backtop


Print 36 comment(s) - last by virtualdll.. on Jan 18 at 2:43 PM

Bob gets busted bypassing business security

It comes as no surprise to anyone that it is typically much cheaper to have programming performed in China rather than in the U.S., as the work can typically done for a fraction of the cost. A security case involving this interesting dynamic between the U.S. and China has surfaced that's both funny and disturbing at the same time.

A developer for a U.S.-based critical infrastructure company simply called "Bob" was busted for outsourcing his programming job to China. Obviously, his employer had no idea what Bob was doing despite the fact that he had been receiving glowing performance reviews.

Bob was caught during a company security review of VPN logs. Security personnel at the company discovered that there was an unauthorized VPN connection coming into their system from China. Since they are a U.S. critical infrastructure company, having an unauthorized VPN access from China was a big deal.

Making the problem even scarier for the security personnel was that the company had implemented two-factor authentication for the VPN using a rotating token RSA key fob. An unauthorized Chinese connection to the VPN meant that whoever was accessing the system from China had also been able to bypass a security token, or at least they thought this was the case.

Making things even more puzzling for the investigators was that the developer whose credentials were being used was sitting at his desk in the office when the live VPN connection from China was discovered. On further investigation, it was discovered that Bob had physically mailed his RSA key fob to China and had hired developers to do his work.

Bob was reportedly making several hundred thousand dollars per year while paying roughly $50,000 per year to the Chinese developers who were doing his work for him. Bob was spending his day watching cat videos, surfing Facebook, and messing around on eBay according to evidence the security researchers later found on his computer. Bob was also storing invoices from his Chinese developer on his work computer.
 
Bob had a good thing going, but unsurprisingly, his company wasn’t too fond of his antics and fired him.

Source: Verizon Business Security Blog (cached)



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

BUAHAHA
By Brandon Hill (blog) on 1/16/2013 10:07:51 AM , Rating: 5
quote:
Bob was reportedly making several hundred thousand dollars per year while paying roughly $50,000 per year to the Chinese developers who were doing his work for him. Bob was spending his day watching cat videos, surfing Facebook, and messing around on eBay


Living the American Dream!! :)




RE: BUAHAHA
By fic2 on 1/16/2013 10:17:34 AM , Rating: 4
Just good capitalist practice...


RE: BUAHAHA
By javiergf on 1/16/2013 10:25:12 AM , Rating: 5
Is the Bob on this story the same one on this video?

http://www.youtube.com/watch?v=rYaZ57Bn4pQ


RE: BUAHAHA
By adrift02 on 1/16/2013 11:58:59 AM , Rating: 2
Lol you beat me to it!


RE: BUAHAHA
By Spuke on 1/16/2013 3:15:29 PM , Rating: 2
LOL!


RE: BUAHAHA
By Flunk on 1/16/2013 10:39:27 AM , Rating: 2
Bob thought too small, I'm sure he could have managed several teams of Chinese developers with several different 6 figure incomes.


RE: BUAHAHA
By Brandon Hill (blog) on 1/16/2013 10:45:58 AM , Rating: 5
BOB PORTER
Well, then I gotta ask, then why can't the customers just take the
specifications directly to the software people, huh?

TOM
Well, uh, uh, uh, because, uh, engineers are not good at dealing with
customers.

BOB SLYDELL
You physically take the specs from the customer?

TOM
Well, no, my, my secretary does that, or, or the fax.


RE: BUAHAHA
By kattanna on 1/16/2013 10:58:43 AM , Rating: 3
quote:
Evidence even suggested he had the same scam going across multiple companies in the area. All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually.


actually it seems he was managing multiple jobs..


RE: BUAHAHA
By Jeffk464 on 1/16/2013 12:08:50 PM , Rating: 2
Oh come one we already know China has pretty much been hacking into all of our systems anyways.


RE: BUAHAHA
By NellyFromMA on 1/16/2013 12:54:03 PM , Rating: 3
This story is effing hilarious


RE: BUAHAHA
By DrApop on 1/16/2013 1:24:37 PM , Rating: 5
The guy has upper management written all over himself. Plus he is contributing to global economic growth through trickle down economics. He is truly visionary!

This is the best, most positive article on outsourcing I have read. Keep your own job but outsource the work!


RE: BUAHAHA
By Shane McGlaun (blog) on 1/17/2013 8:27:22 AM , Rating: 2
???????????


RE: BUAHAHA
By Shane McGlaun (blog) on 1/17/2013 8:29:13 AM , Rating: 2
Luckily for me Chinese characters can't be displayed in our comment system... not that I am outsourcing. Carry on.


RE: BUAHAHA
By Nortel on 1/17/2013 4:30:54 PM , Rating: 2
Can you give yourself a "6" rating, haha!


Not bad
By Murst on 1/16/2013 10:34:32 AM , Rating: 3
This will actually be pretty good for this guy's career. There are plenty of management positions available that involve outsourcing. Seems like this guy is a pro at it.




RE: Not bad
By eagle470 on 1/16/2013 10:55:46 AM , Rating: 5
But you can't trust him is the problem.....


RE: Not bad
By Murst on 1/16/2013 11:26:06 AM , Rating: 3
Maybe not as a programmer, but it does take some know-how to be able to manage multiple outsourcing projects for several companies at a time, report to meetings, etc. He certainly was pretty good at that.


RE: Not bad
By someguy123 on 1/16/2013 12:39:15 PM , Rating: 3
Normally you're not paid hundreds of thousands for outsourcing a small amount of software projects while spending the rest of your time watching cats chase laser pointers. I'm sure he could get work managing outsourcing but his goal is probably the money as much as it is the ease.


RE: Not bad
By fic2 on 1/16/2013 3:48:03 PM , Rating: 4
You have obviously never dealt with a contract house. They are all about making loads of money from your work.


RE: Not bad
By someguy123 on 1/16/2013 10:24:06 PM , Rating: 2
You must be dreaming or living with the worlds top contractors if you think most of them are making hundreds of thousands of dollars annually through outsourcing.


RE: Not bad
By Flunk on 1/16/2013 1:16:06 PM , Rating: 3
There are a lot of people who are willing to take chances. Take a look at Kevin Mitnick.

Actually I think he would be best off starting his own business, outsourced software development. You talk to him and he outsources to China. They said the results were good, why not continue? If it's not defense work it's not a serious issue.


RE: Not bad
By Flunk on 1/16/2013 1:16:35 PM , Rating: 2
I'm actually tempted to try a legal version of this myself.


Several hundred thousand for a programmer?
By tayb on 1/16/2013 12:13:12 PM , Rating: 1
No company should be paying someone several hundred thousand to sit and write code. That's absurd. You could get 5-6 high quality developers here in the US for that amount of money. Or a few dozen in China apparently. A salary that high should be in an upper management position.




By FaaR on 1/16/2013 3:12:38 PM , Rating: 2
Tell that to John Carmack next time you see him... ;)


By someguy123 on 1/16/2013 4:14:40 PM , Rating: 3
I believe it was multiple jobs.


By inighthawki on 1/16/2013 4:45:44 PM , Rating: 5
lol upper management... if there was a job that required a serious reduction in salary, you nailed it.


By EricMartello on 1/17/2013 10:49:49 PM , Rating: 1
Oh, here we go. Someone doesn't seem to understand that the salary is determined by the free market, and the market price tends to be the highest that someone is willing to pay for a product/service. If you're not fetching a higher salary for your own skillset it's a failure of your own making to be more valuable.

If you need a coder who has a specific level or area of expertise it could be worthwhile to pay them "several hundred thousand" per year. Areas like cryptology, game engine, network protocols and such require more skill/talent than your typical McProgrammer from freelancer can muster. BTW $50K per year in China isn't far off from someone in the US earning a six-figure salary.

What this guy was doing - arbitrage - isn't new. In fact many people have done this and are currently doing this, not just with programming but also with creative work...however if I hired an American programmer as an employee I would definitely not want them outsourcing the work.


Was that worth $50,000?
By Moizy on 1/16/2013 11:30:37 AM , Rating: 2
I could understand better if the guy worked remote and then outsourced his work so he could spend the day at the golf course or whatever. But he still had to sit at a desk. So essentially he was paying $50,000 a year so he could sit at his desk at work, but not work. $50,000 a year so he could watch cat videos and peruse ebay. Wow. If you have to go through the effort to get to work and sit at your desk, wouldn't you work some? Passing your day with cat videos and ebay would take a long, long time, and he was paying $50,000 a year to do it. Not worth it to me.




RE: Was that worth $50,000?
By Nutzo on 1/16/2013 11:44:12 AM , Rating: 2
Sounds like he really wasn't able to do the quality or volume of work that the job required, so he outsourced it. Had to sit at the desk to give the appearance he was doing his job.


RE: Was that worth $50,000?
By Netscorer on 1/16/2013 12:02:12 PM , Rating: 2
More like he was doing much more then humanely possible by a single developer and got large bonuses as the result. Companies just don't pay "several hundred thousand dollars" to a dev.
So he used his bonus to pay for chinese workers. In my mind this was win-win-win. Verizon got excellent work from Bob (all those glorious performance reviews), Bob got lot's of time on his hands and chance to catch up with cat videos (impossible to do as there are too many of them), Chinese devs got a nice chunk of money to make a decent leaving and feed their families.


RE: Was that worth $50,000?
By Belegost on 1/16/2013 12:00:24 PM , Rating: 2
Look at this the other way, he was making several hundred thousand a year, let's say 250k for nice even numbers. Take out the taxes and 50k for the outsourcing, and he has say 125k/year take home.

So in that perspective, he made 125k/year net income for telling some Chinese guys what to do and sitting at his desk watching lolcats. Sounds like a good deal.

Also, sounds like every other manager out there...


Smart man!
By Netscorer on 1/16/2013 11:56:00 AM , Rating: 4
A) "U.S.-based critical infrastructure company" was Verizon.
B) "Unathorized VPN connection" is an oxymoron. Obviously, the connection was authorized, using Bob's security key and credentials.
C) Bob should be promoted to Team Lead as he showed an ingenious management skills
D) Bob should be told to use VPN proxies in the future, so that VPN connection would seem to originate from US.




RE: Smart man!
By fic2 on 1/16/2013 3:51:41 PM , Rating: 4
quote:
D) Bob should be told to use VPN proxies in the future, so that VPN connection would seem to originate from US.


He should have been promoted to management for not even using google to figure out how to do D - that has management written all over it.


I used to joke..
By woody1 on 1/17/2013 10:54:35 AM , Rating: 2
I used to joke about doing this, but this guy really did it! Amazing. He'll probably write a book and make some more money out of the experience. I would guess that other companies may be reluctant to hire him now, though




How?
By DT_Reader on 1/17/2013 3:51:27 PM , Rating: 2
If the Chinese developer was VPN'd into his desktop PC, how did he use it to surf eBay and cat videos? When he logged into his desktop, didn't it sever the VPN connection?




How he should have done it.
By virtualdll on 1/18/2013 2:43:42 PM , Rating: 2
i have my team of chinese workers connect to me via an encrypted proxy and then I bridge that connection to the vpn connection that way it all looks legit.

At least that's how I would have done it :)




"We don't know how to make a $500 computer that's not a piece of junk." -- Apple CEO Steve Jobs

Related Articles













botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki