Security audit finds dev OUTSOURCED his JOB to China to goof off at work

A security audit of a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet. The firm's telecommunications supplier Verizon was called in after the company set up a basic VPN system with …

COMMENTS

This topic is closed for new posts.

Silver badge

Urban legend

Wasn't there a story of somebody at HP/IBM/etc that interviewed with two different divisions on different floors of the same building - got offered both jobs - and took them?

By leaving his jacket on the back of the chair and always attending meetings - he got away with it for a long time!

3
0
Silver badge

Re: Urban legend

Are you thinking about the Michael J Fox movie "The Secret of my Success"? If you haven't seen that, it's a "must watch".

4
0

Free Trade!

C'mon, if it was a factory job everyone would be cheering about the increase in "productivity." I'm waiting until we can outsource the politicians.

8
0
Anonymous Coward

Sauce, goose, gander. Apparently then, programmers can easily out-compete the management in the deadwood companies they work for, who knew?

Nice one Bob, the management would probably have outsourced you in the end, to the lowest-cost no-hopers they could find to boost their golf slacks budget, (and you might have had to debug their crap code or train the no-hopers for a while) so presumably you hired some rather better ones to cut down on debugging time!

9
0
Silver badge
FAIL

"Sauce, goose, gander. Apparently then, programmers can easily out-compete the management in the deadwood companies they work for, who knew?"

Errrrm, He was outsourcing his work for others to do. He would only have been "deadwood" if he hadn't done that or any productive work himself.

2
0
Silver badge

Office Space

Bob has 'management' written all over him.

11
0

Re: Office Space

I think this is what can happen when bright people are told things like "You're too technical for management so that's why we are placing an arts graduate with no relevant experience in charge of the team".

2
0
Thumb Up

Award for brilliance

So it's okay if the company throws people out of work by outsourcing to China but not when a worker does it? Everyone wins here - the company was satisfied with the results and what it cost them; Bob is happy because he is paid lots of money to do nothing but manage his source and verify the work before it's submitted, and China is happy because China always wins.

What really needs outsourcing is management.

8
0
Silver badge

Re: Award for brilliance

You are right in principle, Michael, but the devil is in the details. China trains one hell of a lot more engineers than the USA, but when it comes to lawyers the USA is top dog by a long, long, long way. What lawyers mostly do is arbitrate the division of the spoils, and since rich employers can afford more and better lawyers, the arbitration usually routes 99% of the money to said rich employers. (All perfectly legal, of course - it's bound to be when you can afford to HIRE the law. Also the people who make the law, of course - but that's another story).

9
0

Re: Award for brilliance

The clue's right there at the top of the article: "critical infrastructure". Bob's job was in the US, and not already outsourced, because of security implications. Bob "outsourced" himself by granting access to a secure network to people not adequately vetted to connect to it. He has not only breached his contract of employment, but he has brought his employer into breach with their clients, a breach which will no doubt lead to a very, very expensive audit of every single line of the codebase.

6
0

What's the problem?

He got the job done, and he took the pay on offer to get it done. Who cares how he got it done?

4
2
Bronze badge

Re: What's the problem?

Probably anyone involved in network security or data protection or even software licensing.

- He fedexed a two-factor authentication token to an unknown Chinese person to use.

- He provided them with VPN access into the internal company network.

- They were writing software (which should now, by rights, all be audited), which was deployed into the company network and nobody now really knows for sure what it did historically or what it does today.

- At any point, those Chinese programmers might have been culling other companies' proprietary code to use for that job (illegal!), or similarly taking the company's code and selling it on to Chinese companies etc.

The man is a genius. But he's a genius that broke several contracts and (quite likely) a few laws in doing what he did. The company might choose not to do anything about it, depending on the work they did and the data they processed, but it's not as clear cut as "good luck to him". A lot of people will now have to do a lot of work auditing code and explaining themselves to data protection agencies. Basically all the work he did will now have to be undone at great expense, unless the company is really willing to turn a blind eye to it (which may be illegal too!).

It's like finding out that there's been a guy coming into your office, because he always came in with a certain employee, and logging onto the corporate network for years and now people find out that NOBODY has any idea who he is or what he was doing and that he was nothing to do with the company. It's serious stuff.

11
0
Pint

Re: What's the problem?

I'm inclined to agree. Managers are always talking about focus on 'results' and 'efficiencies'. On paper, this is exactly the kind of initiative they demand from employees.

I suspect they're just pissed because they couldn't manage external contractors that well if they tried.

6
2

This post has been deleted by its author

Silver badge

Re: What's the problem?

Certainly, in finding the easiest way of getting his work done he completely and utterly ignored everyone else's interests (and the law). But then, everyone has been saying he's management material. This confirms it.

1
0
Silver badge

Re: Breaking Laws And Contracts

You can't make an omelette without breaking eggs.

0
0
Bronze badge
Boffin

Re: What's the problem?

"The man is a genius. But he's a genius that broke several contracts and (quite likely) a few laws in doing what he did."

I take your point.

Suppose 'Bob' had set up some kind of system at home that the contractors he hired could check code into and then make it appear that all VPN traffic was coming in from his home address. Would he have been caught?

Is there a 'style' or 'code signature' that you can use to identify a programmer?

0
0
Bronze badge
Joke

Re: Breaking Laws And Contracts

Until this very moment, I never had a response to that cliche. But now...

Oh yes you can: Tap the shell with a syringe, suck out the contents, make omelette, patch shell after filling with density-equivalent.

Now, as for over easy, sunny side up, and similar, where the yolk cannot be malformed....

JKJKJKJK

1
0

Re: What's the problem?

"It's like finding out that there's been a guy coming into your office, because he always came in with a certain employee, and logging onto the corporate network for years and now people find out that NOBODY has any idea who he is or what he was doing and that he was nothing to do with the company. It's serious stuff."

I worked for that company, and those people were 2 a penny! In fact I think I was one of them for a while!

0
0
Bronze badge

Re: What's the problem? It's serious stuff.

Agreed, however, it does show just how much companies depend upon trust. I suspect that many companies' 'authorised' use of sub-contractors (offshore or onshore) are not fully policed with respect to security and confidentiality implications...

0
0
Anonymous Coward

Why not?

The management would do it to the programmers without missing a heartbeat anyway - he's just getting his outsourcing in first. The only bonus is that he's managed to find outsourcing resources who are actually good at their work.

Ex-BT employee here - who's had his job outsourced to numpties (since the management never bothered to manage the outsourcing like Bob did).

8
0

This post has been deleted by its author

Big Brother

Fallen star

Really, really surprised that if this guy was *a star programmer* that he didn't realise that security audits of logins would take place after making VPN/work at home available! Standard security practice - check up where your workers are logging in from - home network or offsite. Tsh!

1
1
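The login audit this comment calls standard practice, sketched as an added example that is not part of the original thread or of Verizon's report: it flags VPN logins from outside a user's expected networks and VPN sessions that are open while the same user logs on from the office LAN. The log format, field names, users and addresses are all constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed sample data; addresses are RFC 5737 documentation ranges.
EXPECTED_NETS = {"bob": ["198.51.100.0/24"], "alice": ["192.0.2.0/24"]}
OFFICE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed office LAN range
VPN_LOG = """\
2012-05-02T09:05:11 vpn-login user=alice src=192.0.2.17
2012-05-02T09:12:40 vpn-login user=bob src=203.0.113.45
2012-05-02T17:01:03 vpn-logout user=bob src=203.0.113.45
"""
LAN_LOG = """\
2012-05-02T09:30:00 desktop-logon user=bob src=10.1.4.22
"""

def parse(log):
    """Yield (timestamp, event, fields) for each 'ts event key=value ...' line."""
    for line in log.splitlines():
        if line.strip():
            ts, event, *pairs = line.split()
            yield datetime.fromisoformat(ts), event, dict(p.split("=", 1) for p in pairs)

def unexpected_sources(vpn_log, expected):
    """VPN logins whose source address is outside the user's known networks."""
    hits = []
    for ts, event, f in parse(vpn_log):
        if event != "vpn-login":
            continue
        # A user with no baseline has no expected networks, so is always flagged.
        nets = [ipaddress.ip_network(n) for n in expected.get(f["user"], [])]
        if not any(ipaddress.ip_address(f["src"]) in n for n in nets):
            hits.append((f["user"], f["src"], ts))
    return hits

def remote_while_on_site(vpn_log, lan_log):
    """Users who log on from the office LAN while their VPN session is open."""
    sessions, start = [], {}
    for ts, event, f in parse(vpn_log):
        if event == "vpn-login":
            start[f["user"]] = ts
        elif event == "vpn-logout" and f["user"] in start:
            sessions.append((f["user"], start.pop(f["user"]), ts))
    # Sessions with no logout record are treated as still open.
    sessions += [(u, a, datetime.max) for u, a in start.items()]
    hits = []
    for ts, event, f in parse(lan_log):
        if ipaddress.ip_address(f["src"]) in OFFICE_NET:
            hits += [(u, ts) for u, a, b in sessions if u == f["user"] and a <= ts <= b]
    return hits
```

The second check does not depend on where the VPN connection comes from: a user cannot be at a desk on the LAN and dialled in remotely at once, so it still fires when the source address looks ordinary.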

Re: Fallen star

Doesn't surprise me, I worked with some genius devs who, once outside of the pure programming world, didn't seem to know one end of a computer from the other.

4
0
Silver badge

Re: Fallen star

Yes, if he'd been a tad smarter he would have invested some of his copious spare time in cultivating the security people. Take them for drinks, make friends with them. That way he might have got a heads up, or even been able to avert discovery.

1
0
Anonymous Coward

Re: Fallen star

Seconded: in my experience (as a sysadmin) I find all too often developers are clueless about the wider systems they code for, even down to how basic networking works sometimes!

5
0
Silver badge
Happy

Re: Fallen star

Security people don't have friends, just risk lists....

1
0
Trollface

If he'd remembered to put cover sheets on his TPS reports he'd have gotten away with it for years!

6
0
Happy

I believe...

You have my stapler?

3
0
Happy

New Book Coming Soon - How to Fool HR For Dummies.

Nothing more to say.

0
0
Thumb Up

Brilliant

Firing him out of shame is stupid. I'd promote him into management and let him outsource a lot more.

2
1
Meh

Is this a Verizon press release?

I smell a fish - this is straight out of a Dilbert strip. Someone that smart wouldn't have let his subcontractor connect directly. And when did the Chinese subcontractor actually connect? In the middle of the night? And why did this "star programmer" actually bother going in to work to surf the web all day, presumably at the same time that "he" was connected externally? And is Verizon a bit like the US version of Vodafone? If so, what sort of moron would ask them to do a security audit?

Someone's taking you for a ride, Mr. Reg.

8
1
Anonymous Coward

Re: Is this a Verizon press release?

"That smart".

You can be perfectly good at programming.

You can get the bright idea of outsourcing.

You can stuff up by forgetting which audit log to delete/thinking you don't need to do an external contractor and let them in internally.

The "smart" person's downfall is how smart they think they are versus how smart they really are. (Which goes for this commentard too!)

6
0
Bronze badge

Re: Is this a Verizon press release?

>> Someone that smart wouldn't have let his subcontractor connect directly.

My thoughts exactly when I read it. It would be trivial to set up a VPN through his own machine and get the Chinese guy to connect with that before connecting to the corporate VPN so his home IP shows up as the one connecting.

2
0
Silver badge

Offshore working hours

Every offshore outfit I've dealt with makes a point that they will work whenever suits you - if you want them 9-5 GMT, they'll be there.

Personally I prefer to leave them do their own 9-5. Usually they are 4 hours behind, so you get the morning to inspect what they've done and have some peace & quiet, then after lunch you can liaise with them, and set them the next set of tasks to continue with after you go.

1
0

Re: Is this a Verizon press release?

"And is Verizon a bit like the US version of Vodafone? If so, what sort of moron would ask them to do a security audit?"

Probably because of their experience in cheating the system :)

1
0
Anonymous Coward

"4 hours behind GMT"

AFAICT the only people who are 4 hours behind GMT are central South America and Nova Scotia. Surely you don't really mean that your offshore outfits are all based there?

0
0
Silver badge

Re: Is this a Verizon press release?

Vodafone owns 49% of Verizon, so yes, they are the US version of Vodafone.

My PHB hires companies like that to do security audits because they are big companies, so they must be good.

2
0
Anonymous Coward

Re: Is this a Verizon press release?

Former PHB hired big-company accountants because they were no good and he was up to it!

0
0
FAIL

Re: Is this a Verizon press release?

Vodafone owns 49% of Verizon "Wireless", Verizon is MUCH bigger than that.

Also, for once, this is NOT Verizon's fault:

"The firm's telecommunications supplier Verizon was called in after the company set up a basic VPN system with two-factor authentication so staff could work at home. "

So Verizon were the SUPPLIER of the network and they found the info on "Bob", they were not employing him.

1
0
Anonymous Coward

Re: "4 hours behind GMT"

"...central South America and Nova Scotia. Surely you don't really mean that your offshore outfits are all based there?"

He took "offshoring" literally. They work from a repurposed garbage scow adrift somewhere in the north Atlantic Ocean.

1
0

Re: Is this a Verizon press release?

Just an aside: Verizon is in fact 49% owned by Vodafone, and they'd like to own more.

0
0

Agreed. Bob's "typical work day" reads like a joke list of how a lazy employee would spend their time. The whole thing sounds like something you hear about from a mate of a mate. Plus the only source for this story appears to be a link to the Verizon blog, which is currently returning a database error.

1
0
Silver badge
Thumb Up

I don't see the problem

No, seriously. He's just being an extremely efficient manager - delegating work out, freeing up his time, providing excellent results.

In that respect, he's better than a good number of managers.

I applaud this effort.

2
2

Re: I don't see the problem

> delegating work out, freeing up his time,

And yet failing - By wasting the free time and getting busted. If he had set up the VPN connection to forward from his work computer at home, then he could engineer some chronic and progressive medical reason to work more and more from home and then go travelling or *something* interesting instead of being at the office.

At least he got to keep the money and the Chinese contacts might be useful in the future.

1
0

Re: I don't see the problem

@Piro:

> No, seriously. He's just being an extremely efficient manager - delegating work out, freeing up his time, providing excellent results.
>
> In that respect, he's better than a good number of managers.
>
> I applaud this effort.

You're assuming that:

1) he adequately security-vetted the outfit to whom he outsourced the work to ensure that they weren't a risk, and had suitable measures in place should a security issue arise.

2) he ensured that the code produced by the outsourced team was entirely their work and that they had the legal right to sell it to him under work-for-hire no-rights-reserved terms.

3) he ensured that the outsourced team did not make use of any data or infrastructure access provided by him to get up to Naughty Business

4) he performed quality-assurance on the code provided to ensure it was up to scratch and would not cause any problems within the expected deployment environment.

In the absence of proof that he did all this, and especially in the context of "freeing up his time to dick around on the internet", I thoroughly reject your assertion that this is laudable. I mean, yeah, in a pragmatic sense he allegedly got away with it for a while (assuming this isn't a bollocks PR narrative selling us the idea of Verizon's contribution to improved network security), but...well, screw this notion. If he'd done this to get otherwise-unmanageable amounts of work done in the face of a management structure that refused to properly locally resource their teams it'd be one thing. The character depicted in this story exhibits lazy parasitic bellendery and the fact that it's being applauded by a bunch of short-sighted twits is, sadly, about what I'd expect from at least some commentards.

2
0
Devil

Re: I don't see the problem

It may not be laudable in light of the rules, it is however lulzy as fuck.

0
0
Bronze badge

Re: I don't see the problem

>And yet failing

Agreed, he obviously didn't fully get one of the key points in "the 4-hour work week" - disappear from the office...

0
0
Thumb Up

"Bob"? Bit of an odd name...

It wasn't Robert Oliver Francis Howard by any chance was it?

3
0
Devil

Re: "Bob"? Bit of an odd name...

If it was he'd never have been caught - the security staff trying to investigate would have been smelling brimstone faster than you can say 'compulsion geas'

0
0
