Hacker News: barlo's comments

This certainly could be uncomfortable for Musk.


He'll just use it as more evidence that the people he laid off deserved to be laid off.


Laid off would imply that they could be rehired at some point... let's just call it what it is... mass firings.


That is not what the terms mean. Firing implies let go for cause and laid off implies it wasn’t for cause. Being laid off doesn’t imply you could be rehired, perhaps you are thinking of the term “furloughed”.


These terms have accepted meanings and I looked it up just to be sure.

"Being fired means that the company ended your employment for reasons specific to you. Getting laid off means that the company eliminated your position for strategic or financial reasons and not through any fault of yours."


It's somewhat a generational thing.

"Laid off" didn't really come into common use until the late 80's and early 90's when companies started caring about the PR hit from firing lots of people all at once. Think steel companies and car companies and coal mining companies.

Before that, you got "fired" whether it was your fault, or not. If you were lucky, your company specified you were "fired without cause," but that wasn't always expected.

In the 70's, my mother lost her job when an entire hotel was closed down. She wasn't "laid off." She was "fired." Although she called it "shit-canned."

I recently came across another term for it that they used in the 1940's, before "fired," but I can't remember it right now.


Are you saying that when “laid off” began being used 30-40 years ago it implied you’d be rehired? Because that’s the claim being made above about the current meaning of the term.

Edit: Wikipedia agrees that this is a generational difference and the term laid off used to imply it was temporary. Today I learned…

https://en.m.wikipedia.org/wiki/Layoff


That is correct.

"Laid off" meant you could collect unemployment for a while, and might be called back when conditions changed.

Like how coal miners would be "laid off" when the price of coal went down, but be called back when the price went back up.


That’s a simple and elegant solution. I believe this is much like how threads prefixed ‘Ask HN’ already work, too?


Oracle has this in some (all?) of their new postings:

> This is a remote/office based position which may be performed anywhere in the United States except for within the state of Colorado.


Man, fuck Oracle. For a lot of reasons, but this one too.


The credit reporting triopoly in the US really needs to be looked at, and likely restructured in some fashion. Three private enterprises should not have this much control over a consumer’s ability to interact with the economy.


As always, call and write your legislators and the CFPB. Regulatory bodies and legislation are the only ways such disenfranchisement get fixed.

In this person’s case, they should’ve reported Chase’s actions to their state’s attorney general, their state’s financial services regulatory body, the CFPB, the OCC, and the Federal Reserve, in order to generate a robust and comprehensive paper trail. Sometimes, this resolves an issue when compliance becomes aware a paper trail has been started. Failing that, it’s easier to hand over reference and case tracking numbers to legislators to reference and obtain documentation directly versus your own complaint package.

Also, just don’t use Chase. They’re a garbage too-big-to-fail institution. Lots of better banks out there, but also don’t report security vulnerabilities yourself for your banking relationships. Provide them to an arms-length third party to report them who can’t be impacted by retaliatory behavior.

(advice provided from personal experiences)


Full disclosure I work for TransUnion, but the following are my own thoughts.

Yes, there are 3 companies that aggregate your credit information. However, the scores used by lenders are generated by 1 company, FICO. All TransUnion, Equifax, and Experian do is receive your credit information from lenders (lenders can choose which bureaus they report to) and make FICO scores available for lenders to purchase. As someone else mentioned, the lenders chose this. Lenders decided that they wanted to know what people’s lending history was with other lenders before they would be willing to lend. Obviously if a lender looks at your full credit report they get more info, but plenty of lenders have decided to set internal rules where if your score doesn’t meet a certain threshold they don’t bother looking at the rest of your report. There are states that have started proposing legislation limiting what credit checks can be used for (such as not being able to use them as a requirement for renting an apartment). But honestly, unless lenders either stop caring about your credit history or they are told they can’t check it, there isn’t really anything to be done.

There is one alternative that might help from a credit score standpoint: in Canada, the CreditVision scoring algorithm is used instead of the FICO score. From what I understand, CreditVision is a more sophisticated algorithm that weights trending data more, so it helps people who are improving their credit have a higher score sooner. From what I understand, Canada moved to it because it is supposed to be more fair than what they were using previously.


> However, the scores used by lenders are generated by 1 company, FICO.

I’m pretty sure all the big financial institutions also calculate their own scores. I can see it when I login to BoA, Chase, Citi, etc.

https://www.consumerfinance.gov/ask-cfpb/what-is-a-credit-sc...

> Keep in mind there is no “one” credit score. It is important to know that you do not have just “one” credit score and there are many credit scores available to you as well as to lenders. Any credit score depends on the data used to calculate it, and may differ depending on the scoring model, the source of your credit history, the type of loan product, and even the day when it was calculated.

Edit: It looks like the government might mandate FICO scores for taxpayer funded home mortgages:

https://www.experian.com/blogs/ask-experian/which-credit-sco...

> When you apply for a mortgage, lenders will generally request all three of your credit reports (one from each credit bureau) and a FICO® Score based on each report. However, the type of FICO® Scores they request are often older versions, due to guidelines set by government-backed mortgage companies Fannie Mae or Freddie Mac.

> There are exceptions, though. Mortgage lenders could use different credit scoring models for loans that aren't secured or bought by Fannie Mae or Freddie Mac. You might even be able to get a mortgage if you don't have a credit history or score at all.


FICO has multiple scoring models https://www.myfico.com/credit-education/credit-scores/fico-s... and the majority of scores used by lenders are these scores.

The scores you see when you log into those institutions are whatever is written into the contract with whichever bureau they pay to provide consumer credit monitoring. For Mint, Amex, CapitalOne and others it is a VantageScore 3 score provided by TransUnion. I thought I had previously seen a warning on a site that provided VantageScore 3 scores that they were just for educational purposes, but currently I’m just seeing disclosures similar to the one you quoted above. So yes, you are right that there are other scoring algorithms, but I believe FICO is still the one used by most lenders. Even if large financial institutions don’t generate their own scores, they still have a copy of your credit report to use to make more detailed decisions. That is how you can have an incredibly high credit score and have a bank or a car dealership tell you that you don’t have enough lines of credit to qualify for the loan you want.


>I’m pretty sure all the big financial institutions also calculate their own scores. I can see it when I login to BoA, Chase, Citi, etc.

When I log into my Wells Fargo account, I get a FICO 9 Score from Experian data. When I log into my Citibank account, I get a FICO Bankcard 8 Score from Equifax data. When I log into my PenFed account I get a FICO 9 Score from Equifax data.

The single common denominator is FICO.


The amount of control those three agencies have over consumers is overrated. I've lived my whole life with terrible credit (starting when I bought a shirt for my first job at Nordstrom's and screwed up the credit card thing), and apart from it being very difficult to get a credit card (amusingly, my bank wouldn't issue one to me even as the proceeds from the sale of my company were sitting in my checking account), it's had practically no impact at all.

I was for the first half of my adult life a renter and never once had a problem getting a lease; I bought a condo in Chicago, then later a house in Ann Arbor, and then a house in Chicagoland where I am now; again, no credit-score-related problems. I've been able to rent cars. Buying things on credit has been the only sticking point --- and I don't understand why people do that.


> apart from it being very difficult to get a credit card (amusingly, my bank wouldn't issue one to me even as the proceeds from the sale of my company were sitting in my checking account)

Not even a secured card?


I ultimately ended up getting a secured card, just so I could rent cars from more car rental places; that card, presumably still secured, is my only credit card. I don't understand credit cards, at all.


Uhh. Credit cards are pretty simple. For virtually no cost you get consolidated billing, easy access to credit, fraud protection & ~2% rebates.

That the consumer bureaus get to decide who gets access to these benefits is something we all should be concerned with.


I don't get "easy access to credit" with debit cards. Which is the part I don't understand! There have been many periods in my adult life where cash flow has been a significant problem for me and my family, but it has never even occurred to me to use revolving credit as part of a solution to those problems.

I'm not litigating whether unequal access to financial products is a bad thing. Inequity is a bad thing. We're on the same page there.

But when discussions like this come up and people imply that a bad credit score is somehow life-changing --- that just doesn't connect with my life experience? Like I definitely didn't come up rough or anything, but I feel like to the extent that there's value in access to these particular financial products, I'm well within the cohort of people who would perceive that value. And... I just don't get it? Like: a debit card from a good bank has actually pretty solid fraud protection? And lack of access to 2% rewards doesn't seem life changing?

I have never understood credit cards.


> There have been many periods in my adult life where cash flow has been a significant problem for me and my family, but it has never even occurred to me to use revolving credit as part of a solution to those problems.

I don't support paying interest on credit card bills either, but some cards come with a "0% on balances for ~12 months" welcome offer [1], which might help a little if cash flow is tight, but the borrower knows that some income will be guaranteed in the coming months.

[1] https://www.cnbc.com/select/best-zero-interest-credit-cards/


The lenders choose it. There's nothing stopping you or anyone else from opening a new lender that doesn't use these databases.

I used to lend on Prosper specifically to help people avoid this system - but it's important to remember that the whole thing is opt-in.


To be fair, your credit score is completely irrelevant for everyday financial transactions.


Day to day, there is Chexsystems, which is a whole ordeal. If you get on their naughty list, you will have trouble opening a bank account at all.

At my level of income, I am not really concerned; I have enough buffer that all my transactions can shake out no problem. At lower incomes, consumers are very sensitive to transactions settling too fast or too slow. A bill is due on the same day as payroll? Probably a 50% chance to collect either an overdraft fee or a late bill fee, and you have no control over it. Get enough of those and your only resort will be fee-laden prepaid cards or cash-only.

Almost 2/3rds of Americans are 'paycheck to paycheck'. Do not scoff at this. Access to simple electronic payments needs to be equitable.


At least in the US, if you are unable to get a credit card due to having a bad credit score or no credit record at all, it certainly matters in that you miss out on rewards. Cash back of 1-5% is not nothing over a long enough time, and the folks paying with cash or debit are indirectly financing the rewards for the credit card users.

Per my understanding, these sorts of rewards programs don't really exist in other countries though.


It sounded like OP experienced the drop because they had to get new cards. But once they have new cards, the score doesn't matter anymore. That's why I usually don't get the obsession over credit scores.


There is almost no reason to be obsessed over credit scores themselves. However, if one is interested in obtaining credit in the future, they should maintain a good history of re-paying debts (such as student loans, auto loans, home loans, revolving credit card balances, etc).

Obviously, if you’re a lender and someone comes up to you and you know nothing about their history of repaying debts, you would ascribe them a higher risk than someone who does have a history of repaying debts.

There are a few other factors that could cause you to look riskier, so it also makes sense to not go out and get an auto loan and sign up for a few credit cards before applying for a home loan, since now that you just borrowed a bunch of money, you’re a higher risk, and hence will pay a higher interest rate.


You could have a thousand credit rating agencies, and if they all use the same data and the same model, they'll all give the same scores.

I don't see how having more of them really helps; nor how having (say) the government operate the service would help.


Build a decentralized version. If it was built on blockchain you could: 1) save the original agreement in IPFS; 2) encode the payment terms into a smart contract; 3) record all payments on the blockchain as proof of payment. This could all be abstracted from user.


How does any of that help though? All you have done is move the existing system to blockchain. But if creditors still want to pull FICO scores to determine if someone is suitable it will still be the same result. Also the ability for information to fall off your credit report over time or for hard inquiries to be grouped together is a feature not a bug. If you went with a blockchain approach that bankruptcy from 11 years ago will always be on your report but with the current system it isn’t there because it is no longer determined to be relevant.


Following the Adobe playbook?


I think the Reddit and guest blog post part of this are pretty well-known and even heavily advertised, even directly on Google Ads.

Try searching for 'buy reddit upvotes' and you'll get ads for services that do exactly what you're talking about.


Yeah I get e-mails every once in a while on a (non tech) website I run asking if we can do a guest post for money. It's a common advertising program I'm sure.


I'm a huge fan of MikroTik. The RB4011 is fantastic router at the price point and even has a 10G SFP+ port. Great hardware.

The configuration UI isn't the best, but they also have a full scriptable CLI that isn't too bad. Huge feature set. I just wish they would move the newest version (7) along quicker in development.


Big fan of MikroTik myself, but the scripting language can be pretty finicky and has a somewhat steep learning curve. I won't claim I've mastered it, but after a couple of months of working with it, I still feel handicapped by the syntax, quirks, and general lack of usability.

For example, this is how I'm finding the subnet mask from a string like "192.168.1.0/24" in a script I recently wrote (I think I got this from a forum post, but I can't find it anymore.)

# Takes a CIDR string like "192.168.1.0/24" as $1, picks the prefix length after the "/",
# converts it to a number with :tonum, and shifts the all-ones address left to get the mask.
:local mask do={ :return (255.255.255.255 << (32 - [:tonum [:pick $1 ([:find $1 "/"] + 1) [:len $1]]])) }


Thanks for this!

As an aside, they have a terrible UI/UX for this - it's probably on purpose. They could have easily put all of those permissions on a single page.


IMO, the UI/UX isn't too bad (not great either). The per-line thing makes sense if you have multiple individuals on the account and want to opt in (I've never heard of such people, just saying). The toggles are straightforward although this is a rank lower in UX compared to the standard email "unsubscribe" pages, IMO. The more egregious thing is this is opt-out instead of opt-in ... probably something we need legislation to solve.


APIs appear down, as well.


> "Another downside," our source added, "is that some clients block Trello which can be really disappointing after you've just built a big board together."

Why is Trello being blocked?


Some industries have regulations that require specific controls, audit logs, and security for any of their data. When employees use uncontrolled 3rd-party tools, they’re inevitably putting some of that controlled data into uncontrolled systems. This can open the company up to massive fines or leave them vulnerable in the case of legal action, so they go ahead and block unapproved project management sites, communication tools, and so on.

Never work in a heavily regulated industry if this type of thing bothers you, because it exists at every level of those companies.


The part that bothers me the most about this is that our app has all of the certifications and controls that they would need - they just don't know that. SOC 2/3, ISOs, FedRAMP, etc (trello.com/security). But as you point out, you have to get it approved and that requires navigating a lot of internal roadblocks.


I think you misunderstand the roadblock. Especially for any higher security like FedRAMP, it is up to the FedRAMP-certified holder to vet and have a very solid understanding of that remote service or system they are using at a moderate to deep level. Most sec people will do enough research to know if the service provider is at least an immediate no or not, but even if they are same-or-better FedRAMP level you still need to document them in your SSP (a system security plan for your whole org from HR to Engineering). This also doesn't prevent the situation that you then need to do a deep dive with this other organization to find out how FedRAMP their FedRAMP program is, because more often than not organizations hide a lot of skeletons on what features/services are actually FedRAMP and what are features they intend to have FedRAMP 6-10 months from now.

Then you have to keep on them forever, and stay apprised of features people would like you to use but aren't FedRAMP appropriate yet or do not have appropriate controls. I think you would be surprised how many SaaS providers really don't meet the muster under scrutiny, or your engineering teams are trying to use features that just haven't been brought into compliance yet. For example, the number of times I have had to use https://aws.amazon.com/compliance/services-in-scope/ (click the FedRAMP tab) as a hammer is extremely high. Then you get on the phone with AWS and you find out that only a certain subset of the service that meets their FedRAMP do not provide adequate controls for your usage of the service. There's a lot of defer to vendor and defer to user games being played by both sides and you have to go line by line and figure out who is responsible for what. More often than not the service's people that are catering to the customer are not appropriately educated too, so there's layers of escalations by a security team just to get someone who can answer security questions accurately.

So no, a security person can only see from most organizations that you tried to attest to some of these random certifications, but that doesn't mean I have an accurate map of how I'm supposed to meet my compliance goals with your stuff.

(This is not aimed at any one provider in particular, just my personal feelings on where this 'internal roadblock' argument falls apart).


We have blocked Trello accounts in our org, mainly because SSO and enforced 2FA were locked behind Trello Enterprise. The department that wanted to use it couldn't get budget approval for that plan, which leaves no alternative but to block it.

(And as I understand it, Trello Enterprise doesn't even get you SSO without paying additionally for Atlassian Access? The website seems to be inconsistent on this point.)

We have teams that would definitely like to use Trello, but $4200/month as the minimum tier was too much.


It's the other way around. You only need to buy Atlassian Access to get the SSO + enforced 2FA for your Trello (and also any other Atlassian product) users.

Trello Enterprise (optionally) would secure your content (i.e. attachment restrictions, power-up restrictions, token restrictions, audit logs, team management).


That doesn't appear to be what the website says: https://trello.com/en-GB/enterprise

"Exclusive Enterprise Features: [..] SAML SSO via Atlassian Access"

Similarly, on the pricing page: https://trello.com/pricing - it lists "SAML SSO via Atlassian Access" only on the Enterprise column.


I'm sorry it's confusing. It's trying to say that SAML SSO is provided via Atlassian Access - but you don't need to buy Enterprise to buy Atlassian Access - it's a totally separate product (and does not require Enterprise). We are in transition right now (formerly SSO was provided by Enterprise) and so our final pricing page isn't quite where it needs to be.


It’s not just about having the right certifications and controls. Any approved app has to be worked into the system, included in audits, reviewed periodically, and so on.

It becomes overhead for the teams involved in maintaining security and compliance. The cost of that overhead is likely several orders of magnitude higher than Trello’s relatively simple monthly fee.

If the whole company goes in on Trello, that’s one thing, but jumping through the hoops to get and maintain approval for a small number of people just isn’t worth it. That’s why the behemoth, everything-to-everyone tools dominate at heavily regulated companies.


Trello is fantastic on the personal end, would love to have an AWS GovCloud offering. So many projects tired of using over-complicated JIRA and Github/Gitlab Issues are not enough... Alas we are stuck using Wekan as a shoddy drop-in for now.


We were significantly more productive with Trello as our project management tool (and this was way before, when checklists were a major new feature) than anything since. We’ve tried all the major ones.

Unfortunately Trello did not satisfy management because it didn’t easily give them metrics that serve little to no purpose other than changing the team’s incentives from encouraging a great product to meeting metric targets.


We have some things coming out this year in this area but in the meantime, check this out: https://bluecatreports.com/


My experience at large companies is that you have some team who is responsible for securely using third-party software. Making sure that it actually authenticates right so that only employees can see it, that sort of thing. This team doesn’t want to support literally every SaaS application in the world, so they try to choose one supported application per category. Pick either Dropbox or Box, don’t use both of them. Etc.


But... "after you've just built a big board together."

"together" meaning with the client... How did you do that if it was never approved in the first place? Or maybe they just realized they never should have done it?

It was a pretty confusing and vague quote, at least to me.


Maybe security? Bigger Companies don't trust external tools much and prefer to hold their data inhouse. But this reads a bit out of context to me. There might be something more to it.


Speaking as someone involved in this, Shadow IT is a nightmare.

Users will sign up for Dropbox accounts, share the credentials with others in the company, disable MFA and then load it full of confidential data. Users will do things like using personal email addresses for apps that become critical to business processes, then quit without transferring the account.

Additionally as a European company, we are bound by the GDPR to know where confidential data is being stored and processed, to have assessed any third parties and put them in our data processing agreements.

Consequently we end up in this situation of having to be the bad guys, blocking otherwise useful sites with proxies/CASBs to save users from doing dangerous things.

Web app developers could do a lot to help security departments but I suspect they intentionally don't because they perceive that it would harm adoption.


In my experience users generally do this when their computers are locked down and IT departments are not responsive enough to meet their needs in a timely fashion. It's a paradoxical case of more restrictions making things less secure.


Unfortunately user expectations tend to be that they want the account set up immediately, and anything beyond that and someone will try and circumvent it.

It doesn't help that SaaS companies tend to put the things required for security (OIDC, mandatory 2FA, organisation support, sharing restrictions) on the expensive enterprise plans, which means that IT needs to go back to the user and say if they want to use it, they need budgetary approval for the $15k/month version. This either kills it (and makes them sneakily sign up for the personal one) or means it won't get approved until their department's next quarterly budget meeting.

While I understand that SaaS companies want to find unique areas they can use to upsell enterprise customers, I feel pretty strongly about basic security features being used as that leverage. Especially as there are many SMEs like us that work in a regulatorily complex environment but don't necessarily have the budget for the top tier just to get that security (UK finance, so we have GDPR/ePD/PECR as well as PCI-DSS, MIFID II, POCA, and a bunch of other FCA regulations to comply with).

Ultimately this means we end up saying no to users more than we say yes, which as you say, frustrates them and pushes them into shadow IT. Then we need to deploy proxies/CASB to catch users trying to use shadow IT and blocking sites.


Under some circumstances, I sympathise a lot with users who are trying to do their jobs, identify a tool that will help them to do their jobs, and then get told "no" by IT, particularly if IT is being obstructive for no apparent reason except throwing its weight around.

However, when you're talking about something like external hosting and transferring data outside of your organisation, I think there is a line that has to be drawn, partly just as a responsible corporate citizen and partly because of the potential liability when laws and regulations such as those you mentioned attempt to mandate that sort of responsible behaviour.

In an obviously sensitive field like finance, healthcare or law, bypassing the rules and setting up shadow IT really should be a serious disciplinary matter, possibly even a firing offence. It is, after all, potentially causing the company to break the law, not to mention creating severe security and privacy risks, and the damage that can be done by a small group or even a single individual can be catastrophic.


Yup. And then IT departments will use users doing it as an excuse for further lockdowns, you can't trust those users after all, look what they do. Vicious circle of mistrust.


Some IT departments forget they serve their users and aren't their jailers.


I have only two employees and it’s already a nightmare. Note-taking apps outside of our intranet, people mixing their Facebook cookies with their work (I specifically say they must have two separate Chrome profiles during onboarding), an infinite number of Chrome extensions which means any extension can harvest their passwords to any site...

Unless I become the bad guy, it feels like they are trying to inventory every possible way to leak our GDPR data. And this is how you get micromanaged or fired.


Would this be entirely mitigated by SaaS companies offering 100%-on-prem versions? Or would there still be GDPR issues even then?


On-prem does tend to have fewer GDPR/security concerns, but a SaaS is fine provided it is adequately controlled, and usually quicker to set up and lower maintenance cost.

Relatively simple things that SaaS companies could do to make our lives easier include:

* Ability to "claim" email domains to corporate ownership - that is, if any user tries to register with one of our email domains, they are automatically added to the corporate account with appropriate sharing and security controls (to be fair to Trello, I believe they do this - as do Apple, Google, Microsoft and a few others)

* Making OIDC/SAML/SSO a standard option rather than something you have to pay for the super-duper $15k+/month enterprise plan that you can only get after weeks of conversations with sales (if anyone from Twilio happens to read this...)

* Ensuring there is "organisation" support - with security/billing admins that can manage the account, set mandatory 2FA.

* Even just something in the sign up flows where it asks if they're setting up a business account, and if so, asks for their security/IT contact and pops them an email. Most users aren't being intentionally malicious, just they aren't aware we'd like to know (despite repeated communication that they tend to ignore!).

Long term, I think we need better industry-wide solutions to Shadow IT that don't involve invasive proxies. I haven't fully thought through what that would look like, but something like a Do-Not-Track header, but to disable users setting up accounts. Or TXT records on DNS hosts which would cause any attempt to set up an account with that email to automatically fire off to an admin user for approval, etc... See how Google forces mandatory safe-search for schools: https://support.google.com/websearch/answer/186669?hl=en


> Why is Trello being blocked?

Imagine a hospital or law firm putting sensitive data in Trello boards, for example. Or details about a new product.

