xixitalk's snippet


Jan 16, 2013

Security audit finds dev OUTSOURCED his JOB to China

Source: http://www.theregister.co.uk/2013/01/16/developer_oursources_job_china/


Cunning scheme netted him ‘best in company’ awards


By Iain Thomson in San Francisco
Posted in Security, 16th January 2013 01:29 GMT

A security audit of a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet.

The firm’s telecommunications supplier Verizon was called in after the company set up a basic VPN system with two-factor authentication so staff could work at home. The VPN traffic logs showed a regular series of logins to the company’s main server from Shenyang, China, using the credentials of the firm’s top programmer, “Bob”.
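
The audit above hinged on one observation in the VPN logs: a recurring series of logins from a foreign location under the credentials of an employee who was also sitting at his desk every day. As an added example (not from the article or from Verizon), the following script runs that check over constructed VPN and workstation logon records; the log layout, user names and countries are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN concentrator records (field layout is hypothetical):
# timestamp user source_country event
VPN_LOG = """\
2012-11-05T01:12:03Z bob CN vpn_login
2012-11-05T01:14:30Z alice US vpn_login
2012-11-06T01:10:47Z bob CN vpn_login
2012-11-07T01:09:15Z bob CN vpn_login
2012-11-07T14:02:00Z carol DE vpn_login
"""
# Constructed on-site workstation logons for the same users (e.g. from a domain controller).
LOCAL_LOG = """\
2012-11-05T14:05:00Z bob workstation_logon
2012-11-06T13:58:12Z bob workstation_logon
2012-11-07T14:01:30Z carol workstation_logon
"""
# Where each account is expected to connect from (assumed HR/IT data).
HOME_COUNTRY = {"bob": "US", "alice": "US", "carol": "DE"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_vpn(text):
    """Return (time, user, country) tuples from the constructed VPN log."""
    return [(_ts(t), u, c) for t, u, c, _ in (l.split() for l in text.splitlines())]

def parse_local(text):
    """Return (time, user) tuples from the constructed workstation log."""
    return [(_ts(t), u) for t, u, _ in (l.split() for l in text.splitlines())]

def analyze(vpn_text, local_text, home_country, window_hours=24, recur_days=3):
    """Flag VPN logins from outside the user's home country, note when they
    fall within window_hours of an on-site logon by the same user, and mark
    foreign sources that recur on recur_days or more distinct days."""
    findings, foreign_days = defaultdict(set), defaultdict(set)
    local = parse_local(local_text)
    for t, user, country in parse_vpn(vpn_text):
        if country == home_country.get(user, country):  # unknown users are not flagged here
            continue
        findings[user].add("foreign_vpn_login")
        foreign_days[(user, country)].add(t.date())
        if any(lu == user and abs(lt - t) <= timedelta(hours=window_hours) for lt, lu in local):
            findings[user].add("remote_and_onsite_within_window")
    for (user, country), days in foreign_days.items():
        if len(days) >= recur_days:
            findings[user].add(f"recurring_login_from_{country}")
    return {u: sorted(f) for u, f in findings.items()}
```

A real deployment would replace the country column with GeoIP lookups on the source address and the workstation log with badge or endpoint telemetry; the logic of correlating "remote session" against "physically present" is the same.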

“The company’s IT personnel were sure that the issue had to do with some kind of zero day malware that was able to initiate VPN connections from Bob’s desktop workstation via external proxy and then route that VPN traffic to China, only to be routed back to their concentrator,” said Verizon. “Yes, it is a bit of a convoluted theory, and like most convoluted theories, an incorrect one.”

After getting permission to study Bob’s computer habits, Verizon investigators found that he had hired a software consultancy in Shenyang to do his programming work for him, and had FedExed them his two-factor authentication token so they could log into his account. He was paying them a fifth of his six-figure salary to do the work and spent the rest of his time on other activities.

The analysis of his workstation found hundreds of PDF invoices from the Chinese contractors and determined that Bob’s typical work day consisted of:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos

11:30 a.m. – Take lunch

1:00 p.m. – Ebay time

2:00-ish p.m. – Facebook updates, LinkedIn

4:30 p.m. – End-of-day update e-mail to management

5:00 p.m. – Go home

The scheme worked very well for Bob. In his performance assessments by the firm’s human resources department, he was the firm’s top coder for many quarters and was considered expert in C, C++, Perl, Java, Ruby, PHP, and Python.

Further investigation found that the enterprising Bob had actually taken jobs with other firms and had outsourced that work too, netting him hundreds of thousands of dollars in profit as well as lots of time to hang around on internet messaging boards and checking out the latest Detective Mittens video.

Bob is no longer employed by the firm.


Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.