You could make the case that "stealing" talent is in terms of targeting hiring people where the training and research costs were footed by someone else.
Then again, as you pointed out, you could also make the case that they weren't properly compensated.
In Moscow, major Asian companies like Samsung, Huawei, LG all have research centers where they hire some of the best science students from top universities, in particular by organizing joint study programs. This seems to be a widespread practice around the world for them, and actually profitable for both students and universities.
Interesting observation about Moscow having a lot of research labs. I never thought to wonder why Moscow had so many but this is an interesting point. What do you mean by joint study program? Can you explain? Also, is there anything that stops top talent from moving to Silicon Valley (or some place else?) after they finish school?
Many top universities here are not like self-contained research universities of the West — they mostly deal with education, and research is conducted at non-educational academic institutions. So, for their Master's work, and maybe earlier, students do research in various organizations that have contracts with the university. These are either academic institutions or commercial research departments or tech companies like Yandex.
As for SV, it’s not that simple, it seems — most emigrants that I know either got a job at something like Swiss Google after building a solid resume here or got into some academic program (PhD or postdoc) abroad.
If I'm not mistaken it should be mostly fine as long as you trust the desktop/phone versions of Bitwarden not to send off the (unhashed) key to the server
The few tickets I've been interested in, their answers have been along those lines. I've mentioned this before, but Bitwarden has been broken in Firefox's private mode, and to this day they're just blaming it on Mozilla for deprecating some APIs due to privacy concerns. Mozilla has given a safer alternative, but they're refusing to fix it. Someone even raised a PR to fix it, but they had some feedback. The PR has since gone stale.
Note also that the bitwarden desktop app has a remote code execution vulnerability that the developers refuse to fix, which means that the developers can, at any time, replace your local copy of the bitwarden desktop app with a different version that could steal all your passwords in exactly the manner you describe.
You can patch the bitwarden client (and also take the opportunity to remove the spyware they have embedded in it, as well), or use a program like LuLu or Little Snitch to block it from communicating with anything but your own selfhosted bitwarden_rs instance.
Do you have more information on this? A link maybe?
EDIT: Never mind, found it - https://github.com/bitwarden/desktop/issues/552. This isn't exactly an RCE. You can say the same about anything. By your logic Microsoft auto-updates are RCE. Same with pacman/apt-get/yum package managers. Same with pretty much anything else.
I'm not saying they're not valid concerns, however, if you're this worried about all of these things, maybe cloud-based software isn't for you.
Just checked, should be available on the self-hosted version as well. [0] And the author of bitwarden_rs seems to be planning to tackle it over the weekend!
Edit: [0] is also a much better source than BBC in this case.
[0] https://www.vice.com/en/article/wx5xpx/hackers-steal-data-el...