Can we remove this? While this war is a horrible tragedy, I'm of the opinion that we should not discuss geopolitics on this site unless it's directly impacting the core topics we are all here for.
It’s too soon to know, but this could make 3-year H-1B renewals hugely problematic. That would be a major blow to the program. I was fortunate to get mine in 2014 without a single problem. There’s no way I’d expect someone to get through this process today. And realistically, most companies aren’t going to pay such a large premium just for a typical software engineer.
If the job was easy to effectively outsource, it would have been much cheaper for hiring organizations to outsource years ago rather than bring employees in on H-1Bs before this announcement.
> most companies aren’t going to pay such a large premium just for a typical software engineer.
Isn't that the idea though? Stop companies abusing the H-1B for "regular" staff? It's supposed to be for talent you can't find locally. So "exceptional" would fit, no?
It’s ultimately a numbers game. The more malicious seeds are planted, the higher the likelihood that one of them will be pulled into a real-world build pipeline. Platforms like GitHub, NPM, and other open repositories are ideal staging grounds because very few engineering organizations are willing to block traffic from them. That makes them near-perfect hiding spots for malicious content.
And the asymmetry is stark: attackers only need to succeed once. It takes just a single developer installing a compromised package to trigger a breach with potentially massive downstream consequences. So while I agree that quantifying impact is critical, dismissing large-scale seeding campaigns because “no one might have downloaded it” ignores the risk.
> The more malicious seeds are planted, the higher the likelihood that one of them will be pulled into a real-world build pipeline.
Sure, but you still need to show the impact. Not all "seeds" are equal; that's why we categorize attacks as either opportunistic or targeted (and within that, there's the kind of "lazy" opportunism of package spam versus "motivated" opportunism of trying to trick developers into using a specific compromised package).
(And to be clear, I'm not ignoring the risk here! I believe we can do better about qualifying the risk, which does exist.)
In a world where PR-focused organizations (not saying it's right or that's how it should be, but that 'it do be like it is') actively work to hide breaches on occasion? Should they not publicly success a win and support 'open source' while celebrating a dub, while giving them a sales tool / credibility?
This is a surprisingly common issue. In my day-to-day work, we analyze millions to look for malware, and it’s well-known in the security community that attackers frequently leverage “trusted” websites to host and deliver malware as an evasion tactic.
The technique is so pervasive that I did extensive research on it. In fact, there are several well-funded and widely used applications, some generating millions in revenue, that unknowingly host malware on their infrastructure. In more concerning cases, these platforms are even repurposed as command-and-control servers for data exfiltration. We're increasingly seeing enterprises take the proactive step of blocking traffic to these high-risk domains entirely to strengthen their security posture (e.g. it's completely common to block all traffic from the network to Dropbox or other file hosting services).
It would be very positive for the entire startup ecosystem if this deal goes through. It would also be a strong signal from the new administration about support of our current startup ecosystem.
> To illustrate this in dollar terms, consider an acquihire exit. At 1% of $10 million, the acquihire nets the Founding Engineer around $100,000, enough to buy a nice Tesla. Meanwhile, the founders net $4.8 million, enough to buy a house in Palo Alto, a small yacht, and two nice Teslas.
I stopped reading after this paragraph. Why take advice from an article that presents a delusional scenario about the returns? $100k after tax is good enough for a Model 3.