A couple years ago, in our old office at the top of the Monadnock building, I'm working on code for a product we're doing while Vitaly is working on a pentest for a big Rails client, and, like, 5 other people in the office are working on 5 other things.
I'm procrastinating while noodling through some stupid Riak thing and so I hear Vitaly say something about how some request he sent to the app produced binary gibberish in the response.
It turns out I'd rather noodle around with Vitaly's app than figure out how to make Riak do whatever basic thing I want it to do, so I walk over and look at the response. Vitaly has already noticed that the "binary gibberish" is actually corrupted in the response headers; the response is corrupt.
We both agree out loud that this is unusual and bad. A couple other team members walk over. In the span of about 4 minutes we figure out that the bug is triggered by inputs that include NUL bytes, and responses appear to be corrupted at the point where the input is, in the headers, echoed in the output. And a few reloads show that what looks like gibberish is actually stale server memory.
This is that nginx bug that came out back when. It's approximately as bad as Heartbleed, except that it only affects nginx (and it has a more complicated trigger condition, albeit one that applies to virtually every web application). And because we were all together in the same room when Vitaly found it, we isolated, analyzed, and weaponized it in minutes, rather than in hours or days.
(Ironically, someone else had noticed the same bug on the same day, and [fair enough!] got the reporting credit.)
Stuff like that happened all the time at Matasano. The in-person requirement is one the company is unlikely to let go of --- not that I have any say in it anymore. ;)
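The bug described in the post above was triggered by NUL bytes in input that the application echoed back into response headers. The application-side mitigation is to never emit a header value that carries NUL or other control bytes. What follows is an added example, not code from the thread, Matasano, or nginx: a small Ruby check plus a hypothetical Rack-style middleware (`HeaderGuard`, `safe_header_value?`, and the sample inputs are all constructed for this illustration) that rejects such values before the response leaves the app, so the request is logged instead of silently reaching the server.

```ruby
# Added example (not from the thread): a defensive check for values that an
# application copies from the request into a response header.

# Bytes that must never appear in an HTTP header value: NUL, CR, LF and any
# other C0 control character except horizontal tab (HTAB is allowed in
# header field values), plus DEL.
HEADER_FORBIDDEN = /[\x00-\x08\x0a-\x1f\x7f]/n

class UnsafeHeaderValue < StandardError; end

# Returns true when +value+ is safe to place in a response header.
def safe_header_value?(value)
  !value.b.match?(HEADER_FORBIDDEN)
end

# Returns +value+ unchanged if it is safe; raises otherwise. Raising (rather
# than silently stripping bytes) makes the rejected request visible in logs.
def sanitize_header_value!(name, value)
  unless safe_header_value?(value)
    raise UnsafeHeaderValue, "refusing to echo control bytes into #{name}"
  end
  value
end

# Hypothetical Rack-style middleware: checks every outgoing header before the
# response is handed back to the web server.
class HeaderGuard
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers.each do |name, value|
      Array(value).each { |v| sanitize_header_value!(name, v.to_s) }
    end
    [status, headers, body]
  end
end

# Constructed sample inputs: what a request parameter echoed into a header
# might look like. "nul" mirrors the trigger described in the post.
SAMPLE_INPUTS = {
  "plain" => "session=abc123",
  "nul"   => "session=abc\x00123",
  "crlf"  => "x\r\ny",
  "tab"   => "a\tb",
}

# Classifies each constructed sample; returns a hash of name => safe?.
def classify_samples
  SAMPLE_INPUTS.transform_values { |v| safe_header_value?(v) }
end

if __FILE__ == $0
  classify_samples.each { |k, ok| puts "#{k}: #{ok ? 'ok' : 'REJECTED'}" }
end
```

Wrapping the app in `HeaderGuard` (e.g. `use HeaderGuard` in a Rack config) makes a NUL-carrying echo fail loudly at the application layer, independent of whether the server behind it has the bug.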
"And because we were all together in the same room when Vitaly found it, we isolated, analyzed, and weaponized it in minutes, rather than in hours or days."
It wasn't because you were all together in the same room, it's because you were communicating effectively and you're assuming there is no way to replicate that level of effective communication without being in the same room.
With proper tools and training, everything you did in that room could have been done over the internet instead. There are communal whiteboarding apps, collaborative code editing apps, amazingly expressive chat apps like Slack, not to mention good old fashioned audio/video chat tools.
It can be done. It is done frequently, every day. It makes me sad to see so many people on a place like Hacker News, dedicated to building the internet's Next Big Thing, repeatedly claim that it's not possible to collaborate as effectively on the internet.
I'm sure there's some amount of money and time Matasano could spend to make extra-office communication so fluid and effective that the sort of serendipitous collaboration I just talked about would happen with any two people on the planet. But, like most companies, they haven't. Meanwhile: they value that collaboration. So, there you are.
While it is true that the tools exist to collaborate equally well online vs. in person, the culture of an organization also needs to support it.
It is nearly impossible to just throw a new toolkit at a company and expect them to be able to thereby switch from an in person culture to a remote one.
It requires a transition of culture, which in turn requires both vision and support of the switch from the leadership of an organization.
Certainly remote collaboration works. But there is more to it than just flipping a switch or adding some tools.
Another aspect to consider is that given the sensitive nature of our work and access to what is often crown-jewel intellectual property, we have several clients who require we work from their offices. They are sometimes unwilling to cover travel costs. With a more geographically distributed base of employees we'd either have to eat the costs of bringing someone remote in for these projects, or rely more heavily on the now smaller subset of our staff that is present in these geographies. Neither is a desirable scenario.
Most of us like working in an office close to home, and don't like traveling a lot. It works for us.
"The in-person requirement is one the company is unlikely to let go of"
That's too bad, since this is a place that looks like it'd be very interesting to work at, but with no degree there's no chance in hell I'd be allowed to work in the US (at least so previous attempts have told me), and it looks like remote is a no-go.
For what it's worth, we often sponsor visa candidates. I don't know the particulars of your case, but we have a number of employees who have come to the USA to work for us, and we do everything we can to support them.