The Register® — Biting the hand that feeds IT

Security audit finds dev OUTSOURCED his JOB to China to goof off at work

A security audit of a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet. The firm's telecommunications supplier Verizon was called in after the company set up a basic VPN system with …

This topic is closed for new posts.

Pint

Re: "Bob"? Bit of an odd name...

No, I don't think there has been any mention of the Laundry.

Thanks, guys, I thought TFM was a one-off, now I know better.

Pint for the nudge.

Gold badge

jacket on chair

25 years ago, I worked at an oil company in central London. One accountant with his own office, would come in, put his jacket on his chair and then, most days, toddled off to manage a shop he owned. It took one year for management to find out.

FAIL

Re: jacket on chair

Even longer ago I worked for a large broadcasting organization in London. A few people there openly spent most of their time at work running their own businesses. In other words, management and HR was crap.

It seems that in some modern businesses management and HR is still crap.

Silver badge
Thumb Down

It's a funny story with more than a whiff of bovine residue to it.

There's no way Bob would simply be let go after an incident like that; unless the company were utterly worthless (in which case why the audit?) they would now have to review all access to their network and audit all code. They would likely also have to at least consider dropping anything particularly clever done by Bob's subcontractors, since Bob's contract won't have allowed him to commission the work on a work for hire basis and he is unable to determine whether company code has been sold to other Chinese firms as a result of his actions. He's also exposed their network to substantial risk which would also need to be audited.

(I know, I know, overthinking it etc. But if all the shortsighted capitalism-at-all-costs "good on him" remarks are valid then so is mine...)

Anonymous Coward

Yes way. The company will seek to limit the damage as much as possible by covering up the incident internally and getting the "communications department" to run interference externally! Truth is that nobody will care about safety of the code or the network any further than what is minimally required to be perceived as "having taken all the necessary precautions, procedures have been strengthened etc.".

Part of the deal is that "bob" keeps his gob shut and don't go writing a book about "dumbass corprat america"

Silver badge

No way, unless all their policies are crap written by incompetent morons and enforced/applied by incompetent morons.

What you say is well and good until you've got a job or client with any kind of risk of industrial espionage (or, worse, a government contract with security implications). I've no doubt that such morons might simply blunder onwards through the contracts, answering erroneously or outright lying if necessary; the point being that they would then not only be running a vulnerable network that's open to exploitation or attack by malicious individuals and/or business rivals, but they would also be open to litigation of the "level all buildings to rubble and salt the earth beneath for good measure" variety.

Remember, we're talking about a story existing solely on the internet: which means it's complete and utter danglies until conclusively proven otherwise - which means the company needs to be named (the individual too, optionally) and the story needs to be covered in major news services over the course of several days. Unless that happens I'm assuming it's a promo for how Verizon can help your business be more efficient (And even help find hitherto-unnoticed security issues).

Bronze badge
Stop

RE: ..unless all their policies are crap written by incompetent morons...

I bet that there are a lot of people who read your comment, and said to themselves:

Stop talking about my bosses that way!!!!!!

Bronze badge

This kind of thing does happen

I was in the STB industry and there was one guy at another firm who apparently broke his leg skiing.

In fact he started working for another firm and somehow balanced things so he was working for both for a long time.

Anonymous Coward

Not that smart, think man-in-middle VPN

Well he should set it up with the VPN as it man-in-middle.

The Chinese connects to the programmer's computer and his computer connects to the corp computer.

Silver badge
Pint

Sounds like my kind of day

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos

11:30 a.m. – Take lunch

1:00 p.m. – Ebay time

2:00-ish p.m – Facebook updates, LinkedIn

4:30 p.m. – End-of-day update e-mail to management

5:00 p.m. – Go home

Oh, here comes someone from IT towards my desk...

Anonymous Coward

Re: Sounds like my kind of day

shouldda posted AC

Bronze badge
Thumb Up

Nothing new here

Back in the day I ran a very small courier firm - just me and a few others on bikes - till we got bored of riding and got a cheaper firm to do our work for us while we sat in the cafe fielding calls and providing "quality assurance". Occasionally we'd knock out a few jobs ourselves, especially for a few key clients. Then we'd spend a merry hour each day in our rented office raising invoices, and go home.

WTF?

I think it was ballsy of him, but it shines a bright light on how much money American companies could save by outsourcing. I'd wager this experience has educated the firm of the benefits of sourcing US jobs to foreign nations. Not what we need right now.

As has been highlighted, this was likely not being outsourced for a good reason! Maybe nothing to do with cost. It was found during a security audit.

I am based in the uk and I've had to be vetted before to download software from America that was subject to export restrictions. There could have been very good reasons why the code wasn't being done outside of the country.

Bronze badge

I'm not altogether buying this story ... but assuming that it is basically true ...

All the failures here are with the management.

Even putting aside the fact that the relationship between the firm and the employee seems to have been horribly dysfunctional, outsourcing technical work typically costs well above 20% of US costs. So either he's a demon negotiator or the company were employing somebody at far too high a skill level and salary for what the job actually involved. That's business-threatening incompetence.

The only real failure on the part of the employee is that he appears to have been pissing his own life away on the interweb. He could have outsourced the dull but well-paid work and then spent his office hours doing something interesting and constructive. Or at least built a lego death star.

I still don't quite buy this version of events though. Somebody has sprinkled some apocrypha in there to make it more interesting.

Devil

"bob" sure it wasn't "BOFH"? Oh wait, he wouldn't have been caught...

I applaud the man for his ingenuity but I also understand why the company didn't like the idea.

Bronze badge
Thumb Up

Re: "bob" sure it wasn't "BOFH"? Oh wait, he wouldn't have been caught...

...because the investigators would be buried in the local tip, rolled up in old carpeting.

Bronze badge

Re: "bob" sure it wasn't "BOFH"? Oh wait, he wouldn't have been caught...

..because the investigators would be killed in a freak lift accident.

or

..because the investigators would be killed in a freak generator mishap.

or

..because the investigators would be afraid of being repeatedly subjected to a cattle prod.

Outsourcing

Outsourcing, in my experience, is troublesome, slow and unreliable.

I considered this about 8 years ago as well when I was working with a firm in Chennai in India. The problem was that the programmers required exceptionally well-written documents (you get what you specify) and the mistakes that they made were often culturally-based rather than coding-based. To add to that, the programmers rarely stayed long at the company. It was not unusual to "see a new face" every 6-9 months.

I reckoned that I would be spending as much time, if not more, in order to get them prepared and then further to correct mistakes. They also had a strict one-week check-out policy and that made the meeting of deadlines difficult. I would have become a project manager and that wasn't for me.

Maybe if I had met a brilliant young programmer whom I could trust, I would have jumped at them like a shot. Otherwise one is trusting so much on the grounds of greed.

Hmm

On one hand, he's living the dream of the BOFH. Many wouldn't think twice about doing the same.

On the other hand, he's committing fraud, and opening up his company / the US to potential security issues. Verizon is, in theory, a regional Tier 1 provider, and as such, functions as a backbone for a large section of the internet. Now, I do not think, contrary to current paranoia, that anything harmful has been placed into this code, nor do I think the people on the other end would act in such a fashion. However, the various parties in a contract do have the right to know who they are working with, and this is a violation of that principle. What's more, the implications of an entire company, in a foreign nation, having direct access to such confidential information at such a high level at such a large company is mind-boggling.

On a secondary note, the problem with this fraud is that it has the unintentional side effect of possibly deprecating his fellow programmers' wages. By misrepresenting himself, he gave management at Verizon reason to believe that his fellow programmers were slacking, or somehow not worth their pay; this may have negatively affected their promotions and / or their salary / wage increases / bonuses. By using fraudulent means, he gave the appearance of doing the work of twenty or possibly hundreds of programmers, all by a single man; in all likelihood, excellent programmers were made to be in competition against that, potentially destroying themselves in an effort to compete; what's more, good programmers were, no doubt, turned away, or unjustly downgraded / viewed as poor programmers for their inability to perform. The ramifications for this are huge.

The question now being pondered is thus: how many others are doing this? An isolated incident, or merely the first to get caught? Were the industry to find out that even a few star programmers were actually pulling the same trick, there'd be bloodshed.

Bronze badge

Re: Hmm

I believe you may have misread the article.

Verizon is the company's communications supplier, and IIRC, it is in that capacity that they discovered what "Bob" was doing. The article did not imply (again IIRC) that "Bob" worked for Verizon.

Would he have got away with it if they were Agile?

Meh

Not so uncommon

This is quite common in larger businesses, but is wrapped up under the description of "Consultancy".

Check your accounts to see how much your senior management is spending on consultancy on every single decision they make ;-)

Coat

Dilbert predicted this'd happen in 2003

http://dilbert.com/strips/comic/2003-08-03/

Thumb Up

Re: Dilbert predicted this'd happen in 2003

lol! Good find :)

Anonymous Coward

Ridiculous

I wouldn't be mad at this particular character.

What annoys me is that there are many cases like this already occurring which gives IT / Dev a bad rap --- hence the ones actually having a passion to do this work and all just get left out to cater to the ones doing bullshit work.

Bronze badge
Alert

It's the logical conclusion of "globalization"

What's sauce for the employers is sauce for the employees!

Thumb Up

Love it

I think it's fantastic! I understand the security risks but look at the results...win win for everyone. Top work output from BOB (the company was happy), BOB was happy, the Chinaman was happy! Stuff like this goes on all the time. Most of all my clients either think I do the work or do not care as long as it gets done and done right. The rest is just details. I have a buddy who outsources almost all of his programming work for dirt cheap. No one knows and no one cares.

Obviously bob was sloppy and could have covered his tracks but his company should have made him head of HR using his creativity.

Love it!

Silver badge
Devil

"Killer BOB (or simply BOB) is a fictional character in the ABC television series Twin Peaks. He is a demonic entity who feeds on fear and pleasure. He possesses human beings and then commits acts of rape and murder in order to feast upon his victims."

Turns out he also outsources.

Bronze badge

US firms know outsourcing.

Virtually the whole country is outsourced to China. If this company can get work based on US employee rates then there is a very good reason for it. If there is a good reason for it then outsourcing it without the company knowing is probably a bad thing. Just how bad we will probably find out in a few years when the doeing breamliner is launched by the China Airliner Corp or something similar.

Bronze badge
Go

They should hire the Chinese guy!

Anonymous Coward

Who's to say the Chinese guy wasn't hiring someone else?

Holmes

Double bluff...

Actually he was nearly caught accepting cash to aid Chinese intelligence into his employer's network.

Good cover story though.

Pirate

Guerilla capitalism?

When companies do it, the market lauds them.

When individuals do it, they get the book thrown at them.

It would be nice if capitalism's little rules were evenly applied.

(cf. Aaron Swartz)

Bronze badge
Stop

Why he was fired

His boss got nervous Bob would take his job.

Seriously, promote the guy! He's got "management" written all over him!

Thumb Up

Make him the Secretary of Labor

THIS is how to solve the problems of employment, production, the environment, etc. all at once! Give this guy a Nobel! Or at least promote him to Vice President!

Go, go, all the Bobs in US of A!!!

so not surprised the thought about it, not surprised Verizon management is this stupid (yes, they are!), not surprised that Chinese contractor(s?) made him look like a star programmer, etc... not surprised at all of any of this... as much as you would like to disagree the fact of the matter is that most of the jobs in IT in the US are either outsourced or performed locally by white collar slaves from India, China or Eastern Europe; yes, most of these jobs are maintenance, production support and such, but "smart" jobs in cool companies like Google and friends are still done by some of these same people, just have a look around at your coworkers;

not that I mind this, used to be one of these guys myself till very recently, but it is just a fact... the era of US leadership in IT probably is well sunset and the perspective of it returning looks quite gloom; so, bottom line, Bob should be congratulated, management fired and US should get its technical education back on track!

Anonymous Coward

Re: Go, go, all the Bobs in US of A!!!

not surprised Verizon management is this stupid (yes, they are!),

You know he didn't work for Verizon, don't you?

(although I agree Verizon is terrible with seriously deficient management....)

Anonymous Coward

Ah, the things we do for love...

A friend of mine, also working in IT, had this really hot looking gf, also working in IT.

She was really fit and was seriously thinking of going pro as a cyclist. But, she wasn't quite as good in her IT job, a database dev.

So... my buddy was the Chinese subbie to her Bob. Basically, he would help her out by writing her code, on top of his own day job. I'll let you guess what his reward was.

Didn't end well. She eventually got canned and blamed & left him.

Anonymous Coward

It would have been cheaper...

.... to outsource to the UK. After all $50k/yr is about average for developers if you look over at the JOBS section -----> , plus no language problems. You could hire a whole development team for $250k/yr

Anonymous Coward

further analysis

analysis of the work habits of all their other employees found no difference...they all spent time just surfing the web ;-)

really....his manager is the one that needs to go. why was his working behaviour not spotted - or reported by coworkers long before the real story emerged?

Why are top managers always idiots? They should have fired Bob's boss and promoted Bob to that position.

Anonymous Coward

It's Wallys World

I am in awe.

No harm no foul?

He was getting the work done, to a high standard by all accounts and they have sacked him? His greatest sin was giving a third party his access details - he should have set up a VPN on his home system, and had the Chinese connect via his home VPN into his work VPN.

Thumb Up

Isn't this what Tim Ferriss makes a living telling people to do?

The main message behind "The 4 hour work week" (fourhourworkweek.com) is basically, "outsource everything in your life that you can't be bothered to do yourself".

Pint

Having a terminal server machine at home...

for the guys over in China to connect to so that they could then VPN into Verizon.

Would have been a much more secure option all round. Firewalled on both sides so that you can monitor what's happening in both directions. And with his multiple jobs, he could have set up a terminal server farm of virtual machines with the firewall routing all VPN traffic to the required TS.

If he had done that, then he would still be quite happily sitting at home coding away making a mint.

However, now that he has been caught, I suspect that he might be in line for a lawsuit for gaining money by deception.

A bit of a convoluted theory

"Yes, it is a bit of a convoluted theory, and like most convoluted theories, an incorrect one."

Occam's Razor.

Why go in the back door ?

Most of the companies (at least in my technological environment in Israel) go through the front door and turn to companies which manage projects locally through off-shore developers.

Yes , they pay local management fees , but it is 1 manager on whole teams of developers/technological workers...

Anonymous Coward

Old Doonesbury cartoon ...

This is an old Doonesbury cartoon from way back, that describes this exactly (except for in the cartoon the protagonist hired a more expensive engineer in Bombay that cost 1/3 of the base salary)

hmmmm .... validation of the story would be good, but it has always seemed plausible ...

copy of cartoon strip reprinted here:

http://rdrutherford.blogspot.be/2005/10/doonesbury.html
