US programmer outsources his job to China for one fifth of his salary and is hailed as a genius

When you think of a programmer, the image that comes to mind is someone steady and hard-working. Today we bring you an amusing story about the most idle, and most accomplished at slacking, programmer in the world.

During a security audit of the previous year's activity, a US critical infrastructure company discovered that one of its star programmers had outsourced his own work to a software company in Shenyang, China, while he spent his working hours browsing the web.

The company had set up a basic VPN system through the telecom provider Verizon, with two-factor authentication, so that employees could work from home. Yet the VPN login logs showed that the company's main server was frequently being accessed by a user in Shenyang, China, authenticating with the account of its programmer "Bob".

According to Verizon, when this was discovered the company's IT department assumed the network was under attack and asked Verizon to investigate. The final result was jaw-dropping: it was neither a malware infection nor a hacker. Programmer Bob had hired a software company in Shenyang to do his daily work for him, and investigators found hundreds of PDF invoices from that company on his workstation. Bob's salary was in the six figures, and what he paid the outsourcing firm was only one fifth of it.

Bob's daily "work" at the office consisted of browsing the web: arrive at 9, read news sites and watch videos, lunch at 11:30, "work" from 1 p.m. by hunting for bargains on eBay, then spend two or three hours on social networks, and leave at 5 on the dot.

Astonishingly, his scheme had never been detected before; in the eyes of HR, Bob had been the company's star programmer for several quarters running, supposedly proficient in C, C++, Perl, Java, Ruby, PHP and Python.

Further investigation found that Bob was in fact quite enterprising: he held several other jobs on the side, all of them outsourced too. In this way he not only got to surf the web at leisure every day but also made piles of money with no effort.

Bob has since been fired.

Verizon finds US developer outsourced his job to China so he could surf Reddit and watch cat videos

16 January 2013, updated at 08:18 CET

No, this is not the Onion, it's not April Fools, and I'm not making this up. All of this comes straight from Verizon, or more specifically, a case study from 2012 outlined by its security team.

The story goes a little something like this. A developer at a US-based critical infrastructure company, referred to as "Bob," was caught last year outsourcing his work to China, paying someone else less than one fifth of his six-figure salary to do his job. As a result, Bob had a lot of time on his hands; in fact, during the investigation, his browsing history revealed this was his typical work day:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos.
11:30 a.m. – Take lunch.
1:00 p.m. – Ebay time.
2:00-ish p.m. – Facebook updates, LinkedIn.
4:30 p.m. – End of day update e-mail to management.
5:00 p.m. – Go home.

Again, I want to emphasize that I haven't invented this schedule for the sake of making this story more interesting or to have a snazzy headline. This comes straight from Verizon; take that as you will.
Apparently Bob had the same scam going across multiple companies in the area (this part is a little unclear given that he clearly couldn't physically go into work for all of them), earning "several hundred thousand dollars a year," and only paying the Chinese consulting firm "about fifty grand annually." At the unnamed company, he apparently received excellent performance reviews for the last several years in a row, even being hailed the best developer in the building: his code was clean, well-written, and submitted in a timely fashion. Folks, you can't make this stuff up.

Here are the rest of the crazy details, which Verizon says it released because although this wasn't a large-scale data breach that made headlines, the case had a unique attack vector.

Apparently the scheme was discovered accidentally. Verizon received a request from the US company asking for help in understanding anomalous activity it was witnessing in its VPN logs: an open and active connection from Shenyang, China. This was alarming because the company had implemented two-factor authentication for these VPN connections, the second factor being a rotating token RSA key fob. Yet somehow, although the developer whose credentials were being used was sitting at his desk staring into his monitor, the logs showed he was logged in from China.

This unnamed company initially suspected some kind of unknown (0-day) malware that was able to initiate VPN connections from Bob's desktop workstation via external proxy, route that VPN traffic to China, and then back. When Verizon investigated, it eventually noticed that the VPN connection from Shenyang was at least six months old, which is how far back the VPN logs went, and it occurred almost daily and occasionally spanned the entire workday. Unable to explain how an intruder could have possibly been accessing the company's internal system on such a frequent basis, Verizon decided to look more closely at Bob, since it was his credentials that were being used.
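The three signals the paragraphs above describe (a VPN session from a country the account never works from, the same account showing on-site activity while that foreign session is open, and the pattern recurring almost daily and spanning whole workdays for as far back as the logs reach) are each cheap to check once VPN session records and workstation logon events sit side by side. The following script is an added example, not code from Verizon or from the article; the log format, the `EXPECTED_COUNTRY` table and the sample records are all constructed for illustration and are not real logs.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample VPN session records (not real logs):
# start, end, user, source IP, GeoIP country code.
VPN_LOG = """\
2012-06-04T08:55:00,2012-06-04T17:02:00,bob,203.0.113.17,CN
2012-06-04T09:10:00,2012-06-04T12:30:00,alice,198.51.100.5,US
2012-06-05T08:57:00,2012-06-05T16:58:00,bob,203.0.113.17,CN
2012-06-05T09:03:00,2012-06-05T17:05:00,alice,198.51.100.5,US
2012-06-06T08:58:00,2012-06-06T17:01:00,bob,203.0.113.17,CN
2012-06-07T09:00:00,2012-06-07T17:00:00,bob,203.0.113.17,CN
2012-06-08T21:00:00,2012-06-08T21:20:00,alice,203.0.113.99,CN
"""

# Constructed on-site activity (workstation logons) for the same users: timestamp, user, kind.
LOCAL_LOG = """\
2012-06-04T08:58:00,bob,workstation_logon
2012-06-05T09:01:00,bob,workstation_logon
2012-06-06T09:00:00,bob,workstation_logon
2012-06-07T09:02:00,bob,workstation_logon
2012-06-04T09:05:00,alice,workstation_logon
"""

# Assumed per-account baseline: the countries each account is expected to connect from.
EXPECTED_COUNTRY = {"bob": {"US"}, "alice": {"US"}}


@dataclass(frozen=True)
class Session:
    start: datetime
    end: datetime
    user: str
    src_ip: str
    country: str

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def parse_vpn(text: str) -> list[Session]:
    """Parse the constructed CSV session format into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, user, ip, cc = line.split(",")
        sessions.append(Session(datetime.fromisoformat(start), datetime.fromisoformat(end), user, ip, cc))
    return sessions


def parse_local(text: str) -> dict[str, list[datetime]]:
    """Map each user to the timestamps of their on-site logon events."""
    events: dict[str, list[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _kind = line.split(",")
        events[user].append(datetime.fromisoformat(ts))
    return events


def foreign_sessions(sessions: list[Session], expected: dict[str, set[str]]) -> list[Session]:
    """Rule 1: the source country is not one this account is expected to use."""
    return [s for s in sessions if s.country not in expected.get(s.user, set())]


def concurrent_with_local(sessions: list[Session], local: dict[str, list[datetime]]) -> list[Session]:
    """Rule 2: the account logged on at a desk while a foreign VPN session was open.
    Shared credentials (or a second factor handed to someone else) look exactly like this;
    a single traveller cannot be in both places at once."""
    return [s for s in sessions if any(s.start <= t <= s.end for t in local.get(s.user, []))]


def persistence(sessions: list[Session], workday: timedelta = timedelta(hours=7)) -> dict[str, dict[str, int]]:
    """Rule 3: per user, how many distinct days the pattern recurs on and how many
    sessions span a full workday; a one-off is an incident, a daily pattern is a workflow."""
    by_user: dict[str, dict] = defaultdict(lambda: {"days": set(), "full_days": 0})
    for s in sessions:
        by_user[s.user]["days"].add(s.start.date())
        if s.duration >= workday:
            by_user[s.user]["full_days"] += 1
    return {u: {"days": len(r["days"]), "full_days": r["full_days"]} for u, r in by_user.items()}


def run_detection(vpn_text: str = VPN_LOG, local_text: str = LOCAL_LOG,
                  expected: dict[str, set[str]] = EXPECTED_COUNTRY) -> dict:
    sessions = parse_vpn(vpn_text)
    foreign = foreign_sessions(sessions, expected)
    return {
        "foreign": foreign,
        "concurrent": concurrent_with_local(foreign, parse_local(local_text)),
        "persistence": persistence(foreign),
    }


if __name__ == "__main__":
    result = run_detection()
    for s in result["concurrent"]:
        print(f"ALERT {s.user}: VPN from {s.country} ({s.src_ip}) {s.start}..{s.end} while on-site")
    print(result["persistence"])
```

Run on the sample data, rule 1 alone flags both bob and alice (alice has a single short evening session from CN, which may be travel); only rule 2 separates the two, because bob's account is logged on at a workstation every day while the Shenyang session is open, and rule 3 shows his pattern is four full workdays out of four. GeoIP is coarse and a proxy can hide the true origin, so the concurrency check is the one to rely on, and the lookback for rule 3 is bounded by log retention, which in the case above was six months.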
Here's how the case study described him: Employee profile – mid-40s software developer versed in C, C++, perl, java, Ruby, php, python, etc. Relatively long tenure with the company, family man, inoffensive and quiet. Someone you wouldn't look at twice in an elevator.

All it took was a look at a forensic image of Bob's desktop workstation to discover hundreds of PDF invoices from a Chinese consulting firm in Shenyang. How did he get around the security requirements?