Security

Ukraine Official Urges 'IT Army' of World's Digital Talent To Attack Russian Energy and Financial Firms (venturebeat.com)

VentureBeat reports: In Ukraine today, Mykhailo Fedorov, the country's vice prime minister, announced on Twitter, "We are creating an IT army."

"We need digital talents," wrote Fedorov, who also holds the title of minister of digital transformation — sharing a link to a Telegram channel where he said operational tasks will be distributed. "We continue to fight on the cyber front." On the Telegram channel, the IT army reportedly posted its list of Russian targets — which were also translated into English "for all IT specialists from other countries...."

On Friday, Christian Sorensen, a former U.S. Cyber Command official, told VentureBeat that "hacktivists around the world [will be] working against Russia, because they are the aggressor.... I think things will ramp up against western targets, but Russia and Belarus will be targeted by these groups even more" said Sorensen, formerly the operational planning team lead for the U.S. Cyber Command....

[O]n Friday, a Bloomberg report said that a hacker group that was now forming to bring counterattacks against Russia had amassed 500 members. And today, we have the announcement of Ukraine's IT army — potentially including assistance from hackers around the globe. "Whether sanctioned or not, official or not, if people have or can get the right information, know-how, and desire — they can make an impact," Sorensen said on Friday, prior to the announcement of Ukraine's IT army. "We'll have to wait and see what they are able to do."

The next day Reuters reported that the official website of the Kremlin, "the office of Russian President Vladimir Putin....was down on Saturday, following reports of denial of service (DDoS) attacks on various other Russian government and state media websites.

"The outages came as Ukraine's vice prime minister said it had launched an 'IT army' to combat Russia in cyberspace."

But the Independent reports that the cyberattacks may have been even more extensive: Ukraine's state telecommunications agency announced on Saturday that six Russian government websites, including the Kremlin's, were down, according to The Kyiv Independent.

The agency also stated that the Russian media regulator's website had gone down, and that hackers had got Russian TV channels to play Ukrainian music.

Bitcoin

How a US Tech Firm Struggled to Get Its Employees Out of Kyiv (washingtonpost.com)

On Friday the Washington Post's live updates on the Russia-Ukraine situation included the story of a tech firm trying to get its employees out of Kyiv: John Sung Kim, chief executive of the software outsourcing company JetBridge, has been communicating with his 24 employees in Kyiv, all software developers, through Slack. Half of them are trying to leave Ukraine, but Kim says he is struggling to help them and has been unable to get them train tickets, a rental car or gasoline.

"The other half of my team wants to stay and fight," said Kim. "I got on an all-hands with them this morning and told them it's not their responsibility to be soldiers and there's other ways they can contribute since they're software engineers, but there's nothing I can say to dissuade them." Kim said JetBridge's clients are almost exclusively Silicon Valley tech companies that are publicly traded or have raised venture capital financing. "The universal issue other than transportation logistics seems to be grandparents. 'My babushka' is the common theme of why they're torn from actually leaving," he said. The fallout from Russia's invasion has also impacted JetBridge's employees in Belarus. "The males in Belarus are scared that there's going to be military conscription, and unlike the Ukrainians, my Belarusian engineers have zero desire to pick up a rifle. Zero," he said.

In anticipation of European Union sanctions on Belarus, Kim said JetBridge has started paying employees in bitcoin.

EU

NATO Secretary-General Warns Cyberattacks Could Trigger Article 5 (nbcnews.com)

NATO Secretary-General Jens Stoltenberg said Friday that cyberattacks could trigger Article 5 of the organization's charter, the so-called "commitment clause" that considers an attack on any NATO ally an attack on all. NBC News reports: Stoltenberg's comment comes as national security professionals and cybersecurity industry professionals remain on high alert for any major attacks. While conflict on the ground in Ukraine continues to escalate, little has been seen thus far in terms of major cyberwar activities. Still, some hacker and activist groups have sprung into action. One ransomware group announced Friday that it supported the Russian government and would respond to cyberattacks on Russia by going after "critical infrastructures of an enemy." As for attacks on Ukraine, the country's computer emergency response team said Friday that it had seen a large email phishing campaign from Belarus targeted at military personnel. The statement comes amid a major cyberattack on Nvidia that was initiated at the same time as the Russian cyber warfare division started their offensive against Ukraine. Security researchers are concerned that somebody could put something malicious in one of the software updates that are then sent out to Nvidia's clients.
Security

NVIDIA Hit By Major Cyberattack That May Have 'Completely Compromised' Parts of Its Business (wccftech.com)

An anonymous reader quotes a report from Wccftech: NVIDIA has seemingly been hit by a major cyberattack that may have completely compromised parts of its business, reports The Telegraph. In their exclusive report, The Telegraph reports that the cyberattack was initiated at the same time as the Russian cyber warfare division started their offensive against Ukraine. All Nato allies have announced major sanctions on Russia and this could potentially be why Russia has decided to target major companies such as NVIDIA.

The report further states that the cyberattack on NVIDIA has completely compromised parts of their business and there are already reports from several users coming in regarding services disruption. The scale of this attack is currently unknown but it clearly seems to be a major one as NVIDIA had to take several systems offline to pacify the intrusion before it could spread further: "'The ultimate concern is that somebody may have put something in one of the software updates,' Dr Woodward said, pointing to the devastating SolarWinds hack that exploited American software companies to gain access to US government computer systems. 'They'll be going through trying to make sure to see if there's any indication that anything has been changed in their software that they then shipped to their clients.'" NVIDIA's mail servers were also partially operational during this time so it's entirely likely that there might have been a breach in confidential documents. But it is not confirmed yet if any data was stolen.
In a brief statement, an Nvidia spokesperson confirmed the report, saying: "We are investigating an incident. We don't have any additional information to share at this time."
Security

Ukraine Says Belarusian Hackers Are Targeting Its Defense Forces (techcrunch.com)

Ukrainian cybersecurity officials have warned that Belarusian state-sponsored hackers are targeting the private email addresses of Ukrainian military personnel. From a report: Announcing the activity in a Facebook post, Ukraine's Computer Emergency Response Team (CERT-UA) said that a mass phishing campaign is targeting the private i.ua and meta.ua accounts belonging to Ukrainian military personnel. "After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages," it added. "Later, the attackers use contact details from the victim's address book to send the phishing emails." CERT-UA has attributed the ongoing campaign to the UNC1151 threat group, which Mandiant formally linked to the Belarusian government in November 2021. Mandiant also linked the state-backed cyber-espionage group to the Ghostwriter disinformation campaign, which has been involved in spreading anti-NATO rhetoric and hack-and-leak operations throughout Europe. "The Minsk-based group 'UNC1151' is behind these activities. Its members are officers of the Ministry of Defence of the Republic of Belarus," CERT-UA wrote.
Security

Ukraine Calls on Hacker Underground To Defend Against Russia (reuters.com)

The government of Ukraine is asking for volunteers from the country's hacker underground to help protect critical infrastructure and conduct cyber spying missions against Russian troops, according to two people involved in the project. From a report: As Russian forces attacked cities across Ukraine, requests for volunteers began to appear on hacker forums on Thursday morning, as many residents fled the capital Kyiv. "Ukrainian cybercommunity! It's time to get involved in the cyber defense of our country," the post read, asking hackers and cybersecurity experts to submit an application via Google docs, listing their specialties, such as malware development, and professional references. Yegor Aushev, co-founder of a cybersecurity company in Kyiv, told Reuters he wrote the post at the request of a senior Defense Ministry official who contacted him on Thursday. Aushev's firm Cyber Unit Technologies is known for working with Ukraine's government on the defense of critical infrastructure. Another person directly involved in the effort confirmed that the request came from the Defense Ministry on Thursday morning. Further reading: Washington steels for Russian cyberattacks.
Cellphones

Samsung Shattered Encryption On 100 Million Phones (threatpost.com)

Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year's Galaxy S21. Threatpost reports: Researchers at Tel Aviv University found what they called "severe" cryptographic design flaws that could have let attackers siphon the devices' hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that's found in smartphones. What's more, cyber attackers could even exploit Samsung's cryptographic missteps -- since addressed in multiple CVEs -- to downgrade a device's security protocols. That would set up a phone to be vulnerable to future attacks: a practice known as IV (initialization vector) reuse attacks. IV reuse attacks screw with the encryption randomization that ensures that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts will each be distinct.

The design flaws primarily affect devices that use ARM's TrustZone technology: the hardware support provided by ARM-based Android smartphones (which are the majority) for a Trusted Execution Environment (TEE) to implement security-sensitive functions. TrustZone splits a phone into two portions, known as the Normal world (for running regular tasks, such as the Android OS) and the Secure world, which handles the security subsystem and where all sensitive resources reside. The Secure world is only accessible to trusted applications used for security-sensitive functions, including encryption.

Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, explained on Twitter that Samsung incorporated "serious flaws" in the way its phones encrypt key material in TrustZone, calling it "embarrassingly bad." "They used a single key and allowed IV re-use," Green said. "So they could have derived a different key-wrapping key for each key they protect," he continued. "But instead Samsung basically doesn't. Then they allow the app-layer code to pick encryption IVs." The design decision allows for "trivial decryption," he said.

Samsung responded to the academics' disclosure by issuing a patch for affected devices that addressed CVE-2021-25444: an IV reuse vulnerability in the Keymaster Trusted Application (TA) that runs in the TrustZone. Keymaster TA carries out cryptographic operations in the Secure world via hardware, including a cryptographic engine. The Keymaster TA uses blobs, which are keys "wrapped" (encrypted) via AES-GCM. The vulnerability allowed for decryption of custom key blobs. Then, in July 2021, the researchers revealed a downgrade attack -- one that lets an attacker trigger the IV reuse vulnerability with a privileged process. Samsung issued another patch -- to address CVE-2021-25490 -- that removed the legacy blob implementation from devices including Samsung's Galaxy S10, S20 and S21 phones.
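To make the "single key plus IV reuse" point concrete, here is an added Go example (my own code, not Samsung's Keymaster TA or the Tel Aviv researchers' code). AES-GCM encrypts with a CTR keystream, so two blobs wrapped under the same key-wrapping key (KWK) and the same nonce have ciphertexts whose XOR equals the XOR of the wrapped keys; the blob layout `nonce || ciphertext || tag`, the constructed key values and the `flawedWrap`/`hardenedWrap` names are assumptions for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const (
	nonceLen = 12 // standard AES-GCM nonce size
	tagLen   = 16 // AES-GCM authentication tag size
)

// wrapBlob encrypts key material under a KWK with AES-GCM and returns
// nonce || ciphertext || tag. This blob layout is an assumption of the example.
func wrapBlob(kwk, nonce, keyMaterial []byte) ([]byte, error) {
	block, err := aes.NewCipher(kwk)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	blob := append([]byte{}, nonce...)
	return gcm.Seal(blob, nonce, keyMaterial, nil), nil
}

// ciphertextPart strips the nonce prefix and the tag suffix from a blob.
func ciphertextPart(blob []byte) []byte {
	return blob[nonceLen : len(blob)-tagLen]
}

// xorBytes returns a XOR b for equal-length slices.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// keystreamReused reports whether two blobs share a GCM keystream: with the
// same KWK and nonce, ct1 XOR ct2 == k1 XOR k2, so one known wrapped key
// reveals the other. With distinct nonces the relation does not hold.
func keystreamReused(blob1, blob2, k1, k2 []byte) bool {
	return bytes.Equal(
		xorBytes(ciphertextPart(blob1), ciphertextPart(blob2)),
		xorBytes(k1, k2))
}

// flawedWrap models the described design: one KWK for every blob and a nonce
// supplied by the (app-layer) caller, which may repeat it.
func flawedWrap(kwk, callerNonce, k []byte) ([]byte, error) {
	return wrapBlob(kwk, callerNonce, k)
}

// hardenedWrap models the basic fix: the wrapping code draws a fresh random
// nonce itself and never lets the caller choose it.
func hardenedWrap(kwk, k []byte) ([]byte, error) {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return wrapBlob(kwk, nonce, k)
}

// demoLeak wraps two constructed 256-bit keys both ways and returns
// (leak with flawed wrapping, leak with hardened wrapping).
func demoLeak() (bool, bool, error) {
	kwk := bytes.Repeat([]byte{0x11}, 16)   // constructed KWK
	nonce := bytes.Repeat([]byte{0x22}, 12) // caller-chosen nonce, reused
	k1 := bytes.Repeat([]byte{0xA1}, 32)    // constructed wrapped key 1
	k2 := bytes.Repeat([]byte{0xB2}, 32)    // constructed wrapped key 2

	f1, err := flawedWrap(kwk, nonce, k1)
	if err != nil {
		return false, false, err
	}
	f2, err := flawedWrap(kwk, nonce, k2)
	if err != nil {
		return false, false, err
	}
	h1, err := hardenedWrap(kwk, k1)
	if err != nil {
		return false, false, err
	}
	h2, err := hardenedWrap(kwk, k2)
	if err != nil {
		return false, false, err
	}
	return keystreamReused(f1, f2, k1, k2), keystreamReused(h1, h2, k1, k2), nil
}

func main() {
	flawed, hardened, err := demoLeak()
	if err != nil {
		panic(err)
	}
	fmt.Println("keystream reused with caller-chosen nonce:", flawed)   // true
	fmt.Println("keystream reused with fresh random nonce:", hardened) // false
}
```

Note that the authentication tag still verifies in both cases, so the Secure world cannot tell from decryption alone that a nonce was repeated; a blob store should also derive a distinct wrapping key per protected key, as Green suggests, rather than rely on one KWK.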

United States

US Firms Brace for Potential Cyberattacks as Russia Threatens Critics (bloombergquint.com)

A swath of major American businesses -- from major banks to utility companies -- is preparing for possible cyberattacks against their computer networks as Russia on Thursday threatened "consequences" for nations that interfere with its invasion of Ukraine. From a report: Their concerns, echoed in C-suites and around Washington, follow recent warnings from the Biden administration that U.S. firms should harden their defenses against potential cyberattacks that could disrupt the nation's critical infrastructure. American officials say there are no current threats against the U.S. But they have nonetheless urged organizations to plan for worst-case scenarios and more aggressively monitor their computer networks for possible intrusions.

"Right now, everybody needs to be at a heightened alert in the event this continues to escalate, and Russia tries to sway political opinion by causing damage in the United States and its Western allies," said David Kennedy, the chief executive officer of security firm TrustedSec. He said companies should be going through their computer infrastructure "with a fine-tooth comb" to ensure previous intrusions can't be used to cause future, more damaging, attacks. Major U.S. banks, for instance, fear aggressive cyberattacks if Washington imposes deeper financial sanctions on Russia, said two banking executives who spoke on condition of anonymity to discuss private conversations. CEOs of major financial firms and their cybersecurity experts recently met with Treasury officials as Russian threats of war intensified, according to the executives.

Security

Utility Promising To Restore Mining Performance on Nvidia GPUs Actually Malware (web3isgoinggreat.com)

Web3 is Going Great reports: The popular Tom's Hardware and PC Gamer websites both ran articles about a utility called "Nvidia RTX LHR v2 Unlocker", which claimed to increase the artificially-limited cryptocurrency mining performance of its RTX graphics cards. These graphics cards are shipped with performance-limiting software to reduce the GPUs' attractiveness to cryptocurrency miners, whose thirst for GPUs has made it difficult and expensive for gamers and various others to acquire the hardware. Unfortunately, both publications had to run a second article just a day later to warn their readers away from the software they had just advertised.
China

Chinese Cybersecurity Company Doxes Apparent NSA Hacking Operation (vice.com)

An anonymous reader quotes a report from Motherboard: A Chinese cybersecurity company accused the NSA of being behind a hacking tool used for ten years in a report published on Wednesday. The report from Pangu Lab delves into malware that its researchers first encountered in 2013 during an investigation into a hack against "a key domestic department." At the time, the researchers couldn't figure out who was behind the hack, but then, thanks to leaked NSA data about the hacking group Equation Group -- widely believed to be the NSA -- released by the mysterious group Shadow Brokers and by the German magazine Der Spiegel, they connected the dots and realized it was made by the NSA, according to the report.

"The Equation Group is the world's leading cyber-attack group and is generally believed to be affiliated with the National Security Agency of the United States. Judging from the attack tools related to the organization, including Bvp47, Equation group is indeed a first-class hacking group," the report read, referring to the name of the tool the researchers found. "The tool is well-designed, powerful, and widely adapted. Its network attack capability equipped by 0day vulnerabilities was unstoppable, and its data acquisition under covert control was with little effort. The Equation Group is in a dominant position in national-level cyberspace confrontation."
Further Reading: Anatomy of Top-Tier Suspected NSA Backdoor Code (The Register)
Security

Cyberattack Hits Ukrainian Banks and Government Websites (cnbc.com)

Several Ukrainian government websites were offline Wednesday as a result of a mass distributed denial of service attack, Mykhailo Fedorov, head of Ukraine's Ministry of Digital Transformation, said in his Telegram channel. From a report: The attack, which also impacted some banks, began around 4 p.m. local time, according to Fedorov. He didn't say which banks were attacked or what the extent of the damage was. Websites for the Ukrainian Ministry of Foreign Affairs, Cabinet of Ministers and Rada, the country's parliament, were among those down as of Wednesday morning Eastern time. The government sites were offline as officials attempted to switch traffic elsewhere to minimize damage, he said. A DDoS attack is when a hacker floods a victim's network or server with traffic so that others are unable to access it.
Chrome

Google is Retiring Chrome's Data-saving Lite Mode Next Month, Saying It's No Longer Necessary (androidpolice.com)

In a Google support forum post, Chrome's Support Manager Craig announced that mobile Chrome 100 will do away with the browser's data-saving feature -- the release is due to make its way to the stable channel on March 29, 2022. From a report: The mode will also stop working on previous versions of the browser from that day. Besides several improvements to Chrome over the years to reduce data usage and improve page load times, Google has also seen mobile data costs decrease in many countries. Thus, it believes the data saving mode is no longer relevant in today's world.
Privacy

Behind the Stalkerware Network Spilling the Private Phone Data of Thousands (techcrunch.com)

An anonymous reader quotes a report from TechCrunch, written by security editor Zack Whittaker: Consumer-grade spyware is often sold under the guise of child monitoring software, but also goes by the term "stalkerware" for its ability to track and monitor other people or spouses without their consent. Stalkerware apps are installed surreptitiously by someone with physical access to a person's phone and are hidden from home screens, but will silently and continually upload call records, text messages, photos, browsing history, precise location data and call recordings from the phone without the owner's knowledge. Many of these spyware apps are built for Android, since it's easier to plant a malicious app than on iPhones, which have tighter restrictions on what kind of apps can be installed and what data can be accessed. Last October, TechCrunch revealed a consumer-grade spyware security issue that's putting the private phone data, messages and locations of hundreds of thousands of people, including Americans, at risk. But in this case it's not just one spyware app exposing people's phone data. It's an entire fleet of Android spyware apps that share the same security vulnerability.

On the front line of the operation is a collection of white-label Android spyware apps that continuously collect the contents of a person's phone, each with custom branding, and fronted by identical websites with U.S. corporate personas that offer cover by obfuscating links to its true operator. Behind the apps is a server infrastructure controlled by the operator, which is known to TechCrunch as a Vietnam-based company called 1Byte. TechCrunch found nine nearly identical spyware apps that presented with distinctly different branding, some with more obscure names than others: Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy. Other than their names, the spyware apps have practically identical features under the hood, and even the same user interface for setting up the spyware. Once installed, each app allows the person who planted the spyware access to a web dashboard for viewing the victim's phone data in real time -- their messages, contacts, location, photos and more. Much like the apps, each dashboard is a clone of the same web software. And, when TechCrunch analyzed the apps' network traffic, we found the apps all contact the same server infrastructure. But because the nine apps share the same code, web dashboards and the same infrastructure, they also share the same vulnerability.

The vulnerability in question is known as an insecure direct object reference, or IDOR, a class of bug that exposes files or data on a server because of sub-par, or no, security controls in place. It's similar to needing a key to unlock your mailbox, but that key can also unlock every other mailbox in your neighborhood. IDORs are one of the most common kinds of vulnerability [...]. But shoddy coding didn't just expose the private phone data of ordinary people. The entire spyware infrastructure is riddled with bugs that reveal more details about the operation itself. It's how we came to learn that data on some 400,000 devices -- though perhaps more -- have been compromised by the operation. Shoddy coding also led to the exposure of personal information about its affiliates who bring in new paying customers, information that they presumably expected to be private; even the operators themselves.
After emailing 1Byte with details of the security vulnerability, the email address was shut down along with "at least two of the branded spyware apps," according to TechCrunch. "That leaves us here. Without a fix, or intervention from the web host, TechCrunch cannot disclose more about the security vulnerability -- even if it's the result of bad actors themselves -- because of the risk it poses to the hundreds of thousands of people whose phones have been unknowingly compromised by this spyware."

In a separate report, security editor Zack Whittaker explains how one can remove common consumer-grade spyware.
Government

Missouri Governor's Office Responsible For Teacher Data Leak (krebsonsecurity.com)

An anonymous reader quotes a report from Krebs on Security: Missouri Governor Mike Parson made headlines last year when he vowed to criminally prosecute a journalist for reporting a security flaw in a state website that exposed personal information of more than 100,000 teachers. But Missouri prosecutors now say they will not pursue charges following revelations that the data had been exposed since 2011 -- two years after responsibility for securing the state's IT systems was centralized within Parson's own Office of Administration. [...]

On Monday, Feb. 21, The Post-Dispatch published the 158-page report (PDF), which concluded after 175 hours of investigation that [St. Louis Post-Dispatch reporter Josh Renaud] did nothing wrong and only accessed information that was publicly available. Emails later obtained by the Post-Dispatch showed that the FBI told state cybersecurity officials that there was "not an actual network intrusion" and the state database was "misconfigured." The emails also revealed the proposed message when education department leaders initially prepared to respond in October: "We are grateful to the member of the media who brought this to the state's attention," was the proposed quote attributed to the state's education commissioner before Parson began shooting the messenger.

The Missouri Highway Patrol report includes an interview with Mallory McGowin, the chief communications officer for the state's Department of Elementary and Secondary Education (DESE). McGowin told police the website weakness actually exposed 576,000 teacher Social Security numbers, and the data would have been publicly exposed for a decade. McGowin also said the DESE's website was developed and maintained by the Office of Administration's Information Technology Services Division (ITSD) -- which the governor's office controls directly. "I asked Mrs. McGowin if I was correct in saying the website was for DESE but it was maintained by ITSD, and she indicated that was correct," the Highway Patrol investigator wrote. "I asked her if the ITSD was within the Office of Administration, or if DESE had their own information technology section, and she indicated it was within the Office of Administration. She stated in 2009, policy was changed to move all information technology services to the Office of Administration." The report was a vindication for Renaud and for University of Missouri-St. Louis professor Shaji Khan, who helped the Post-Dispatch verify that the security flaw existed. Khan was also a target of Parson's vow to prosecute "the hackers."
Khan's attorney Elad Gross told the publication his client was not being charged, and that "state officials committed all of the wrongdoing here."

"They failed to follow basic security procedures for years, failed to protect teachers' Social Security numbers, and failed to take responsibility, instead choosing to instigate a baseless investigation into two Missourians who did the right thing and reported the problem," Gross told The Post-Dispatch. "We thank the Missouri State Highway Patrol and the Cole County Prosecutor's Office for their diligent work on a case that never should have been sent to them."
China

OnePlus 10 Pro Snaps in Half in Durability Test (theverge.com)

An anonymous reader shares a report: The OnePlus 10 Pro is out in China, and while it has some flagship specs, including a Snapdragon 8 Gen 1 processor and a 5,000mAh battery, it turns out it might not be the most durable phone on the market. YouTuber Zack Nelson, creator of the popular JerryRigEverything channel, put the OnePlus 10 Pro through his usual durability test, and when he pushed on the middle of the phone to try and bend it, it snapped nearly in half. See for yourself -- the bend test portion of the video starts at 6:57. When Nelson first pushes on the OnePlus 10 Pro, the back glass begins to crack, and many of the cracks appear under the phone's stovetop-like camera bump. When he pushes again, those cracks turn into a full-on break, causing the top part of the phone to begin to fold over.
United Kingdom

UK Ready To Launch Retaliatory Cyber-attacks on Russia, Defence Secretary Says (yahoo.com)

The UK is ready to launch cyber attacks on Russia if Moscow targets Britain's computer networks after a Ukraine invasion, the defence secretary has threatened. The Independent: In a Commons statement, Ben Wallace pointed to the "offensive cyber capability" the UK is already developing from a base in the north west of England. "I'm a soldier -- I was always taught the best part of defence is offence," he told an MP who urged him to "give as good as we get back to Russia" if necessary. Mr Wallace also stepped up UK threats by saying sanctions will be imposed for aggression that stops short of crossing the Ukraine border -- amid criticism they have not yet been used.

Russian companies with links to the Kremlin and Vladimir Putin's regime will be targeted if, for example, a no-fly zone is imposed in Ukraine, or ports blockaded. "Many of these aggressive moves -- like a no-fly zone, a blockade to free trade -- would absolutely warrant a response ranging from sanctions and others," the defence secretary said. "Russia should be under no illusion that threatening the integrity of a sovereign nation, whether that is in the air or on the sea, is exactly the same as threatening it on the land." Sanctions have not yet been imposed in order to coordinate with the European Union, which has yet to announce what its package will be, Mr Wallace suggested.

The Almighty Buck

Phishing Attack Tricks 32 OpenSea Users Out of 254 NFTs (theverge.com)

"On Saturday, attackers stole hundreds of NFTs from OpenSea users, causing a late-night panic among the site's broad user base," reports the Verge.

"A spreadsheet compiled by the blockchain security service PeckShield counted 254 tokens stolen over the course of the attack, including tokens from Decentraland and Bored Ape Yacht Club." The bulk of the attacks took place between 5PM and 8PM ET, targeting 32 users in total. Molly White, who runs the blog Web3 is Going Great, estimated the value of the stolen tokens at more than $1.7 million.

The attack appears to have exploited a flexibility in the Wyvern Protocol, the open-source standard underlying most NFT smart contracts, including those made on OpenSea. One explanation (linked by CEO Devin Finzer on Twitter) described the attack in two parts: first, targets signed a partial contract, with a general authorization and large portions left blank. With the signature in place, attackers completed the contract with a call to their own contract, which transferred ownership of the NFTs without payment. In essence, targets of the attack had signed a blank check — and once it was signed, attackers filled in the rest of the check to take their holdings.

"I checked every transaction," said the user, who goes by Neso. "They all have valid signatures from the people who lost NFTs so anyone claiming they didn't get phished but lost NFTs is sadly wrong...."

Writing on Twitter shortly before 3AM ET, OpenSea CEO Devin Finzer said the attacks had not originated from OpenSea's website, its various listing systems, or any emails from the company. The rapid pace of the attack — hundreds of transactions in a matter of hours — suggests some common vector of attack, but so far no link has been discovered.

An update to OpenSea's smart contract was scheduled the day before (to remove old and inactive listings from the platform), and the scammer mimicked a genuine OpenSea email, according to The Street. A user who posted the text of the phishing email online explains that the scammer "then got a number of people to sign permissions with WyvernExchange. No exploit, just people not reading sign permissions as normal."

CEO Finzer told Bloomberg that some of the stolen NFTs have actually been returned, with no further malicious activity seen from the attacker's account. "He also dispelled rumors of a $200 million hack, saying the attacker has $1.7 million of Ethereum in his wallet from selling some of the stolen NFTs."

And PC Magazine shares this update about the wallet: CoinDesk reports that Etherscan, which bills itself as "the Ethereum blockchain explorer," has flagged the account that appears to be connected to these NFT thefts. (The public name of which is, fittingly enough, "Fake_Phishing5169.")
Bug

Linux Developers Patch Bugs Faster Than Microsoft, Apple, and Google, Study Shows (zdnet.com)

Linux programmers fixed bugs faster than anyone — in an average of just 25 days (improving from 32 days in 2019 to just 15 in 2021). That's the conclusion of Google's "Project Zero" security research team, which studied the speed of bug-fixing from January 2019 to December 2021.

ZDNet reports that Linux's competition "didn't do nearly as well." For instance, Apple, 69 days; Google, 44 days; and Mozilla, 46 days. Coming in at the bottom was Microsoft, 83 days, and Oracle, albeit with only a handful of security problems, with 109 days.

By Project Zero's count, others, which included primarily open-source organizations and companies such as Apache, Canonical, Github, and Kubernetes, came in with a respectable 44 days.

Generally, everyone's getting faster at fixing security bugs. In 2021, vendors took an average of 52 days to fix reported security vulnerabilities. Only three years ago the average was 80 days. In particular, the Project Zero crew noted that Microsoft, Apple, and Linux all significantly reduced their time to fix over the last two years.

As for mobile operating systems, Apple iOS with an average of 70 days is a nose better than Android with its 72 days. On the other hand, iOS had far more bugs, 72, than Android with its 10 problems.

Browser problems are also being fixed at a faster pace. Chrome fixed its 40 problems in an average of just under 30 days. Mozilla Firefox, with a mere 8 security holes, patched them in an average of 37.8 days. WebKit, Apple's web browser engine, which is primarily used by Safari, has a much poorer track record: WebKit's programmers take an average of over 72 days to fix bugs.

San Francisco's Mayor is Urging Employers to Return Workers to Downtown Offices (sfchronicle.com) 288

San Francisco mayor London Breed "is working with business leaders to push San Francisco employers to start bringing more workers back to downtown offices at some point in March," reports the San Francisco Chronicle.

"Breed said she was developing a strategy with the Chamber of Commerce and other groups to help turn around the city's once-bustling commercial core." San Francisco's downtown has been hit hard as most employees have stayed home during the pandemic.... Breed's comments reflect the pressure she's under to revive San Francisco's struggling downtown where weekday foot traffic remains sparse, small businesses have shuttered and massive office towers sit largely empty nearly two years after COVID-19 sent most workers home indefinitely. Some workers are likely to stay remote because they're concerned about being exposed to the virus or for other personal reasons.... San Francisco officials predict that around 15% of office workers will stay remote when the economy is expected to stabilize in 2023, a major shift that would permanently hurt business tax revenue, according to a report released last month....

Despite rampant commercial vacancies and an abundance of employees choosing to work remotely in perpetuity or leave San Francisco entirely, Breed said she was encouraged by a number of businesses that have signed new leases or are looking at new opportunities in the city. "Working from home has been so convenient and so comfortable, let's be honest," Breed said. "But at the same time, people miss people. They miss being out in the streets. They miss being at places and restaurants."

John Bryant, CEO of the Building Owners and Managers Association of San Francisco, tells the newspaper that downtown San Francisco's buildings are only about 20% occupied now, and that this year he hopes to see that double — to 40%.

Thanks to Slashdot reader nray for sharing the story...

In 10 Years, Will 'Remote Work' Simply Be 'Work'? (msn.com) 74

Bloomberg reports: A decade from now, offices shall be used for one thing and one thing only: quality time with colleagues. This seemingly bold prediction comes from Prithwiraj Choudhury, a Harvard Business School professor and expert on remote work. "We will probably in 10 years stop calling this 'remote work'. We'll just call it work," he said....

His research showed that a hybrid workforce is more productive, more loyal and less likely to leave. With companies from Twitter Inc. to PwC now giving employees the option to work virtually forever, Choudhury said businesses that don't adapt risk higher attrition... "For employers, it's a win as well because you are not constrained to hiring from the local labor market — where you have an office... This is a once-in-a-generation moment when people are not going to be forced to live where they don't want to. Some people will find a permanent place to live; some will move around. The digital nomad revolution is going on...."

"We should not care about how many days or hours anyone works. Every job and task should have objective metrics, which are output based, and if an employee can perform those metrics in two days, so be it. I am a firm believer that we should stop counting time. We should give people the flexibility to work when they want to, whichever hours they want to, whichever days they want to, and care only about their work."
