01-16-2013 08:45 AM
> "The security blog of Verizon has the story of an investigation into unauthorized VPN access from China which led to unexpected findings. Investigators found invoices from a Chinese contractor who had actually done the work of the employee, who spent the day watching cat videos and visiting eBay and Facebook. The man had FedExed his RSA token to the contractor and paid only about 1/5th of his income for the contracting service. Because he provided clean code on time, he was noted in his performance reviews to be the best programmer in the building. According to the article, the man had similar scams running with other companies."
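The thread describes the investigation starting from VPN logins that came from China while the employee was supposedly at his desk. The script below is an added illustration, not code from the forum post or from Verizon, of the two checks a defender would run to surface exactly that pattern: a successful VPN login from a country other than the user's expected one, and a VPN session that overlaps in time with a console logon to the same user's on-site workstation. The log lines, hostnames, IP addresses (from documentation ranges) and field names are all constructed for the example; the four-hour overlap window is an assumption because the sample logs record session start but not session end.

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the article): VPN logins and
# on-site workstation logons for a user "bob", plus a control user "alice".
VPN_LOG = """\
2013-01-07 08:02:11 vpn user=bob src=203.0.113.7 country=CN result=success token=rsa
2013-01-07 08:15:40 vpn user=alice src=198.51.100.9 country=US result=success token=rsa
2013-01-08 07:58:03 vpn user=bob src=203.0.113.7 country=CN result=success token=rsa
"""
WORKSTATION_LOG = """\
2013-01-07 08:30:00 host=ws-0412 user=bob event=console_logon
2013-01-08 08:41:17 host=ws-0412 user=bob event=console_logon
"""
# Expected country of work per user (assumed inventory data).
HOME_COUNTRY = {"bob": "US", "alice": "US"}


def parse_kv_line(line):
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...' into a dict with a 'ts' datetime.

    Bare tokens without '=' (such as the 'vpn' source tag) are kept under 'tags'.
    Returns None for blank or malformed lines so callers can skip them.
    """
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    record = {"ts": ts}
    for field in parts[2:]:
        if "=" in field:
            key, value = field.split("=", 1)
            record[key] = value
        else:
            record.setdefault("tags", []).append(field)
    return record


def parse_log(text):
    """Parse every line of a log blob, dropping lines that do not parse."""
    return [r for r in (parse_kv_line(l) for l in text.splitlines()) if r]


def analyze(vpn_text, ws_text, home_country, window_hours=4):
    """Return findings as (kind, user, vpn_timestamp_iso, detail) tuples.

    kind is 'foreign_origin' when a successful VPN login comes from a country
    other than the user's expected one, and 'concurrent_presence' when the same
    user has a console logon on an on-site workstation within window_hours of
    the VPN login (the window stands in for the unknown VPN session length).
    """
    vpn = parse_log(vpn_text)
    ws = parse_log(ws_text)
    window = timedelta(hours=window_hours)
    findings = []
    for v in vpn:
        if v.get("result") != "success":
            continue
        user = v.get("user")
        expected = home_country.get(user)
        if expected and v.get("country") != expected:
            findings.append((
                "foreign_origin", user, v["ts"].isoformat(),
                f"vpn from {v.get('country')} ({v.get('src')}), expected {expected}",
            ))
        for w in ws:
            if w.get("user") == user and abs(w["ts"] - v["ts"]) <= window:
                findings.append((
                    "concurrent_presence", user, v["ts"].isoformat(),
                    f"console logon on {w.get('host')} at {w['ts'].isoformat()} "
                    f"while VPN session from {v.get('country')}",
                ))
    return findings


if __name__ == "__main__":
    for kind, user, when, detail in analyze(VPN_LOG, WORKSTATION_LOG, HOME_COUNTRY):
        print(f"{when} {kind:20s} {user:8s} {detail}")
```

Run against the constructed logs it reports four findings, all for "bob": two foreign-origin logins and two overlaps with an on-site console logon, and nothing for "alice". A foreign-origin login on its own is a weak signal (travel, misattributed IP geolocation), which is why the second check, correlating with badge or workstation data that places the person on site, is the one worth alerting on.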
01-16-2013 11:17 AM
The difference is that when a company hires a consulting firm, the two companies have agreements put into place about the consultants' access. If the company is unaware of this informal subcontracting, then it can't do that.
I'm going to move this topic to the Security Talent Community's section. You'll still be able to comment on it, just as you would in current events, but I want to make sure the talent guides and those who follow the security area are aware of it.
01-16-2013 11:36 AM
Here's a cached copy of the item from Verizon's security blog.
Please note: I've noticed that some publications have incorrectly reported that "Bob" worked for Verizon. The company that Bob worked for used Verizon's security service to uncover what was going on. At first, company officials thought that they were being hacked by a company or government body in China.
This story is so bizarre that when I first read it this morning, I thought it was from The Onion.
01-16-2013 11:41 AM
It is one thing to subcontract work out. But this goes beyond that, in terms of misrepresentation (the employee was saying this was his work when it wasn't), and sending an RSA token to someone else is clearly not good practice, and probably is something that will get you fired (I don't think it is ethical, and whether or not it is legal isn't for me to say).
The whole thing makes me rather sad this morning.
01-16-2013 12:45 PM
Yes, my edit was lost as they were moving the post, but I meant to amend that: if not always illegal (and I bet it would be if you worked for the NSA or some other gov), it would be against 99% of the contracts out there.
But this is just the more egregious act. I expect there are a helluva lot of people sitting at home telecommuting or in a cube someplace, sending code out there to be done offshore while they pull a US salary, and I'd expect H-1Bs to be at the forefront of this.