upvote
Absolutely, but just as it's not ok to enter someone's home just because they forgot to lock the door, it's not ok to exploit access at your old employer because their offboarding process missed something.

I do the same as GP does; I don't want there to be any chance that my former employer has forgotten to revoke access to something, so I make sure to clear out anything that might remain on any device that I don't return to them.

Who knows, maybe another former employee will decide to steal from them around the same time I leave, and me having access credentials on a personal device, even if I haven't used it, might arouse suspicion.

reply
But it's Apple, which is a huge target. Never mind these individuals, you will have China, Russia and other seeking to infiltrate it.

In any top r&d area, one wonders if they perhaps should be searching staff on way out and making then sign out and return CAD drawings etc.

reply
You get trustworthy people by trusting people. Generally when I was there there was a presumption of trust. Given how blatantly the defendants are alleged to have acted, that’s still the case.
reply
> Generally when I was there there was a presumption of trust.

The reality is, there has to be. And, if you can't trust someone then don't work with them.

I was talking to an amazing lawyer/business person I know one day and I asked about writing 'air tight' contracts which would never put you in a position to be screwed. He said something along the lines of, that's impossible. Someone could take you to court and you could still lose even if you think the contract is perfect. What he said next stuck with me over the rest of my career, 'if you truly can't trust someone, no contract will be fool-proof. The solution is simply to not work with or do business with them.'

reply
> You get trustworthy people by trusting people

Huh? Do FBI/CIA/etc run that way?

reply
Do they get trustworthy people?
reply
>it’s also that company’s responsibility

Is it? I mean legally. Obviously it’s dumb of Apple to have left this guys access open, but that doesn’t mean they actually had any legal responsibility to lock him out. As far as I understand, the law is pretty clear that you can’t access anything you’re not allowed to by policy, whether there’s a technical block or not.

reply
While it doesn't apply in this particular case, for healthcare organizations the HIPAA privacy rule implies a legal responsibility to lock out terminated employees from any access to protected health information.
reply
That doesn't absolve an employee (or ex-employee) of the covered entity going about and abusing the access they do have.
reply
> that doesn’t mean they actually had any legal responsibility to lock him out

If the property owner doesn’t make bare minimum effort to protect the property

Then how much effort and money should taxpayer spend to protect and prosecute regarding the same property?

It seems strange to imply that people that own nothing must through their taxes pay for protection of property of the people who do own everything.

reply
Crimes are crimes and must be prosecuted as such.

The phrase for what you’re doing is “victim blaming”. I don’t know what triggers some people to think this way other than a deep desire to find a contrarian take on a situation.

But no, when a person commits a crime the responsibility and accountability for committing that crime is entirely on the person who committed the crime. If you start blaming the victim or downplaying the crime based on the victim’s circumstances, you are backwards.

> It seems strange to imply that people that own nothing must through their taxes pay for protection of property of the people who do own everything

I don’t know what you think you’re implying here, but by the numbers the wealthy and corporations pay significantly more in taxes than the “people who own nothing”. Everyone should get equal protection under the law, ignoring how much they pay in taxes.

All criminals should be afraid of committing crimes equally, because crimes are crimes and society benefits when committing a crime is discouraged.

reply
> Crimes are crimes and must be prosecuted as such.

That would be nice but that is not the current situation, neither my stolen bicycle nor the fraud that caused 2008 had resulted in any arrests. Until such time that all crimes are crimes, it is a valid question.

> by the numbers the wealthy and corporations pay significantly more in taxes than the “people who own nothing”

This statement is highly misleading in three different dimensions:

Firstly, both in UK and in USA individuals pay like 5x more in income tax than corporations pay in tax. So people pay more tax and yet prosecutions against corporations are less than 1% of all prosecutions, that seems questionable.

Secondly, what is the statistics you are citing is actually saying? "Out of the people that declare income to government, those that declare the most income, pay the most tax". That's a bit self-evident, isn't it?

It does not address the claim that wealthiest people don't declare taxable income, and therefore pay little tax.

Thirdly, the measurement needs to be relative, not absolute. The claim "I pay less income tax than Facebook does' is true, but Facebook pays the effective tax rate of about 3%.

reply
Many devices are indeed locked down. But given that it's an OS company and hardware vendor, many employees have access to hardware with e.g. SoC fusing that allows them to install custom-signed firmware. It's very difficult to make an OS lock out the people whose job it is to build the platform that OS depends on.
reply
I once worked at a cybersecurity firm and they had a particularly botched rollout of MDM to Macs (which would regularly put the machine into an undesirable mode of 100% CPU usage plus max out upload bandwidth repeatedly trying and failing to backup the machine to some online backup service). I had work to do, so I simply disabled the MDM profile for the machine, installed an OS to my liking, and restored the apps I wanted to use, and went about things.

A year or so later the company hit hard times and we had a large layoff that affected me, and at the end of the video call, the directory of my department mentioned that they needed to wipe my laptops but it "wasn't showing up in MDM". I said I'd be glad to jump on a call with IT to fix that, but then he mentioned the IT staff were laid off too.

I then suggested I did get hired for my cybersecurity expertise, that I do take my obligations seriously, and he could just ask me to do whatever they were planning to do from the MDM console, and it would get done. He insisted that wouldn't be necessary since in his worldview the MDM was unbreakable and he just needed to reconnect to Wi-Fi or something.

Very amusing worldview. In the real world, where I live, I would assume a highly competent employee could exfiltrate trade secrets without me being able to catch them via standard / automated means. This particular Apple former employee got caught because he bragged about it, not because of technical means to catch him. As I've pointed out to a number of people, the very best DLP solution can be completely obviated by someone aiming a camera at their company-issue workstation's monitor.

reply
> then suggested I did get hired for my cybersecurity expertise, that I do take my obligations seriously, and he could just ask me to do whatever they were planning to do from the MDM console, and it would get done. He insisted that wouldn't be necessary since in his worldview the MDM was unbreakable and he just needed to reconnect to Wi-Fi or something.

> Very amusing worldview.

It’s ironic that you’re displaying the exact behavior pointed out by the GP:

> This is how you behave when you think you're so much smarter than everyone around you that consequences don't apply to you.

MDM is implemented to protect company assets regardless of the actions of the users. It would not be due diligence on the part of the director to trust you to wipe your own device.

It’s not clear to me what the point of your comment is other than illustrating that you’re smarter than your director.

reply
I don't think I'm smarter than everyone else, but instead attribute this to organisational dysfunction. The problem (that went on for weeks) of the default MDM deployed software making some computers unusable was one everyone who got afflicted by it just found workarounds for, and in particular, our incentives were to get our jobs done, not to make sure we continued to allow the MDM deployed stuff to do whatever it wanted that was actively harmful to the company's best interests.

Considering the MDM was not implemented properly (particularly in an environment where one hires cybersecurity professionals, who are more likely than most to be able to figure out workarounds to it), it would actually be much more prudent to hire trustworthy staff who can be trusted not to steal company assets, trade secrets, and so on versus thinking you can conduct a zoom call on said company asset and then fire off a command via the MDM to wipe the laptop when the call is over.

I actually think the director was pretty smart, since he managed to avoid having an extended conversation about the lack of working MDM and ability to follow the procedure in front of the other person on the zoom call. Sometimes it's very important to be able to read between the lines of what someone is telling you.

Relying on remote wipes to secure company data is not a particularly strong plan, either (as this Apple saga should make clear); a determined person would simply be either constantly exfiltrating data, disconnect a machine from the network before it can be wiped, or other various plans (and do so without detection). I should know, since my job duties there were to advise customers on how to move towards a zero trust environment.

reply
I once had work MDM on a Mac just... disappear one day. They definitely didn't intentionally remove it, nor did I do anything to remove it, but one day it just wasn't there. Maybe accidentally removed from the MDM management console for some reason?

Either way, everything still worked exactly as before, just now my Mac wasn't reporting back to the company at all. This went on for over a year until eventually I left the business, handed my laptop in physically and went on my way. I assume they noticed at that point, but before then they apparently had no idea.

I probably should have told someone, but since I hadn't done anything I didn't feel bad about it, and it was a lot easier to get stuff done without the corp stuff breaking everything

reply
See my sibling comment - Apple MDM is, or at least was fragile, and trivial to bypass.
reply
Sounds like the boss's response was not to insist the proper procedure be followed, but to assert that the technology had to work as intended, and as soon as he figured out the issue on _his side_ the standard operating procedure could be followed.
reply
> I then suggested I did get hired for my cybersecurity expertise, that I do take my obligations seriously, and he could just ask me to do whatever they were planning to do from the MDM console, and it would get done. He insisted that wouldn't be necessary since in his worldview the MDM was unbreakable and he just needed to reconnect to Wi-Fi or something.

Which is hilarious. They've fixed (or at least made it more robust), but until at least Ventura, you want to know how to circumvent MDM entirely on Apple Silicon?

Do a fresh install with Internet access. When the machine goes to do the first reboot during the process, null route three hostnames on your router/DNS: deviceenrollment.apple.com, mdmenrollment.apple.com and iprofiles.apple.com.

Complete setup and get logged in.

You can now remove the null routing. Your machine will never phone home again for MDM enrollment. You can upgrade, all the way to Tahoe. No issues.

As of the more recent releases, the installer does do some checks to ensure connectivity to those hosts, that I haven't bothered or needed to try to circumvent... but yeah, the idea of Apple ensuring their MDM to be unbreakable, durable, robust is laughable.

reply
It is NEVER any other persons responsibility to prevent you from commiting crimes. Never.

They MAY make it harder for themselves, but at no point are is anyone required to make sure you're not a criminal.

That's a difference between living in a society that robs you on every step and one where you can leave a laptop on a table in a cafe and it stays there.

reply
In relationships, offloading personal responsibility onto someone else (aka blaming another person for your choices and behaviors and thoughts and actions) is something like projection, blame-shifting, codependency.

This makes any healthy relationship impossible, as no one can be responsible for someone else's decisions and actions.

Many emotionally immature folks appeal to this and use guilt and shame to get another person to believe they are responsible for someone else's emotions & choices. It's textbook toxic.

reply
Um, no. Why would it be their responsibility? There are laws regarding IP theft. If you willingly break them you can't just say "well your security wasn't good enough".
reply
Apple is obviously the victim but prevention is easier than what is happening now, which is potentially going to court, discovery, etc.
reply
There's really no way to prevent an employee from taking a piece of paper or a digital file from one place to another. The most you can prevent is accidental transfer. If they are malicious they will find a way no matter what guardrails you put.
reply
And they can get you for theft, etc, if you do. Sometimes the social and legal controls are far more effective.
reply
[flagged]
reply
Huh? This analogy makes no sense. It’s beside the point anyways.

The utility of laws isn’t in stopping something from occurring, it’s in establishing remedies for when they do. Someone illegally transferred IP to a competitor that had knowledge they were stealing, and now Apple is seeking their remedy.

“They could have prevented it” is victim blaming.

reply
If you leave your house unlocked and someone steals your stuff AND is never caught, you're SOL.
reply
Okay but why assume the latter part? In this case the perps were clearly caught.
reply
what part of "Mr. Tan warns them not to tell Apple that they have taken jobs at OpenAI, so they can stay at Apple as long as they can." did you miss?
reply
[flagged]
reply
Mr Tan was not the one who retained the Apple-issued laptop:

> Liu also failed to return an Apple-issued laptop after his departure.

reply