Security audit finds dev outsourced his job to China to goof off at work

A security audit of a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor – and was spending all his work time playing around on the internet. The firm's telecommunications supplier Verizon was called in after the company set up a basic VPN system …

COMMENTS

This topic is closed for new posts.

  1. Alistair
    Pint

    Bob is no longer employed by the firm, ....

    But has been hired by the firm's management consultants.....

    1. LarsG
      Meh

      Applauded

      For initiative.

      But it just shows how cheap it is to outsource, if he can outsource his job and still pay the rent.

      1. Zaphod.Beeblebrox
        Thumb Up

        Re: Applauded

        Indeed. Hats off to Bob!

      2. Anonymous Coward
        Anonymous Coward

        Re: Applauded

        "...it just shows how cheap it is to outsource, if he can outsource his job and still pay the rent."

        Verizon's investigations turned up "hundreds of invoices" from the Chinese subcontractors and suggested that he had been doing the same thing with some other companies in the area - so his total take was probably considerably more than a single salary. I am surprised he had any time for social media and the like if he was managing several people working on different projects for different clients and handling the management reporting, invoicing, etc.

        Maybe he should have hired a security expert to ensure that he wasn't leaking any evidence of the Chinese subcontractors. Personally, I would have used a KVM system to attach to the client-supplied notebooks (and onward via their VPNs) and my own VPN for the connections from the subcontractors to the KVM system. That would avoid the need for any unusual connections to either the client networks or their notebooks or for any unusual software to be installed on the notebooks.

      3. Michael Wojcik Silver badge

        Re: Applauded

        Initiative? Who hasn't thought of this dodge? It used to be a regular joke around the office back in the early '90s, before it grew old.

        I'd always assumed only a combination of ethics, aversion to risk, and sloth (the recipe for most law-abiding behavior, IME) kept most developers - at least those working on suitably mundane projects - from doing it.

      4. Tom 79

        Re: Applauded

        This is probably a corporate PR plant article.

    2. Turtle

      The Bob In Question is...

      The "Bob" in question is Microsoft's Bob.

    3. Lance 3

      Re: Bob is no longer employed by the firm, ....

      The two Bobs wanted to talk to Bob.

  2. KrisMac
    Devil

    The only reason anyone is angry at Bob...

    ... is that they didn't think of it first....

    1. Wize

      Re: The only reason anyone is angry at Bob...

      Depends if he is staff or contract. If the latter, a 'right of substitution' clause, sometimes used as part of the IR35 fight, could mean they would be unable to terminate his contract for this.

      If he was staff, he should now hire himself out as a contracting company and charge higher rates.

      1. Anonymous Coward
        Headmaster

        Re: The only reason anyone is angry at Bob...

        "Depends if he is staff or contract. If the latter, a 'right of substitution' clause, sometimes used as part of the IR35 fight, could mean they would be unable to terminate his contract for this"

        Technically, in the UK, when a company hires a contractor they're hiring his company, NOT him. A small legal point but an important one, because it means the contractor can legally hire someone else to do all his work. Though obviously the client would have to be informed of this. Something "Bob" conveniently forgot to do.

        1. Roland6 Silver badge

          Re: The only reason anyone is angry at Bob...

          Whilst there is definitely a dependency on type of contract as to whether there is a 'right of substitution' or a prohibition on sub-contracting, from the information given, 'bob' almost certainly breached the Confidentiality clause, Security Policy and the Computer Use Policy, through his actions of: not disclosing the use of a sub-contractor, giving access to internal company systems etc to an unauthorised third-party. Mis-use of company property by using his workstation to manage his engagements with other companies.

          I suspect that as a result of the publicity associated with this case and books like "The 4-hour work week" we'll see some significant changes in both employment and contractor contracts.

          But thanks to the publicity we can learn and improve on Bob's efforts.

          I wonder if Bob declared the sub-contractor as a business expense to the IRS ...

    2. Anonymous Coward
      Anonymous Coward

      Re: The only reason anyone is angry at Bob...

      ... is that they didn't think of it first...

      I did, on several occasions. But I've been too lazy to find appropriate subcontractors.

      oh, yeah, and the ethics, this was another strong factor to dissuade me. NOT.

      After all the jobs I do are structured like this:

      A client sends a job to their agency, who take a cut and send it to their contractors, who take a cut, who send it to their subcontractors who take a cut and who then send it to me (and take a cut). The rest of the money is money. Minus the cut taken by the taxman, of course.

      Why, therefore should the sub-sub-sub contracting stop with me?

      And, coming back to the morals, why am I supposed to bend over and get fucked by all those above me in the chain who are happy to fuck others below me and applauded for being a dynamic and sharp business enterprise, etc, etc.?

      In fact, I wouldn't be fucking those I'd be subcontracting, I'd be extending a helpful hand, giving them employment they lack in this harsh economic climate, blah blah blah :(

      p.s. no, I can NOT cut the middle man / men and go to the top of the chain, because none of them deal with individuals, too much bother.

      1. Turtle

        @AC: Re: The only reason anyone is angry at Bob...

        "oh, yeah, and the ethics, this was another strong factor to dissuade me. NOT."

        You know, on this site, there are plenty of people who post as AC because they are drama queens and somehow think, for example, that if they criticize this or that politician or institution or policy then either the CIA or FBI or MI5 or MI6 or the Mossad is going to, well, you know. And so they post as AC's. And it's kind of pathetic, really, because they seriously believe they are "that important". And some people post as AC just to avoid having mean or insulting or silly posts tied to them specifically. I've done this myself, actually.

        But your post might be the first post that I have seen on this site for which posting as AC is appropriate. And it was a good post! : )

        (Obviously that's hyperbole but sometimes only hyperbole gets the point across....)

        1. Joel 1
          Meh

          Re: @AC: The only reason anyone is angry at Bob...

          I was going to reply to this comment, but unfortunately my outsourced Chinese posting avatar is currently undergoing breathing difficulties due to the smog. Normal service will be resumed when circumstances permit. Thank you for your understanding.

        2. GT66

          Re: @AC: The only reason anyone is angry at Bob...

          Oh my, how you've overestimated why people post AC. They do so not because of fear of the government in the countries you mentioned but fear of their friends, neighbors and colleagues who can and DO use such matter of stated opinion against an AC in the real world. Dog eat dog relies on two dogs who at least minimally know each other and know they are after the same thing.

        3. streaky
          Terminator

          Re: @AC: The only reason anyone is angry at Bob...

          "But your post might be the first post that I have seen on this site for which posting as AC is appropriate"

          I've used it only once to describe something that happened at a "past" (honest!) employer in a certain condition which they might not have liked publicly broadcasting, thus avoiding me getting fired. Only time I've ever used it. Suspect that's what it's mostly for unless you live in Syria.

      2. R 11

        Re: The only reason anyone is angry at Bob...

        It seems pretty unlikely management haven't at least considered outsourcing. It's hardly a new concept.

        Perhaps they didn't outsource to China because that's where their main competitor is based. Perhaps Bob has been outsourcing to staff at a competitor who are returning decent code but learning a ton of trade secrets at the same time. So while Bob rakes it in, he puts the jobs of all his co-workers in jeopardy.

        If the employer is willing to pay six figures for a US coder, there's a good chance there are reasons they don't want someone overseas doing the work.

        1. John Smith 19 Gold badge
          Thumb Down

          Re: The only reason anyone is angry at Bob...

          "So while Bob rakes it in, he puts the jobs of all his co-workers in jeopardy."

          Bob's attitude is that of the people described in "Snakes in suits."

          He's probably a psychopath. He'll tell you whatever you want to hear in order to get what he wants.

          The real question (apart from BS) does he have any real skills at all?

          The difference is he's not in management.

          This stuff makes a great setup for a film comedy. IRL they create havoc for those around them. And note that "His bosses loved him." I'll bet the people who supported work he wrote didn't.

      3. BillG
        Happy

        Re: The only reason anyone is angry at Bob...

        Your post makes me ask the question:

        Sounds like they do good work cheap. What is the name of that software consultancy in Shenyang?

        1. Guido Brunetti
          Big Brother

          Re: The only reason anyone is angry at Bob...

          Doesn't matter. They probably put in some skilled people from their foreign intelligence department, not from the company itself. Getting an authorized VPN-channel into a critical infrastructure, getting all sorts of system specs, getting to write code incorporated into these systems and then even getting paid for it must have been a no-brainer for them.

          On the other hand, they probably would have been smart enough to use a U.S.-proxy then. But now that the contractor is out of business with this client, they probably sell all the information they gathered to the highest (Chinese) bidder.

      4. Tom 7

        Re: The only reason anyone is angry at Bob... AC 12.45

        There was no reason to be angry at him.

        The real reason he was fired was fear!

        Can you imagine if he'd been successful and shown the difference it makes having someone who knows about IT in charge of outsourcing? The work would be crawling with unemployed 'managers'.

        He should think himself lucky he didn’t fall off his balcony.

      5. Bob Gateaux
        Thumb Up

        Re: The only reason anyone is angry at Bob...

        "A client sends a job to their agency, who take a cut and send it to their contractors, who take a cut, who send it to their subcontractors who take a cut and who then send it to me (and take a cut). The rest of the money is money. Minus the cut taken by the taxman, of course.

        Why, therefore should the sub-sub-sub contracting stop with me?"

        I like it. The entire IT world could collapse one day when we realise that everybody has subcontracted everyone else's subcontracts and there is nobody actually doing the work.

        Then the taxpayer would bail us out

        1. Alan Brown Silver badge

          Dilbert already covered this:

          http://www.dilbert.com/2003-08-03/

  3. John Tserkezis

    I've heard of this before

    Not only can you "play around" all day, you can do more work than you're actually capable of - now that you have several people working for you.

    To hell with security, this is all about the money.

    1. PT

      Re: I've heard of this before

      There was a Doonesbury strip about this a few years ago. Zig outsourced his job to India, and to avoid getting caught he had the offsite engineer deliberately screw up every few weeks.

      http://forums.techguy.org/attachments/43060d1099857513/db041107.gif

  4. dssf

    Hehehe, Crafty, Creative

    But, this sort of thing is EXACTLY why management there needs to be called on the carpet, too. How can a star programmer at a presumably well-off company NOT randomly quiz him or drag him in on tough calls to deal with live, on-the-spot, not "I'll get back at cha in about 2 hours with some of "my" results or ideas", to prevent bullshit artists from deceiving all number of key personnel.

    But, he should get an award of some sort for cunning. Wait, steady employment for a year was probably reward, since he had multiple employers. Now, if only other companies did that (or, do some?), it could become a weird pyramid scheme for non-temp agencies.

    I wonder whether he will be sued for breach of trust/faith; unlawful disclosure of proprietary info; falsification of work; misrepresentation of fact; etc.

    This goes to show that NOT ALL companies monitor their staff as vigilantly and regularly as they should. Legal will probably have a FIELD DAY with the execs, and maybe IT as well.

    1. Hungry Sean

      Re: Hehehe, Crafty, Creative

      randomly quizzing him might not trigger any filters-- after all, odds are good the guy probably *was* a pretty strong programmer since he'd presumably need to audit and clean up all the code he was outsourcing. Generally you get what you pay for, so if he was paying 1/6th of his salary for multiple contractors, quality was probably pretty low before receiving the Bob filter.

      Clever bastard, but his company missed a trick-- they should have put him in management.

      1. Dave Bell

        Re: Hehehe, Crafty, Creative

        Two things strike me as odd. First, the code he was producing was apparently good. Second, he was "working" for multiple companies.

        It sounds as if his management skills would be worth paying for, just not as extravagantly.

        Or maybe Verizon has a lousy idea of what good code is.

        1. Fatman

          Re: Verizon...lousy

          This sentence needs to be corrected:

          Or maybe Verizon has a lousy idea of what good code is. to read:

          Or maybe Verizon has a lousy good idea of what good code is a lousy company is.

          Verizon, look at yourselves in the mirror!

      2. dssf

        Re: Hehehe, Crafty, Creative

        Hungry Sean, I gave you a thumbs up because you made me realize what a glaring flaw I made by not considering or positing that he had to know *something* or have decent skills to pull this off.

        Actually, IIUC, in the USA, work assignments generally tell employees they must do their own tasks and if unable, seek out their manager or team leaders, etc.

        In some countries, like South Korea, an egomaniac in a team might have the swagger and fearsome personality to induce others to produce impressive work, then he (usually a he) submits the work as his own. I have several Korean friends who said they either know of or were subjected to this themselves. They despise such people who take the credit and don't share it.

        But, in Bob's case, he farmed out work, making those downstream contractors happy.

        I wonder how many of his surviving bosses secretly wish they could rehire him and buy him rounds of drinks.

    2. Anonymous Coward
      Anonymous Coward

      Re: Hehehe, Crafty, Creative

      You're assuming he didn't have the skills.

      Assuming he did, and that he'd built relationships with people he trusted and could monitor their work, the only real issue is legal / security.

      If it wasn't for the breach of trust, I'd offer him a job. It's harder to find decent technical managers than it is to find decent programmers.

    3. jason 7
      Devil

      Re: Hehehe, Crafty, Creative

      The problem is that most companies have got rid of the old 'people manager' the person who kept an eye on staff, monitored the work, did all the staff management duties, appraisals, training etc. etc.

      Those people largely don't exist any more. Instead you have a manager that's only interested in how good he or she looks to the guy above them and maybe the guy above them too.

      As long as there are not sh*tstorms heading their way they don't care what the staff are doing.

      I and my other colleagues used to have to submit a lengthy and tedious weekly progress report. After a few weeks of doing this I took a gamble and started just submitting the same report every week with just the date changed at the top. Never got noticed.

      If you have to do reports like that try it. Just create an actual report for that first week just in case it gets noticed (oops I sent the wrong one!) and then send in last week's. If it works carry on. If it happens for several months and then gets noticed you have the comeback of advising them would it be worthwhile for everyone else to be made aware that their reports were not being looked at most of the time?

      1. Anonymous C0ward

        Re: Hehehe, Crafty, Creative

        I'm gonna need you to go ahead and come in on Saturday. And have those TPS reports on my desk by 4.

        1. dssf
          Happy

          Re: Hehehe, Crafty, Creative

          LOL!!!! "Office Space"????

    4. Anonymous Coward
      Anonymous Coward

      Re: Hehehe, Crafty, Creative

      Legal don't go for execs, because execs pay their bills. Legal don't go for IT because IT knows everything and if they don't, they soon will.

    5. M Mouse

      Re: Hehehe, Crafty, Creative

      "I wonder whether he will be sued for breach of trust/faith; unlawful disclosure of proprietary info; falsification of work; misrepresentation of fact; etc."

      probably not. Taking him to court would leave the company open to shareholders (esp institutional investors) questioning the management and security of the firm, as he had been doing this for months, so the management would be under fire after that.

  5. dssf

    Temp Agency Commercial from the 80s/90s (Accountemps?)

    Employee calls boss, faking illness, sniffling, "Sorry, Mr. Smith, I cannot come in today. I've got this terrible cold..."

    "Don't worry... BOB can handle it!"

    "Who's 'Bob', sir?"

    "Don't worry! We've got it COVERED!"

    "Wh... Wh... (throat miraculously clears up) I am FEELING BETTER already. I can be in in 15 minutes."

    "THAT'S OK. YOU stay home and recover. BOB will handle EVERYthing...."

    Well, THAT IT BOB took his employers for an expensive, unaccountable and embarrassing ride.

  6. Timothy Tuck
    Pint

    brilliant

    have to love it, probably violated many of his hiring terms and NDA's but hey you do have to admit it has a ring of brilliance to it.

    1. Lars Silver badge
      Pint

      Re: brilliant

      Damn it, never thought of that, must be stupid.

    2. Anonymous Coward
      Anonymous Coward

      Re: brilliant

      Not all that brilliant... should've had his subcontractors connect via a VPN proxy at his home. He'd have enjoyed many more happy years of being paid to commentarderize on El Reg

      Anon.. well.. just because. OK

      ;o)

    3. Peter Simpson 1
      Thumb Up

      Re: brilliant

      His scheme has a BOFH quality to it

      1. Anonymous Coward
        Anonymous Coward

        Re: brilliant

        This sounds like exactly the kind of scheme Wally in Dilbert would cook up.

        1. TeeCee Gold badge

          Re: brilliant

          The article mentions he was handling invoices from subcontractors and other such admin stuff.

          Sounds way too much like hard work for Wally. Now, if there were a way of outsourcing the work associated with outsourcing the work.......

        2. Anonymous Coward
          Anonymous Coward

          Re: brilliant

          I swear that he did (although the outsourcing was to India), I just can't find it. IIRC: Dilbert asked Wally if he was worried about getting caught, and he said no, every couple of weeks he has the contractor screw up.

  7. Timothy Tuck
    Joke

    Now on to the second best programmer in the company

    I am betting it might be time to go check Alice's machine next, since she was the number 2 programmer I am betting her and Bob have been communicating between each other and nobody knows about it yet.

    Or maybe Bob is Alice, or Alice is Bob

    Maybe neither of them really exist? lol

    Ghost in the machine?

    1. kryptonaut

      Re: Now on to the second best programmer in the company

      I think Eve might know something about it.

    2. The Indomitable Gall

      Re: Now on to the second best programmer in the company

      Almost. Bob isn't Alice -- Bob is Kate.

      1. dssf

        Re: Now on to the second best programmer in the company

        Are Bob, Alice, and Kate a sort of Hybrid?

        Sorry, but this just BEGS for a BSG segue, hehehehe:

        "Two protons expelled at each coupling site creates the mode of force, the embryo becomes a fish that we don't enter until a plate, we're here to experience evolve the little toe, atrophy, don't ask me how I'll be dead in a thousand light years, thank you, thank you. Genesis turns to its source, reduction occurs stepwise though the essence is all one. End of line. FTL system check, diagnostic functions within parameters repeats the harlequin the agony exquisite, the colors run the path of ashes, neuronal network run fifty-two percent of heat exchanger cross-collateralized with hyper-dimensional matrix, upper senses, repair ordered relay to zero zero zero zero. (Torn)"

        "Gestalt therapy and escape clauses. Throughout history the nexus between man and machine has spun some of the most dramatic, compelling and entertaining fiction. [2]

        (Grasping Baltar) Intelligence. A mind that burns like a fire. Find the hand that lies in the shadow of the light. In the eye of the husband of the eye of the cow. [3] "

        " Thus will it come to pass. A dying leader will know the truth of the Opera House. The missing Three will give you the Five who come from the home of the Thirteenth. You are the harbinger of death, Kara Thrace. You will lead them all to their end. End of line. (Faith) "

        =========

        When IT, Legal, HR, the Execs, and the Site Security caught up with him....

        "At last, they’ve come for me. I feel their lives, their destinies spilling out before me. The denial of the one true path, played out on a world not their own, will end soon enough. Soon there will be four, glorious in awakening, struggling with the knowledge of their true selves, the pain of revelation bringing new clarity, and in the midst of confusion, he will find her. Enemies brought together by impossible longing, enemies now joined as one. The way forward at once unthinkable, yet inevitable. And the fifth, still in shadow, will claw toward the light, hungering for redemption that will only come in the howl of terrible suffering. I can see them all. The seven, now six [5] , self-described machines who believe themselves without sin, but in time, it is sin that will consume them. They will know enmity, bitterness, the wrenching agony of the one splintering into the many, and then they will join the promised land, gathered on the wings of an angel. Not an end, but a beginning. Come in Major. I've been waiting for you for a long time. "

        ============

        And, just as they escorted him out the door, he had his final line:

        "There are secrets within lies, answers within riddles. Lay off the ACS, you betcha Galen. Open your mind and hear what your heart wants to deny. End of line."

    3. Anonymous Coward
      Anonymous Coward

      Alice

      Who the fuck is Alice?
