ONTD Political

Outsourced: Employee Sends Own Job To China; Surfs Web

1:10 pm - 01/18/2013
What began as a company's suspicion that its infrastructure was being hacked turned into a case of a worker outsourcing his own job to a Chinese consulting firm, according to reports that cite an investigation by Verizon's security team. The man was earning a six-figure salary.

The anonymous company, identified only as a critical infrastructure firm, asked Verizon's Web security personnel to look into data that showed its virtual private network was being accessed from China — even as the employee whose credentials were used to log in from overseas was sitting in the company's offices, using his computer.

As Emil Protalinski writes at The Next Web, the company's security measures included a coded fob which, the investigating team learned, a code developer had shipped to Shenyang, China, so that a company there could perform his assigned work.

And it turns out that the job done in China was above par — the employee's "code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building," according to the Verizon Security Blog.

It seems that Verizon has removed the page publishing this "case study" — either that, or it has merely become unavailable for some other reason. But a cached version of the story offers more details. The report, which assigns the inventive employee the fictitious name of "Bob," described him as a family guy in his 40s, with extensive software knowledge.

After they were called in to look for rogue software that allowed hackers to perfectly mimic an employee's log-in, and maintain an active and secure connection, the investigators instead found "hundreds of .pdf notices from a third party contractor/developer in (you guessed it) Shenyang, China."

The Verizon team even found that "Bob" kept a regular schedule at his office:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos
11:30 a.m. – Take lunch
1:00 p.m. – Ebay time.
2:00 – ish p.m Facebook updates – LinkedIn
4:30 p.m. – End of day update e-mail to management.
5:00 p.m. – Go home

And as they learned, his schedule also included sending less than one-fifth of his salary to the Chinese firm. Verizon's investigators say the evidence they uncovered suggests "Bob" might have had similar arrangements at several companies.

"All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually," according to the Security Blog.

It is not yet clear whether "Bob" has read former kickboxer Tim Ferriss's book The 4-Hour Workweek, which explores ideas that include "Outsourcing Life" and "Disappearing Act: How to Escape the Office."


This feels like the sequel to Office Space.
perthro 18th-Jan-2013 06:35 pm (UTC)
This is one of those times when I am alllll about seeing if those programmer dudes want a green card, for free, and a guaranteed job in that position (for more pay than this douche was giving them!). Why? Because if they did the work better, by all fucking means. Or just let them stay there and telecommute like they have been. We have Skype for a reason.

All this just to watch cat videos.
communion 18th-Jan-2013 06:55 pm (UTC)
lickbrains 19th-Jan-2013 12:46 am (UTC)
crossfire 18th-Jan-2013 07:02 pm (UTC)
This article caused quite a stir in our internal memegen. :D
squeeful 18th-Jan-2013 07:11 pm (UTC)
I've known or known of a few people who have done similar, outsourcing part of their coding job. It wasn't so they could watch cat videos, but because they didn't want to/couldn't work 100 hour weeks.
chaya 18th-Jan-2013 07:40 pm (UTC)
Did they have an NDA and a fob?
fluorescenta 19th-Jan-2013 06:04 pm (UTC)
what's a fob? I know what a NDA is but not fob....

never mind just saw someone's comment below

Edited at 2013-01-19 06:06 pm (UTC)
mary_pickforded 18th-Jan-2013 07:47 pm (UTC)
Genius tbh.
chaya 18th-Jan-2013 07:53 pm (UTC)
If he'd outsourced to someplace less flag-raising than China, then I'd have to agree.
kitanabychoice 18th-Jan-2013 07:48 pm (UTC)
I read this yesterday and was like... "must be nice." I guess. He was making a killing doing that, I bet.
nesmith 18th-Jan-2013 08:05 pm (UTC)
Proving that it's totally okay for corporations to do it, but not for anyone else. Double standard much?
chaya 18th-Jan-2013 08:11 pm (UTC)
Considering he had an NDA and was allowing someone onto the VPN with falsified identification, not really.
nesmith 18th-Jan-2013 08:16 pm (UTC)
True, but still. Just irks me that this is an outrage but much more heinous exploitation is business as usual.
chaya 18th-Jan-2013 08:30 pm (UTC)
"Still" what? I'm all for hating on The Man, but this guy rented out his work to a stranger in a country (nay, a specific part of a country) famous for stealing proprietary information. Even if he'd had this same setup with a buddy of his he'd still have been breaking a nondisclosure agreement and, again, allowing a non-employee on to the VPN.
nesmith 18th-Jan-2013 10:34 pm (UTC)
No, you're right. There's times to gripe but this isn't the case. He was right to be fired post haste.
nesmith 19th-Jan-2013 02:04 am (UTC)
And upon further realization, when I read this originally elsewhere, it didn't mention the guy in China was actually logging into the network with his ID. The way it was presented there (and of course it was an article link through FB that I can't find now) was that he just gave his work to this other guy to do and took the credit for it. I completely understand the absolutely huge security breaches in play here.
tsu_ 18th-Jan-2013 09:02 pm (UTC)
I don't understand why he couldn't just get the code sent to him separately and he/the employee would just update it directly. If not, scrub the IP and stuff before uploading. It's simple enough to do, and less likely to get caught. It just seems so lazy... if you want to cheat/outsource, then do it properly!!
chaya 18th-Jan-2013 09:03 pm (UTC)
That's what I was wondering actually. Unless all the code is in that 'tree' software where it wouldn't be easy to export, send, receive, and import? I'm no programmer though so idk.
shadwing 18th-Jan-2013 09:12 pm (UTC)
Since I'm seeing notes about a 'Fob' my guess is some of the work needed to be done live and in order to log in to do it live the PC in question needed the Fob plugged into it.

When you log in, the server checks to see if the PC logging in not only has the right access code, but also has this Fob attached to his PC. Wouldn't shock me if some of these programmers were all issued a Fob for their home PCs so they could work from home.

My brother actually had a piece of software that required such a Fob and if it wasn't plugged in, the program wouldn't even start. I'm guessing this guy FedExed his 'Home PC' Fob to China so they could do the work needed
chaya 18th-Jan-2013 09:14 pm (UTC)
Yeah, I keep seeing mentions of a fob but I don't see any mention of it in the article.

Either way. Dude. China. Someone was gonna notice.
crossfire 18th-Jan-2013 09:29 pm (UTC)
The fob is probably a "one-time password" generator, or "OTP." (Yes, lol.) The OTP is issued to the employee and linked to their main password; access to things requires both entry of your correct password and a correct OTP. It's an added layer of security: not only does the person logging in need to know a valid password, they need the physical OTP generator associated with that password as well.

If their security is standard, then both the password and OTP were necessary for VPN access to the corporate intranet, then again for accessing the codebase, and possibly again for participating in code reviews if they had some sort of formal web-based review system.
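
Added example, not part of the comment thread or the Verizon report: a password plus OTP proves that whoever logs in holds the token, not who that person is, so the signal described in the article (VPN access from abroad while the credential owner is at his desk) has to come from correlating VPN sessions with on-site presence. The log formats, field names and the HOME_COUNTRIES set are assumptions, and the sample records are constructed.

```python
from datetime import datetime

# Constructed sample records, not data from the Verizon report.
VPN_LOG = """\
start=2013-01-14T09:05 end=2013-01-14T17:10 user=bob src_country=CN mfa=otp_ok
start=2013-01-14T19:30 end=2013-01-14T21:00 user=alice src_country=US mfa=otp_ok
start=2013-01-15T09:01 end=2013-01-15T17:02 user=bob src_country=CN mfa=otp_ok
"""
ONSITE_LOG = """\
start=2013-01-14T08:58 end=2013-01-14T17:00 user=bob source=badge
start=2013-01-14T08:30 end=2013-01-14T18:00 user=alice source=badge
start=2013-01-15T09:00 end=2013-01-15T17:00 user=bob source=desktop_logon
"""
HOME_COUNTRIES = {"US"}  # assumption: where this workforce normally connects from


def parse(log):
    """Turn key=value lines into dicts with datetime start/end fields."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        row = dict(field.split("=", 1) for field in line.split())
        row["start"] = datetime.fromisoformat(row["start"])
        row["end"] = datetime.fromisoformat(row["end"])
        rows.append(row)
    return rows


def flag_sessions(vpn_rows, onsite_rows):
    """Return (vpn_row, reasons) for sessions that passed MFA but look wrong."""
    findings = []
    for s in vpn_rows:
        reasons = []
        if s["src_country"] not in HOME_COUNTRIES:
            reasons.append("unexpected_country")
        # Two intervals overlap when each starts before the other ends.
        if any(p["user"] == s["user"] and p["start"] < s["end"] and s["start"] < p["end"]
               for p in onsite_rows):
            reasons.append("remote_while_onsite")
        if reasons:
            findings.append((s, reasons))
    return findings


FINDINGS = flag_sessions(parse(VPN_LOG), parse(ONSITE_LOG))
for row, reasons in FINDINGS:
    print(row["user"], row["start"].isoformat(), row["src_country"], ",".join(reasons))
```

Every flagged session here passed the OTP check, which is why the second factor alone would not have surfaced the arrangement.
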
chaya 18th-Jan-2013 11:08 pm (UTC)
I know what fobs are, I j- oh. Rereading, they mention it in the third paragraph. -_-;
crossfire 18th-Jan-2013 09:30 pm (UTC)
That was my first thought.
bestdaywelived 18th-Jan-2013 10:25 pm (UTC)
I have a lot of friends in the IT industry, and they're universally angry about what this guy did and that the story hit the media. Outsourcing is the biggest danger to their jobs, and if more companies start doing it, the industry in the US is dunzo.
littlelauren86 18th-Jan-2013 10:48 pm (UTC)
First thing I thought.
circumambulate 19th-Jan-2013 12:32 am (UTC)
That makes no sense. There is no tech management team in the country that doesn't already know all about outsourcing. This being in the media will have 0% impact.
bestdaywelived 19th-Jan-2013 04:34 pm (UTC)
It makes plenty of sense. The attitude I have heard is that outsourced labor is sub-par to American work. This guy getting paid so much for his excellent work presents a problem.
circumambulate 19th-Jan-2013 04:59 pm (UTC)
nah, that's bullshit. The quality of SW work out of Asian outsourcing is equal or better in most cases, and everybody knows it. The management side, and cultural differences can be problematic, but there's no shortage of technical skill.
nesmith 19th-Jan-2013 02:13 am (UTC)
I asked a couple of the IT people where I work if they heard about it and they were all very nervous about the implications of it, especially since none of them pull big salaries as it is.
thevelvetsun 19th-Jan-2013 08:36 am (UTC)
Because before this story hit the media, IT companies had never heard of outsourcing??
bestdaywelived 19th-Jan-2013 04:36 pm (UTC)
No, because outsourcing was often used for less important jobs/grunt work. This guy doing it with a 6-figure salary and getting excellent reviews. That's dangerous to well-paid developers.
kishmet 19th-Jan-2013 10:25 pm (UTC)
Which says a lot about corporate greed and ethics (or lack thereof) tbh. They'd dump great devs and other IT people here just because they can underpay some guy in China to do the same thing.

And it could just be me but the idea that outsourced work is subpar strikes me as racist to begin with
tallycola 20th-Jan-2013 02:29 am (UTC)
That's not really this guy's fault, though. I mean what he did was obviously wrong in terms of breaching his NDA, but ethically it was no worse than corporations outsourcing, and the corporations would've caught on that foreign workers were just as good at these jobs eventually anyway. They should be mad at corporate culture, how our society undervalues work, and how our cost of living and standard of lifestyles are inflated until they are no longer sustainable. They should be mad that finding the cheapest labour possible for the most profit possible is the holy grail in our society. This guy was just taking it to the next logical step.
chaya 20th-Jan-2013 03:27 am (UTC)
"it was no worse than corporations outsourcing"

Corporations probably vet the subcontractors to make sure they're reliable enough to do the job right and not sell information about the company's work to other companies.
louisiane_fille 19th-Jan-2013 02:33 am (UTC)
And it would be hilarious.
jesskat 19th-Jan-2013 04:07 am (UTC)
When I first heard about the story, my first thought was to assume it was about an employee who was doing this "ironically" to protest big companies' outsourcing practices. Unfortunately turns out he was just greedy and lazy and wasn't trying to teach anyone a lesson.
redstar826 19th-Jan-2013 05:07 am (UTC)
are we no longer doing shenanigans friday?