
I don’t understand how working from home is relevant to this?

Do people working in offices have IT staff come by to update their laptops? Would people in an office not open this email if they’d do so at home?

When I worked in an office nobody touched my laptop but me.



While in office you're connected to internal network, supposedly within internal domain and IT dept. would have direct access to push updates automatically. When outside you're supposed to connect via a VPN (best case) or communicate via encrypted something (email, ftp etc) but you'll need to enter your credentials somewhere.

Also, please remember, it's not your laptop, it's company's laptop, merely given to you to do your work on it. Anybody within the company with correct credential would have the right to touch that laptop.


> While in office you're connected to internal network

Not all companies do it this way. Many use a clear network and make services encrypted.

> Also, please remember, it's not your laptop

It is if you work for a bring-your-own-device company.


Bring your own device is bad for companies. Any of them using this approach are just begging to have their talent pool drained. If I do work for a company on my own device there is absolutely no difference between my personal research and the company research and in the eyes of the law these companies will always lose if they try to enforce some "secret sauce" to not go to their competition. Wondered why FAANG companies never did this, those that will lick every penny from whatever corner they can? Exactly because they know too well they'll lose badly. Just look at that guy that got bankrupted by Google after he went to Uber - HN had an article a few weeks back.


I wasn't saying it was good or bad, just that some companies do it.


Shouldn't that exactly be appealing to the talent, not having to worry about the company claiming their side projects as their own?

I very often work on my side projects and it is quite an annoyance having to move around with 2 laptops or paranoidly erasing my personal work from company computer.

Also from my experience working at a FAANG-like company they definitely don't seem to lick every penny. We have company laptops because of security reasons, but phones are bring your own which they pay for. Also they pay for WFH office equipment as long as you can reason it makes you more productive or is good for your health. Basically anything that makes you more productive or sustainable they will pay for.


Use a VPN to work on your own server/computer from the company issued device. This way there is no need to keep anything of yours on theirs.


> Any of them using this approach are just begging to have their talent pool drained

citation needed

> FAANG companies never did this

Actually it's allowed in 3 FAANGs that I know of.


> Also, please remember, it's not your laptop, it's company's laptop

Correct.

> Anybody within the company with correct credential would have the right to touch that laptop.

That is only partially correct. In many European countries people enjoy quite some protection also in work life. So in order not to do anything illegal the employer has to carefully control access rights to your PC. And the ones who have access rights cannot do whatever. Reading emails is typically illegal, yes emails on the work account! (Just to mention the legal concepts; of course in today's architecture emails are rarely stored on your PC)

I understand in the US employees enjoy little protection while at work. I could guess video surveillance in the toilets could still be unacceptable. Just to make the point, even if the location, paper and water is paid by the employer and more importantly the time is paid, it shouldn't be like that that the employer controls everything. (Although there have been reports that Amazon warehouse workers in the UK use bottles for their needs, because the employer does not provide for more human arrangements in practice. Some employers are always worse than others and that's why I have stopped ordering from that company.)


Most companies will have a firewall on their corp network so new domains, or malicious-categorized websites will usually be blocked which offers additional protection above working from home. You can obviously use an always-on-VPN for wfh companies, or tools like Cisco Umbrella, ZScaler or Netskope, but many companies haven't done that yet.


Someone at my work (before lockdown) recently avoided a phishing attempt because they turned to their colleague and asked, "Why would the high-rank-officer email me?"


Gitlab is a remote-only company, I don't know why this article is choosing to highlight that fact so much though.


I think there's some sort of anti-work-from-home agenda going on here. It's completely irrelevant to the story. If you were in an office you'd get exactly the same email and presumably respond to it in exactly the same way.


It's relevant to the story because so many people are currently in their first months of WFH so a headline that mentions WFH will be more interesting to them than one that doesn't. Another way to put it would be "WFH pioneer gitlab phished its own staff", nothing wrong with that.


How is it different from the same attack done while you are in the office?


In offices you have the ability to monitor and filter the network connection, so it's plausible to detect and/or prevent the malicious connection after the phish succeeds.



