There was a brief flurry in the intertubes this week when Emil Protalinski broke a story titled “Verizon finds US developer outsourced his job to China so he could surf Reddit and watch cat videos.” It appears that the programmer was discovered because he’d sent his RSA token — the one that generates a password to log in to the VPN — and people in China were logging in:
From Andrew Valentine’s “Case Study: Pro-active Log Review Might Be A Good Idea”:
Besides the obvious, this discovery greatly unnerved security personnel for three main reasons:
- They’re a U.S. critical infrastructure company, and it was an unauthorized VPN connection from CHINA. The implications were severe and could not be overstated.
- The company implemented two-factor authentication for these VPN connections, the second factor being a rotating-token RSA key fob. If this security mechanism had been negotiated by an attacker, again, the implications were alarming.
- The developer whose credentials were being used was sitting at his desk in the office.
Plainly stated, the VPN logs showed him logged in from China, yet the employee is right there, sitting at his desk, staring into his monitor.
And looking deeper, the investigation discovered that the mid-40ish programmer, ‘Bob,’ had been spending his days watching cat videos.
A typical ‘work day’ for Bob looked like this:
9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos.
11:30 a.m. – Take lunch.
1:00 p.m. – eBay time.
2:00-ish p.m. – Facebook updates, LinkedIn.
4:30 p.m. – End-of-day update e-mail to management.
5:00 p.m. – Go home.
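The detection that caught Bob was simply a comparison of two records the company already had: VPN logins geolocated to China and a badge reader showing the same man at his desk. The following is an added example of that correlation, not code from Valentine’s case study or from Verizon; the log formats, field names and every sample line are constructed for the illustration.

```python
# Added example: correlate VPN authentication logs with badge-reader logs to catch the case
# above. Log formats, field names and every sample line below are constructed, not real data.
from datetime import datetime, timedelta
VPN_LOG = """\
2012-05-14T09:02:11Z user=bob src_country=CN result=SUCCESS
2012-05-14T09:05:40Z user=alice src_country=US result=SUCCESS
2012-05-14T13:10:02Z user=bob src_country=CN result=SUCCESS
2012-05-14T18:30:00Z user=carol src_country=GB result=SUCCESS
2012-05-14T09:45:00Z user=dave src_country=CN result=FAILURE
"""
BADGE_LOG = """\
2012-05-14T08:55:30Z user=bob event=IN door=lobby
2012-05-14T17:01:00Z user=bob event=OUT door=lobby
2012-05-14T08:40:00Z user=alice event=IN door=lobby
2012-05-14T09:30:00Z user=dave event=IN door=lobby
"""
OFFICE_COUNTRY = "US"
PRESENCE_WINDOW = timedelta(hours=10)  # badged IN with no OUT yet: assume on-site this long

def parse(log):
    """Yield one dict per '<ts> key=value ...' line; 'ts' becomes a datetime."""
    for line in log.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        yield rec

def presence_intervals(badge_records):
    """Per-user (start, end) on-site intervals built from IN/OUT badge events."""
    intervals, open_in = {}, {}
    for rec in sorted(badge_records, key=lambda r: r["ts"]):
        user = rec["user"]
        if rec["event"] == "IN":
            open_in[user] = rec["ts"]
        elif rec["event"] == "OUT" and user in open_in:
            intervals.setdefault(user, []).append((open_in.pop(user), rec["ts"]))
    for user, start in open_in.items():
        intervals.setdefault(user, []).append((start, start + PRESENCE_WINDOW))
    return intervals

def find_conflicts(vpn_log=VPN_LOG, badge_log=BADGE_LOG, office_country=OFFICE_COUNTRY):
    """(user, ISO timestamp, country) for each foreign VPN success inside an on-site interval."""
    presence = presence_intervals(parse(badge_log))
    alerts = []
    for rec in parse(vpn_log):
        if rec["result"] != "SUCCESS" or rec["src_country"] == office_country:
            continue  # failed attempts and domestic logins are out of scope for this check
        if any(s <= rec["ts"] <= e for s, e in presence.get(rec["user"], [])):
            alerts.append((rec["user"], rec["ts"].isoformat(), rec["src_country"]))
    return alerts
```

With the sample data, only Bob’s two Chinese logins are flagged: Carol’s foreign login has no matching badge-in, and Dave’s attempt failed authentication.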
OK, all well and good.
But leaving aside the RSA breach, what would be wrong with outsourcing your own job? Imagine a slightly different scenario for Bob. Imagine that he’s a programmer building some software that is not hush-hush secret, and he doesn’t break the VPN login. Imagine that he outsources some or all of the programming he’s supposed to do, then personally inspects it, integrates it with the rest of his company’s software, and tests it. And let’s imagine he was able to do all that working only a few hours per day, from his home.
Who’s harmed? Isn’t he just doing what businesses do all the time? They contract with freelancers or outside companies to undertake steps in critical business processes, right?
What if Bob was a freelancer? He’s not being paid to occupy a seat a certain number of hours a day, after all, but to get the software built. If he can do it in ten days instead of thirty his client might pay more, not less, since it’s to the company’s benefit to have the software sooner, all other things being equal. The company would pay, and if Bob spent his time at the race track, no one would say “boo,” as long as he signed the nondisclosure contracts. And if he chooses to outsource all or part of that work? Well, he simply has to contractually lock up those he’s outsourcing to, and all’s well.
Imagine, then, a not-too-distant future where everyone in the workforce — at least the professional ranks — operates as a corporation, with a well-defined contractual relationship to their client (formerly their employer). The client company would lose nothing in secrecy provisions or ownership of ideas, since employees already can steal and go work elsewhere. And they could jettison the vestiges of corporate benefits, like health care and perks, which most seem eager to do anyway. In return the former employee, now freelancer, gets freedom and the possibility of more money, too.
After all, our example, Bob, was making over $100,000 and was only paying the Chinese firm $50,000. He could have perhaps run several of these projects at the same time, making several times more. And what about the quality of his work? According to Valentine,
Investigators had the opportunity to read through his performance reviews while working alongside HR. For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.
Maybe instead of terminating this guy they should have made him head of IT.