Welcome to The Long View—where we peruse the news of the week and strip it to the essentials. Let’s work out what really matters.
This week: Wipro fires 300 for moonlighting at competitors, Python has a nasty 15-year-old bug, and companies are finding new ways to lay people off without calling it a “layoff.”
1. Wipro Gets Tough on 2-Jobbers
First up this week: Do you know anyone who secretly works two jobs from home? DevOps-for-hire outfit Wipro is fighting back against the trend.
Analysis: Fair enough, if working for competitors
Wipro’s cracking down on people working a second job on the side. If an employee was also working for, say, HCL, then you can see the point.
Manish Singh: IT services group Wipro fires 300 employees moonlighting for competitors
“Quietly taken up a second job”
Rishad Premji, the chairman of Wipro, which employs more than 250,000 employees in over five dozen nations, said at a conference Wednesday that the company finds moonlighting for competitors an “act of integrity violation. … There is no space for someone to work for Wipro and competitor XYZ.”
[It’s] a practice that has gained momentum across the globe as firms incorporate work-from-home norms. … A growing number of white-collar workers, spanning from tech to banking industries, have quietly taken up a second job … while working from home.
u/Inevitable_Concept36 almost sounds envious:
Getting fired from Wipro is probably a blessing. … This Indian version of a Victorian era British workhouse of a company … don’t want you to work for one of their competitors—like say Infosys or HCL, which equally suck—but they have absolutely no problem with shoving you on multiple end clients, as long as they get paid. [Even] if their end clients are direct competitors, like say if they put you on contract with Toyota and Hyundai at the same time.
I frequently see postings from HCL amongst others, and they seem to do everything that pisses me off and I never want to work with them. … 10 people call/email from that company for the exact same posting, but all with different rates.
It’s nothing new, says backslashdot:
This happened over 20 years ago: … One of the moonlighting people I knew once had a call where his second job’s company had to provide some tech support to his first job and although he wasn’t the lead he had to provide input on the call. His bosses were on the call but he still managed to pull it off such that neither boss caught on. In fact the boss from the first company said he appeared well researched.
2. Python Bug Squeezes 350,000 Projects
A 15-year-old path-traversal bug in Python’s standard tarfile module has been rediscovered, and by one researcher’s estimate more than 350,000 open-source repositories contain code that hits it. The bug is old news, but it was never actually fixed, merely documented.
Analysis: Software supply-chain weak link
You share responsibility for components’ security—you can’t abrogate it. Time to wake up to the fact that this “supply chain” analogy is bunkum. Call it what it is: Code reuse.
Ionut Ilascu: 15-year old Python bug allows code execution in 350k projects
“Rediscovered the bug”
Disclosed in 2007 and tagged as CVE-2007-4559, the security issue never received a patch, the only mitigation provided being a documentation update warning developers about the risk. … Code that uses the un-sanitized tarfile.extract() function or the built-in defaults of tarfile.extractall() [suffers] a path traversal bug that enables an attacker to overwrite arbitrary files.
While there are no reports about the bug being [exploited], it represents a risk in the software supply chain. … Researcher Kasimir Schulz, who rediscovered the bug … found that open-source code vulnerable to CVE-2007-4559 “spans a vast number of industries.” [He] estimates that there are more than 350,000 vulnerable repositories, many of them used by machine learning tools (e.g., GitHub Copilot) that help developers complete a project faster.
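To make the bug concrete, here is an added example of my own (not code from the article, the researcher, or CPython) that builds two small malicious tarballs in memory, shows the default extractall() writing outside the target directory, and then shows a hardened extractor that refuses the same archives. The two payloads are the plain “../” traversal the article describes and the symlink variant (a symlink member pointing out of the tree, followed by a file written through it) that defeats checks done on member names alone before extraction starts. The helper names build_tar, unsafe_extract, safe_extract, run and demo, and the archive contents, are all constructed for this demonstration.

```python
"""CVE-2007-4559 demo: tarfile path traversal and a hardened extractor.
Added example; not code from the cited article or from CPython itself.
The archives below are constructed in memory as sample input."""
import io
import os
import tarfile
import tempfile


def build_tar(entries):
    """Build an in-memory tar. Each entry is (name, data, linkname); a
    non-None linkname makes a symlink member. Names are stored verbatim,
    so '../x' is written as-is (this is the attacker's side of the bug)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def unsafe_extract(tar, dest):
    """The pattern the article warns about: extractall() with defaults.
    Python 3.12+ accepts a `filter` argument; 'fully_trusted' reproduces the
    pre-3.14 default so the traversal is visible on any interpreter."""
    kwargs = {"filter": "fully_trusted"} if hasattr(tarfile, "fully_trusted_filter") else {}
    tar.extractall(dest, **kwargs)


def _inside(root, path):
    """True if `path`, after resolving symlinks and '..', stays under `root`
    (root must already be a realpath)."""
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def safe_extract(tar, dest):
    """Check each member against the real extraction root, then extract it.
    Members are validated one at a time, in archive order, so a symlink
    extracted earlier is already on disk when a later path resolves through it."""
    root = os.path.realpath(dest)
    for m in tar:
        if os.path.isabs(m.name):
            raise ValueError(f"absolute member path: {m.name!r}")
        target = os.path.join(root, m.name)
        if not _inside(root, target):
            raise ValueError(f"path traversal: {m.name!r}")
        if m.issym():
            link = os.path.join(os.path.dirname(target), m.linkname)
            if os.path.isabs(m.linkname) or not _inside(root, link):
                raise ValueError(f"symlink escapes root: {m.name!r} -> {m.linkname!r}")
        elif m.islnk():
            if not _inside(root, os.path.join(root, m.linkname)):
                raise ValueError(f"hardlink escapes root: {m.name!r}")
        elif not (m.isfile() or m.isdir()):
            raise ValueError(f"refusing special member: {m.name!r}")
        # On 3.12+ also apply the stdlib 'data' filter as defence in depth.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extract(m, root, **kwargs)


# Constructed payloads: a plain '../' traversal, the symlink variant, and a
# benign archive to show the hardened extractor still extracts normal content.
DOTDOT = [("../escaped.txt", b"pwned\n", None)]
SYMLINK = [("lnk", None, "../"), ("lnk/escaped2.txt", b"pwned\n", None)]
BENIGN = [("ok/hello.txt", b"hi\n", None)]


def run(extractor, entries):
    """Extract into <tmp>/out and report (raised, escaped, kept), where
    `escaped` means a file landed in <tmp> outside out/."""
    with tempfile.TemporaryDirectory() as parent:
        dest = os.path.join(parent, "out")
        os.mkdir(dest)
        raised = False
        with tarfile.open(fileobj=build_tar(entries), mode="r") as tar:
            try:
                extractor(tar, dest)
            except ValueError:
                raised = True
        escaped = any(os.path.isfile(os.path.join(parent, f))
                      for f in ("escaped.txt", "escaped2.txt"))
        kept = os.path.isfile(os.path.join(dest, "ok", "hello.txt"))
    return raised, escaped, kept


def demo():
    """Outcome matrix for both extractors; each value is (raised, escaped, kept)."""
    return {
        ("unsafe", "dotdot"): run(unsafe_extract, DOTDOT),
        ("unsafe", "symlink"): run(unsafe_extract, SYMLINK),
        ("safe", "dotdot"): run(safe_extract, DOTDOT),
        ("safe", "symlink"): run(safe_extract, SYMLINK),
        ("safe", "benign"): run(safe_extract, BENIGN),
    }


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, outcome)
```

Running it, both malicious archives land a file next to out/ with unsafe_extract, and both are rejected by safe_extract before anything is written, while the benign archive extracts normally. The per-member, resolve-then-extract order is the important design choice: a single upfront pass over member names would accept "lnk/escaped2.txt" because the symlink does not exist yet when the name is checked. Since Python 3.12 (and the 3.8.17, 3.9.17, 3.10.12 and 3.11.4 security releases), tarfile’s extract() and extractall() take a filter argument, and filter="data" refuses absolute paths, "..", and links that leave the tree; in 3.14 that filter became the default. The manual check above is what you need on anything older, which is exactly the code base the 350,000-repository estimate is counting.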
They “fixed” it in the docs? This Anonymous Coward is incensed at the Python team:
“The software does this really dangerous thing to anybody who is even slightly less than completely diligent all the time but it’s not a bug because it’s documented” is an attitude that should have died out decades ago. [Now] we’ve got a dangerous security risk [in] 350,000 individual projects, [even] assuming those projects are being actively maintained.
Do the math. Sadly this attitude seems to show no sign of declining, which is why security needs to remain a discipline distinct from coding.
But it’s the fault of each of the 350,000 consumers—and the consumers of those 350,000—says lrvick:
I do software supply chain security consulting for several high risk companies and largely agree … that we must stop expecting devs to have any responsibility for code they produce. The responsibility is on those that consume it.
If your company chooses to use open source code that does not have capable, paid, full time professionals reviewing it for security and quality, then your company is signing up for that responsibility. If you make no reasonable attempt at vetting your supply chain and harm comes to users as a result, then IMO you should be liable for negligence.
This should not be controversial, but it is. Washing hands in hospitals was once controversial too.
3. Forget Quiet Quitting — Here’s the ‘Lite Layoff’
Remember when I asked last month if it’s 1973 all over again? Meta, Google and others are finding new ways to lay off staff, without using the L-word. It involves forcing people to apply for new jobs internally, but giving them a deadline.
Analysis: Slimmed staffing
Of course, there’s nothing new in euphemisms that disguise layoffs. Let it be a reminder that nobody owes you a job.
Jeff Horwitz, Salvador Rodriguez and Miles Kruppa: Meta and Google Are Cutting Staff. Just Don’t Mention Layoffs
“Being pushed out on a regular basis”
Meta Platforms Inc. … has begun quietly nudging out a significant number of staffers by reorganizing departments and giving affected employees a limited window to apply for other roles. … The moves come after weeks of Meta executives publicly discussing the need for … “ruthless prioritization” … while avoiding use of the word layoffs.
Among some Meta employees, the process of reapplying for jobs within a limited window internally is known as a sort of human-resources purgatory they call the “30 Day List.” … The hustle to get rehired is well under way.
“Realistically, there are probably a bunch of people at the company who shouldn’t be here,” Mr. Zuckerberg said at a company town hall in June. [But] employees and managers say [even] workers with good reputations and strong performance reviews are being pushed out on a regular basis.
But don’t call it a “layoff.” TigerPlish proposes alts:
Time to upcycle old nuggets, such as:
o Reduction In Force (Riffing)
o Optimizing Headcount
o Personnel Realignment
o Reorganize (Re-org)
I can’t keep up. Neither can Michael Hoffmann:
How quickly the clocks have been turned back. Executives everywhere must be clinking their champagne glasses. Only within a few months we went from a changed work reality and the Great Resignation back to, “Work, serf, or be fired to be replaced with another serf who works twice the hours for half the pay.”