Security audit finds dev outsourced his job to China to goof off at work A security audit of a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor – and was spending all his work time playing around on the internet. The firm's telecommunications supplier Verizon was called in after the company set up a basic VPN system …
""...it just shows how cheap it is to outsource, if he can outsource his job and still pay the rent."
Verizon's investigations turned up "hundreds of invoices" from the Chinese subcontractors and suggested that he had been doing the same thing with some other companies in the area - so his total take was probably considerably more than a single salary. I am surprised he had any time for social media and the like if he was managing several people working on different projects for different clients and handling the management reporting, invoicing, etc.
Maybe he should have hired a security expert to ensure that he wasn't leaking any evidence of the Chinese subcontractors. Personally, I would have used a KVM system to attach to the client-supplied notebooks (and onward via their VPNs) and my own VPN for the connections from the subcontractors to the KVM system. That would avoid the need for any unusual connections to either the client networks or their notebooks or for any unusual software to be installed on the notebooks.
Initiative? Who hasn't thought of this dodge? It used to be a regular joke around the office back in the early '90s, before it grew old.
I'd always assumed only a combination of ethics, aversion to risk, and sloth (the recipe for most law-abiding behavior, IME) kept most developers - at least those working on suitably mundane projects - from doing it.
Depends if he is staff or contract. If the latter, a 'right of substitution' clause, sometimes used as part of the IR35 fight, could mean they would be unable to terminate his contract for this.
If he was staff, he should now hire himself out as a contracting company and charge higher rates.
"Depends if he is staff or contract. If the latter, a 'right of substitution' clause, sometimes used as part of the IR35 fight, could mean they would be unable to terminate his contract for this"
Technically , in the UK , when a company hires a contractor they're hiring his company , NOT him. A small legal point but an important one , because in means the contractor can legally hire someone else to do all his work. Though obviously the client would have to be informed of this. Something "Bob" conveniently forgot to do.
Whilst there is definitely a dependency on type of contract as to whether there is a 'right of substitution' or a prohibition on sub-contracting, from the information given,'bob' almost certainly breeched the Confidentiality clause, Security Policy and the Computer Use Policy, through his actions of: not disclosing the use of a sub-contractor, giving access to internal company systems etc to an unauthorised third-party. Mis-use of company property by using his workstation to manage his engagements with other companies.
I suspect that a result of the publicity associated with this case and books like "The 4-hour work week" that we'll see some significant changes in both employment and contractor contracts.
But thanks to the publicity we can learn and improve on Bob's efforts.
I wonder if Bob declared the sub-contractor as a business expense to the IRS ...
... is that they didn't think of it first...
I did, on several occasions. But I've been too lazy to find appropriate subcontractors.
oh, yeah, and the ethics, this was another strong factor to dissuade me. NOT.
After all the jobs I do are structured like this:
A client sends a job to their agency, who take a cut and send it to their contractors, who take a cut, who send it to their subcontractors who take a cut and who then, send it to me (and take a cut). The rest of the money is money. Minus what the cut taken by the taxman, of course.
Why, therefore should the sub-sub-sub contracting stop with me?
And, coming back to the morals, why am I supposed to bend over and get fucked by all those above me in the chain who are happy to do fuck others below me and applauded for being a dynamic and sharp business enterprise, etc, etc.?
in fact, I wouldn't be fucking those I'd be subcontracting, I'd be extending a helpful hand, giving them employment they lack in this harsh economic climate, blah blah blah :(
p.s. not, I can NOT cut the middle man / men and go to the top of the chain, because none of them deal with individuals, too much bother.
"oh, yeah, and the ethics, this was another strong factor to dissuade me. NOT."
You know, on this site, there are plenty of people who post as AC because they are drama queens and somehow think, for example, that if they criticize this or that politician or institution or policy then either the CIA or FBI or MI5 or MI6 or the Mossad is going to, well, you know. And so they post as AC's. And it's kind of pathetic, really, because they seriously believe they are "that important". And some people post as AC just to avoid having mean or insulting or silly posts tied to them specifically. I've done this myself, actually.
But your post might be the first post that I have seen on this site for which posting as AC is appropriate. And it was a good post! : )
(Obviously that's hyperbole but sometimes only hyperbole gets the point across....)
I was going to reply to this comment, but unfortunately my outsourced Chinese posting avatar is currently undergoing breathing difficulties due to the smog. Normal service will be resumed when circumstances permit. Thank you for your understanding.
Oh my how you've over estimated why people post AC. They do so not because of fear of the government in the countries you mentioned but fear of their friends, neighbors and colleagues who can and DO use such matter of stated opinion against and AC is the real world. Dog eat dog relies on two dogs who at least minimally know each other and know they are after the same thing.
"But your post might be the first post that I have seen on this site for which posting as AC is appropriate"
I've used it only once to describe something that happened at a "past" (honest!) employer in a certain condition which they might not have liked publicly broadcasting, thus avoiding me getting fired. Only time I've ever used it. Suspect that's what it's mostly for unless you live in Syria.
It seems pretty unlikely management haven't at least considered outsourcing. It's hardly a new concept.
Perhaps they didn't outsource to China because that's where there main competitor is based. Perhaps Bob has been outsourcing to staff at a competitor who are returning decent code but learning a ton of trade secrets at the same time. So while Bob rakes it in, he puts the jobs of all his co-workers in jeopardy.
If all the employer is willing to pay six figures for a US coder, there's a good chance there are reasons they don't want someone overseas doing the work.
"So while Bob rakes it in, he puts the jobs of all his co-workers in jeopardy."
Bob's attitude is that of the people described in "Snakes in suits."
He's probably a psychopath. He'll tell you whatever you want to hear in order to get what he wants.
The real question (apart from BS) does he have any real skills at all?
The difference is he's not in management.
This stuff makes a great setup for a film comedy. IRL they create havoc for those around them. And note that "His bosses loved him." I'll be the people who supported work he wrote didn't.
Doesn't matter. They probably put in some skilled people from their foreign intelligence department, not from the company itself. Getting an authorized VPN-channel into a critical infrastructure, getting all sorts of system specs, getting to write code incorporated into these systems and then even getting paid for it must have been a no-brainer for them.
On the other hand, they probably would have been smart enough to use a U.S.-proxy then. But now that the contractor is out of business with this client, they probably sell all the information they gathered to the highest (chinese) bidder.
There was no reason to be angry at him.
The real reason he was fired was fear!
Can you imagine if he'd been successful and shown the difference it makes having someone who knows about IT in charge of outsourcing? The work would be crawling with unemployed 'managers'.
He should think himself lucky he didn’t fall off his balcony.
"A client sends a job to their agency, who take a cut and send it to their contractors, who take a cut, who send it to their subcontractors who take a cut and who then, send it to me (and take a cut). The rest of the money is money. Minus what the cut taken by the taxman, of course.
Why, therefore should the sub-sub-sub contracting stop with me?"
I like it. The entire IT world could collapse one day when we realise that everybody has subcontracted everyone else's subcontracts and there is nobody actually doing the work.
Then the taxpayer would bail us out
But, this sort of thing is EXACTLY why management there needs to be called on the carpet, too. How can a star programmer at a presumably well-off company NOT randomly quiz him or drag him in on tough calls to deal with live, on-the-spot, not "I'll get back at cha in about 2 hours with some of "my" results or ideas", to prevent bullshit artists from deceiving all number of key personnel.
But, he should get an award of some sort for cunning. Wait, steady employment for a year was probably reward, since he had multiple employers. Now, if only other companies did that (or, do some?), it could become a weird pyriamid scheme for non-temp agencies.
I wonder whether he will be sued for breach of trust/faith; unlawful disclosure of proprietary info; falsification of work; misrepresentation of fact; etc.
This goes to show that NOT ALL companies monitor their staff as vigilently and regularly as they should. Legal will probably have a FIELD DAY with the execs, and maybe IT as well.
randomly quizzing him might not trigger any filters-- after all, odds are good the guy probably *was* a pretty strong programmer since he'd presumably need to audit and clean up all the code he was outsourcing. Generally you get what you pay for, so if he was paying 1/6th of his salary for multiple contractors, quality was probably pretty low before receiving the Bob filter.
Clever bastard, but his company missed a trick-- they should have put him in management.
Two things strike me as odd. First, the code he was producing was apparently good. Second, he was "working" for multiple companies.
It sounds as if his management skills would be worth paying for, just not as extravagantly.
Or maybe Verizon has a lousy idea of what good code is.
Hungry Sean, I gave you a thumbs up because you made me realize what a glaring flaw I made by not considering or positing that he had to know *something* or have decent skills to pull this off.
Actually, IIUC, in the USA, work assignments generally tell employees they must to their own tasks and if unable, seek out their manager or team leaders, etc.
In some countries, like South Korea, an egomaniac in a team might have the swagger and fearsome personality to induce others to produce impressive work, then he (usually a he) submits the work as his own. I have several Korean friends who said they eithr know of or were subjected to this themselves. They despise such people who take the credit and don't share it.
But, in Bob's case, he farmed out work, making those downstream contractors happy.
I wonder how many of his surviving bosses secretly wish they could rehire him and buy him rounds of drinks.
You're assuming he didn't have the skills.
Assuming he did, and that he'd built relationships with people he trusted and could monitor their work, the only real issue is legal / security.
If it wasn't for the breach of trust, I'd offer him a job. It's harder to find decent technical managers than it is to find decent programmers.
The problem is that most companies have got rid of the old 'people manager' the person who kept an eye on staff, monitored the work, did all the staff management duties, appraisals, training etc. etc.
Those people largely don't exist any more, Instead you have a manager that's only interested in how good he or she looks to the guy above them and maybe the guy above them too.
As long as there are not sh*tstorms heading their way they don't care what the staff are doing.
I and my other colleagues used to have to submit a lengthy and tedious weekly progress report. After a few weeks of doing this I took a gamble and started just submitting the same report every week with just the date changed at the top. Never got noticed.
If you have to do reports like that try it. Just create a an actual report for that first week just in case it gets noticed (oops I sent the wrong one!) and then send in last weeks weeks. If it works carry on. If it happens for several months and then gets noticed you have the comeback of advising them would it be worthwhile for everyone else to be made aware that their reports were not being looked at most of the time?
"I wonder whether he will be sued for breach of trust/faith; unlawful disclosure of proprietary info; falsification of work; misrepresentation of fact; etc."
probably not. Taking him to court would leave the company open to shareholders (esp institutional investors) questioning the management and security of the firm, as he had been doing this for months, so the management would be under fire after that.
Employee calls boss, faking illness, sniffling, "Sorry, Mr. Smith, I cannot come in today. I've got this terrible cold..."
"Don't worry... BOB can handle it!"
"Who's 'Bob', sir?"
"Don't worry! We've got it COVERED!"
"Wh... Wh... (throat miraculously clears up) I am FEELING BETTER already. I can be in in 15 minutes."
"THAT'S OK. YOU stay home and recover. BOB will handle EVERYthing...."
Well, THAT IT BOB took his employers for an expensive, unaccountable and embarrassing ride.
I am betting it might be time to go check Alice's machine next, since she was the number 2 programmer I am betting her and Bob have been communicating between each other and nobody knows about it yet.
Or maybe Bob is Alice, or Alice is Bob
Maybe neither of the really exist? lol
Ghost in the machine?
Are Bob, Alice, and Kate a sort of Hybrid?
Sorry, but this just BEGS for a BSG segue, hehehehe:
"Two protons expelled at each coupling site creates the mode of force, the embryo becomes a fish that we don't enter until a plate, we're here to experience evolve the little toe, atrophy, don't ask me how I'll be dead in a thousand light years, thank you, thank you. Genesis turns to its source, reduction occurs stepwise though the essence is all one. End of line. FTL system check, diagnostic functions within parameters repeats the harlequin the agony exquisite, the colors run the path of ashes, neuronal network run fifty-two percent of heat exchanger cross-collateralized with hyper-dimensional matrix, upper senses, repair ordered relay to zero zero zero zero. (Torn)"
"Gestalt therapy and escape clauses. Throughout history the nexus between man and machine has spun some of the most dramatic, compelling and entertaining fiction. [2]
(Grasping Baltar) Intelligence. A mind that burns like a fire. Find the hand that lies in the shadow of the light. In the eye of the husband of the eye of the cow. [3] "
" Thus will it come to pass. A dying leader will know the truth of the Opera House. The missing Three will give you the Five who come from the home of the Thirteenth. You are the harbinger of death, Kara Thrace. You will lead them all to their end. End of line. (Faith) "
=========
When IT, Legal, HR, the Execs, and the Site Security caught up with him....
"At last, they’ve come for me. I feel their lives, their destinies spilling out before me. The denial of the one true path, played out on a world not their own, will end soon enough. Soon there will be four, glorious in awakening, struggling with the knowledge of their true selves, the pain of revelation bringing new clarity, and in the midst of confusion, he will find her. Enemies brought together by impossible longing, enemies now joined as one. The way forward at once unthinkable, yet inevitable. And the fifth, still in shadow, will claw toward the light, hungering for redemption that will only come in the howl of terrible suffering. I can see them all. The seven, now six [5] , self-described machines who believe themselves without sin, but in time, it is sin that will consume them. They will know enmity, bitterness, the wrenching agony of the one splintering into the many, and then they will join the promised land, gathered on the wings of an angel. Not an end, but a beginning. Come in Major. I've been waiting for you for a long time. "
============
And, just as they escorted him out the door, he had his final line:
"There are secrets within lies, answers within riddles. Lay off the ACS, you betcha Galen. Open your mind and hear what your heart wants to deny. End of line."
Wasn't there a story of somebody at HP/IBM/etc that interviewed with two different divisions on different floors of the same building - got offered both jobs - and took them
By leaving his jacket on the back of the chair and always attending meetings - he got away with it for a long time!
Sauce, goose, gander. Apparently then, programmers can easily out-compete the management in the deadwood companies they work for, who knew?
Nice one Bob, the management would probably have outsourced you in the end, to the lowest-cost no-hopers they could find to boost their golf slacks budget, (and you might have had to debug their crap code or train the no-hopers for a while) so presumably you hired some rather better ones to cut down on debugging time!
Probably anyone involved in network security or data protection or even software licensing.
- He fedexed a two-factor authentication token to an unknown Chinese person to use.
- He provided them with VPN access into the internal company network.
- They were writing software (which should now, by rights, all be audited), which was deployed into the company network and nobody now really knows for sure what it did historically or what it does today.
- At any point, those Chinese programmers might have been culling other company's proprietary code to use for that job (illegal!), or similarly taking the company's code and selling it on to Chinese companies etc.
The man is a genius. But he's a genius that broke several contracts and (quite likely) a few laws in doing what he did. The company might choose not to do anything about it, depending on the work they did and the data they processed, but it's not as clear cut as "good luck to him". A lot of people will now have to do a lot of work auditing code and explaining themselves to data protection agencies. Basically all the work he did will now have to be undone at great expense, unless the company is really willing to turn a blind eye to it (which may be illegal too!).
It's like finding out that there's been a guy coming into your office, because he always came in with a certain employee, and logging onto the corporate network for years and now people find out that NOBODY has any idea who he is or what he was doing and that he was nothing to do with the company. It's serious stuff.
This post has been deleted by its author
Until this very moment, I never had a response to that cliche. But now...
Oh yes you can: Tap the shell with a syringe, suck out the contents, make omelette, patch shell after filling with density-equivalent.
Now, as for over easy, sunny side up, and similar, where the yolk cannot be malformed....
JKJKJKJK
"The man is a genius. But he's a genius that broke several contracts and (quite likely) a few laws in doing what he did."
I take your point.
Suppose 'Bob' had set up some kind of system at home that the contractors he hired could check code into and then make it appear that all VPN traffic was coming in from his home address. Would he have been caught?
Is there a 'style' or 'code signature' that you can use to identify a programmer?
"It's like finding out that there's been a guy coming into your office, because he always came in with a certain employee, and logging onto the corporate network for years and now people find out that NOBODY has any idea who he is or what he was doing and that he was nothing to do with the company. It's serious stuff."
I worked for that company, and those people were 2 a penny! In fact I think I was one of them for a while!
I'm inclined to agree. Managers are always talking about focus on 'results' and 'efficiencies'. On paper, this is exactly the kind of initative they demand from employees.
I suspect they're just pissed because they couldn't manage external contractors that well if they tried.
http://www.theregister.co.uk/Design/graphics/icons/comment/thumb_up_32.png
So it's okay if the company throws people out of work by outsourcing to China but not when a worker does it? Everyone wins here - the company was satisfied with the results and what it cost them; Bob is happy because he is paid lots of money to do nothing but manage his source and verify the work before it's submitted, and China is happy because China always wins.
What really needs outsourcing is management.
You are right in principle, Michael, but the devil is in the details. China trains one hell of a lot more engineers than the USA, but when it comes to lawyers the USA is top dog by a long, long, long way. What lawyers mostly do is arbitrate the division of the spoils, and since rich employers can afford more and better lawyers, the arbitration usually routes 99% of the money to said rich employers. (All perfectly legal, of course - it's bound to be when you can afford to HIRE the law. Also the people who make the law, of course - but that's another story).
The clue's right their at the top of the article: "critical infrastructure". Bob's job was in the US, and not already outsourced, because of security implications. Bob "outsourced" himself by granting access to a secure network to people not adequately vetted to connect to it. He has not only breached his contract of employment, but he has brought his employer into breach with their clients, a breach which will no doubt lead to a very, very expensive audit of every single line of the codebase.
The management would do it to the programmers without missing a heartbeat anyway - he's just getting his outsourcing in first. The only bonus is that he's managed to find outsourcing resources who are actually good at their work.
Ex-BT employee here - who's had his job outsourced to numpties (since the management never bothered to manage the outsourcing like Bob did).
This post has been deleted by its author
Really , really suprised that if this guy was *a star programmer* that he didn't realise that security audits of logins would take place after making VPN/work at home available! Standard security practice - check up where your workers are logging in from - home network or offsite. Tsh!
I smell a fish - this is straight out of a Dilbert strip. Someone that smart wouldn't have let his subcontractor connect directly. And when did the Chinese subcontractor actually connect? In the middle of the night? And why did this "star programmer" actually bother going in to work to surf the web all day, presumably at the same time that "he" was connected externally? And is Verizon a bit like the US version of Vodafone? If so, what sort of moron would ask them to do a security audit?
Someone's taking you for a ride, Mr. Reg.
"That smart".
You can be perfectly good at programming.
You can get the bright idea of outsourcing.
You can stuff up by forgetting which audit log to delete/thinking you don't need to do an external contractor and let them in internally.
The "smart" persons downfall is how smart they think they are versus how smart they really are. (Which goes for this commentard too!)
>> Someone that smart wouldn't have let his subcontractor connect directly.
My thoughts exactly when I read it. It would be trivial to setup a VPN through his own machine and get the Chinese guy to connect with that before connecting to the corporate VPN so his home IP shows up as the one connecting.
Every offshore outfit I've dealt with makes a point that they will work whenever suits you - if you want them 9-5 GMT, they'll be there.
Personally I prefer to leave them do their own 9-5. Usually they are 4 hours behind, so you get the morning to inspect what they've done and have some peace & quiet, then after lunch you can liaise with them, and set them the next set of tasks to continue with after you go.
Vodafone owns 49% of Verizon "Wireless", Verizon is MUCH bigger than that.
Also, for once, this is NOT Verizons fault:
"The firm's telecommunications supplier Verizon was called in after the company set up a basic VPN system with two-factor authentication so staff could work at home. "
So Verizon were the SUPPLIER of the network and they found the info on "Bob", they were not employing him.
Agreed. Bob's "typical work day" reads like a joke list of how a lazy employee would spend their time. The whole thing sounds like something you hear about from a mate of a mate. Plus the only source for this story appears to be a link to the Verizon blog, which is currently returning a database error.
delegating work out, freeing up his time,
And yet failing - By wasting the free time and getting busted. If he had set up the VPN connection to forward form his work computer at home, then he could engineer some chronic and progressive medical reason to work more and more from home and then go travelling or *something* interesting instead of being at the office.
At least he got to keep the money and the Chinese contacts might be useful in the future.
@Piro:
No, seriously. He's just being an extremely efficient manager - delegating work out, freeing up his time, providing excellent results.
In that respect, he's better than a good number of managers.
I applaud this effort.
You're assuming that:
1) he adequately security-vetted the outfit to whom he outsourced the work to ensure that they weren't a risk, and had suitable measures in place should a security issue arise.
2) he ensured that the code produced by the outsourced team was entirely their work and that they had the legal right to sell it to him under work-for-hire no-rights-reserved terms.
3) he ensured that the outsourced team did not make use of any data or infrastructure access provided by him to get up to Naughty Business
4) he performed quality-assurance on the code provided to ensure it was up to scratch and would not cause any problems within the explected deployment environment.
In the absence of proof that he did all this, and especially in the context of "freeing up his time to dick around on the internet", I thoroughly reject your assertion that this is laudable. I mean, yeah, in a pragmatic sense he allegedly got away with it for a while (assuming this isn't a bollocks PR narrative selling us the idea of Verizon's contribution to improved network security), but...well, screw this notion. If he'd done this to get otherwise-unmanageable amounts of work done in the face of a management structure that refused to properly locally resource their teams it'd be one thing. The character depicted in this story exhibits lazy parasitic bellendery and the fact that it's being applauded by a bunch of short-sighted twits is, sadly, about what I'd expect from at least some commentards.
Even longer ago I worked for a large broadcasting organization in London. A few people there openly spent most of their time at work running their own businesses. In other words, management and HR was crap.
It seems that in some modern businesses management and HR is still crap.
It's a funny story with more than a whiff of bovine residue to it.
There's no way Bob would simply be let go after an incident like that; unless the company were utterly worthless (in which case why the audit?) they would now have to review all access to their network and audit all code. They would likely also have to at least consider dropping anything particularly clever done by Bob's subcontractors, since Bob's contract won't have allowed him to commission the work on a work for hire basis and he is unable to determine whether company code has been sold to other chinese firms as a result of his actions. He's also exposed their network to substantial risk which would also need to be audited.
(i know, I know, overthinking it etc. But if all the shortsighted capitalism-at-all-costs "good on him" remarks are valid then so is mine...)
Yes way. The company will seek to limit the damage as much as possible by covering up the incident internally and getting the "communications department" to run interference externally! Truth is that Nobody will care about safety of the code or the network any further than what is minimally required to be perceived as "having taken all the necessary precautions, procedures have been strengthened e.t.c.".
Part of the deal is that "bob" keeps his gob shut and don't go writing a book about "dumbass corprat america"
No way, unless all their policies are crap written by incompetent morons and enforced/applied by incompetent morons.
What you say is well and good until you've got a job or client with any kind of risk of industrial espionage (or, worse, a government contract with security implications). I've no doubt that such morons might simply blunder onwards through the contracts, answering erroneously or outright lying if necessary; the point being that they would then not only be running a vulnerable network that's open to exploitation or attack by malicious individuals and/or business rivals, but they would also be open to litigation of the "level all buildings to rubble and salt the earth beneath for good measure" variety.
Remember, we're talking about a story existing solely on the internet: which means it's complete and utter danglies until conclusively proven otherwise - which means the company needs to be named (the individual too, optionally) and the story needs to be covered in major news services over the course of several days. Unless that happens I'm assuming it's a promo for how Verizon can help your business be more efficient (And even help find hitherto-unnoticed security issues).
9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos
11:30 a.m. – Take lunch
1:00 p.m. – Ebay time
2:00-ish p.m – Facebook updates, LinkedIn
4:30 p.m. – End-of-day update e-mail to management
5:00 p.m. – Go home
Oh, here comes someone from IT towards my desk...
Back in the day I ran a very small courier firm - just me and a few others on bikes - till we got bored of riding and got a cheaper firm to do our work for us while we sat in the cafe fielding calls and providing "quality assurance". Occasionally we'd knock out a few jobs ourselves, especially for a few key clients. Then we'd spend a merry hour each day in our rented office raising invoices, and go home.
As has been highlighted, this was likely not being outsourced for a good reason! Maybe nothing to do with cost. It was found during a security audit.
I am based in the uk and I've had to be vetted before to download software from America that was subject to export restrictions. There could have been very good reasons why the code wasn't being done outside of the country.
All the failures here are with the management.
Even putting aside the fact that the relationship between the firm and the employee seems to have been horribly dysfunctional, outsourcing technical work typically costs well above 20% of US costs. So either he's a demon negotiator or the company were employing somebody at far too high a skill level and salary for what the job actually involved. That's business-threatening incompetence.
The only real failure on the part of the employee is that he appears to have been pissing his own life away on the interweb. He could have outsourced the dull but well-paid work and then spent his office hours doing something interesting and constructive. Or at least built a lego death star.
I still don't quite buy this version of events though. Somebody has sprinkled some apocrypha in there to make it more interesting.
..because the investigators would be killed in a freak lift accident.
or
..because the investigators would be killed in a freak generator mishap.
or
..because the investigators would be afraid of being repeatedly subjected to a cattle prod.
Outscourcing, in my experience, is troublesome, slow and unreliable.
I considered this about 8 years ago as well when I was working with a firm in Chennai in India. The problem was that the programmers required exceptional well-written documents (you get what you specify) and the mistakes that they made were often culturally-based rather than coding-based. To add to that, the programmers rarely stayed long at the company. It was not unusual to " see a new face" every 6-9 months.
I reckoned that I would be spending as much time, if more, in order to get them prepared and then further to correct mistakes. They also had a strict one-week check-out policy and that made the meeting of deadlines difficult. I would have become a project manager and that wasn't for me.
Maybe if I had met a brilliant young programmer whom I could trust, I would have jumped at them like a shot. Otherwise one is trusting so much on teh grounds of greed.
On one hand, he's living the dream of the BOFH. Many wouldn't think twice about doing the same.
On the other hand, he's committing fraud, and opening up his company / the US to potential security issues. Verizon is, in theory, a regional Tier 1 provider, and as such, functions as a backbone for a large section of the internet. Now, I do not think, contrary to current paranoia, that anything harmful has been placed into this code, nor do I think the people on the other end would act in such a fashion. However, the various parties in a contract do have the right to know who they are working with, and this is a violation of that principle. What more, the implications of an entire company, in a foreign nation, having direct access to such confidential information at such a high level at such a large company is mind-boggling.
On a secondary note, the problem with this fraud is that is has the unintentional side effect of possibly deprecating his fellow programmer's wages. By misrepresenting himself, he gave management at Verizon reason to believe that his fellow programmers were slacking, or somehow not worth their pay; this may have negatively affected their promotions and / or their salary / wage increases / bonuses. By using fraudulent means, he gave the appearance of doing the work of twenty or possibly hundreds of programmers, all by a single man; in all likelihood, excellent programmers were made to be in competition against that, potentially destroying themselves in an effort to compete; what more, good programmers were, no doubt, turned away, or unjustly downgraded / viewed as poor programmers for their inability to perform. The ramifications for this are huge.
The question now being pondered is thus: how many others are doing this? An isolated incident, or merely the first to get caught? Were the industry to find out that even a few star programmers were actually pulling the same trick, there'd be bloodshed.
This post has been deleted by its author
I think its fantastic! I understand the security risks but look at the results...win win for everyone. Top work output from BOB (the company was happy), BOB was happy, the Chinaman was happy! Stuff like this goes on all the time. Most of all my clients either think I do the work or do not care as long as it gets done and done right. The rest is just details. I have a buddy who outsources almost all of his programming work for dirt cheap. No one knows and no one cares.
Obviously bob was sloppy and could of covered his tracks but his company should of made him head of HR using his creativity.
Love it!
Virtually the whole country is outsourced to China. If this company can get work based on US employee rates then there is a very good reason for it. If there is a good reason for it then outsourcing it without the company knowing is probably a bad thing. Just how bad we will probably find out in a few years when the doeing breamliner is launched by the China Airliner Corp or something similar.
so not surprised the thought about it, not surprised Verizon management is this stupid (yes, they are!), not surprised that Chinese contractor(s?) made him look like a star programmer, etc... not surprised at all of any of this... as much as you would like to disagree the fact of the matter is that most of the jobs in IT in the US are either outsourced or performed locally by white collar slaves from India, China or Eastern Europe; yes, most of these jobs are maintenance, production support and such, but "smart" jobs in cool companies like Google and friends are still done by some of these same people, just have a look around at your coworkers;
not that I mind this, used to be one of these guys myself till very recently, but it is just a fact... the era of US leadership in IT probably is well sunset and the perspective of it returning looks quite gloom; so, bottom line, Bob should be congratulated, management fired and US should its technical education back on track!
A friend of mine, also working in IT, had this really hot looking gf, also working in IT.
She was really fit and was seriously thinking of going pro as a cyclist. But, she wasn't quite as good in her IT job, a database dev.
So... my buddy was the Chinese subbie to her Bob. Basically, he would help her out by writing her code, on top of his own day job. I'll let you guess what his reward was.
Didn't end well. She eventually got canned and blamed & left him.
analysis of the work habits of all their other employees found no difference...they all spent time just surfing the web ;-)
really....his manager is the one that needs to go. why was his working behaviour not spotted - or reported by coworkers long before the real story emerged?
for the guys over in China to connect to so that they could then VPN into Verizon.
Would have been a much more secure option all round. Firewalled on both sides so that you can monitor whats happening in both directions. And with his multiple jobs, he could have set up a terminal server farm of virtual machines with the firewall routing all VPN traffic to the required TS.
If he had done that, then he would still be quite happily sitting at home coding away making a mint.
However, now that he has been caught, I suspect that he might be in line for a lawsuit for gaining money by deception.
Most of the companies (at least in my technological environment in Israel) go through the front door and turn to companies which manage projects locally through off-shore developers.
Yes , they pay local management fees , but it is 1 manager on whole teams of developers/technological workers...
this is an old Doonesbury cartoon from way back, the describes this exactly (except for in the cartoon the protagonist hired a more expensive engineer in Bonbay that cost 1/3 of the base salary)
hmmmm .... validation of the story would be good, but it has always seemed plausible ...
copy of cartoon strip reprinted here:
http://rdrutherford.blogspot.be/2005/10/doonesbury.html
http://www.theonion.com/video/more-american-workers-outsourcing-own-jobs-oversea,14329/
This was from 2009.
Where it fell down was him giving them his 2-factor ID token and letting them turn the work in for him. He should have simply had them send him the code/finished product via some other means, then at least give it to the company himself. He'd likely either not have been caught or would have taken longer to get caught.
Perhaps the lesson to be learned is that outsourcing can work well, IF AND ONLY IF the project manager is a darned good programmer in his own right.
If he is, then it's quicker to do the desining and quality control oneself, and hive off the actual coding to sub-contractors on Chinese wages. They can't get bad code past him, and will soon know not to try. If they aren't up to scratch, they don't get any future work.
The usual outsourcing disaster starts with managers who make up for in arrogance what they lack in ability. The subcontractors soon work out that they can leave the coding to their weaker colleagues, improve their margins by skimping on the debugging, and so on. (Much the same thing if the coders are still in-house, of course). Also, since the manager can't code, the designing and specifying is also likely to be insane.
I am having a hard time agreeing that the events as stated occurred. Firstly, as others have stated, the outsourcing cost seems too low, especially considering this outsourcing company were making him look like the best programmer in the company, meaning they must be full of highly skilled Chinese programmers.
Having some experience with outsourced code (from China and India among others), I can say anecdotally that the code is sometimes good, often so-so but usually bad. By which I mean poor commenting (including poor English in some cases), very poor use of encapsulation, weird understandings of Objects, overly verbose 200~300 line functions/methods etc). That's just my experience. And usually we had to spend a few days picking apart the code and fixing it up.
Maybe Bob found an extraordinarily good value for money operation, but it just sounds fishy to me.
And I've never seen outsourced code that has perfect English in the comments. I know many programmers use bad English in their comments, but it's a different type of bad English to outsourced code. When I used to deal with outsourced source code I could spot it a mile away by the odd use of English in the comments (with also some remnants of Chinese comments occassionally lurking). So it seems odd to me that nobody spotted this. Unless, Bob was going through the code and editing comments.
"And I've never seen outsourced code that has perfect English in the comments"
ha ha! I barely see code done in-house that has anything but the bare minimum of comments in the code. All outsourced code I have ever seen only had the predefined template comment at the top & nothing else.
A US software company I used to work for stopped their outsourcing regime in 2001 because of poor code quality & increased maintenance costs. They changed strategy from outsourcing to bringing in the immigrants (I was one) and then relying on the opportunity of working in the US to make up for the lower than average salary. It didn't wash with me.
BTW a 6 figure salary is easily achievable in the N.E (Boston, NY) if you have an accredited engineering degree.
I have a very rich chinese friend from Beijing who still thinks like a person from Mainland China but has been a US citizen for over 30 years and she posted a similar reply to an instance such as this.
BAck when clinton was in charge many said Clinton ran the country very well durring the zippoer issue.
Her main comment about the issue was. Since he ran the country so well durring the zipper issue shouldn't we then give him more girls for an even better economy?
So I chuckle when I read this article and thought of the above when I read this.
The point that needs to be asked. Was anyone harmed? Was profit being made?
If no harm and profit was being made then so what!!!!
But I myself would love to fire him for doing no work at all.
Not new ,enterprising ,but not real smart ,doesnt make a profit ,exposes his companies IP to the opposition ,stupid ,will get caught and be taken through the ringer and either serve time or pay back lots of $ ,or both .
Most people have heard of the enterprising manager who hires subcontractors ( firm) to provide
a service to the firm he is employed in ,but he actually owns ,or his wife or cat and then gets caught ,
goto : above & line 2.
DOH !
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
