Engineer Fired For Outsourcing Himself To China
January 17, 2013 3 Comments
If you’ve read the 4-Hour Work Week, you know that one of the key concepts is outsourcing routine or repetitive work to Virtual Assistants. Timothy Ferriss calls it “geoarbitrage”, which is a fancy way of saying that you can benefit from the fact that what costs $60 an hour in the US is $12 elsewhere.
In the book, Tim suggests that geoarbitrage is a great way to build a lifestyle business — one that can eventually free you from your day job.
Well, here’s a brilliant guy who has taken this idea to the next level. His name is Bob (not his real name), but get this: Bob is believed to have outsourced his own full-time job to a Chinese sub-contractor.
With his free time, he surfed the web and took it easy.
According to this article on The Register, Bob got caught because his company noticed that he was regularly logging in from Shenyang, China.
They probably thought, WTF? (I’m thinking WTF — is this story true!?)
Allegedly, Bob is said to have FedExed his two-factor authentication token to a Chinese programmer, and was paying 1/5 of his 6-figure salary — freeing Bob up to spend the rest of his time taking it easy.
Believe it or not, here’s Bob’s typical schedule:
- 9:00 AM: Get to work, surf Reddit for a few hours, and watch cat videos
- 11:30 AM: Eat lunch
- 1:00 PM: Spend time on eBay
- 2:00 PM: Do some Facebook updates, visit LinkedIn
- 4:30 PM: Send an end-of-day update via email to management
- 5:00 PM: Leave the office
Apparently, this was working out pretty well. Bob’s performance reviews showed him as a top engineer for many quarters.
It gets better. It turns out that Bob had also taken jobs with other companies, and had outsourced that work as well. Allegedly, he was netting hundreds of thousands of dollars in profit.
Wait, Does This Really Work?
OK, so I’m a nerd, but stay with me for a moment: let’s put aside the legality of what Bob did, and just take a quick look at the business model:
- Let’s imagine Bob’s salary is $120,000 p/year, or $57 p/hour. Let’s assume that’s $40 after taxes.
- Let’s imagine the Chinese programmer’s hourly rate is $12 p/hour.
- This yields an after-tax profit of $28 p/hour — a 70% profit margin.
- In a year, Bob takes home $83,200, and out of that, pays $24,960 to the Chinese contractor so that he can spend time surfing the internet. He’s left with $58,240 to compensate him for his ingenuity.
And finally: Let’s imagine that Bob somehow figures out how to get hired at one other company (oh wait, Bob did do that) for the same yearly salary of $120,000, and puts the same process in place.
Assuming all other things are equal, he nets $58,240 from this gig as well, bringing his total yearly take-home to $116,480.
I must say I’m dubious of this story, as I cannot substantiate that our friend Bob actually did this. But what if it’s true?
Question: Legal issues aside, what do you think of Bob’s scheme? Is it stupid — or brilliant?
Interesting story and questions, Dave. I think his ingenuity is significantly tempered by his limited vision and purpose. He’s brilliant to have worked the scheme but stupid not to have capitalized on it for more than surfing Reddit and eBay and a $10K/month paycheck. Assuming the quality of work was high, which required at least competent management of the Chinese programmers, he could have formed his own outsourcing company and multiplied his profit 10X. He could have shown his company’s owner how to save millions (management candidate?). He could have used the time to contribute to something bigger than himself by programming a website and tools for a local non-profit organization (a common need). I love his initiative, and I’m all for ROWE, but he missed an opportunity bigger than his temporal comfort.
Jeff, you raise an excellent point.
For anyone who has worked with VAs or an outsourced team, you know it takes a lot of work. It is not easy at all. I did not include this time in the ROI analysis above, but it would certainly take up part of his day (depends on exactly what he was having them do).
I agree that he missed a larger opportunity. I’d love to find Bob, and find out the real story. Bob, if you’re out there, email me!
Thanks for the comment, Jeff,
-dr-
Thanks to Ben on Facebook, I received a link to something published on the Verizon website that seems to have been removed (but cached by Google, pasted below).
Bob is described as a family guy in his 40s, with extensive software knowledge, but somebody you wouldn’t look at twice in the elevator.
I can’t help but think of the movie “Office”. Maybe this narrative is the new 2013 version? 🙂
======
Case Study: Pro-active Log Review Might Be A Good Idea
Andrew Valentine
January 14th, 2013
With the New Year having arrived, it’s difficult not to reflect back on last year’s caseload. While the large-scale data breaches make the headlines and are widely discussed among security professionals, often the small and unknown cases are the ones that are remembered as being the most interesting from the investigator’s point of view. Every now and again a case comes along that, albeit small, still involves some unique attack vector – some clever and creative way that an attacker victimized an organization. It’s the unique one-offs, the ones that are different, that often become the most memorable and most talked about amongst the investigators.
Such a case came about in 2012. The scenario was as follows. We received a request from a US-based company asking for our help in understanding some anomalous activity that they were witnessing in their VPN logs. This organization had been slowly moving toward a more telecommuting-oriented workforce, and they had therefore started to allow their developers to work from home on certain days. In order to accomplish this, they’d set up a fairly standard VPN concentrator approximately two years prior to our receiving their call. In early May 2012, after reading the 2012 DBIR, their IT security department decided that they should start actively monitoring logs being generated at the VPN concentrator. (As illustrated within our DBIR statistics, continual and pro-active log review happens basically never – only about 8% of breaches in 2011 were discovered by internal log review). So, they began scrutinizing daily VPN connections into their environment. What they found startled and surprised them: an open and active VPN connection from Shenyang, China! As in, this connection was LIVE when they discovered it.
Besides the obvious, this discovery greatly unnerved security personnel for three main reasons:
- They’re a U.S. critical infrastructure company, and it was an unauthorized VPN connection from CHINA. The implications were severe and could not be overstated.
- The company implemented two-factor authentication for these VPN connections, the second factor being a rotating-token RSA key fob. If this security mechanism had been negotiated by an attacker, again, the implications were alarming.
- The developer whose credentials were being used was sitting at his desk in the office.
Plainly stated, the VPN logs showed him logged in from China, yet the employee is right there, sitting at his desk, staring into his monitor. Shortly after making this discovery, they contacted our group for assistance. Based on what information they had obtained, the company initially suspected some kind of unknown malware that was able to route traffic from a trusted internal connection to China, and then back. This was the only way they could intellectually resolve the authentication issue. What other explanation could there be?
Our investigators spent the initial hours with the victim working to facilitate a thorough understanding of their network topology, segmentation, authentication, log collection and correlation and so on. One red flag that was immediately apparent to investigators was that this odd VPN connection from Shenyang was not new by any means. Unfortunately, available VPN logs only went back 6 months, but they showed almost daily connections from Shenyang, and occasionally these connections spanned the entire workday. In other words, not only were the intruders in the company’s environment on a frequent basis, but such had been the case for some time.
Central to the investigation was the employee himself, the person whose credentials had been used to initiate and maintain a VPN connection from China.
Employee profile – mid-40s software developer versed in C, C++, Perl, Java, Ruby, PHP, Python, etc. Relatively long tenure with the company, family man, inoffensive and quiet. Someone you wouldn’t look at twice in an elevator. For the sake of the case study, let’s call him “Bob.”
The company’s IT personnel were sure that the issue had to do with some kind of zero day malware that was able to initiate VPN connections from Bob’s desktop workstation via external proxy and then route that VPN traffic to China, only to be routed back to their concentrator. Yes, it is a bit of a convoluted theory, and like most convoluted theories, an incorrect one.
As just a very basic investigative measure, once investigators acquired a forensic image of Bob’s desktop workstation, we worked to carve as many recoverable files out of unallocated disk space as possible. This would help to identify whether there had been malicious software on the system that may have been deleted. It would also serve to illustrate Bob’s work habits and potentially reveal anything he inadvertently downloaded onto his system. What we found surprised us – hundreds of .pdf invoices from a third party contractor/developer in (you guessed it) Shenyang, China.
As it turns out, Bob had simply outsourced his own job to a Chinese consulting firm. Bob spent less than one-fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem: he physically FedExed his RSA token to China so that the third-party contractor could log in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day. Investigators checked his web browsing history, and that told the whole story.
A typical ‘work day’ for Bob looked like this:
- 9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos.
- 11:30 a.m. – Take lunch.
- 1:00 p.m. – eBay time.
- 2:00-ish p.m. – Facebook updates, LinkedIn.
- 4:30 p.m. – End-of-day update e-mail to management.
- 5:00 p.m. – Go home.
Evidence even suggested he had the same scam going across multiple companies in the area. All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually. The best part? Investigators had the opportunity to read through his performance reviews while working alongside HR. For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.
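The check the case study turns on, a VPN session from an unexpected country that overlaps an in-office logon by the same user, is simple to script once VPN concentrator and workstation logs are side by side. This is an added example, not code from the post or from Verizon; the log format, usernames and addresses are constructed, and the per-line country field is assumed to come from the concentrator or a GeoIP lookup done beforehand.

```python
from datetime import datetime
# Constructed sample logs (not real data): VPN concentrator events and
# in-office workstation logons, one 'date time source k=v ...' event per line.
VPN_LOG = """\
2012-05-07 08:58:12 vpn user=bob src=203.0.113.8 country=CN event=connect
2012-05-07 09:02:40 vpn user=alice src=198.51.100.23 country=US event=connect
2012-05-07 17:01:05 vpn user=bob src=203.0.113.8 country=CN event=disconnect
2012-05-07 17:30:00 vpn user=alice src=198.51.100.23 country=US event=disconnect
"""
OFFICE_LOG = """\
2012-05-07 09:05:30 office user=bob host=ws-dev-17 event=logon
2012-05-07 09:10:02 office user=carol host=ws-dev-03 event=logon
"""
EXPECTED_COUNTRY = "US"  # where this workforce is expected to connect from
def parse(text):
    """Parse each log line into a dict of its k=v fields plus a datetime."""
    records = []
    for line in text.splitlines():
        date, time, _source, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records

def sessions(vpn_records):
    """Pair each connect with the next disconnect for the same user."""
    open_by_user, done = {}, []
    for rec in sorted(vpn_records, key=lambda r: r["ts"]):
        if rec["event"] == "connect":
            open_by_user[rec["user"]] = rec
        elif rec["event"] == "disconnect" and rec["user"] in open_by_user:
            start = open_by_user.pop(rec["user"])
            done.append({"user": start["user"], "country": start["country"],
                         "start": start["ts"], "end": rec["ts"]})
    return done

def review(vpn_text, office_text, expected=EXPECTED_COUNTRY):
    """Flag VPN sessions from an unexpected country or overlapping an office logon."""
    office = parse(office_text)
    findings = []
    for s in sessions(parse(vpn_text)):
        reasons = []
        if s["country"] != expected:
            reasons.append("source country " + s["country"])
        if any(o["user"] == s["user"] and s["start"] <= o["ts"] <= s["end"]
               for o in office):
            reasons.append("user logged on in the office during the session")
        if reasons:
            findings.append((s["user"], s["start"].isoformat(" "), reasons))
    return findings
```

Run on the constructed logs, `review(VPN_LOG, OFFICE_LOG)` reports only Bob's session, with both reasons, while Alice's domestic session passes.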