College Professor...
They could have saved a lot of time and money instead of setting up the Professor and asked the assignment topics in ChatGPT.
US and South Korean authorities have updated their guidance on how to avoid hiring North Korean agents seeking work as freelance IT practitioners. Thousands of North Korean techies are thought to prowl the world’s freelance platforms seeking work outside the Republic. Kim Jong Un’s regime uses the workers to earn hard currency …
It's a requirement in companies that do work for the Federal Government. This is because a lot of that type of work requires a clearance and rather than segmenting the workforce they just blanket test everyone.
Not just the US, pretty much anywhere in the world requires drug testing to work in certain environments.
It's also required in pretty much any logistics company because most employees drive trucks.
Drunk/stoned techies very often save the day
Conservative and corporate organisations (you know, the big state) still like to work under the pretences that the 18th amendment still applies and that we are winning the "war on drugs".
I remember a film that summed it up.
"You have a beer at the end of your day. You have a drink problem!"
"No. You are a Mormon. You have a problem with drink."
I'm astonished that, outside of safety-critical roles and an initial suspicion, an employer could even ask an employee to take a drug test, let alone make it compulsory.
The only people who have that right are the police and in the context of driving, and in my jurisdiction there's limits there too.
It's a Reagan-era holdover. I think I've managed to evade all but one drug test in my entire working life -- I regard these as an invasion of privacy so I've avoided taking a job where it's required. It's also a bit pointless because the only thing that these tests work for reliably is cannabis and it's been legal to purchase in our state (California) for quite a few years now. (Some stores even offer a 'senior discount'....)
Same rules apply, though, stoned or not stoned -- if the company requires a drug test then it's almost certainly going to be a crap employer. Avoid.
As for enemy aliens peering over one's shoulder you wouldn't believe the number of foreigners I've worked with -- lots of Chinese, Iranians and what have you. Can't get reliable, experienced, engineers "Made in America", real work doesn't pay enough compared to churning out endless web code, I suppose. Then there's the tale of the DoD sub-sub-sub-sub contract, the lack of actual technical knowhow that led our little outfit to get a job from one of those Aerospace companies. The only people available to work on it were one Chinese and one Russian -- both naturalized US citizens, of course, but you never know.......they know that foreign lingo and how to write funny, they could be doing anything......
"It's also a bit pointless because the only thing that these tests work for reliably is cannabis and it's been legal to purchase in our state (California) for quite a few years now."
Washington State. Same thing. But once made legal, the pro-cannabis groups made several attempts at having its use considered to be a disability. Covered by the ADA. So, why? You can get fired for staring vacantly at a screen, doing nothing. But it seems that if it's due to being stoned, they want that to be protected.
Come on. If (as many claim) it enhances one's perception, insight, etc., why would you need legal protection?
Fortunately, the being stoned as a disability legislation has gotten nowhere (yet).
As a rule people don't get so stoned at work that they can't function. The same applies to drinking. We all have jobs to do so people don't tend to get blasted at the workplace. (Peer pressure and all that...)
Where the drug tests cause problems is situations like a colleague of mine had. Back in the day we were "accidental Intel employees" (due to a takeover) and he got laid off because the spreadsheet said so. Unfortunately he was rather useful and so we hired him back as a 'green badge' contractor. Fine, except that a) to complete the hire he had to have a drug test and b) after he was laid off he was out partying with the aid of a bong. He failed. We moved mountains. No dice. He got a black mark on his employment record, we lost a really useful programmer. Lose/lose, but then that's what American Megacorps are about -- missteps, waste but sheer size often allows them to get away with it (for a time, at least).
"a) to complete the hire he had to have a drug test and b) after he was laid off he was out partying with the aid of a bong. He failed."
He knew there was going to be a test? In that case, I'm not certain that such an employee could be relied upon to not get stoned at work. If the job requirement (at that time) was to pass the test, he proved to be incapable of making the correct decision. Might that happen again?
That might be half of what a drug test seeks to reveal. Put down the bong long enough to pass and one probably has the self control to handle the drug responsibly.
About 40 years ago, a techie friend had arranged to do some contract work for a big government contractor. All was going well until somebody within the organization called him to arrange for a drug test. He certainly had nothing to fear from such a test, but thought it a very bad sign that the company should mention it only so late in the process. He told them so, and broke off communications.
On the other hand, I am no teetotaler, but would just as soon that those who have been drinking go home and sleep it off before they work on computers. I remember (also from about 40 years ago), an operator with a blood-alcohol level approaching "embalmed" who left a customer's mini unusable for a couple of days.
Unless the laptop has GPS, that won't work reliably. I've had my "location" (egress point of ISP to the internet) be anything from a few to over 100 miles away depending on where I lived and the ISP in question. Let alone trips to the coffee shop because electrical work that impacted me was being done. I suppose it could be effective to detect someone coming from a completely different location, such as someone claiming to work in the US suddenly showing up in North Korea, but not reliable enough to rely on a perfect match.
One time I got one of those "security alerts" from my mobile carrier. It seems like it knew I was on some street named (IIRC) "Oak Park", but resolved that as being in some actual park with that name, in a different county a hundred or so miles away.
In retrospect, I should have expected as much from a system that uses "WiFi access points apparently near me" to be good data for location.
A good time to switch from "This data looks funny, so must be a breach. yell and ignore" to "this data looks funny, time to find out why".
WiFi access points use unique MAC addresses, the BSSID. Since there are so many access points out there it's a good bet that the BSSID will have been reused as it's only relevant to the relatively short range wireless network. If some clever types try to uniquely identify APs by their BSSID, say to place them globally on the map, then there's a good chance that your AP will get mixed up with someone else's AP.
It's the eternal programming problem -- you just can't stop clever people using side effects because 'they appear to work'.
"not trusting recruiters’ due diligence"
Just maybe an hour ago I got some unsolicited email from a recruiter that gave me a chuckle and serves as a good example.
The first warning sign that the recruiter is just spamming everyone on LinkedIn or some other database comes from them saying that experience with Oracle Cloud is mandatory. Nowhere on my LinkedIn profile or CV do I list having Oracle Cloud experience. Agile PLM, sure, but not Oracle Cloud. Sure, I could probably pick it up quickly, but that's beside the point. Moving on...
The second warning sign is a line a little further down that reads "Knowledge in ________ is a plus." That is a direct quote, they literally didn't bother taking out the _____
And the third warning sign is the start of their conclusion paragraph which literally starts with, "If you are qualified".
I'm sure there are more if I went looking, but those three are what I noticed in like a 5-10 second skim. I still sometimes get recruiters sending me messages for 6-month contract positions that are halfway across the country, because I used to live within 200 miles of there maybe 20 years ago.
If your staff are working from home, check that there isn't a Feasibly North Korean Person sitting behind them, almost out of shot.
Of course it could just be a Kdrama poster on their wall.
Probably 'Goblin'. Excellent series. Check it out. Better than anything on the BBC.
"Preventing use of remote desktop protocol on all company devices and prohibit using remote desktop applications for work;"
For me that would've meant compensation for constructive dismissal as my employer would be effectively preventing me from doing my job - it couldn't be done without remote access to customer's systems.
"So rather than remote-desktopping into your work computer you have all the company data, software, licenses, keys etc on everyone's laptop to be left in a bar"
Of course not - why would I have all that lot on my laptop?
The access method was remote into my employer's network from work laptop (MFA required), remote into customer's network from my employer's network (at least one layer of MFA required) and then remote into specific product from customer's network - and as we dived deeper into the specific product many of the passwords were not known to the customer, just in case they were tempted to play. (At one of my employers a trained IT professional decided to change the Windows domain name, just to see if he could - that was 2.5 days of sitting on our arses while it was sorted.)
Our customer did not allow vendors, such as myself, access directly from the internet, it had to be via a dedicated VPN from my employer's network.
Evading requests for in-person meetings and drug tests? I'm not sure how that would be a red flag. I mean, if you're hiring a freelancer through a freelancing platform for remote work...
a) I wouldn't expect a remote worker to have to travel to wherever to meet in person. I have met in person with several people I freelance for, but I wouldn't think it'd be a red flag if I was like "No, I'm not driving 2000 miles to meet up with you."
b) I'm surprised any company would think they could require drug tests from freelancers, this to me appears to be them wanting to have their cake and eat it too. Expecting to treat someone as a company employee while (through paying them as a freelancer) avoiding granting them the benefits an hourly or salaried employee would be owed (i.e. even if the company doesn't have health insurance, 401K, etc., the company would be paying various taxes for employees where the freelancer is expected to pay them as a freelancer.)
The rest of the stuff listed would certainly be red flags though. Especially the rotating through payment methods too frequently, and the having stuff shipped to a shipping company rather than an actual destination.
As a freelance and someone who doesn't use, if a company asked me for a drug test, I'd walk, right there and then. I'm supposed to work on the machines that run your business, doing stuff that nobody in your organization is equipped to understand thoroughly (or you wouldn't be hiring me). If you don't trust me, this relationship is not going to work.
Tracking and geolocating IPs? Banning VPN/Remote Desktop? Removing admin rights? Drug tests?
Surely a more simple tool would be banks not allowing North Koreans to open accounts in the US, UK, wherever else they don't really live?
Or is it again, one rule for 'regular' businesses and no rules for the big banks?
There are all sorts of reasons why you'd want a local banking presence rather than having remittances sent directly to your country. (Your country being on the US's s**t list is just one of them.) For example, if you're from Argentina doing remote work for someone in the US then converting your wages directly to pesos -- especially at the official rate -- would be roughly equivalent to flushing the money down the toilet. You'd want to keep as much of it as possible in a hard currency for as long as possible, only converting it to local currency on an 'as needed' basis.
Adding to the complexity is the notion that an individual can't just open a bank account in another country unless I've got a legal presence -- residency -- in that country. This means there's almost certainly a lively trade in providing informal banking-like facilities to individuals. All this will appear to a typical civil servant in a hard currency country as a network of criminals and/or spies and Joe Public, someone who doesn't know any better as well, will just tag along with the program.
Looking out for the "ill-intentioned" doesn't really help does it? I worked in IT for 25 years, mostly banking, and I cannot remember any other type of worker lasting more than a couple of months!
My bosses were invariably trying to lock our customers into disadvantageous contracts while using the wrong software on minimally viable hardware. I much prefer the idea that they were fiendish degenerates making deliberate choices than well-intentioned incompetents making cock-up after cock-up.
There is also identity theft through fake recruiters. I have been scammed multiple times before I started enforcing strict rules for myself. In these, things proceeded to a 'contract' and I submitted requested identity information. Then the recruiter vanished and the company ghosted all contact. Now I demand ironclad proof of authenticity which I check.
I had something similar to that. I was packing up at the end of a job and got a phone call. "We're XXXX agency, are you looking for work?" Ooo, thanks, yes I am. "Ok, our recruiter will phone tomorrow". Ok thanks.
Next day, expected phone call. Went through usual job agency questions. "Ok, Bob will phone tomorrow to discuss the project. We'll send an email with details."
Next day, email arrived. "Please follow this link and download this software, click on Install, click on Enable, etc. etc...." Err.... no.
This automatic assumption that anyone from the DPRK must be a spy is silly. It's quite likely that North Koreans are as smart and knowledgeable as anyone else so they'll want a piece of the global action if they can get it. So it's not beyond the imagination to think that the DPRK has people working remotely not 'spying' but merely earning money -- the business would be registered outside North Korea so the earnings could be kept outside but the people doing the work could still be paid a decent wage by local standards.
The only thing wrong with this arrangement is that it upsets Cold Warriors.