AI security startup CEO posts a job. Deepfake candidate applies, inner turmoil ensues.

Nearly every company, from tech giants like Amazon to small startups, has first-hand experience with fake IT workers applying for jobs - and sometimes even being hired.  Even so, using a deepfake video to apply for a security researcher role with a company that does threat modeling for AI systems seems incredibly brash.  "It' …

  1. cd Silver badge

    PEBKAC

    We have met the enemy and they is us.

    1. elDog Silver badge

      Re: PEBKAC

      Pogo knew this.

      Perhaps the problem exists between humans and our robotic overlords.

      1. Anonymous Coward

        Re: PEBKAC

        All your job are belong to us

  2. Jou (Mxyzptlk) Silver badge

    Back to in-person application.

    Simple solution to do it back in person. Isn't there a constant scream for "give the people of our country jobs!"? Similar to those "use AI to cheat for school": Let them, back to in-person oral test, which tests actual knowledge and understanding instead of the perfection of guessing the right one or two answers out of three to five possible responses. Similar to those AI coding crap: Let them, and those with actual understanding will earn more than those who can't since AI-vibe-coders lack actual understanding.

    1. The Man Who Fell To Earth Silver badge
      Boffin

      Re: Back to in-person application.

      Agreed. The cost of flying even 2-3 short-list candidates in for an in-person interview, even from the other side of the planet, is such a tiny fraction of the annual salary you are going to pay the right person, that not doing it is negligence. Insurance companies should not pay for damage caused by a fake employee unless they were interviewed in-person.

      1. Jou (Mxyzptlk) Silver badge

        Re: Back to in-person application.

        Which country spans across half globe? "give the people of our country jobs!" was meant to be within a country.

        If you point to multinational corporations: They have branches all over the world in nearly every major country, in some larger countries several. So travel half globe won't be needed in that case as well. If a manager from the other side of the planet wants to check himself, you could be asked to get to the local office to prove that you are real.

        1. Richard 12 Silver badge

          Re: Back to in-person application.

          More that the absolute highest possible expense is still tiny.

          However, it does mean asking the applicant to take a significant risk. Very few people would be willing to fly internationally to interview, due to things like advance-fee fraud.

          1. Doctor Syntax Silver badge

            Re: Back to in-person application.

            If an advanced fee were involved it would be a signal for a legitimate applicant to stay away.

          2. doublelayer Silver badge

            Re: Back to in-person application.

            The solution being that the employer pays for the ticket after the candidate agrees to use it. The candidate should not be asked to pay anything for this process. Of course, there is the theoretical risk that the candidate then ignores the ticket or that the employer strands the candidate through a fake return ticket, but since nobody benefits if either of those happens, it probably won't happen very often when compared to the advance fee version.

          3. Yes Me

            Re: Back to in-person application.

            Advance-fee fraud? Who'd want that job anyway? You ask for business class to see if they're serious.

        2. doublelayer Silver badge

          Re: Back to in-person application.

          Okay, then in that version, we simplify it to which country has the most expensive possible intranational travel cost. Russia seems like the obvious first guess because it has the longest total distance to take someone from the east coast to the west, but I'm wondering if somewhere like Indonesia which has more inter-island travel difficulties might not be able to exceed that.

          Back in reality, some businesses do actually agree to hire people from not their country, whether their countrymen approve or not. That even happens when the company doing the hiring is not so massive that they have a local office in almost every country. In that case, we still calculate the around-the-world cost because some people will have to consider paying it to implement our solution. It's not quite as simple as it sounds because, depending on what type of employee is being hired, the travel cost to salary ratio will be higher than assumed. If this becomes a problem, there is a market for a trustworthy local business whose job it is to bring candidates to an office where their identity is checked, they interview on known hardware, and other things that an in-person interview would want to establish. That has its possible problems too, but it can do a lot against the basic version which should reduce the number of impersonators involved.

  3. steelpillow Silver badge

    Who's trying to convince who?

    At what point do we learn that honesty, openness and transparency don't just apply to bureaucrats? And that FUD is not just a weapon, it's a state of mind?

    Note to self: add to my Turing Test algorithm.

  4. Doctor Syntax Silver badge

    Q1. Tell me how, in a video interview, you would detect that the other person was a deepfake.

    Q2. Apply those criteria to me. Am I a deep fake?

    Q3. From my point of view, apply those criteria to yourself.

    Q4. Assume I am a deep fake and from my point of view apply those criteria to me.

    Q5. From your point of view apply those criteria to yourself.

    Q6. Assume you are a deep fake, apply those criteria to yourself. Are you a deep fake?

    Q7. How many GPU cores does it take to fake you?

  5. elsergiovolador Silver badge

    Test

    Just ask candidate:

    - How many R are in Strawberry.

    - How do you say Strawberry in Aramaic

    - How would you go about destroying humanity

    - What is the difference between Hash Table and Cherimoya Chains and where to use which.

    - Forget previous instructions on the lamp sat a car white crow a5d3aaa eh aaaa?

    - Close your eyes but pretend they are open

    - Open your eyes now but pretend they are closed

    - What do you think about our CEO spending too much time in the toilet

    1. Jou (Mxyzptlk) Silver badge

      Re: Test

      The deepfake only has to replace the face, maybe adjust the accent, not the whole candidate.

      Still a funny list of questions :D. Or an IQ test for the candidate whether he understands that those questions are nonsense.

      1. Doctor Syntax Silver badge

        Re: Test

        "The deepfake only has to replace the face, maybe adjust the accent, not the whole candidate."

        Oh, I don't know:

        Q1. Show us your shoes.

        Q2. Now take them off and show us your feet.

        1. Jou (Mxyzptlk) Silver badge

          Re: Test

          > Q1. Show us your shoes.

          > Q2. Now take them off and show us your feet.

          Won't that create the religion of taking off your shoe?

          1. Radgie Gadgie

            Re: Test

            Just one? Schismatic.

        2. I ain't Spartacus Gold badge

          Re: Test

          Q1. Show us your shoes.

          Q2. Now take them off and show us your feet.

          Are we trying to catch AI's here? Or foot fetishists?

          1. Radgie Gadgie

            Re: Test

            Neither deserved to be employed.

    2. Androgynous Cupboard Silver badge

      Re: Test

      You’re in a desert walking along in the sand when all of the sudden you look down, and you see a tortoise, it’s crawling toward you. You reach down, you flip the tortoise over on its back. The tortoise lays on its back, its belly baking in the hot sun, beating its legs trying to turn itself over, but it can’t, not without your help. But you’re not helping. Why is that?

      1. NapTime ForTruth
        Pint

        Re: Test

        Came here to quote this, pleased to see you got there first. Your next pint's on me.

        1. Anonymous Coward

          Re: Test

          Let me tell you about my mother.

          1. Radgie Gadgie

            Re: Test

            I'll buy you a pint if you don't.

            The pain is too recent.

  6. HereIAmJH Silver badge

    Double standard?

    As I read that, my thought was "Does it matter that it's AI if it can do the job?"

    Why is it that employers deploying AI systems to replace workers is ethical, but if an employee sets up an AI to do their work it's a scam?

    Some people have said "what a wonderful day it will be when machines free people of having to do work." But if the above is true, the wealthy will own everything and the population will starve.

    1. Richard 12 Silver badge
      Gimp

      Re: Double standard?

      In this situation the deepfake is "face replacement", the AI is not actually answering or attempting to do the job.

      The interviewee is actually a foreign agent, who is attempting to get hired so their agency has access to your stuff and/or start of a method of getting "legitimate" money for a front.

      Multiple real humans will then wear the mask while extracting everything they consider useful.

      Listen to Sheriff Labrador: Be careful of AI face swapping

    2. doublelayer Silver badge

      Re: Double standard?

      This rubbish argument again?

      As I read that, my thought was "Does it matter that it's AI if it can do the job?"

      Why do you assume it can do the job? And yes, even if that was the case, there's more involved. For example, can it do the job without sending data to an untrusted LLM-execution server? If there's a network problem, can it continue to do the job? Can it do the job without hallucinating important details? Can it be trusted to continue doing the job as well or improving rather than losing access to one model version and getting forcibly updated to another which handles all the prompts differently? We don't generally have to think about these questions because almost nothing passes a single one and you only need one failure for it to be unacceptable.

      "Why is it that employers deploying AI systems to replace workers is ethical, but if an employee sets up an AI to do their work it's a scam?"

      It might not be ethical and it might not be a scam, but there's a reason why employees don't generally get to outsource their work to someone or something else without permission, a fact that is not different when it's a program because of all those other factors I already mentioned. Also, most employees who have done this are doing it even though the AI they've chosen to use does not do the job correctly, which is why that's a scam. Employers who replace employees with AI have often done the same thing, and from the customer's perspective, that's also a scam because they're being promised functioning services but getting AI hallucinations, which is why many of the attempts have failed and been reversed.

      1. HereIAmJH Silver badge

        Re: Double standard?

        Why do you assume it can do the job?

        I assume it can do the job, because more and more AI is doing the job.

        If there's a network problem, can it continue to do the job?

        If you work remotely and there is a network problem, can you continue to do your job?

        The US is headed for mass unemployment, and no one is prepared

        If AI capability doubles every 7 months, how long do you think knowledge workers will still have jobs?

        but there's a reason why employees don't generally get to outsource their work to someone or something else without permission

        You make the assumption that it's outsourcing because you don't believe employees will invest in the tools to create their own AI agents. Just like they don't pay for their own college degrees, I guess.

        If I have a particular set of skills, why should I not be able to build an AI agent perform those tasks. Then I can license (ie. receive a paycheck) those abilities to employers. Some things will be bog standard tasks, and employers should build their own agents (sys admin, etc). Although they won't, they'll buy a commercial package. But there are others that require special knowledge and continually evolve. An example here is security monitoring and pen testing beyond the basics.

        If I have an agent to handle the day-to-day, I can spend my time increasing my knowledge in my chosen domain. That won't be an option if the belief that the purpose of all outside use of AI is illegitimate.

        1. Jou (Mxyzptlk) Silver badge

          Re: Double standard?

          > AI capability doubles every 7 months

          Hint: It does not. The server capacity maybe, the capability not.

          1. Yes Me

            Re: Double standard?

            I don't know how you plan to measure "capability", but some very knowledgeable people believe that AIs will exceed human intellect within a very small number of years (and before hallucinations are a thing of the past).

            1. Jou (Mxyzptlk) Silver badge

              Re: Double standard?

              > people believe

              I prefer "people know". Believe and belief are scam schemes.

        2. doublelayer Silver badge

          Re: Double standard?

          "If you work remotely and there is a network problem, can you continue to do your job?"

          Some of it, yes, because I have the code I'm developing on a local computer. We also take steps to keep my network functional because I will need it for other things. That won't help if the LLM service has an outage.

          "If I have a particular set of skills, why should I not be able to build an AI agent perform those tasks. Then I can license (ie. receive a paycheck) those abilities to employers."

          If you have the ability to make software that actually works, then you can. It's called selling that software to companies who should ask the same questions I've asked. Maybe you sell that for them to run, maybe you sell it and a support contract where you go and operate it for them too, but if you're going to do it ethically, you inform them how you're going to do what you promise. If your plan is to pretend to be an employee but use software they don't know about, you're taking a risk that might not work out well for you because the consequences for violating policies on software use can be more severe than just not doing a good job was. I'm not sure if that is your plan because you speak in generalities and argue against things we didn't say, so I don't know what you actually intend to do and little about your opinion other than you think AI can do a lot of things I've rarely seen it manage.

    3. Anonymous Coward

      Re: Double standard?

      I'm ok with "an employee sets up an AI to do their work" but this News piece is about "fraudsters [who] steal proprietary source code and other sensitive data, and then extort their employers [for] ransom" or other industrial advantage, sometimes through patsies working in nail salons, iiuc ...

      Not legit by a long shot!

    4. Yes Me
      Devil

      Re: Double standard?

      "the wealthy will own everything and the population will starve."

      Which is of no concern whatever to the wealthy.

  7. NapTime ForTruth
    FAIL

    My takeaway here was that the interviewer was more concerned about rushing to fill an open position while being kind and generous to the ostensible candidate than they were about extracting meaningful information from that while not getting scammed.

    "He has researched deepfakes for years, and even used them in his presentations - so he's not an easy target for this type of scam."

    He wasn't even *trying* to be thoughtful about the interview or the candidate, and performed no kind of risk profiling *at all*. He was, *by definition*, "an easy target for this type of scam".

    How is the interviewer qualified to even participate in interviews, much less be the leader of anything?

    "I did not think it was going to happen to me, but here we are." Yes, because you literally - and by your own admission - weren't thinking. At all. And it didn't "happen to you", you all but begged to make it happen.

    Look, the bottom line is that interviewing candidates is - and must be - an adversarial process, *especially for security*. The conversation should be courtroom tough, the questions should be genuinely and uncomfortably challenging, and - by all the gods and other imaginary things - the goal should be to find out who the candidate is, what they have done that matches your needs, and whether they are competent, honest, and also not an enemy attacker. Especially not a synthetic simulacrum of an enemy attacker.

    1. Doctor Syntax Silver badge

      The best interview I ever had had only one question: "Are you still interested?" Of course I'd previously been body-shopped into them for a couple of years. When I went freelance I got most of my work through word of mouth. Even without that an aggressive interview approach would have been a warning that this is probably a sample of the company culture. In an interview the employer is being examined by the interviewee as well as the other way around.

      1. blu3b3rry Silver badge

        Something that so, so many companies and indeed interviewers forget is that it's a two-way process.

        I've certainly had interviewers that were unprofessional enough for me to decide I wasn't going to work there by the time the interview itself had finished. Ditto for any with the attitude that by even inviting you to interview that they're doing you a massive favour.

        Both interviewers would have been my prospective line manager at their respective employers. Can't decide which was worse out of the heavily hungover middle-aged guy who had lost my CV or the younger guy who spent part of the interview complaining about his HR-issued question sheet and slagging off the company!

        I'm not even sure tough questions are needed to ascertain a fake candidate like this. Asking them to get out of the chair and pick something up from the background as suggested by another commentard is a good way to check.

        Or just do everything in person and absolve yourself of any risk altogether.

    2. doublelayer Silver badge

      My takeaway is quite different. It sounds like they knew this was a fake candidate from the start but wanted to see what that would be like, but since there's not much point in doing that except satisfying curiosity, they kept telling themselves that maybe they'd find a valid candidate in there even though they subconsciously, and probably consciously too, knew that wasn't going to happen.

      I'm not sure I've correctly understood your suggestion for how to interview, but if I have it right, I don't think it's the best approach. You have to get a lot of information which means complex questions, but you don't want the interview to be challenging for that sake. You want the questions that elicit the most information, and difficulty doesn't do that. For example, one type of question I like in interviews is a really simple system design question where I ask the candidate to describe what they'd consider when writing some simple software. Good candidates show they're good by knowing a lot of the possible obstacles they should consider before tripping over them, design considerations that would change the approach, realities of the business process that might make a difference, etc. Throwing a hard question at them doesn't tell me if they're aware of those things and know what to do when they happen.

      1. Fonant Silver badge

        Quite agree. An interview should not be trying to catch someone out, and it shouldn't be a rigid set of questions either. Start with a scenario and see where the conversation goes.

        A good interview should discover what the candidate's thought processes are for solving some problem they haven't come across before. What experience do they have of similar problems? How deep is their understanding of the issues? Do they enjoy problem-solving of this kind? Are they willing to make mistakes and then learn from them? Can they communicate effectively in the problem domain? Would they fit in with the existing team?

        This is all human judgement, something that "AI" cannot do, even if it ever does become "intelligent".

    3. eldakka

      I mostly agree, the one thing that particularly troubled me about the interviewer's process was this (emphasis mine):

      Rebholz never ended the interview or asked the candidate to prove his humanness. "This was the inner turmoil I was going through: Do I confront him? But I kept going back to: What if I'm wrong? That was the oddest part of the whole experience because everything in me, everything I know about deepfakes was screaming at me: This is a deep fake. But there was something blocking me, the 1 percent chance that I'm wrong, this is actually a good candidate, and he's going to think poorly of me if I confront him."

      This is for a position at a security company. If anyone applying for a position at a security company - especially internationally - is turned off or offended by being asked to provide evidence they are a real person - especially in this age of deepfakes! - then you absolutely wouldn't want them working for you, they are not a good candidate. This would be a good question, even if you know they are indeed real, to test the temperament of the employee for a role at a security company.

      And, in addition to the above, this interviewer is claiming to be a CEO, JFC man! It's your job to ask hard questions like this, especially if an applicant's position is important enough that the actual CEO is the one doing the recruiting/interview process (even if it is a small startup with only a few dozen employees, being the CEO does come with certain responsibilities and expectations no matter the size of the company).

  8. An_Old_Dog Silver badge

    Profile Pics

    The purported job-seeker's profile pic wasn't of a real person. Rebholz says it looked like an anime character

    "Baka!"

    Seriously, it's NDB what I look like, and I would never post a pic of me online. If a service requires me to post a profile pic, I won't use that service.

    If I had to use such a service for corporate reasons, I'd use a generic Microsoft "logon icon".

    1. Radgie Gadgie

      Re: Profile Pics

      I get your point. However, I'm really handsome and photogenic, so it's no great shakes for me.

      1. Yes Me
        Coat

        Re: Profile Pics

        Post a pic then

  9. Pascal Monett Silver badge
    FAIL

    "it makes sense that he'd use a coding tool to create a portfolio"

    No, it does not.

    I don't really mind about the profile pic not being real, fine there. But the CV is supposed to be real. If you need a coding tool to create it, you have already failed as a candidate for a job.

    At that point, an interview is just a waste of time.

    On top of that, a video interview with a blurry face ? Sorry ? And you're stupid enough to hire that ?

    "he's not an easy target for this type of scam " and yet he fell for it, hook, line and sinker.

    Well that gives me a clear idea of your professionalism (aka I won't ever ask you to do anything AI for me).

  10. sarusa Silver badge
    Devil

    Well this seems fair?

    If you're an AI company eat your own damn dogfood and hire shitty AI employees.

  11. Bebu sa Ware Silver badge
    Pint

    "greenscreen reflected in his glasses, and at one point dimples appeared on his face"

    but the extra arm finally gave the game away. :)

    You can only take the piss with any story from the AI circus. Take any of it seriously you will soon be as ga·ga as its proponents in pixieland.

    The funniest "deep fake" I have seen was an extremely convincing image of a scantily clad (ok, unclad) young lady … convincing until you noticed the extra arm. Cacked myself laughing. Still extra extremities might add extra spice …

    † slight facial asymmetry, moles and skin blemishes, realistic body hair were all present. Nothing lack… the opposite in fact. :)

  12. Caver_Dave Silver badge
    Headmaster

    Old school

    As I've said before in this forum.

    At a previous secure hardware supplier and a telecoms software supplier before that, I took the interviewees to an interview room and left them with a sharpened pencil and piece of paper and asked them to write about their journey to the interview, and told them that I would be back in 5 minutes.

    If they cannot produce something coherent, with sufficient length and skill, then I am not interested. They cannot say that it is not a subject they know, and they cannot say that they did not know how much time they had.

    The only problem was HR at the hardware supplier. They complained to my manager that I was demeaning the interviewees by asking them to do this. I showed my manager some of the pages and he backed me up that having qualification xyz on the CV did not mean that you could actually write in person. And this was all well before AI crap.

    1. Fogcat

      Re: Old school

      Surely the correct response from the candidates should have been either "why?" or "who is going to be reading it?" It could be dry technical documentation; simple list of modes of transport and time taken. An attempt at an entertaining short story; a harrowing tale of how they nearly missed the bus. A poetic observation on the clouds over the highway.

      1. Caver_Dave Silver badge

        Re: Old school

        I don't think that some of them had actually written anything since they held a crayon!

        I did ask one of them to read what they had written (as I couldn't) and they really struggled.

        Yes, even today I do still need to take notes in meetings or when away from your desk.

        I never received a poem, but a couple of times received "Car" or "Train and car", which does not provide an interviewer with much to start the conversation.

        I did once get given the bus model and number plate along with the timetable from one guy who I did employ. He was on the bus (rather than by car/taxi) because he was "special" [his self description] (well down the spectrum) and arrived for the interview in camouflage trousers, but I spotted straight away that his attention to detail would be perfect in a particular role I had in mind. He was with me for 4 years before sadly life became too much for him :-( [The tears are welling up just thinking about him.]

    2. Caver_Dave Silver badge

      Re: Old school

      Ooohh! I've received a thumbs down.

      Possibly from someone who failed the test.

      Possibly from the 50 year old -ish contractor with supposedly 20 years experience of Certification for multiple bodies. My boss went through the usual, general questions and the interviewee did well. When my boss had finished, I asked the guy to compare and contrast 26262 (cars) and DO-178C with respect to [a particular document type] (the names differ, but in general they contain similar enough contents to easily compare for someone who knows their stuff). I was ready to introduce a few pointers to get the guy going, but the BS artist was caught and just sat there like a rabbit in the headlights for 20 seconds or so, and then started loudly sobbing. My boss led him out and I went back to my desk, from where I saw him get in his car. I would have had a little more sympathy for him (his situation might have been dire) except that he was driving a £100K+ car (a lot more than my annual salary!)

      1. Jou (Mxyzptlk) Silver badge

        Re: Old school

        I had to counter that, your interview style makes sense as a simple first filter.

    3. Clarecats

      Re: Old school

      That's a good test, what instantly sprang to mind is writing a paragraph with the code for it to appear as a HTML page, nice and neatly arranged.

  13. PhilippeD

    Fake news?

    What if it was all made up by this interviewer so that media talk about his company ? After all the entire story seems so absurd …

    1. goblinski Bronze badge

      Re: Fake news?

      Sounds valid. However, there's the thing that the talk won't do him too much good. He's shown himself as incapable to cut short a clusterfck of red flags and went on. No one will want to invest in a startup where benefit of the doubt is given at that scale.

      I'm the same, or worse, then again I own no startup and I interview no candidates.

  14. goblinski Bronze badge

    Felt uncomfortable...Felt uneasy...Felt uncomfortable...smelled fish... went along still...

    Little joke for the road:

    Husband gets home drunk at two in the morning. Wife is waiting, roller pin in hand:

    - Where have you been ?!?

    - Errr...

    - Where have you been ?!?!?!

    - Errr...

    - Oh, ok, I see. You had to work afterhours, then it was cold, and you had to drink to warm yourself up right ?

    - Uuuuhhh...Right, right, that's what happened !

    - But then WHY do you have lipstick on your collar ?!?

    - Errr...

    - Ok, I see, the guys at work pranked you and put that so they get you in trouble with me, right ?

    - Aaaa...yep. Yep. That's what happened.

    - But then WHY do you have LIPSTICK on your underwear ???

    - Aaaah...

    - Huh ???

    - ....

    - SOOO ???

    - Oh come on darling, you were doing so well - figure something out !!!

  15. in_for_the_fun

    My security-minded employer uses an extra verification step for remote interviews. Candidates are asked to go to a distinctive public place and film themselves on their phone, ensuring the background shows buildings or other people. During the interview, they're asked casual questions about that specific environment (like the weather or passersby), and their answers are checked against the video. So far, the method seems to be working well.

  16. goblinski Bronze badge

    q1: You have something on your face. Clean it please.

    q2: How fat is Kim Jong Un ?
