The man outsourced his own job. Really?
Call me a sceptical old journalist if you like (I do), but am I the only person who can't quite buy the “man outsourcing his own job” story as it has been told?
The yarn about the programmer outsourcing his job to China for a fraction of his US wage while being rated best-of-breed by his employer gained much more than the usual 15 minutes of fame last week and has already passed into folklore – but maybe it was already there.
Oh, I would like to believe it 100 per cent, right down to the claim that he was somehow managing to do it simultaneously at several companies – it's such a great story.
And it is so very much like the brilliant satire the Onion team did several years ago on people outsourcing their own job. (You can watch that here but skip the ad for the R-rated movie if you're sensitive.)
Let me stress that this is purely my opinion and runs counter to a subsequent note of confirmation on the Verizon blog that first broke the story – “The case is factual and was worked by one of our investigators,” says Verizon – but there are some things about this yarn and how it came to be told that don't quite gel with me, that make me think that just maybe the story was polished a little, grew in the telling, or something like that.
For a start, there's the matter of where and when the story broke: on the aforementioned Verizon Business security blog, a piece attributed to Andrew Valentine last Monday with the catchy headline “Case Study: Pro-active Log Review Might Be A Good Idea”.
According to the blog, “Bob” the outsourcer was caught way back in May. If you were a shy computer geek, you might not know a good story when it jumps up and bites you on the backside, but Andrew J. Valentine is no shrinking violet. Google him and you'll find he's out and about giving interviews and delivering speeches around the world. Yet Andrew decided to quietly run this story as something of an end-of-year afterthought on a blog, something “most memorable and most talked about amongst the investigators”.
You no doubt know the gist of the story, with the blog version concluding: “Evidence even suggested he had the same scam going across multiple companies in the area. All told, it looked like he earned several hundred thousand dollars a year, and only had to pay the Chinese consulting firm about fifty grand annually. The best part? Investigators had the opportunity to read through his performance reviews while working alongside HR. For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.”
Some stories are too good to stay quiet. I don't understand how Andrew J. Valentine could give a speech anywhere or pen an article without mentioning such a case. In the field of computer programming and network security, this isn't “man bites dog”, it's “man bites tiger's head off”.
Then there are technical questions about which others certainly know more than me. This post from “lesterbuck” appeared on a hacker chat site:
“While I am sure a bunch of US developers have outsourced their jobs, certain details of this "case study" make me think this is made up, or at least a synthesis of actual cases. From the original case study post, this developer worked from home on "certain days". How many people can be at work on site, month after month, and no one notices they never actually log in to their work system? How many people are the "best developer in the building" and never mentor or assist other developers? How does he handle the time gap, which is many hours out of phase, so there is a delay to any bug fix or "little patch" or emergency fix? So an entire team of excellent Chinese developers works the night shift indefinitely? Or his commits have some of the weirdest pattern of time stamps no one ever noticed. "Hell, Bob broke the build ... at 4am!?!" How does he even answer detailed questions during code reviews when he didn't write it? We've all seen that outsourced code "beautifully commented"...? With 2fa tokens, is it really possible to not have it on your person for six months and no one notices at work? Are we to believe he is smart enough to be banking all this money with no work and excellent delivered code, and it never occurs to him to proxy his VPN connection to China instead of sending a physical token? I just don't buy it as written. Maybe part of the purpose of that case study is to put the fear of god into that subset of developers that is doing the same thing without the "Oh, he was so stupid!" mistakes. Or at least galvanise their employers to read their logs, as suggested.”
Another contributor suggests a different version:
“I've heard this story before. The only difference is that the third party didn't access the company systems and that Bob was truly an expert. In my version Bob got permission from his employer to go overseas for a year where he would work remotely. Instead he spent a year on the beach in Bali shipping change requests to India and doing code reviews of the work coming back. He still understood the code and everything about it. He explained and interpreted requirement from his employer to his Indian developer(s).
“So instead of 8 hours at a desk, he spent 2 hours at a desk providing the expertise he was paid for (to both his Indian developer and to company meetings) and spent 6 hours on the beach. The only thing he didn't provide was the actual keypresses. The only problem I see with this is that the company's IP (the source code) was given to someone they company wasn't aware of (which isn't a trivial thing). The company paid an expert to provide them with his expertise and to complete particular requirements. He did both.”
An IT lawyer I know says decent Chinese outsourcing isn't that cheap – if it was, everyone really would be doing it. There are perhaps pernickety details – the original blog had “our investigators” while the very brief confirmation line was down to “one of our investigators” – and, to me, a story being “factual” doesn't quite mean it is 100 per cent truth and nothing but the truth.
But, hey, I'm certainly not a gun programmer or IT forensic investigator, just someone taught to be a little sceptical when coming across something a little too cute to be true. I don't know what Lesterbuck's excuse might be.
Michael Pascoe is a BusinessDay contributing editor yet to find a way he can outsource his work.