Employee Outsourced Programming Job To China, Spent Days Websurfing

New submitter kju writes "The security blog of Verizon has the story of an investigation into unauthorized VPN access from China which led to unexpected findings. Investigators found invoices from a Chinese contractor who had actually done the work of the employee, who spent the day watching cat videos and visiting eBay and Facebook. The man had Fedexed his RSA token to the contractor and paid only about 1/5th of his income for the contracting service. Because he provided clean code on time, he was noted in his performance reviews to be the best programmer in the building. According to the article, the man had similar scams running with other companies."

Part of me says, "Good!"

[Maow]

I'm a bit torn on TFS.

On one hand, companies outsource "our" jobs with absolutely no remorse at all.

On the other hand, ... fingers?

Legality?

[Anonymous Coward]

Aside from the security issues, is such a thing legal in the US? I mean, are you required by contract to do the work you are paid for yourself?

Not scam

[gmuslera]

Was doing his job, and better than anyone else there. And got plenty of free time doing it that way, that is efficiency. If instead of coding letter by letter he took a public domain code (to avoid messing with licenses) that do the same would be a not so different situation, mainly changed the timing related the code.

But also gave to another party (that be the one that did his job is not relevant, that is overseas or in china in particular depend on your own prejudices) internal access to network/code/information without authorization. That is not scam, is a security breach, and shoudl be taken as seriously as all the other security breachs there (i.e. if he was so happy watching lolcats and visiting facebook and ebay probably others could have been doing it, and maybe sharing with the world even more internal/critical information, or downloading malware without being aware and so on)

The Onion knew it in 2009

[mseeger]

The Onion already knew about this back in 2009: http://www.youtube.com/watch?v=rYaZ57Bn4pQ [youtube.com]

Re:Part of me says, "Good!"

[kiddygrinder]

yeah as if, i'm sure if i told my boss i was doing this they'd be so keen to keep paying me to do it rather than firing me and doing it themselves whilst keeping 4/5 of my salary.

I call bullshit.

[tofarr]

This story sets off my bullshit radar. Too many things about it don't make sense: 1.) Why would "Bob" give full access to company resources to subcontractors? Were I to subcontract a job, at the very least I would want to review everything before it was committed - especially if I was taking responsibility for it. 2.) What would happen if a colleague asked "Bob" about his code? Or as regularly happens on all but the smallest of tasks he had to collaborate closely with another fellow developer? There is a level of knowledge that you get from being part of a development process that you don't get otherwise. This sounds to me like an advertisement for outsourcing services.

Re:Part of me says, "Good!"

[TheLink]

Was he using the same contractor for everything? If he wasn't then maybe he's a competent project manager with a good eye for talent.

It's not so easy to get good results from outsourcing. So some of his 400% markup might be justified ;).

Of course, this is not unusual

[SmallFurryCreature]

Take music. The CD's are produced in China to lower costs, this is legal. You buy them from China, ILLEGAL PIRACY!

Outsource production, perfectly legal. Buy imports, pay max taxes including taxes on shipping PLUS a customs fee PLUS a fee for the shipping agency ON TOP of the shipment fee for it all... AND STILL it is often cheaper...

The global economy is there to benefit the rich, not the poor.

Re:Legality?

[Sique]

This is the mantra of civilization in general. One of the big advantages of being in a civilisation are the famous shoulders of giants. You don't need to invent a way to store speech in a durable way, you can use paper, pen and an alphabet. You don't even need to invent speech, you can use the language of your environment. You don't need to invent iron casting and forging, you can go to Home Depot and buy nails and screws. And yes, at first you look if you can borrow something (if it was in use before, it is probably usuable), then you look if you get it for free (with no guarantee that it works), then try to buy it somewhere and only if it is really not available at a price you see fit, you do it yourself.

Re:Part of me says, "Good!"

[arth1]

On one hand, companies outsource "our" jobs with absolutely no remorse at all.

On the other hand, ... fingers?

On the gripping hand, the problem is giving your personal RSA encryped access into a company's network to unidentified third parties.
Perhaps this developer could provide his services for a fifth of the going rate because he also snooped around and collected and sold data.
Clandestine data mining and illegal data bourses is no longer a SciFi concept; it happens every day.

Re:Part of me says, "Good!"

[ByOhTek]

Note: that was sarcasm - there should have been a question mark at the end. They should be put on equal footing, or because the employees are more likely to spend the money (i.e. not invest which aggregates more money to them), and therefore keep a pool of money that will help draw and encourage investors, even in a stagnate economy... I can even seen putting some favoritism towards the employee doing it.

Re:Part of me says, "Good!"

[Luckyo]

This was mt first thought as well. If employer's management has any common sense, at this point the man should be pushed into management ASAP. People who can do outsourcing that well are very rare.

Re:Part of me says, "Good!"

[dubbreak]

VPN is not really the problem, since VPN access tends to be quite limited in scope.

And my experience says the opposite. Whatever you'd have access to locally as a user you'd have over VPN. How would you do your job otherwise? The point of VPN is to make it a secure connection so you can have access to whatever you'd have access to locally.

If the company has an NDA, is ISO registered, has to follow any government security protocol (I worked at a private Canadian company that followed US security regulations in order to sell to US gov) etc.. this could lead to trouble. Of course sweeping it under the rug would have been better than advertising it if that's the case.

I agree on the kudos. Finding good people is tough enough locally. Outsourcing is hell. In a contracting type situation (as long as it didn't have a no substitution clause) this would have been perfectly ok (if not better than ok since it appears good code was actually written). The interesting part is whether the company would have paid the same had they known. They were quite willing to pay a wage of X when they thought it was the local guy producing the code, but my guess is they'd want to pay a small % of X for the Chinese worker even with this guy managing him. In reality, since he was producing the best code in the company, he should have been getting the biggest wage (reward your stars and all that).

Re:Part of me says, "Good!"

[dubbreak]

This.

A contractor or consulting company would do this no problem. That's a b2b relationship though. Employees are supposed to be subservient, "Yes mastah, whatever you need mastah."

If we ignore any issues with security it's really hard to fault the guy. The point as an employee is to do your job and do it well. The code he (had) produced was apparently commendable. He did his job well though not by the traditional solution (working hard and doing it yourself). Does that make it the wrong solution?

The biggest issue is the company "got tricked" into paying more for a cheap worker. Of course had they done the outsourcing themselves they'd probably have one or more of the worst producing low quality coders that require tons of rework (the normal reality of outsourcing).

Re:Part of me says, "Good!"

[JosKarith]

Money's not the only motivator to go to work but it's the deal breaker. And if i could earn 80% of my salary by sitting on my arse working on personal projects then I'd go for it.

Re:Part of me says, "Good!"

[cayenne8]

It's not so easy to get good results from outsourcing. So some of his 400% markup might be justified ;).

This man is my God!!!!

Now....how can I implement something of this sort? Just need to learn my lessons where this guy screwed up.

Ok, no unauthorized VPN's into the work network, do all that from home is a start.

Re:The order of things

[hey!]

Well, my experience with Chinese goods is that they give the customer what he wants. If he wants quality, he gets quality. If he wants a shiny facade over a piece of crap, that's what he gets.

What's important to note here is that the customer is seldom the end-user. It's usually a retailer, which accounts for the present day predominance of polished-turd products detouring in our homes on their way to the landfill. Once a product is sold and out of warranty, the retailer is happy if it needs replacement, and Chinese manufacturers have got planned obsolescence down to a science.

The interesting wrinkle here is that the customer in this case may have had a higher interest in software quality than the corporation he worked for. It was his reputation on the line in the way his employer's reputation was not.

Re:Part of me says, "Good!"

[fahrbot-bot]

Thanks for the encouraging words.

I'm not a shut-in, but have always been rather solitary and okay with it. All of my long-term friends live far away, with the nearest about 120 miles away. My wife was a teacher and had lots of friends, but I was okay hanging with just her for most of the time. I can keep busy on my own, most of the time. I've got home improvements, whenever I get the enthusiasm for that, and have 4 computers at home w/Windows and Linux - one is my MythTV system. I've live in the same city since 1981 and the same house since 1993. I live in a tourist town in Virginia and have (and do) see the things worth seeing, within reason... I'm not into traveling by myself, don't really see the point w/o someone to share it with and I'm not really interested in going out to get laid - dating/sex is (was) fun, but over-rated unless with the right person. I'm not interested in being with just anyone.

Basically, I'm slowly getting my personal shit in order, while I figure things out. I had a *really* good relationship with my wife and she was a wonderful person. She wanted me to find someone else and I promised her I would at least consider it, but she's a tough act to follow and I'm not interested in anything less. I'm not hung up on my past, but am defined by it.

On a really personal note. She was diagnosed with a brain tumor and died literally in my arms seven weeks later. I heard her last breath and felt her last heart beat. That gave me a lot of perspective on a lot of things - not all of it/them good. The seventh anniversary of her death was Sunday, January 13, 2013 @ 3:00pm so this week isn't good for me.