they’re effectively reading it anyway.
(EDIT: Apparently signal e2e encrypts images prior to upload, so pre-fetching the encrypted blob from one or multiple servers would in fact be a mitigation of this attack.)
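A toy model of the cache-location oracle and the mitigations discussed in the posts above, added here as an illustration and not code from the thread or from Cloudflare. The data center names, the 20 ms / 150 ms latencies and the HIT/MISS/HIDDEN status values are assumptions; nothing contacts a real CDN. It shows why hiding the cache-status header alone still leaks through latency, and what prefetching the (already end-to-end encrypted) blob into extra data centers buys.

```python
# Added example (not from the thread): a toy CDN whose per-DC caches leak
# which DC first fetched an attachment, plus the two mitigations discussed
# above. All names, latencies and status strings are constructed.
import random

DATACENTERS = ["DFW", "ORD", "IAD", "SEA", "MAN", "NRT"]  # constructed list
EDGE_MS, ORIGIN_MS = 20, 150   # assumed edge RTT and edge->origin fetch cost


class ToyCDN:
    def __init__(self, hide_hit_header=False, hit_jitter_ms=0, seed=0):
        self.cache = {dc: set() for dc in DATACENTERS}
        self.hide_hit_header = hide_hit_header   # mitigation 1: no HIT/MISS
        self.hit_jitter_ms = hit_jitter_ms       # mitigation 1b: pad HIT latency
        self.rng = random.Random(seed)

    def get(self, dc, url):
        """Serve url from dc; returns (status, latency_ms) as a client sees it."""
        hit = url in self.cache[dc]
        self.cache[dc].add(url)                  # a MISS populates this DC
        latency = EDGE_MS if hit else EDGE_MS + ORIGIN_MS
        if hit and self.hit_jitter_ms:
            latency += self.rng.randint(0, self.hit_jitter_ms)
        if self.hide_hit_header:
            status = "HIDDEN"
        else:
            status = "HIT" if hit else "MISS"
        return status, latency

    def prefetch(self, url, k):
        """Mitigation 2 from the thread: the service warms k random DCs with
        the encrypted blob before the recipient's client ever loads it."""
        for dc in self.rng.sample(DATACENTERS, k):
            self.get(dc, url)


def probe_candidates(cdn, url, threshold_ms=EDGE_MS + ORIGIN_MS // 2):
    """What a prober learns by fetching url once from every DC: the set of
    DCs that already held it, judged by the header or, if that is hidden,
    by whether the response came back faster than an origin fetch."""
    candidates = set()
    for dc in DATACENTERS:
        status, latency = cdn.get(dc, url)
        if status == "HIT" or (status == "HIDDEN" and latency < threshold_ms):
            candidates.add(dc)
    return candidates


def scenario(hide_header=False, jitter=0, prefetch_k=0, seed=1):
    """Recipient auto-loads the attachment from its home DC (assumed DFW);
    return the DCs a later prober would attribute to the recipient."""
    cdn = ToyCDN(hide_header, jitter, seed)
    url = "https://cdn.example/attachments/constructed-unique-id"
    if prefetch_k:
        cdn.prefetch(url, prefetch_k)
    cdn.get("DFW", url)
    return probe_candidates(cdn, url)


if __name__ == "__main__":
    print("no mitigation     :", sorted(scenario()))
    print("header hidden     :", sorted(scenario(hide_header=True)))
    print("prefetch 3 DCs    :", sorted(scenario(prefetch_k=3)))
    print("prefetch all DCs  :", sorted(scenario(prefetch_k=len(DATACENTERS))))
```

Hiding the header changes nothing while HIT responses stay measurably faster; prefetching into all DCs removes the signal entirely, and partial prefetching leaves the recipient's DC hidden among the warmed ones.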
I do wonder if Telegram is as invulnerable as the author assumes. They might not be using Cloudflare for caching, or even HTTP, but the basic elements of this attack might still work. You’d just need to modify the “teleport” aspect of it.
Telegram doesn't use local CDNs for caching. All users are associated with one of about five Telegram DCs, and upload files to their local DC. If a file was uploaded by a user on another DC, users connect to it temporarily to download the file.
The DC that a user is associated with is exposed by the API - you don't need to get them to upload a file to discover it - but it's so broad that it's not much of a deanonymizing signal. (Knowing that your target is in DC1, for example, just means that they're probably somewhere in North or South America. Or that they registered using a phone number that said they were.)
> Going forward uploaded content should never go through Cloudflare and it never really needed to.
The problem in this case isn't cloudflare. The problem is that these images load without the user's interaction and the person sending it gets to choose if it's cloudflare or not. So your statement within this context doesn't really work.
The person receiving it chooses to download images or whatever automatically though.
I dunno, I'd still say the problem is at least 50% cloudflare. Why should they make which datacenters have a resource cached be obvious public knowledge? I do agree though, one could still end up inferring this information noisily by sending an attachment, waiting a while, and then somehow querying a lot of DCs and trying to infer times to see if it's cached or not.
Personally, I've never been a fan about so many things like URLs being so public. I get the benefits of things like CDNs and what not and the odds of guessing a snowflake value and what not, but still...all attachments in Discord are public. If you have a URL, you have the attachment. And they're not the only ones with this kind of access model.
Isn’t that because the URL parameters are so long that by design they effectively _are_ the password protection for the resource? They shouldn’t be able to ‘leak’ to unintended recipients.
Personally, like you I’m also not a huge fan of this, but URLs like that basically should be treated as the passwords. Don’t post them publicly / don’t give them out to people you don’t trust.
There's a part of me that's fine with it for a short-lived URL which contains a temporary access key but for a forever URL with a forever access key I'm not entirely happy with it.
I use it to share memes and shitpost but definitely not something to share sensitive content IMO.
For signal then the issue becomes saving who owns what image (so that you can re-issue “passwords”) and THAT is much more dangerous to the users than simply allowing users to grab semi-anonymous links into their cdn with enough of a url to be nearly impossible to iterate through every combination without hitting tons of rate limits. (Ignoring this location cache timing issue.)
Edit: Actually... (in signal's case) it might be possible to provide the user's device 2 tokens, 1 to access the url and 1 to issue new access links. Then the user can request a new access link with their second token when their url access token expires. Signatures would help prevent it from needing to be stored in the database. It would be interesting to try.
Edit2: Also I am now curious... does this mean only text messages are e2ee? yikes.
My main gripe is that if someone finds a vulnerability that gives you a list of urls the model falls apart. I’ve seen this happen in organisations :/
But agree with your statement here and others about the lifetime of the data - if something is sensitive or secret you want proper access controls applied, not just openssl rand -hex 8
Note that CF will also route relative to the sites' plan. Enterprise sites are almost always routed to the closest DC, while if that DC is overloaded then lower tier websites, typically just Free sites, will get routed elsewhere (I suppose this is achieved via different anycast ranges where a specific DC is excluded). Although Discord, Signal, etc are almost certainly Enterprise sites.
I doubt how useful it would be as an attack. As a single point of info it tells you next to nothing. As part of a composition of other indicators it would be the weak link in the chain, probably just causing noise for the not unlikely scenario where the person you're targeting is using a VPN.
If it was any less specific we'd be talking about a deanonymization attack that outs whether or not a target is still on Earth.
Oh, this attack would be a useful tool for e.g., identifying whistleblowers that travel a lot (e.g., in academia, military). If you know their Signal ID, you could send them images from time to time and then compare their coarse locations with travel information for a number of suspects.
I believe they'd have to accept the chat request before any images would be loaded?
Looking at the app options it seems to be possible to disable media auto-download entirely; there are tickboxes for Images/Audio/Video/Documents via Mobile Data/Wi-Fi/Roaming.
Yes, I agree. This attack won't work on competent / paranoid people. What I had in mind when writing the comment: a whistleblower who wants to inform the press about illegal practices in their company and installed Signal to communicate anonymously with journalists. Somehow, a detective working for the company got their Signal ID and contacted them, impersonating a journalist.
> not unlikely scenario where the person you're targeting is using a VPN
Do you think a large proportion of Signal users also use VPNs? I'd expect it would be a higher proportion than the general population but still only a small minority.
Being 'interesting' doesn't make you more likely to understand VPNs and opsec. I expect it makes you more likely to try, but there's a good chance of doing it ineffectively.
I disagree, it does significantly increase the likeliness. Like having cancer makes you significantly more likely to know a lot of medical facts about cancer.
If you fear for your life you are much more likely to have spent time researching how to protect yourself digitally.
There's a lot of nonsense too. In another HN thread, someone was explaining to me that email is more secure than Signal, and desktops more secure than phones - and they had a link to someone's blog to prove it.
That's a HN reader. For the non-technical, it is a minefield.
for "normal people", that's a pain, but with enough resources,...
Although, it has edge use cases even for "normal people":
E.g., you suspect your coworker of catfishing you on, e.g., Discord; you know that he's in your city now, verify, then wait for him to leave for a vacation somewhere abroad, check again.
This is actually pretty smart, and shows that this exploit could be chained with other information to identify a specific individual. This could also be used to e.g. check which world-travelling reporter is communicating with you.
It's not an edge case. Using multiple sources of information to paint a more complete picture is the norm. That's how marketing profiles work, for example.
Cloudflare does serve me from France. When I'm in Australia. (My ISP bought some IP addresses that were originally regional to France, back in the early 90s.)
So though this does have implications, the assumptions they utilise, like always, are not universal.
> The second mistake they made is assume that companies would prioritize being lean and trimming the mediocre & bottom 5%. There are other considerations, combined productivity is more important than having individual superstars working on the shiniest features.
I'll add a perverse incentive too that I've talked about elsewhere – hiring is a goddamn mess right now.
If I trim the bottom 5% of my org (in my case, 2-3 engineers), I may not get a backfill for them. Or I'll have to drop their level from L5->L4 to make finance happy, or hire overseas or convert a FTE to a contractor.
I also have to be ready for the potential of RIFs happening, which means having an instantly identifiable bottom 5% puts me at the advantage of being ready when my boss says "give me your names".
So the time value of a staffed engineer is way higher right now than it might be in a few months. It'll never be zero, because proactively managing people out makes all of our managers happy. But for now, I definitely need my low performers.
I think the value of low performers becomes much more obvious when you separate out the concept of a toxic employee. Toxic employees hurt the team or organization whether low performing or high performing, and with rare exceptions it’s almost always worth getting rid of them. Toxic employees are the people getting into arguments and conflicts all the time, dragging others down constantly. Or they’re the managers who cause attrition or can’t retain their team or lie to their peers and own leadership until it catches up to them, often dramatically.
However, low performers are not always toxic. Often, low performers are just kind of lazy, or they take longer than they should to finish their work, or they take too long to reply to emails or messages, or their work needs extra review and checks and balances, or they are only capable of delivering on a relatively small set of fairly simple tasks, or they just want to work on the same part of the same product forever and can’t emotionally handle change, or …
Non-toxic low performers can be great because they’ll often do the unglamorous work for you for relatively low pay, and all you have to do is not bother them too much. The worst thing you can do with non-toxic low performers is try to force them into high performers. It won’t work, because they’re either not capable or they just don’t care. For some people, their work just isn’t that important to them, and there’s nothing you can do to change their perception of the relative importance of their job to the other aspects of their life. What might look like low performance in a corporate environment can just be someone setting boundaries and refusing to let work infringe too much on their personal life.
This is a great point. Toxicity is entirely orthogonal to performance. And you rarely have to worry about toxic low performers: if you're unlucky enough to hire them, they don't stay around for long.
But toxic top performers are IME one of the biggest challenges a manager will have to deal with. You have to root them out the moment they land in an organization because given enough time they'll push out the non-toxic top performers, leaving you with a toxic asshole and a bunch of flunkies. And you have to convince everyone outside the team that yes, they get things done, but they're enough of an asshole that you'd rather risk hiring someone to deliver less but also destroy less.
All this reminds me of the quote attributed to everyone under the sun (Clausewitz, various US civil war generals, Omar Bradley, you name 'em) but apparently was said by Kurt von Hammerstein-Equord[0]
> There are clever, hardworking, stupid, and lazy officers. Usually two characteristics are combined. Some are clever and hardworking; their place is the General Staff. The next ones are stupid and lazy; they make up 90 percent of every army and are suited to routine duties. Anyone who is both clever and lazy is qualified for the highest leadership duties, because he possesses the mental clarity and strength of nerve necessary for difficult decisions. One must beware of anyone who is both stupid and hardworking; he must not be entrusted with any responsibility because he will always only cause damage.
For leaders, Kurt von Hammerstein-Equord's advice reigns supreme. The diligent idiot is always the biggest threat, and the stupid and lazy are awesome as long as they stay in their lane.
> What might look like low performance in a corporate environment can just be someone setting boundaries and refusing to let work infringe too much on their personal life.
Another is poor fit between the employee and the job. One of the lowest performers in a role can sometimes be great in another because they do/don’t care about clean code, long hours, spelling / grammar issues, minor aesthetic issues, minor bugs, speed, etc etc.
The universally perfect employee basically doesn’t exist as much as organizations want everybody to be interchangeable cogs.
Or the fit between employee and manager. I've come into many teams where the employee on a PIP went to being one of my best performers while those I was given the ravest reviews for were just mediocre under me. Or even just cultural. I had to change how I managed/my expectations as I moved positions around the country or when offshore teams were brought on.
I agree with your shocking premise that people are not machines and expand it to include that they are also not numbers in a spreadsheet or HR system.
> What might look like low performance in a corporate environment can just be someone setting boundaries and refusing to let work infringe too much on their personal life.
After killing myself at a FAANG because it was what was expected (to my mental health detriment), I have exactly this attitude since. At the end of the day, I'm done. I'm gone. I don't care. Even while I'm there, I'm only doing the amount outlined in the job and nothing extra. When I have a task to complete, I do my best to do it well. But I also don't care and don't sweat making sure it's perfect.
This has worked out great. I think I do a good enough job to be viewed as pretty good at what I do. That's good enough for me. I don't want advancement. I don't want more responsibility. Just give me a cost-of-living bump every year and we're good.
This exactly! Everyone should find the bare minimum which does not get you fired and just do that - nothing more. Salaried employees just don’t grasp the simple truth that putting in more than bare-minimum-required-to-keep-the-job is absolute waste which only benefits the employer. If I have no equity or vested interest in the company’s success - this is the way!
> Toxic employees hurt the team or organization whether low performing or high performing, and with rare exceptions it’s almost always worth getting rid of them. Toxic employees are the people getting into arguments and conflicts all the time, dragging others down constantly.
Often such people have good arguments, they are just vocal about them and not the "docile" kind of people. For example the great engineer who is willing to fight to keep the code well-architected and clean.
Of course managers hate this kind of "non-docile" employee, and thus invent terms like "toxic" to be capable of bullying (and perhaps having a "socially accepted" reason for firing) them.
> they take too long to reply to emails or messages, or their work needs extra review and checks and balances, or they are only capable of delivering on a relatively small set of fairly simple tasks, or they just want to work on the same part of the same product forever and can’t emotionally handle change
As someone on the ASD spectrum, who has struggled in the workplace, I resemble that remark! I found my coding job to be ok before the app was converted to be web-based, then found it to be death by a 1000 distractions as I became more senior and found the web project to be too messy, too many checkins of bad code by the overseas team, team too big, etc. Anyone have tips to help someone like me?
Talking about a "toxic person" is starting on an ontological track that is deprived of any possible way to make everyone satisfied. Instead it’s possible to think about toxic behavior. Now, maybe a behavior is so deeply enshrined in a person that abrogating it is out of reach for the social organization that is considering this person’s behavior as a source of nuisance. But this is not necessarily the case and maybe there are options to help the person change and become part of a more harmonious social structure.
Using an "isolate poor performers" and "excellent beings" approach has well-known backfire consequences that history largely documents.
Lazy employees are most of the time unmotivated for whatever reasons. Either it’s the work they do or it’s just very hard to motivate such people. Slow employees may be too risk-averse so they go slowly, or they don’t know to seek out better ways to do things.
I think one should be careful with the word toxic. I’ve seen every manner of dishonesty and unscrupulousness and in some cases outright sociopathy and I’ve seen all these things done with an eye to optics: the right language, the right audience, the right timing to present stuff somewhere between “unsavory” and “fraud” in a fashionable light. This is locally non-toxic in the sense that it is unlikely to ruin the financials next quarter. It’s globally toxic in the sense that it’ll just kill your company over years or sometimes decades.
I’ve seen aspy nerds be the squeaky wheel (and very often be correct) in the long tradition of neuroatypical people who care more about an ideal than about fashionable niceties that fluctuate like hemlines called toxic way more often over the last few years. This is locally toxic in the sense that it can be temporarily disruptive until either the problem gets fixed or the aspy nerd gets fixed. But it’s in no way globally toxic: it never kills your business unless it’s one of two founders, and often saves your business from getting hit by an asteroid when the subject matter changes abruptly. Back when there was real competition at the apex of the software business you were cooked without those people around.
5-10 years ago Elon Musk was so popular in SV that people were buying up Teslas and posting every SpaceX launch and all but naming their kids after him. Today he’s anathema in huge parts of the Valley culture. Same guy, same behavior really. Good or bad? Eh, I don’t know, seems complicated.
Palmer Luckey was forced out of Meta for giving like eight grand to a conservative PAC, today he’s the darling of everyone with a family office.
Linux was built by a Linus that would call people “fucking brain damaged” on LKML, he’s mellowed but he built one of the longest-running and most successful engineering artifacts in all of human affairs acting in the “locally toxic, globally enlightened” mode.
The thing is that bad behavior at scale, bad behavior with real, lasting, irreversible consequences is almost never called toxic. This is the globally toxic behavior of those with power.
Transient words are routinely called toxic. This is the locally toxic, globally enlightened behavior of those with little.
This doesn’t seem like a word we use in a way that is either practically useful or morally sound.
You’re naive. God bless you for not encountering one of these people.
People like this are masters at working the system and will make everyone around them miserable. They crave attention and love to wield power.
The most toxic person I can think of spent most of his career broadly filing complaints for various forms of discrimination, which insulated him from accountability because any attempt to fire him would be seen as retaliation. His parting shot was to call the FBI and accuse a coworker of trading illicit porn on his work computer.
...what? It's not a claim to be falsified, it's a hyperbolic metaphor. I don't particularly like it either as it's been thrown around so much as to have lost much of its meaning (like "gaslighting", "gatekeeping", "narcissistic", etc.) but it's absolutely a thing. If you call a coworker who doesn't perform while falsely accusing you of incompetence in public Slack channels "toxic" then everybody knows exactly what you mean.
> I'll add a perverse incentive too that I've talked about elsewhere – hiring is a goddamn mess right now.
Not to take away from any of your points...
But this statement has been made every year for as long as I've been in the industry (about twenty years). I suspect it's been made much before that too.
There isn’t a way to fix it, a new hire is always an unknown factor by definition. And if you aren’t FAANG, people usually aren’t lining up at your door to work for you, so you have to make do with what you get.
Pair that with the fact that the new hire won’t reach full productivity until at least 6 months in, it’s always going to be messy.
>a new hire is always an unknown factor by definition.
sure, that's why the entire hiring factor is an industry comprised of HR, recruiters, and hiring managers. you're supposed to minimize the odds of a bad hire. Similar to any other business that is an unknown factor until you do research.
Life's all about dealing with known and unknown unknowns.
>And if you aren’t FAANG, people usually aren’t lining up at your door to work for you, so you have to make do with what you get.
Not in this current economy. That's part of the frustration with the current market. Everyone is lining up, few are getting hired, but hey it's okay unemployment is low and the economy is great!
>Pair that with the fact that the new hire won’t reach full productivity until at least 6 months in
well that's also mitigatable. Make your process public and let candidates study your tools and process. But that will never happen because it's more important to hide your process from competitors than to get qualified candidates to ramp up quicker.
Just as a curiosity, are those 2-3 people "underperformers" or simply "Not as high performers"? In an org that size I can imagine everyone pulls their weight, but there will simply be others who are inevitably more productive for a variety of reasons.
>hiring is a goddamn mess right now.
Any insight you can give on why? I know enough from the hirees end, but how's it on the other side?
The vast majority of underperformers I've managed are people who are less motivated to perform, less technically skilled, not aligned to the team, have different values, etc. Almost always the answer is to keep them around and try to squeeze what value you can get. One engineer I have really values on-call firefighting which is great, except my entire org is aligned around avoiding that. I'm getting value out of him by letting him do the firefighting he likes, but ensuring he drives the postmortem process so we can avoid fires in the future.
At the end of the day, all I care about is getting an acceptable level of output compared to pay from an employee who knows the business and isn't particularly fussy. So I'll try to find the path to get low performers upskilled, find what interests them, or find another role in the company that fits & do some horse trading. Or I'll let them coast and replace them when it's easier for me to hire.
>> hiring is a goddamn mess right now.
> Any insight you can give on why? I know enough from the hirees end, but how's it on the other side?
Someone smarter than me might know the true answer. I've heard three compelling arguments:
* tons of companies were irrationally exuberant and overhired, cut roles, and now we're seeing the impact of those workers looking for new work
* increasing shareholder greed means running a threadbare team and driving the company into the ground is better than staffing appropriately if it means next quarter looks good
* most companies are big dumb herd animals and hey, if the big guys are downsizing, so should we
But even though the market is saturated, profitability is now king, so if I'm going to hire someone I need to have a compelling answer to finance saying "how does this new role guarantee us ROI?"
All I really know and can see is the knock-on effect: I posted the same role in 2022 and last month. In 2022, I had to recruit like crazy, to the point that I had external vendors placing below-average employees at above-average salaries. Last month I had the pleasure of sifting through 700 applications, and plenty were "pass: overqualified, won't stick around".
So it seems there are tons of people out there competing for fewer roles.
FYI: I assume RIF means "reduction in force" (involuntary layoffs).
From the view of senior management (and yours), would these layoffs adversely harm your business model or profitability? If the answer is no, then layoffs are probably the economically correct decision. (Of course, there are many other factors to consider.)
> But for now, I definitely need my low performers.
Firing people if you can't get backfill is illogical, obviously. Once a company institutes a hiring freeze, low performers get locked in until forced layoffs. You'll see some people stop working and start job searching because they know that any contribution they make at all is better for their manager than having them fired.
However, deliberately keeping low performers around as a buffer becomes a self-own on a longer time horizon. Smart managers will negotiate hiring exceptions to replace a low performer now rather than keep that headcount occupied for safety. Yes, it's frustrating to have to lay off a good performer, but it's more frustrating for everyone to have a poor performer dragging the team down for some invisible game of chess that goes on for potentially years without resolution.
> However, deliberately keeping low performers around as a buffer becomes a self-own on a longer time horizon. Smart managers will negotiate hiring exceptions to replace a low performer now rather than keep that headcount occupied for safety.
This is a "the times are good" play, and it can absolutely work. But the real trick is understanding
> Once a company institutes a hiring freeze
that if you as a manager are reacting here, the die is already cast. There are plenty of unofficial "we're frozen but aren't saying it out loud" moves I & peers in other companies are seeing right now: downleveling, additional approval gates added to slow things down to a more favorable time, you name it.
Yes, over a long enough time horizon ballast will weigh down the boat, but theta is on my side right now.