Thursday, January 24, 2013

Outsourcing takes on a new dimension

There’s goldbricking, and then there’s goldbricking. And ‘Bob’, the software developer discovered to have been outsourcing his work to a cut-rate coder in China, will have to go down in the annals of goldbricking as a Top Ten.

For those who missed this exceptionally marvelous story, Andrew Valentine had a recent blog post on a security investigation that Verizon was brought in on during 2012. (Valentine is with Verizon Business/Cybertrust’s Forensics and Investigative Response Team.)

A U.S. tech company hired Verizon to check out some “anomalous activity” they’d detected around an employee who was doing occasional telecommuting.

Many telecommuters access corporate systems through virtual private networks (VPNs), which was how this tech company operated. Somewhere along the line, the company decided it would be prudent to look at the VPN activity logs.

What they found startled and surprised them: an open and active VPN connection from Shenyang, China! As in, this connection was LIVE when they discovered it. (Source: Andrew Valentine/Verizon Security Blog.)

The company was a tad surprised, since they’re a “critical U.S. infrastructure” provider that had NO authorized VPN connections to China. Plus they use a relatively strong (two-factor) authentication protocol (using a token) which, if it had been hacked, would have been a big WOW. Not to mention that they made their discovery that Bob’s credentials were being used from China on a day when Bob happened to be in the office “working.” And, thus, could not have been in China telecommuting.
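The VPN log review that caught this connection can be made routine. Below is an added example, not code from the Verizon post or the company involved, that runs two checks over constructed VPN and badge log lines: sessions from a country outside an allowlist, and sessions that overlap with the same user's on-site badge presence (the "Bob is in the office" contradiction).

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample VPN log (not from the incident): user, source IP, country, session start/end (UTC)
VPN_LOG = """user,src_ip,country,start,end
bob,203.0.113.7,CN,2012-05-14T13:02:00,2012-05-14T21:58:00
alice,198.51.100.4,US,2012-05-14T14:10:00,2012-05-14T18:30:00
"""

# Constructed badge-reader log: user, badge-in, badge-out at the office (UTC)
BADGE_LOG = """user,badge_in,badge_out
bob,2012-05-14T13:30:00,2012-05-14T22:05:00
"""

# Assumption: the company has no authorized remote access from anywhere but the US
ALLOWED_COUNTRIES = {"US"}


def parse(text):
    return list(csv.DictReader(StringIO(text)))


def overlaps(a_start, a_end, b_start, b_end):
    return a_start < b_end and b_start < a_end


def find_anomalies(vpn_text=VPN_LOG, badge_text=BADGE_LOG, allowed=ALLOWED_COUNTRIES):
    """Return a list of (user, reason) for VPN sessions that warrant investigation."""
    ts = datetime.fromisoformat
    badges = {}
    for row in parse(badge_text):
        badges.setdefault(row["user"], []).append((ts(row["badge_in"]), ts(row["badge_out"])))
    findings = []
    for row in parse(vpn_text):
        user = row["user"]
        start, end = ts(row["start"]), ts(row["end"])
        if row["country"] not in allowed:
            findings.append((user, f"VPN session from non-allowed country {row['country']} ({row['src_ip']})"))
        # A remote session while the same person is badged into the building is a contradiction
        for badge_in, badge_out in badges.get(user, []):
            if overlaps(start, end, badge_in, badge_out):
                findings.append((user, "VPN session overlaps with on-site badge presence"))
                break
    return findings


if __name__ == "__main__":
    for user, reason in find_anomalies():
        print(f"{user}: {reason}")
```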

The company did not initially suspect Bob – Bob, after all, was a trusted employee, the best coder in the building – so they went ahead and hired Verizon’s sleuths to figure out wazzup.

Investigators took a look at Bob’s workstation, figuring they’d find some malware lurking there that, unbeknownst to Bob, was enabling Chinese hackers to get into their systems. Instead:

What we found surprised us – hundreds of .pdf invoices from a third party contractor/developer in (you guessed it) Shenyang, China.

The enterprising Bob was, in fact, outsourcing his own work to a Chinese consulting firm. Their cut? Twenty percent of his six-figure salary. (Bob was also, they theorize, running the same scam for other companies. Nice work if you can get it.)

Bob had sent the consulting firm – via FedEx (when it absolutely, positively, has to be there overnight) – his personal security token so that they could get in and do his work for him, keeping to Bob’s regular 9 to 5 schedule.

Investigators also checked Bob’s browsing history to figure out just what he was doing while his Chinese contractors were doing his coding for him.

Turns out that what old Bob was spending his mornings on was farting around on Reddit and looking at cute kitten videos on YouTube. After a leisurely lunch, he hung out on Ebay for awhile, followed by updates to Facebook and LinkedIn. His capstone activity for the day was sending his boss an e-mail detailing what he’d accomplished during his day. (Presumably, he left out the time spent watching cute kitten videos.)

Since Valentine’s blog post appeared last week, this story has taken off. And a lot of the commentary is lauding Bob for his entrepreneurial spirit, his initiative, his hustle. These sentiments might have some merit, if it weren’t for the fact that Bob sent his credentials – including his physical security token – to folks he didn’t know from Adam, located in a country well-known for technological espionage and the theft of intellectual property. Which are among the reasons why certain organizations are loath to outsource certain jobs there.

If Bob’s company is, indeed, a ‘critical U.S. infrastructure provider’, then Bob very likely had agreed to abide by security rules and regulations. He very likely had to sign something.

So he’s no nerd hero, no personal Robin Hood robin hooding for me-myself-and-I. He’s really what you might call your out-and-out cheater pants.

Pretty bad behavior, I’d say.

Not to mention, however smart he was on one level, stupid.

Sure, he got away with it for a while, but if he were so clever, he might have been a little more secure about his thieving ways.

Keeping PDFs of his invoices on his workstation? Wasn’t he aware of Bring Your Own Device?

Bob may well have a future in being a middle-man between tech companies and Chinese code consultants. With the glowing reviews “his” code earned him –best in the building – it’s apparent that he knows how to communicate information and expectations to someone whose second language is English. He sounds like a decent enough project manager, juggling his salaried work with his outsourcing activities.

On the flip side of skills and attributes, there are those cute kitten videos…

Seriously, folks, just how professional and trustworthy is someone who spends half of his morning watching kitties chase string, peek out of oversized teacups, and look at their reflections in toilet bowls?

The profile of Bob identified him as a 40-something “family man.”

I’m sure the wife was happy that her hubby was bringing in several hundred thousand dollars a year, between his “job” and the other contracts he outsourced.

Maybe she was in cahoots with him, or maybe she just thought he was a good provider, and is more than a tiny bit annoyed that this particular gravy train has dried up. For some reason, I’m reminded of a local incident a few years back. Some Boston parking meter collectors were nabbed for having made off with hundreds of thousands of dollars in quarters over the years. These fellows were living in nice suburban houses that would have been well beyond the economic reach of meter collectors. Plus they were doing their grocery shopping with bags of quarters. One of the wives told a reporter “I just thought he was a good provider.”

Okay, Bob wasn’t bringing home canvas bags full of change. Still…

Meanwhile, there are those kitten videos.

Is that really any way for a grownup to spend his or her day? A few minutes in the morning, maybe a few more in the afternoon if there’s an especially cute one.

Still…


-----------------------------------------------------------------------------

A tip of the goldbrickin’ hat to my sister Trish, who sent this one along to me.
