back to article ‘How not to hire a North Korean plant posing as a techie’ guide updated by US and South Korean authorities

US and South Korean authorities have updated their guidance on how to avoid hiring North Korean agents seeking work as freelance IT practitioners. Thousands of North Korean techies are thought to prowl the world’s freelance platforms seeking work outside the Republic. Kim Jong Un’s regime uses the workers to earn hard currency …

  1. VonDutch

    College Professor...

    They could have saved a lot of time and money instead of setting up the Professor and asked the assignment topics in ChatGPT.

    1. ckm5

      Re: College Professor...

      It's a requirement in companies that do work for the Federal Government. This is because a lot of that type of work requires a clearance and rather than segmenting the workforce they just blanket test everyone.

      Not just they US, pretty much anywhere in the world requires drug testing to work in certain environments.

      It's also required in pretty much any logistics company because most employees drive trucks.

  2. Anonymous Coward
    Anonymous Coward

    Techies get drug tests in the US

    Ultrabooks aren’t heavy machinery, so why would in-person drug tests be necessary? Drunk/stoned techies very often save the day when an out-of-contract emergency occurs and all hands are needed on deck!

    1. Spanners Silver badge
      Facepalm

      Re: Techies get drug tests in the US

      Drunk/stoned techies very often save the day

      Conservative and corporate organisations (you know, the big state) still like to work under the pretences that the 18th amendment still applies and that we are winning the "war on drugs".

      I remember a film that summed it up.

      "You have a beer at the end of your day. You have a drink problem!"

      "No. You are a Mormon. You have a problem with drink."

      1. Grogan Silver badge

        Re: Techies get drug tests in the US

        I don't have a drug problem... seems to me it's only bothering YOU (said to my parents as a teen). It worked, to some degree and they knew there wasn't much they could do about it anyway.

    2. Anonymous Coward
      Anonymous Coward

      Re: Techies get drug tests in the US

      Yes, yes I have... anonymous because I still work here.

    3. Pete Sdev Bronze badge
      WTF?

      Re: Techies get drug tests in the US

      I'm astonished, that out-side of safety-critical roles and an initial suspicion, that an employer could even ask an employee to take a drug test, let alone make it compulsory.

      The only people who have that right are the police and in the context of driving, and in my jurisdiction there's limits there too.

    4. martinusher Silver badge

      Re: Techies get drug tests in the US

      Its a Reagan era hold over. I think I've managed to evade all but one drug test in my entire working life -- I regard these as an invasion of privacy so I've avoided taking a job where its required. Its also a bit pointless because the only thing that these tests work for reliably is cannabis and its been legal to purchase in our state (California) for quite a few years now. (Some stores even offer a 'senior discount'....)

      Same rules apply, though, stoned or not stoned -- if the company requires a drug test then its almost certainly going to be a crap employer. Avoid.

      As for enemy aliens peering over one's shoulder you wouldn't believe the number of foreigners I've worked with -- lots of Chinese, Iranians and what have you. Can't get reliable, experienced, engineers "Made in America", real work doesn't pay enough compared to churning out endless web code, I suppose. Then there's the tale of the DoD sub-sub-sub-sub contract, the lack of actual technical knowhow that led our little outfit to get a job from one of those Aeriospace companies. The only people available to work on it were one Chinese and one Russian -- both naturalized US citizens, of course, but you never know.......they know that foreign lingo and how to write funny, they could be doing anything......

      1. Yet Another Anonymous coward Silver badge

        Re: Techies get drug tests in the US

        But imagine how dysfunctional the government would be if the senior politicians weren't subject to the same drug testing as a postal worker.

        Can you imagine a congress where they were all on drugs?

        1. Paul Hovnanian Silver badge

          Re: Techies get drug tests in the US

          "Can you imagine a congress where they were all on drugs?"

          They're not?!

      2. Paul Hovnanian Silver badge

        Re: Techies get drug tests in the US

        "Its also a bit pointless because the only thing that these tests work for reliably is cannabis and its been legal to purchase in our state (California) for quite a few years now."

        Washington State. Same thing. But once made legal, the pro-cannabis groups made several attempts at having it's use considered to be a disability. Covered by the ADA. So, why? You can get fired for staring vacantly at a screen, doing nothing. But it seems that if it's due to being stoned, they want that to be protected.

        Come on. If (as many claim) it enhances one's perception, insight, etc., why would you need legal protection?

        Fortunately, the being stoned as a disability legislation has gotten nowhere (yet).

        1. martinusher Silver badge

          Re: Techies get drug tests in the US

          As a rule people don't get so stoned at work that they can't function. The same applies to drinking. We all have jobs to do so people don't tend get blasted at the workplace. (Peer pressure and all that...)

          Where the drug tests cause problems is situations like a colleague of mine had. Back in the day we were "accidental Intel employees" (due to a takeover) and he got laid off because the spreadsheet said so. Unfortunately he was rather useful and so we hired him back as a 'green badge' contractor. Fine, except that a) to complete the hire he had to have a drug test and b) after he was laid off he was out partying with the aid of a bong. He failed. We moved mountains. No dice. He got a black mark on his employment record, we lost a really useful programmer. Lose/lose, but then that's what American Megacorps are about -- miststeps, waste but sheer size often allows them to get away with it (for a time, at least).

          1. Yet Another Anonymous coward Silver badge

            Re: Techies get drug tests in the US

            But at least you kept the ghosts of C17 religious extremists happy

            And look on the bright side, you might have lost a valuable contribution to shareholder value to a competitor but you avoided hiring a no good liberal hippie

          2. Paul Hovnanian Silver badge

            Re: Techies get drug tests in the US

            "a) to complete the hire he had to have a drug test and b) after he was laid off he was out partying with the aid of a bong. He failed."

            He knew there was going to be a test? In that case, I'm not certain that such an employee could be relied upon to not get stoned at work. If the job requirement (at that time) was to pass the test, he proved to be incapable of making the correct decision. Might that happen again?

            That might be half of what a drug test seeks to reveal. Put down the bong long enough to pass and one probably has the self control to handle the drug responsibly.

  3. disgruntled yank

    testing and drinking

    About 40 years ago, a techie friend had arranged to do some contract work for a big government contractor. All was going well until somebody within the organization called him to arrange for a drug test. He certainly had nothing to fear from such a test, but thought it very bad sign that the company should mention it only so late in the process. He told them so, and broke off communications.

    On the other hand, I am no teetotaler, but would just as soon that those who have been drinking go home and sleep it off before they work on computers. I remember (also from about 40 years ago), and operator with a blood-alcohol level approaching "embalmed" who left a customer's mini unusable for a couple of days.

  4. trevorde Silver badge

    Best code ever!

    Was written when I was drunk. Didn't understand it in the morning though.

    1. A. Coatsworth Silver badge
      Pint

      Re: Best code ever!

      Ah, the Ballmer Peak!

      Obligatory xkcd: https://xkcd.com/323/

    2. DoctorPaul

      Re: Best code ever!

      But did it work?

      1. stiine Silver badge
        Pint

        Re: Best code ever!

        I too have written some of my best code while blitzed out of my mind on bacardi. Weren't we all 18 at some point?

    3. Anonymous Coward
      Anonymous Coward

      Re: Best code ever!

      On the flip side, I've seen code produced by someone who you'd have *sworn* was blind drunk at the time - only they weren't. They were a very expensive contractor who walked out the door having been paid, and left me with the mess to sort out.

      1. Yet Another Anonymous coward Silver badge

        Re: Best code ever!

        From an old ALEX cartoon

        I hear Jenkins at $MEGACORP lost £ 100M yesterday.

        They did a drug test

        Oh, how did it go ?

        He was clean so they had to fire him. They're having a big crackdown on stupidity

    4. PhilipN Silver badge

      Re: Best code ever!

      Then all those packages started arriving from Amazon ....

  5. Anonymous Coward
    Anonymous Coward

    From the article: "to make it harder for bad actors to hide their identities."

    Yeah, you wouldn't want to hire Steven Segal by mistake lol

    1. Zoopy

      Only a concern if you're hiring cooks.

    2. Bitsminer Silver badge

      Or Nicholas Cage.

    3. VicMortimer Silver badge

      Why would anybody interested in security hire a Russian?

  6. JavaJester

    Geolocation Matching Address?

    Unless the laptop has GPS, that won't work reliably. I've had my "location" (egress point of ISP to the internet) be anything from a few to over 100 miles away depending on where I lived and the ISP in question. Let alone trips to the coffee shop because electrical work that impacted me was being done. I suppose it could be effective to detect someone coming from a completely different location, such as someone claiming to work in the US suddenly showing up in North Korea, but not reliable enough to rely on a perfect match.

    1. munnoch Bronze badge

      Re: Geolocation Matching Address?

      My contract conditions specifically say I need HR permission to work remotely from any location other than my home address.

      Doesn't stop me and they evidently don't check... Have SpaceSuit^H^H^H^H Laptop, Will Travel.

      1. stiine Silver badge

        Re: Geolocation Matching Address?

        Aren't you your own HR department?

        1. Yet Another Anonymous coward Silver badge

          Re: Geolocation Matching Address?

          Yes but he's very strict with himself

    2. Mike 16

      Re: Geolocation Matching Address?

      One time I got one of those "security alerts" from my mobile carrier. It seems like it knew

      I was on some street named (IIRC) "Oak Park", but resolved that as being in some actual

      park with that name, in a different county a hundred or so miles away.

      In retrospect, I should have expected as much from a system that uses "WiFi access points

      apparently near me" to be good data for location.

      A good time to switch from "This data looks funny, so must be a breach. yell and ignore"

      to "this data looks funny, time to find out why".

      1. martinusher Silver badge

        Re: Geolocation Matching Address?

        WiFi access points use unique MAC addresses, the BSSID. Since there are so may access points out there its a good bet that the BSSID will have been reused as it's only relevant to the relatively short range wireless network. If some clever types try to uniquely identify APs by their BSSID, say to place them globally on the map, then there's a good chance that your AP will get mixed up with someone else's AP.

        Its the eternal programming problem -- you just can't stop clever people using side effects because 'they appear to work'.

  7. aerogems Silver badge
    Windows

    Wise words

    "not trusting recruiters’ due diligence"

    Just maybe an hour ago I got some unsolicited email from a recruiter that gave me a chuckle and serves as a good example.

    The first warning sign that the recruiter is just spamming everyone on LinkedIn or some other database comes from them saying that experience with Oracle Cloud is mandatory. Nowhere on my LinkedIn profile or CV do I list having Oracle Cloud experience. Agile PLM, sure, but not Oracle Cloud. Sure, I could probably pick it up quickly, but that's besides the point. Moving on...

    The second warning sign is a line a little further down that reads "Knowledge in ________ is a plus." That is a direct quote, they literally didn't bother taking out the _____

    And the third warning sign is the start of their conclusion paragraph which literally starts with, "If you are qualified".

    I'm sure there are more if I went looking, but those three are what I noticed in like a 5-10 second skim. I still sometimes get recruiters sending me messages for 6-month contract positions that are half-way across the country, because I used to live within 200 miles of there maybe 20-years ago.

    1. Anonymous Coward
      Anonymous Coward

      Re: Wise words

      A lot of these recruiters are clueless cut-and-paste monkeys. I love the “must have 5 years experience with” some software product that hasn’t even been around that long.

  8. Ken Moorhouse Silver badge

    Surely one possible technique...

    Is to ask questions which will indicate either some kind of loyalty to the regime or would be highly offensive to the regime if the answer were to be leaked.

    1. Yet Another Anonymous coward Silver badge

      Re: Surely one possible technique...

      Cos the first rule of spies is they aren't allowed to lie to you if asked a direct question

  9. Tron Silver badge

    Reds under the bed.

    If your staff are working from home, check that there isn't a Feasibly North Korean Person sitting behind them, almost out of shot.

    Of course it could just be a Kdrama poster on their wall.

    Probably 'Goblin'. Excellent series. Check it out. Better than anything on the BBC.

  10. Kernel

    Excellent!

    "Preventing use of remote desktop protocol on all company devices and prohibit using remote desktop applications for work;"

    For me that would've meant compensation for constructive dismissal as my employer would be effectively preventing me from doing my job - it couldn't be done without remote access to customer's systems.

    1. Yet Another Anonymous coward Silver badge

      Re: Excellent!

      So rather than remote-desktopping into your work computer you have all the company data, software , licenses, keys etc on everyone's laptop to be left in a bar

      Tell me you work for the security services without telling me you work for the security services

      1. Kernel

        Re: Excellent!

        "So rather than remote-desktopping into your work computer you have all the company data, software , licenses, keys etc on everyone's laptop to be left in a bar"

        Of course not - why would I have all that lot on my laptop?

        The access method was remote into my employer's network from work laptop (MFA required), remote into customer's network from my employer's network (at least one layer of MFA required) and then remote into specific product from customer's network - and as we dived deeper into the specific product many of the passwords were not known to the customer, just in case they were tempted to play. (At one of my employers a trained IT professional decided to change the Windows domain name, just to see if he could - that was 2.5 days of sitting on our arses while it was sorted.)

        Our customer did not allow vendors, such as myself, access directly from the internet, it had to be via a dedicated VPN from my employer's network.

  11. Henry Wertz 1 Gold badge

    In-person meetings and drug tests?

    Evading requests for in-person meetings and drug tests? I'm not sure how that would be a red flag. I mean, if you're hiring a freelancer through a freelancing platform for remote work...

    a) I wouldn't expect a remote worker to have to travel to wherever to meet in person. I have met in person with several people I freelance for, but I wouldn't think it'd be a red flag if I was like "No, I'm not driving 2000 miles to meet up with you."

    b) I'm surprised any company would think they could require drug tests from freelancers, this to me appears to be them wanting to have their cake and eat it too. Expecting to treat someone as a company employee while (through paying them as a freelancer) avoiding granting them the benefits an hourly or salaried employee would be owed (i.e. even if the company doesn't have health insurance, 401K, etc., the company would be paying various taxes for employees where the freelancer is expected to pay them as a freelancer.)

    The rest of the stuff listed would certainly be red flags though. Especially the rotating through payment methods too frequently, and the having stuff shipped to a shipping company rather than an actual destination.

  12. Filippo Silver badge

    As a freelance and someone who doesn't use, if a company asked me for a drug test, I'd walk, right there and then. I'm supposed to work on the machines that run your business, doing stuff that nobody in your organization is equipped to understand thoroughly (or you wouldn't be hiring me). If you don't trust me, this relationship is not going to work.

  13. Anonymous Coward
    Anonymous Coward

    Tracking and geolocating IPs? Banning VPN/Remote Desktop? Removing admin rights? Drug tests?

    Surely a more simple tool would be banks not allowing North Koreans to open accounts in the US, UK, wherever else they don't really live?

    Or is it again, one rule for 'regular' businesses and no rules for the big banks?

    1. Yet Another Anonymous coward Silver badge

      That's why the banks all have boxes on their forms to tick if you're a North Korean spy

    2. martinusher Silver badge

      But this is how things work anyway

      There are all sorts of reasons why you'd want a local banking presence rather than having remittances sent directly to your country. (Your country being on the US's s**t list is just one of them.) For example, if you're from Argentina doing remote work in for someone in the US then converting your wages directly to pesos -- especially at the official rate -- would be roughly equivalent to flushing the money down the toilet You'd want to keep as much of it as possible in a hard currency for as long as possible, only converting it to local currency on an 'as needed' basis.

      Adding to the complexity is the notion that an individual can't just open a bank account in another country unless I've got a legal presence -- residency -- in that country. This means there's almost certainly a lively trade in providing informal banking like facilities to individuals. All this will appear to a typical civil servant in a hard currency country as a network of criminals and/or spies and Joe Public, someone who doesn't know any better as well, will just tag along with the program.

  14. Azamino
    Joke

    "flooded the global marketplace with ill-intentioned information technology workers"

    Looking out for the "ill-intentioned" doesn't really help does it? I worked in IT for 25 years, mostly banking, and I cannot remember any other type of worker lasting more than a couple of months!

    My bosses were invariably trying to lock our customers into disadvantageous contracts while using the wrong software on minimally viable hardware. I much prefer the idea that they were fiendish degenerates making deliberate choices than well-intentioned incompetents making cock-up after cock-up.

  15. bertkaye

    beware possible nation state personal fraud too

    There is also identity theft through fake recruiters. I have been scammed multiple times before I started enforcing strict rules for myself. In these, things proceeded to a 'contract' and I submitted requested identity information. Then the recruiter vanished and the company ghosted all contact. Now I demand ironclad proof of authenticity which I check.

    1. J.G.Harston Silver badge

      Re: beware possible nation state personal fraud too

      I had something similar to that. I was packing up at the end of a job and got a phone call. "We're XXXX agency, are you looking for work?" Ooo, thanks, yes I am. "Ok, our recruiter will phone tomorrow". Ok thanks.

      Next day, expected phone call. Went through usual job agency questions. "Ok, Bob will phone tomorrow to discuss the project. We'll send an email with details."

      Next day, email arrived. "Please follow this link and download this software, click on Install, click on Enable, etc. etc...." Err.... no.

  16. PhilipN Silver badge

    North Korean plant

    A Triffid?

  17. Anonymous Coward
    Anonymous Coward

    This is one of those "back to the office"

    nudge stories, isn't it ?

  18. martinusher Silver badge

    Of course it might be just a North Korean techie looking for work

    This automatic assumption that anyone from the DPRK must be a spy is silly. Its quite likely that North Koreans are as smart and knowledgeable as anyone else so they'll want a piece of the global action if they can get it. So its not beyond the imagination to think that the DPRK has people working remotely not 'spying' but merely earning money -- the business would be registered outside North Korea so the earnings could be kept outside but the people doing the work could still be paid a decent wage by local standards.

    The only thing wrong with this arrangement is that it upsets Cold Warriors.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like