Ready to outsource your development job to China? One guy was doing it for months, and only got caught because he was lazy.
Verizon's security team just released a bizarre case study, describing a company that approached it after seeing some strange network traffic. It was experiencing a VPN connection from China, for no reason, which often stayed up for a day at a time. Even weirder was the fact that the person at the other end of the VPN connection was using two-factor authentication to check into the account.
While investigating the problem, the security team decided to trawl the hard drive of the account's legitimate owner, an employee inside the company. They were looking for malware that may have been planted by an attack. Instead, they found dozens of invoices from Shenyang, China. It turned out that the employee, a software developer for the company, had been outsourcing pretty much all of his job to low-cost labour on the other side of the Pacific. They were able to access the system because he had Fedexed his RSA token to them.
The developer, who was paid a six-figure salary, was paying a fifth of what he earned to the overseas contractor. That's smart if you're someone who wants to get your job done for you while still earning a hefty salary. It's smart if you don't care about ethics, or security, or the wellbeing of your employer or the broader community that they serve.
It's also incredibly insecure. Many security attacks have been documented as coming from China. If someone else is accessing your systems and writing your code, then they will also have carte blanche access to your infrastructure, and potentially elements of the infrastructure beyond. This company was also part of the critical national infrastructure, said Verizon. Suddenly, stories of cyberattacks on oil and gas infrastructure and malware planted in the electricity grid seem far more plausible.
What's irritating isn't just the guy's irresponsible actions; it's the fact that he wasn't even doing anything productive with his time. The Verizon team's blog on the subject outlined his average day thus:
9:00 a.m. - Arrive and surf Reddit for a couple of hours. Watch cat videos
11:30 a.m. - Take lunch
1:00 p.m. - Ebay time.
2:00 - ish p.m Facebook updates - LinkedIn
4:30 p.m. - End of day update e-mail to management (ironically, he got consistently excellent performance reports).
5:00 p.m. - Go home
He was also lazy enough to have the Chinese workers connect directly with their VPN, rather than running a proxy at his house and having them connect to it first. That's what got him caught - thankfully for the company concerned, which presumably would now want to audit its internal network and pull a full static analysis of its code, to see if there are any security holes.
This is the darker side of the extraction theory proposed in Tim Ferriss's book The Four Hour Work Week. In that book, he advocates distancing yourself from your company and working from home where possible, so that you can be more efficient with your time and start your own lifestyle business. He also suggests using a virtual assistant to take on mundane tasks. It seems our enterprising developer skipped the lifestyle business part, and just got someone else to do his job.
Or perhaps this was his version of a lifestyle business. The Verizon team said that evidence suggests he was pulling the same scam in multiple companies.
There are most certainly things you can do to make your job easier as a sysadmin or software developer. I know of one tech expert who took a job as a sysadmin for a US company, demanded to work from home, and then scripted 80% of his tasks. His job ran smoothly, there were no security risks, and he was free to get on with other things. But that takes real smarts.
Lessons learned here? For companies: watch your system logs more closely (this had been going on for over six months). For employees: sure, work efficiently, do what you can to automate your job and make it easier - but never, ever step away from your work ethic or basic trustworthiness.
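One way to act on the log-review lesson, as an added example that is not from the Verizon report or this post: a Python check over constructed VPN and on-site records that flags the signals in this case (an unexpected source country, a session that stays up for most of a day, and a user who is active on site while their VPN session is live). The record layout, thresholds and user names are assumptions; the last signal is the one that still fires when the remote connection arrives from an expected country.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
EXPECTED_COUNTRIES = {"US"}          # assumption: where this workforce normally connects from
MAX_SESSION = timedelta(hours=12)    # assumption: threshold for an unusually long session

# Constructed sample VPN sessions: (user, source country, start, end)
VPN_SESSIONS = [
    ("bob",   "CN", "2024-01-08 09:02", "2024-01-09 08:40"),
    ("alice", "US", "2024-01-08 18:30", "2024-01-08 21:10"),
    ("carol", "US", "2024-01-08 07:00", "2024-01-08 07:45"),
    ("dave",  "US", "2024-01-08 10:00", "2024-01-08 11:00"),
]
# Constructed on-site activity (badge swipe or desktop logon): (user, time)
ONSITE_EVENTS = [
    ("bob",   "2024-01-08 13:05"),
    ("alice", "2024-01-08 08:55"),
    ("carol", "2024-01-08 08:30"),
    ("dave",  "2024-01-08 10:30"),
]

def parse(ts):
    return datetime.strptime(ts, FMT)

def review_sessions(sessions, onsite_events,
                    expected=EXPECTED_COUNTRIES, max_len=MAX_SESSION):
    """Return (user, country, reasons) for every session with at least one signal."""
    findings = []
    for user, country, start, end in sessions:
        s, e = parse(start), parse(end)
        reasons = []
        if country not in expected:
            reasons.append("unexpected-country")
        if e - s > max_len:
            reasons.append("long-session")
        # The same account is in use inside the building and over the VPN at once.
        if any(u == user and s <= parse(t) <= e for u, t in onsite_events):
            reasons.append("onsite-while-on-vpn")
        if reasons:
            findings.append((user, country, reasons))
    return findings

if __name__ == "__main__":
    for user, country, reasons in review_sessions(VPN_SESSIONS, ONSITE_EVENTS):
        print(f"{user} ({country}): {', '.join(reasons)}")
```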