They cite LinkedIn profiles with 25 connections as easy telltale signs. Well, I've got news for you: hacked LinkedIn profiles. Happened to a colleague of mine. Profile with more than a thousand genuine, reputable connections got hacked. Picture and name got changed to something East Asian sounding/looking. CV got changed to US defense contracting. Luckily this tripped some automatic account lockdown; otherwise it might well have gone undiscovered for a while. Few people will remember every single LinkedIn connection; there's no notification of name change in messages etc. Quite likely this profile was sold to North Korean fake IT workers.
9cb14c1ec0 18 days ago [-]
Also, many people like me don't even have LinkedIn profiles. The "pick up your work computer in person" idea sounds like a much more reliable method to me.
Roark66 18 days ago [-]
Yeah, pick up your computer in person will not work if you live 2d travel away. If my remote job told me to pick up the computer in person after 8h of interviews and tests I'd be seriously pissed off. If they advertised it in the beginning I'd not have applied.
In my country (Poland) courier companies offer this service of "id checking and contract signing". You can have a courier deliver a contract, check the recipient's photo ID and confirm their identity, have the person sign the contract, return it and the courier takes it back.
If there is no such service available there is only one way to prevent this from happening: proper screening of candidates. In my 20+ years of working for Fortune 500 companies in positions not far from the top, only one (a Japanese one) actually screened my educational background and called my references and past employers to verify.
If employers worry they will lose some really good candidates that have no documentable background, ask them to do some other security check. Do a video call from the main street of their home town. Or some other thing randomly selected from a set of 5. If the role is really important, hire someone to visit the remote worker in their home and deliver that laptop in person. But don't expect them to travel to pick it up.
pllbnk 17 days ago [-]
Sounds reasonable to me that the companies that hire to work remotely would like to have some live meet-ups once in a while. For the most part I wouldn't see a problem traveling to an employer's office for a week or so to start.
fhd2 17 days ago [-]
For working parents, it's pretty tricky. I ran a few remote organisations, and while there were usually decision makers that wanted mandatory meetups, I always tried to make it as optional as possible, and to eliminate the need for those where feasible.
In the age of vibe coding and North Korean fake workers, I'd probably go another way though. Trusting your remote workers used to be easier from my perspective.
Roark66 17 days ago [-]
You know the saying "trust but verify" :-) As mentioned before I think we need robust verification in place for things like new hire identity, but you mentioned an additional thing "vibe coding". The most obvious response to this is to have merge checks that run a bunch of tests on important stuff, and peer review.
My current place of work has rolled out both copilot and gemini coding assistants to everyone and so far I've not seen the expected flood of lower quality code or code clearly written by AI and not even being understood by the submitter. We're talking ~80 devs in 3 timezones just in my project. This is very encouraging.
Roark66 17 days ago [-]
Unless like me you live 8h travel by road away, and there are no reasonable flights, to the nearest office.
I made a decision long ago. Either a job is remote (I apply), in which case it has to really be remote. Or it is hybrid (I don't apply). If there is a day in a week/month/year that you're required to visit, it is no longer 100% remote. This especially applies if it requires international travel, doubly so to certain places that make such travel even a bigger hassle than it needs to be (I didn't think the US would be on this list in my lifetime, but here we are).
Perhaps I'm just annoyed it is very common in this job market (at least when I looked last, ~2 years ago) to advertise 100% remote jobs, have 3 interviews during which you're assured "yes, 100% remote", and then either get a contract that has provisions allowing for it to be revoked, or even be told verbally, or not even be told, but pressured as time goes by: no, actually you're expected to visit. I had a client like this once. Otherwise a good job. The manager of my team constantly got a lot of crap that his people are "never in", despite the company hiring the whole team as remote.
There are plenty of people in business that would love that whole remote thing to disappear. It starts with "come to the office once a month for a night out, we'll pay for your hotel", then it's just "come to the office once a month", then it's 2 weeks, 1 week, then it's 3 days a week, and then it's just Friday you work from home, but no one actually works on that day, but you, so you're blocked on most of what you do.
Who are these people? Managers that never learned how to manage remote teams, HR that worries their dept will be cut down, branch/country directors that can't show the visiting "leadership" an office buzzing with activity, and that guy who decided it's a good idea to buy a huge office building in the city centre a month before covid started (I've already worked fully remote for 3 years before covid started, but it was just me and another guy in a team of 9, now it is much better when the entire team is remote, there is no "us and them").
Sorry, just as Luddites wanted to go to the power of muscle from the power of steam, there is no going back. The advantages to everyone are too great. To the employee, I hope I don't have to explain; to the employer, lower cost and a much bigger hiring market; to the entire world, there is less travel and entire generations of people not wasting 20% of their waking hours on travel...
raverbashing 18 days ago [-]
If I was in the US I'd be investing in "verification centers" right now
AbstractH24 17 days ago [-]
I think of the network of testing centers used for various certifications as a model and even something that could be repurposed.
If I recall, certain government jobs already need something like that you can get at the post office?
okdood64 17 days ago [-]
So notary publics?
red_admiral 18 days ago [-]
I'm guessing many people working in security don't have LinkedIn profiles. It's not like you want to advertise a stint in Fort Meade, and then a list of people someone might contact to get access to you, or pull some social engineering. Or advertise your TS/SCI in your profile.
There's more and more places where the less visible presence online you have, the more you're a good fit for the position.
saagarjha 18 days ago [-]
Perhaps I don't know the people who aren't advertising it but I see plenty of people advertising their time in natsec or their clearances
red_admiral 17 days ago [-]
> Perhaps I don't know the people who aren't advertising it
Not picking on you, but that's kind of a tautology :)
dmurray 17 days ago [-]
Surely North Korea could arrange people to do this, too. They already have people on the ground in the US e.g. to open bank accounts, and they only need this for candidates that actually get the job, not every interview.
You might say the people who interviewed the candidate should be there when he picks up his laptop. But this is already an extremely remote-friendly company, the interviewers might never be in the office. He's going to pick it up from the IT department in the basement and at best they will take a photograph of his face.
abrookewood 18 days ago [-]
But it is so late in the process to catch them - hours wasted by so many people.
miffy900 18 days ago [-]
True, but at that point it's still not too late to prevent paying money that will ultimately end up in the NK government hands.
asteroidburger 18 days ago [-]
If it was the norm, the fake worker problem would go away, and the hours would not be wasted.
smohare 18 days ago [-]
[dead]
Maxious 18 days ago [-]
Jeff Geerling recently discussed being contacted by the FBI to learn more about minature KVMs, one of the devices North Korean fake IT workers use to appear to be coming from other countries https://www.youtube.com/watch?v=Lc2hB2AwHso
geerlingguy 18 days ago [-]
In this case, the KVMs are plugged into multiple laptops being run in people's basement/spare bedroom, it seems. Someone will earn a set amount per laptop per month to accept a company-supplied laptop (from a US company), then plug in one of these little KVMs to give a remote worker access without as much ease of detection.
nradov 18 days ago [-]
The Wall Street Journal had an article about the people running these North Korean laptop farms.
> “I live in a travel trailer. I don’t have running water; I don’t have a working bathroom. And now I don’t have heat,” she said. “I’m really scared. I don’t know what to do.”
When people have no solutions for basic problems they become the problem.
moffkalast 18 days ago [-]
So the main difference over more typical remote desktop methods is that it pretends to be a physical display and keyboard to fool the PC it's remoting into if it's overly locked down?
Feels like there's otherwise a hundred different ways to already do remote control without any extra hardware.
bjackman 18 days ago [-]
All the alternatives have a risk of setting off D&R tripwires. Assuming these things can spoof their device IDs so they look like a Logitech keyboard etc, I think the cost of the hardware setup is gonna easily pay for itself in terms of harder detection.
InfiniteLoup 18 days ago [-]
What does "D&R" stand for in this context?
mango7283 17 days ago [-]
Detection and response - basically any remote access software usage is very likely to trigger an alert to the IT security team, either from the antivirus or EDR (endpoint detection and response, the most famous is CrowdStrike)
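As an added illustration of the detection-and-response point above (example code, not from this thread or from any EDR vendor), a toy process-start rule in Python that scans constructed endpoint telemetry for well-known remote-access tool binaries. The log format, host and user names, and the watch list are all assumptions made for the example; a real EDR matches on far more than a file name.

```python
import re
from dataclasses import dataclass

# Assumed, illustrative watch list of remote-access tool binaries.
# A real EDR uses hashes, signers and behaviour, not just names.
REMOTE_ACCESS_BINARIES = {
    "anydesk.exe",
    "teamviewer.exe",
    "rustdesk.exe",
    "vncserver.exe",
    "remoting_host.exe",  # Chrome Remote Desktop host
}

# Constructed log format: "<timestamp> <host> <user> ProcessStart image=<path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) ProcessStart image=(?P<image>.+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    binary: str
    image: str


def basename(path: str) -> str:
    """Return the lowercase file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def detect_remote_access(lines) -> list:
    """Flag every process-start event whose binary is on the watch list.

    Lines that do not parse, or are a different event type, are skipped.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        binary = basename(m["image"])
        if binary in REMOTE_ACCESS_BINARIES:
            alerts.append(Alert(m["ts"], m["host"], m["user"], binary, m["image"]))
    return alerts


# Constructed sample telemetry (not real logs); the hostname and paths are made up.
SAMPLE_LOG = r"""
2024-01-02T09:00:01Z LAPTOP-01 jdoe ProcessStart image=C:\Windows\System32\svchost.exe
2024-01-02T09:00:05Z LAPTOP-01 jdoe ProcessStart image=C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe
2024-01-02T09:01:00Z LAPTOP-01 jdoe ProcessStart image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
2024-01-02T09:02:30Z LAPTOP-01 jdoe ProcessStart image=C:\Tools\rustdesk.exe
2024-01-02T09:03:00Z LAPTOP-01 jdoe NetworkConnect dst=203.0.113.10:443
""".strip().splitlines()


if __name__ == "__main__":
    for a in detect_remote_access(SAMPLE_LOG):
        print(f"ALERT {a.ts} {a.host} {a.user} started {a.binary} ({a.image})")
```

Run as-is it raises two alerts (AnyDesk and RustDesk) and ignores the normal system, Office and network events. The rule also shows why the thread's hardware KVM is the harder case for a defender: a device that presents itself as a keyboard and display never starts a process on the endpoint, so telemetry like this has nothing to match on.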
moffkalast 17 days ago [-]
The most infamous at this point one could say.
mango7283 17 days ago [-]
Either way you've heard of them :)
nightfly 18 days ago [-]
> Feels like there's otherwise a hundred different ways to already do remote control without any extra hardware
This way the worker doesn't have to know 100 different ways to remote into the machine, just one
Quitschquat 18 days ago [-]
> amount per laptop per month
Curious what typical rates would be.
snickerbockers 18 days ago [-]
So I must be really dumb here but what exactly does the kvm do? It's just stated that it has an Ethernet port and an HDMI and therefore can remote control a computer? And he said the North Koreans are putting them on people's computers as if North Koreans breaking into people's apartments is a common occurrence we've all experienced? And why did the FBI contact him about this?
There's obviously some context I'm missing here, I always thought KVM was the Linux kernel virtualization system...
krisoft 18 days ago [-]
> what exactly does the kvm do?
In this context the abbreviation stands for “keyboard, video, and mouse”. These are hardware devices you physically connect to a computer and then you can remotely see the computer’s screen and input keyboard and mouse inputs to it via the network.
> It's just stated that it has an Ethernet port and an HDMI and therefore can remote control a computer?
Yes. That is the purpose of a KVM device.
> he said the North Koreans are putting them on people's computers
What is described here is a scam perpetrated by the North Korean state to gain funds despite economic sanctions trying to prevent it from doing so.
The scheme involves someone pretending to be a legitimate remote worker working from a legitimate location, but in reality they are performing the work from North Korea. The person working the remote IT job in North Korea gets a pittance, while the state pockets the larger part of the money paid to them.
As part of the scheme the remote worker gets a laptop from their western employer. Corporate IT installs all kind of security measures on the laptop, but also grants it means to access internal resources. The scammer can’t ship the laptop to North Korea and use it directly because if that gets detected they will be found out and fired. They also can’t install software based remote access tools because corporate IT might detect those too. So they use a KVM to remotely use the laptop from North Korea and stay on the job as long as they can.
> as if North Koreans breaking into people's apartments is a common occurrence
The scheme does not involve North Koreans breaking into apartments.
> And why did the FBI contact him about this?
Who knows. Jeff seems to have described how to use a particular cheap KVM in the past. Likely this KVM device is used by the scammers. Maybe he has connections to the KVM's manufacturer? Maybe the FBI thought he does?
> I always thought kvm was the Linux kennel virtualization system...
Same abbreviation, but different thing.
Thorrez 18 days ago [-]
KVM in this context stands for keyboard, video, mouse. There are multiple types of these KVMs, and the ones discussed here are remote KVMs.
It sounds like the North Koreans pay 1 person in the US to have a ton of laptops with KVMs attached to them, and those laptops are remotely used by North Koreans.
Not to be confused with Kernel-based Virtual Machine (also called KVM).
It seems they don’t break into someone’s apartment but instead pay someone to stick a KVM-connected laptop somewhere in the apartment.
ianpurton 18 days ago [-]
I imagine they mean a remote KVM. So you remote into a PC sitting in a basement in someone's house in the US. You then make all your outgoing internet traffic from that setup and your IP address would look legit.
AbstractH24 17 days ago [-]
It's not just North Koreans using them. It's also everyday US citizens who want to be digital nomads.
But if you had a farm of them and one guy maintaining them, rather than sticking it in your parents basement with nobody to maintain it, that might be something different.
belter 18 days ago [-]
Something is amiss here...Developers make hundreds of applications to even get a reply much less an interview...While apparently, barely English literate North Korean IT workers are getting all the jobs :-) Time to praise the Supreme Leader on LinkedIn ?
wisty 18 days ago [-]
People are single but romance scams exist.
Scammers are good at the scam. They are good at telling the right lies, they often work in teams (lead finders, closers, and everything in between), use automation where appropriate, etc.
A single dev might have trouble cracking the lead finding code, the resume code, the interview code, etc. while avoiding telling any lies that will get them fired 3 weeks into the job. But a team who all treat the application process as a full time job? It's a lot easier.
Also when a dev gets good at finding a job, they stop looking. Scammers get good at it and then keep getting better.
ryandrake 18 days ago [-]
Maybe these North Korean scammers could make good money by selling their job application tips and tricks to actual talented out of work engineers. They seem to not be struggling to get these jobs, unlike actual developers who are struggling.
krisoft 18 days ago [-]
Very likely the jobs these North Koreans are getting would not be considered a good job by the devs struggling to find one. As a starter, when you plan to phone it in from North Korea you can accept a salary which would not be liveable for a local and still make it worth it for you.
sfryxell 18 days ago [-]
I have gotten multiple emails from wonky email addresses offering to have me interview for jobs, and they will take care of the work if I get hired. Fake names, tons of money for me. I just have to nail the interview.
My resume is shiny enough and I've gotten hired enough times that I'm a good candidate for this kind of scam.
This feels like a very ham-fisted approach for them though. 99% of engineers are going to ignore or not take seriously these kinds of out of the blue offers.
lazide 18 days ago [-]
1% will be plenty in the current market, eh?
Aurornis 18 days ago [-]
These people aren’t constrained by the bounds of reality. They’re applying with claims of having attended Harvard and then worked at Meta and now they’re applying to your company.
Their resume goes in front of yours in line.
esafak 18 days ago [-]
I would not say they are getting the jobs but they are getting interviews.
sva_ 18 days ago [-]
They probably use many identities
asdf6969 18 days ago [-]
[flagged]
heraldgeezer 18 days ago [-]
[flagged]
mkl95 18 days ago [-]
> As US-based companies become more aware of the fake IT worker problem, the job seekers are increasingly targeting European employers, too.
All the US companies I've worked for made sure I was legit before I could log into anything, so I assume background checks to be ubiquitous there, save for the cheapest companies. European employers on the other hand...
const_cast 18 days ago [-]
The thing I don't like is that US companies take it too far, to the point they're violating my privacy and making me uncomfortable.
Why do you need to do a hard credit check before you give me an offer? Why do you need to know exactly how much I owe on my credit cards, car, house, how much I'm paying per month, and how much I've made at every job for the past 7 years?
That feels... excessive. And weird. And kind of unfair. Now you know my paycheck, and the paycheck before that, and how desperate I am. Well, there goes negotiations.
red_admiral 18 days ago [-]
It feels like you're going through some kind of security clearance.
To be honest, getting insight and access to a major company's networks and maybe customer data is perhaps the same kind of risk to the company as it is for the government to give someone access to (top) secret files. It might not be so much a negotiating tactic as awareness that more sophisticated spies and criminals than the ones in the OP article are targeting your company.
asteroidburger 18 days ago [-]
Who's doing a hard credit pull at all, especially before salary's negotiated and the offer's extended?
const_cast 17 days ago [-]
It's a thing, but I'm not in the business of naming names. IMO we should just nip this in the bud and make it illegal.
AndyMcConachie 17 days ago [-]
> That feels... excessive. And weird. And kind of unfair. Now you know my paycheck, and the paycheck before that, and how desperate I am. Well, there goes negotiations.
I think that's partly the point.
aleph_minus_one 18 days ago [-]
> European employers on the other hand...
Many European employers
- don't or rarely offer remote jobs, so they often don't have this problem.
- even if they do some video or phone interview for pre-screening, they nearly always expect the prospective employee to come to a live interview if they are not weeded out by this pre-screening. It is thus expected that you at least live in a country from where you can easily travel to the place where the employer is located.
- often expect their employees to be able to speak the national language, or at least learn it fast. This also makes times hard for North Korean fake IT workers.
stevekemp 18 days ago [-]
I live in Finland, and while it is not universal it is extremely common for IT-companies to have a working-language of English.
The country is small and hires both immigrants, and people who specifically relocate to start working at the English-only companies, as well as local candidates.
Learning Finnish will obviously make your life easier, in many many ways, but companies themselves do not seem to expect or require it.
jjani 18 days ago [-]
I've heard this before about Finland and found it really interesting as to my knowledge English isn't particularly more societally prevalent in Finland than in nearby countries such as Sweden, Denmark or the Netherlands. Any idea if it's as common in those countries as well? By the sounds of it in Finland there's more IT companies operating in English than in Finnish.
_delirium 18 days ago [-]
It’s definitely common in Denmark, enough that it’s a perennial national debate. Maersk is a huge employer that officially made their corporate language English something like 20 years ago, which spawned discussions about whether you should need to speak a foreign language to get a job in your own country. In practice the answer is yes, for some sectors.
I worked for years in an English-language work environment in Denmark (I am not Danish), and learned maybe a handful of phrases of spoken Danish the entire time. I was expected to be able to read the occasional email in Danish, but 1) written Danish is not hard in comparison, and 2) even years ago Google Translate was good enough.
It would have been nice from a social perspective to have known more spoken Danish, but my employer didn’t really care, and it isn’t easy to learn if you don’t have strong local connections. Danes will just immediately switch to English by default, and even if you ask them to continue in Danish, you need a decent level of Danish pronunciation to make yourself understood, which is not trivial to get to.
AndyMcConachie 17 days ago [-]
In The Netherlands I think it's pretty rare to require Dutch in IT related jobs. I know of one software company that recently initiated a policy of only hiring Dutch speakers and I suspect it will really hurt their hiring going forward. When they initiated the policy they also retroactively exempted all the great developers that already worked there who could not speak Dutch.
rcruzeiro 18 days ago [-]
I’ve never had this experience. Never once was I flown in for an interview and, in two of the previous companies I’ve worked for, I did not speak the language.
aleph_minus_one 18 days ago [-]
This is at least the experience that I (and many people who I know) had.
> I did not speak the language
As I implied: if you are really talented, you don't have to speak the native language yet, but it is expected that you learn it fast.
rcruzeiro 18 days ago [-]
Maybe I was lucky there (or unlucky depending on the point of view). I’ve even worked for years for a French company without learning French.
eythian 17 days ago [-]
I wouldn't say that's generally true, at least in NL the work language in IT is often, probably almost always, English. I know people who have worked here for ~10 years who barely speak any Dutch.
Aurornis 18 days ago [-]
I’ve seen reports from people who were contacted by companies asking to use their identity for jobs. The deal was that the company used their likeness and identity to secure the job, but they would do all of the work and split the paycheck with them.
There are a million reasons why this is a bad idea, but I’m sure they don’t have trouble finding people excited to collect free paychecks.
SV_BubbleTime 18 days ago [-]
We got catfished by an outsourcer on Upwork.
Great interview, good questions, really solid candidate.
His first day on the job, his English went to shit.
Then he refused to pick up the phone or call me back. Lame excuses about how it’s loud there, then he lost his voice, then scheduled a call with the real “Jeff” the American who couldn’t answer anything about what we had discussed an hour earlier.
Reported to Upwork but I sort of doubt they did much about it.
dawnerd 18 days ago [-]
Video calls are super important, as is asking questions that wouldn’t be normal interview questions. It helps to have candidates walk through and explain code they haven’t seen, to reduce any prep work that may have happened. I’ve got a few questions I ask that no one is preparing for. I’ve interviewed a couple of people that seemed kinda sus, maybe not working as someone else, but definitely lied about their capabilities yet somehow passed the coding test. This was before LLMs ruined everything too.
SV_BubbleTime 17 days ago [-]
We had a video call. He did great.
It was day 1 on Slack that the issue was immediately apparent.
roywashere 18 days ago [-]
I also got contacted via LinkedIn by a “normal” profile of a Dutch guy with normal connections, that was even connected to people I know, offering me the same. I politely suggested it’s not a great idea and declined
aitchnyu 18 days ago [-]
In Indian dev groups, we get ads for "job support" and "interview support" for recruiting people into frauds.
superb_dev 18 days ago [-]
I was once contacted on LinkedIn by an individual asking to use my identity to work in the US
nerdix 18 days ago [-]
The background checks don't always work because they typically use stolen identities or use the identities of Americans that they've paid. They basically have to in order to pass I-9 verification.
There are also different levels of background checks. For instance, previous employment verification can be time consuming, so some companies skip it. Checking references isn't useful because they can be faked (you have to run background checks with employment verification on the references to make sure they are who they say they are).
cute_boi 18 days ago [-]
Yes, it generally doesn't work. That's why you will find many F1 students with 8 years of experience.....
stef25 18 days ago [-]
Where I am in Europe you couldn't even get a (legal!) job in a bar without showing proper ID, and having your identification (id card number) checked and be present in the contract.
The fact that "fake people" can be employed for high level IT companies in the US is just unfathomable to me.
Spooky23 18 days ago [-]
That’s only one of the scams. You pass background checks if you’re new to the US. It’s a fairly common grift to place contract programmers at big companies with fake degrees and experience, who then send the work back to Asia to be done overnight. It’s easier now with ChatGPT - you can send photos of screens and instantly extract the text.
You also have people who outsource themselves. That’s one of the ways that the people who work multiple jobs pull it off.
chii 18 days ago [-]
> You also have people who outsource themselves. That’s one of the ways that the people who work multiple jobs pull it off.
that's not a scam - that's the new work smarter, not harder method of earning money.
conradev 18 days ago [-]
I can’t find the tweet but apparently you can also filter these folks out by asking them to criticize Kim Jong Un
acdha 18 days ago [-]
I’d be shocked if that was still true after the first time someone tried it. If you’re running an undercover operation, you’re going to give your agents backing to say whatever they need to say to maintain their cover.
ipnon 18 days ago [-]
It's very naive to think you can win against any state-level advanced persistent threat.
acdha 17 days ago [-]
That’s why it’s important to remember that not all state-level attacks are created equal. Intelligence agencies can create fake personas at varying levels of cost and realism, but if North Korea is doing that for revenue they’re not going to spend the same kind of resources they would trying to get, say, nuclear weapons data.
The situation here is significantly asymmetric: the attacker has to do a lot of work to build a realistic persona but the defense can make that much harder with a few basic checks. It’s been cost-effective in the past because companies were skimping on their hiring and internal security, similar to how the identity theft crisis was mostly a crisis in companies doing due diligence.
nradov 18 days ago [-]
It's not naive at all. Most of these threats can be thwarted by simply following basic business and security best practices. Many hiring managers are lazy and incompetent, and don't even do the bare minimum.
ghssds 18 days ago [-]
If someone asked me to criticize KJU, that would be the end of the conversation. I criticize people on my own or not at all. I suppose I would become a false positive.
brookst 18 days ago [-]
Even with the context of knowing the fake worker problem?
If so, I suppose that’s another good reason to ask the question. It filters out both North Korean fakes and people who are going to be doctrinaire about small things.
LtWorf 17 days ago [-]
Companies ask a lot of weird questions instead of asking what they really want to know: "will you join a union?"
freeopinion 18 days ago [-]
I think I would encourage companies that are experiencing problems with unwittingly hiring fake employees (North Korean or otherwise) to ask such bizarre questions. Or they could just flat out state that they have been having such problems and will therefore be implementing schemes to detect fake employees.
I would very much appreciate that. I think it would be grand if they could even put that in the job posting right up front. It would help me cross that company off the list of places I would be willing to work. I personally don't want to work at a place that cannot tell whether I am real or fake.
kome 18 days ago [-]
Perhaps a better solution would be to ask an opinion about KJU... not to "criticize" him. This feels pretty dystopic indeed, like 15m of hate...
ryandrake 18 days ago [-]
If a company asked me anything about the leader of North Korea during an interview for a tech job, I would conclude that they were not a serious company.
What I think about any country leader is totally irrelevant to tech work. So the company is either 1. Wasting my time with a totally irrelevant question or 2. Their hiring process is so vulnerable, they can’t even tell if a candidate is fake. Neither of those would make me particularly excited about that company.
collingreen 18 days ago [-]
It was 2 min of hate ;) and this clearly isn't the same as trying to rile people up; it's a thin attempt to get people to self report if they are lying with some sort of higher level "gotcha".
Feels like the story about disconnecting Chinese gamers from matches automatically by typing "tiananmen square", or the story of the Battle of Siffin with one side putting pages of the Quran on their spears in hopes the enemy wouldn't fight that way. Unclear how accurate the stories are or how effective it may have been, but kind of interesting at least.
jfengel 18 days ago [-]
> It was 2 min of hate
Inflation.
collingreen 18 days ago [-]
Lol the ever increasing cost of living gets you in places you don't always expect!
pmarreck 18 days ago [-]
Sounds just like something a North Korean would say
JumpCrisscross 18 days ago [-]
Honestly, sounds like a red flag if even a legitimate applicant is unwilling to voice an opinion on the Kim regime.
snickerbockers 18 days ago [-]
Please do not foster this concept that I have a responsibility to proactively criticize every fascist regime of the past century in order to dispel implicit notions that I am "supporting" them in vague undefined ways.
JumpCrisscross 18 days ago [-]
To be basically informed about, yes. An educated person should probably have a view about broad topics like North Korea, and whether Pyongyang is more worthy of criticism than praise. And I don’t want to work with someone who is open to the morality of the Kim regime.
bigDinosaur 17 days ago [-]
It isn't your place to know the political sympathies of everyone, nor is it your place to decide what constitutes 'support' about every possible issue. It is simply not viable to do this if you want to work together with large, diverse groups of people. There are people with objectionable but private views in the world and in the workplace, deal with it. This is entirely separate from people's public views.
AStonesThrow 18 days ago [-]
[dead]
jfengel 18 days ago [-]
I don't consider myself to know enough to criticize.
Of course what little I do know is all negative. But I've paid only limited attention, and I get nothing from primary sources.
I expect the same from practically everyone -- perhaps excepting South Koreans who at least speak the language. I'd consider it good judgment to say that you just can't meaningfully answer the question.
I'd read a statement you hand me, if you thought that would suffice. But I'll admit I'd consider that weird and likely useless.
smohare 18 days ago [-]
If you know so little about a major, long term authoritarian dictatorship, consider this evidence you need to educate yourself.
wltr 18 days ago [-]
This was dead because?
bigstrat2003 18 days ago [-]
Because "educate yourself" is quite possibly the most annoying, low effort thing you can say to someone whom you think should know something that they don't. Either share the information with them or don't engage at all; there's no need to be a dick about it.
ghssds 18 days ago [-]
Because it was a low-effort, uselessly snarky answer to a valid opinion.
SV_BubbleTime 18 days ago [-]
Especially when the reality is everyone “knows” so much that isn’t true or that is true but they could never personally confirm it.
I am not 100% sure that North Korea exists. I’m pretty sure, but I can’t KNOW it without going there.
So while dictators are bad, the Kims are probably bad, sorry if I don’t go off the deep end repeating everything that someone else taught me.
wltr 17 days ago [-]
[flagged]
jfengel 17 days ago [-]
You're right; there are limits to that excuse.
In the case of North Korea, my excuse is "I haven't put the time into it because it's a small country on the other end of the earth -- nuclear armed, but without effective delivery devices and massively outgunned. I wasn't prepared to give a lot more detail in the context of an interview that isn't about geopolitics. If you want me to research I can."
wltr 17 days ago [-]
Look, that’s better than pretending there’s nothing wrong with North Korea because you weren’t there personally and hence cannot talk about the matter.
bigDinosaur 18 days ago [-]
I would find that question extremely weird in a job interview for a normal job, and I have no problem saying that the Kim regime is one of the most horrible regimes ever.
raverbashing 18 days ago [-]
100%
It's not a false positive. It's a true positive
If the person is so obnoxious as to not be able to give such a silly statement, imagine how they would be fun in your team
pmarreck 13 days ago [-]
Most AIs would have a light but informed opinion on the Kim regime. Here's ChatGPT's:
Without context it seems like a weird trick question, like phishing tests and most corporate training.
LtWorf 17 days ago [-]
I can ask people to criticize trump before hiring them?
codedokode 18 days ago [-]
Replace North Korean leader with Biden and Trump, how that sounds?
jfengel 18 days ago [-]
Pretty sure a huge number of Americans would happily curse both with the fire of a thousand suns.
blackoil 18 days ago [-]
On demand? Also will this trigger some discrimination law?
Spooky23 18 days ago [-]
You can legally discriminate on the basis of political views.
deathanatos 18 days ago [-]
(IANAL.) Whether that is legal depends on jurisdiction, in the US. CA has protections, for example.
CoffeeOnWrite 18 days ago [-]
In California?
yard2010 17 days ago [-]
It sounds like you are supporting those villains, justifying their atrocities.
FpUser 18 days ago [-]
I would never allow any potential client to ask me ANY political questions. Not because I like any political figure but because I am trying not to encourage fucking thought control. I hope we are not in Nazi Germany yet. It is just simply not their fucking business. On the other hand, if they offer me a million in cold hard cash just for that I would tell them anything they want to hear.
nothrabannosir 18 days ago [-]
> I would never…
> … if they offer me a million…
This is exactly like that famous joke! :D “Ma'am, I believe we’ve already established that. At this point, we’re just negotiating.”
FpUser 18 days ago [-]
You nailed it. If they want to pry into my private things they better pay for it ;)
nothrabannosir 18 days ago [-]
The punchline of the joke isn’t that it’s weird to put a price on X, but that it makes it rather hollow to start that same paragraph with four different variations of “I would never do X!”.
It’s kind of like an Abbott and Costello routine. I would never do that! How dare you suggest that. You’re a commie. The scum of the earth. I’m above that. Gimme five bucks I’ll do it right now.
FpUser 17 days ago [-]
There is a big difference between saying you're gonna do it and actually doing it.
qiqitori 18 days ago [-]
[flagged]
FpUser 17 days ago [-]
I disagree with all of them. Sleep well
wltr 18 days ago [-]
[flagged]
nerdix 18 days ago [-]
You'll likely have to be careful with profiling here. You'll probably need to have documentation/proof that you ask this question of all candidates regardless of race or immigration status. And yes, that means you'll need to ask it of people that clearly aren't North Korean (though that may be a good thing in general, as I'm sure the next step for the NK regime would be to pay people who are not Asian or who have American accents to do interviews if the practice became widespread)
waffleiron 18 days ago [-]
Maybe more likely that they just assume they are caught, or assume the likelihood of getting caught is higher when there is overt screening for North Koreans.
Similar to why email scammers don’t need good grammar: filter out difficult cases quickly and move on to easier ones.
Barrin92 18 days ago [-]
I don't really understand the logistics of this to be honest. From the article it doesn't sound like these people have false IDs, they just make fake LinkedIn profiles?
In a lot of countries, certainly here in Germany, your employer has to pay social security contributions and needs your insurance, healthcare information etc. In addition, if you're a foreigner, they need to know your legal status to see if you can even work. Like what do these scammed companies do, just wire money to some guy they interviewed on social media and ship company property to random addresses? Is that even legal in most places?
trinix912 18 days ago [-]
They presumably wire the money to a person operating in the US who sends a portion of that money to the NK employee. The US person is then the one in the company payroll files. At least that's my understanding.
ChrisMarshallNY 18 days ago [-]
We should definitely go after those folks, but it's not pleasant, as many of them may be having their own issues that add to the problem.
One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money. We have entire industries that sell narratives, rationalizing these compromises.
This is exacerbated by the current employment problems. They keep talking about how unemployment is down, but I think we all know folks that are un (or under-) employed, and the difficulties they are having, finding work.
Someone in that state is fertile ground for money- and job-laundering bad actors. It sucks to punish them, but that is what we need to do, to discourage the practice.
collingreen 18 days ago [-]
I agree but I don't actually feel bad about punishing people for committing fraud (as long as we punish all people fairly, etc).
> People will do almost anything, and compromise all their personal values, for money
I think this demonstrates what their ACTUAL values are, or at the very least the priority of those values.
t-3 18 days ago [-]
> One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money.
A US person without adequate cashflow is likely to not be able to have food, housing, clothing, medical care, etc. A lack of morals is not what causes people to do anything to make money, it's a lack of money in a capitalist society. Blaming people for systemic problems is incredibly regressive.
jfengel 18 days ago [-]
Quite a few people will have adequate food, housing, etc and still dispense with morals for money. Some studies suggest that having more money makes one more dishonest rather than less.
The problems are indeed systemic, but it's not just lack of money. The system is constructed around the love of money, such that too much is never enough.
scns 17 days ago [-]
> Some studies suggest that having more money makes one more dishonest rather than less.
What came first, money or dishonesty?
toast0 18 days ago [-]
My understanding is for a US employee, the employer is supposed to confirm eligibility to work in the first 3 days of employment. Some form of government id plus a social security card or a passport or something like that. IRS form I-9
Otoh, if these positions are independent contractors, form I-9 isn't required. Just a tax id for reporting purposes.
I would imagine whoever is hosting the laptops may be authorized to work in the US and could also be convinced to provide identity documentation. I think there's a lot of borrowing of documentation by immigrants/migrants who are not authorized to work in the US; so there's probably a marketplace somewhere too.
mathverse 18 days ago [-]
Because it's contractors. You are not an employer in that person's country.
sylens 18 days ago [-]
That’s part of what is being exposed here. The hiring process for many companies is not very robust. I doubt many even check references
acdha 18 days ago [-]
In three decades, I’ve had some call me to check a reference only twice for private sector jobs. The federal government actually does this as part of background checks so it works but you need to want to badly enough to pay real money.
The other problem is liability: companies often tell their employees not to give references for fear of being sued if the employee doesn’t work out, and most companies don’t expect useful information from them unless someone left in a way which has a public record like a court case. The federal checks don’t have that problem because not answering honestly is a crime. You’d need some kind of shield for honest statements for the private sector to really get accurate assessments, and that’s tricky to do in a way which allows the most useful opinions.
esafak 18 days ago [-]
They're targeting locales and companies with less stringent checks.
pllbnk 17 days ago [-]
I would really like to see one of these deepfake videos that managed to trick any competent interviewer into thinking it was real. I couldn't find anything like that on YouTube. Even in highly controlled environments the deepfake videos can be immediately recognized.
frontfor 17 days ago [-]
Here’s one example, although I don’t know if this is a North Korean.
I keep hearing about this and honestly I don’t get it. How does this continue to happen?
Here I am, a real human, decent person and a nice guy lol
yet I can’t find a good job.
What are these companies doing, how is this possible?
Aurornis 18 days ago [-]
They aren’t telling the truth when they apply. They’ll use stolen identities, fabricated backgrounds, fake reference checks, hacked LinkedIn profiles.
They are professionals at lying and interviewing. When it’s your job to get jobs and you’re doing it with organized support, you will find something.
They also don’t really care if the job is good or bad. They’re just farming any and all jobs they can get and hanging on to them until they’re pushed out. At many companies, that can take years.
edm0nd 18 days ago [-]
The Norks basically just steal a very qualified person's identity and info and then use that info to apply for jobs. So on paper, the job applicant looks pretty good but it's just all larping from the threat actors. For being such a hermit kingdom, they are very good at infiltrating large companies and stealing cryptocurrencies.
CyberMacGyver 18 days ago [-]
I am building a free service to counter exactly this problem.
This has been going on since 2018 at least and I have flagged thousands of such applicants.
tomrod 18 days ago [-]
Speak some more on this.
grej 18 days ago [-]
Yes please, I'm also interested in hearing more about what you're building CyberMacGyver
triceratops 18 days ago [-]
I'm curious why free?
giantg2 18 days ago [-]
The part that's really sad is that we have tons of out of work devs right now. This sort of thing only makes it harder for the legitimate people to get hired. An easy fix for this is for a place like Pearson to set up verified interview centers, which will allow for verified virtual interviews (on both sides of the table).
mjevans 18 days ago [-]
Another solution might be UNIONS that would have __membership verification__ including things like citizenship (which country(ies) are they a citizen of?), skills tests and training, etc.
Just like competition requires 5+ similarly sized entities for a healthy marketplace of companies, my informal opinion is that unions probably similarly shouldn't have overwhelming market share. However my feeling on contracts between unions and corporations is that the contract should be negotiated between multiple companies and multiple unions to produce the most level playing field possible.
jacob_a_dev 18 days ago [-]
At least in the US,
I like that software engineering doesn't require/encourage unions, contrary to other big industries.
As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
One great thing about being a dev in the US: you don't need a degree, you learn a lot, and you can apply and get a great job.
I've previously been in a union at a company and the experience did not encourage a competitive working environment. When layoffs came, junior employees got sacked before more senior union members (not necessarily the best technical staff, just because they had worked there a long time).
I have family/friends in unions (non software devs) that have had similar experiences to mine.
vitaflo 18 days ago [-]
Devs are the factory workers of today. You’re going to be sorry in 10 years when AI is fully mature and all the cheap talent overseas takes every US dev job just like it did to factory workers in the 90s and there’s no unions to even attempt to slow it.
codedokode 18 days ago [-]
And in an unlikely case that there were a union, US would lose competition to China and the union will be involuntarily disbanded.
hackable_sand 18 days ago [-]
Factory workers are the factory workers of today.
const_cast 18 days ago [-]
I believe what they mean is that software devs are the lowest of the low of the totem pole for making software. We, manually, put together the software. We're the lowest level part of the chain. In that way, we're the factory workers of software.
globular-toast 17 days ago [-]
I'm sorry you feel that way about software. I suppose if your bedrock is JavaScript or Python and you've been bashing out CRUD apps it might seem that way.
We've actually been automating away our job since the beginning of software. Compilers have been a thing for like 80 years now. We've had auto-complete, static analysis, automated testing tools etc. for decades. What about the poor assembly programmers? What about the people who were bit banging serial protocols for a living?
const_cast 17 days ago [-]
Yes, we have automated away most of our job, however we are still the bottom of the totem pole.
For example, Amazon warehouses are also mostly automated. Still, workers who move boxes around and scan barcodes are the bottom of the totem pole of the operation. They're the people manually making Amazon work. You can't get any lower, otherwise you'd become a machine.
> What about the poor assembly programmers? What about the people who were bit banging serial protocols for a living?
Those jobs are mostly obsolesced, so the totem pole has "moved up", but we're still at the bottom.
You have to ask the question, who is manually making the product and putting it together piece by piece? For factories, it's assembly line workers. For McDonald's, it's the burger flippers and the board worker. For software, it's us.
We have a misconception that since we are educated and relatively well-paid we are not like that. In terms of our business function, what we actually do for products and companies, our roles are of the same type. That's not a bad thing - this can serve as a gentle reminder to curb any delusions of grandeur.
hackable_sand 17 days ago [-]
I get it now.
Good luck then.
Can't say I have much sympathy for American devs after what they've done with the place.
giantg2 18 days ago [-]
"One great thing about being a dev in the US, u dont need a degree, learn a lot, can apply and get a great job."
And on the other side, you can have a degree and experience and still not get a job due to the wild criteria and games that get played in various interviews.
MangoToupe 18 days ago [-]
I've been working in the tech industry for about twenty years now, and I desperately want unions. Sticking your neck out alone sucks to begin with and only sucks harder the more time goes forward.
lc9er 18 days ago [-]
Same. Back when I first got into IT, I was surrounded by (similar) nerds whose self-esteem was defined by being the smartest person in the room. Compensation was often higher than other white-collar jobs, so they (we) were happy to overlook the long hours and non or poorly compensated on-call shifts.
Most IT work now, whether dev or admin side, is not rocket science. It’s mostly approachable work and no one should settle for being abused by employers for some outdated, ingrained, cultural baggage.
vanviegen 18 days ago [-]
Why unions? Why not just more protective labor laws? Why bet on some political organisation to protect you, instead of being able to take your employer to court yourself?
LtWorf 17 days ago [-]
labour laws don't happen by themselves…
Henchman21 18 days ago [-]
You trot out all the familiar retorts. None of this is a reason to not organize to better represent the interests of labor.
appreciatorBus 18 days ago [-]
A retort being familiar does not mean it isn't true or real.
Millions upon millions of people at every income level have experienced working in and around unions and not all of them came away with a positive experience.
fzeroracer 18 days ago [-]
Do these same criticisms also apply to corporations? I've worked for some absolutely shitty corps that have abused and taken advantage of their labor. Should we abolish corporations?
These criticisms of unions are always pulled out but then never equally applied to corporations.
vanviegen 18 days ago [-]
Corporations are providing people with jobs and clients with value (or they go out of business).
Unions, especially failing ones, don't inherently provide any net benefit to society. They may as well be engaged in little more than self-preservation and zero-sum games.
Therefore, I believe unions deserve a different type of scrutiny than corporations.
antonvs 18 days ago [-]
You can say the same thing about democratic governments, or capitalism, etc. etc.
By itself that's not a meaningful observation.
nothrabannosir 18 days ago [-]
It didn’t come by itself, it came in the wake of a comment that outlined a process whereby unions have a negative effect on new applicants in the job market.
The disagreement then was “I’ve heard that argument before.” - “ok that doesn’t make it wrong” <— that last sentence is what you’re replying to.
fsckboy 18 days ago [-]
>None of this is a reason to not organize to better represent the interests of labor.
Unions restrict the supply of labor and this results in (price increase) better wages for the union's members. However, overall the total dollar amount transferred from employers to labor goes down (employment decrease), so the "class" of all workers (employed and unemployed) see their per capita wages go down. And if that's not enough, the industry grows more slowly, so the problem only gets worse for everyone in the future (trickle down). This is the underlying reason for Europe's lower year-over-year economic growth compared to the US.
It's not a moral or ethical or even income distribution issue, it's just how markets operate.
LtWorf 17 days ago [-]
Surely you deserve a Nobel Prize for having solved economics where everyone else was just doing guesswork?
fsckboy 17 days ago [-]
I just took economics, this is what is taught at any school with a serious economics program. (it's non-serious, though still can be good, if calculus is not a prerequisite)
jacob_a_dev 3 days ago [-]
I also took a few econ classes in college, enjoyed it a lot.
Some other ramblings from me.
Management at companies generally doesn't want to unionize because it generally makes the company less nimble/competitive (it's obvious 99% of management doesn't want to pay more for labor so I don't feel the need to argue that). So yes, if you are lucky enough to be in the union when it gets created, your benefits/salary are negotiated, which is cool, less variability in your future, but you'll only get paid if your business manages to continue to out-compete competitors.
A union example of this I had was installing robots in factories (most of the factories were unionized) (to replace some transportation of goods inside giant factories). My team and I would work with factory management/engineers to come up with a plan to automate some process. Before trying to implement it, we would need to give our plans to a union rep for approval/feedback (who wasn't an engineer). So while that factory's competitors didn't have to wait for an additional approval, we would need to wait for a non-technical person's feedback to BEGIN a project; your competitor might be finished with the project before union approval was done.
Common story of the American factory. Company unionizes, slowly becomes less competitive, a while later goes out of business. This is why so many companies resist (legally) unionization, as in some industries it means certain death.
LtWorf 17 days ago [-]
The fact that economists disagree all the time is due to economics laws being just opinions.
acdha 18 days ago [-]
> As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
This is true in the same way that it’s true that all democracies turn into the majority oppressing everyone else, or get captured by oligarchs, or vote to raise taxes to fund social until the economy collapses, etc. – which is to say not at all. Unions CAN fail that way but it’s not a given. We shouldn’t give up on a useful tool because it can be failed, we should talk about how to keep it healthy.
For example, I’ve seen the no-degree route you talk about made easier by unions because it forced merit hiring rather than hiring more dudes with social ties from certain colleges. Again, that’s not guaranteed – you’d be forgiven for wondering if the Teamsters were a deep cover operation to discredit the concept of unions – but social institutions aren’t magic: they work to the extent that we make them work.
Spooky23 18 days ago [-]
That’s not how unions work.
They are fine, but struggle with remote work in general because fundamentally the leverage the union has is a monopoly on labor, which is compromised by a global labor force.
Aurornis 18 days ago [-]
These people are using stolen identities of real people in many cases.
Or they’re applying as international remote workers, where you wouldn’t expect them to be members of your country’s union anyway.
Widespread union membership with verifications wouldn’t solve anything.
Melatonic 18 days ago [-]
Exactly - it's too bad certain rich assholes back in the day squashed the unions forming for software devs and VFX workers
billy99k 18 days ago [-]
Why add more gatekeepers to the industry? It also doesn't really make sense for an IT worker to want to negotiate as a collective when individual salary and benefits are some of the best in the world.
A4ET8a8uTh0_v2 18 days ago [-]
The interview process in US is already insanely ridiculous, but this would only add an additional level of crazy to it. Honestly, licensing would be less bad by comparison.
ahepp 18 days ago [-]
Can you describe what you see as the insanely ridiculous interview process? Most of the interviews I have initiated are something like:
- 30 minute recruiter call
- 30-60 minute manager call
- 2x 60 minute leetcode easy/medium
- 1x 60 minute STAR behavioral
- 1x 60 minute systems design or maybe doubling up on a previous category
So for a total investment of what, 6 hours, I can go from a cold call to an offer of something like 150k-300k/y? And I'm not even playing in the FAANG ecosystem.
I'm not sure if we are experiencing different processes, or we have different opinions about what kind of time / reward tradeoff is reasonable.
snackbroken 18 days ago [-]
Everything except the 30-60 minute manager call is a waste of time and money for everyone involved.
You just need to ask a couple of open-ended questions about the candidate's preferred programming language and/or some technical details of a past project they've worked on to get an idea of whether they are reasonably competent or not. It shouldn't take more than 10-15 minutes to go through. The majority of the rest of the meeting can consist of the candidate asking you questions and/or chit-chatting to make sure the vibes aren't off.
What you are trying to judge is whether or not they can do the job, which you can really only tell once they are actually doing the job anyways. So you pay extra attention to what they do for the first couple of days/weeks after you've hired them and if it's obvious things are not going to work out you let them go. Most places have laws that are amenable to hiring someone on an initial trial period before stronger employee protections kick in.
In general, most of the pathologies of the hiring process can be solved by treating it as a satisfier problem instead of an optimizer problem.
ahepp 18 days ago [-]
There's a wide spectrum between "extremely efficient" and "insanely ridiculous". To keep it short, I think the incentives are pretty well aligned here. There's not much of an incentive for either party to waste our collective time.
I would be interested to explore a "quick hire, quick fire" philosophy, but I'm not sure it would lead to overall greater satisfaction. Employers don't like to fire people and employees don't like to be fired.
const_cast 18 days ago [-]
6 hours per application, plus another hundred hours of leetcode practice.
Because, let's be real, not a lot of us are writing leetcode-type solutions in our shitty web dev jobs where we center a div. So we need to practice, and more importantly, memorize. Companies don't want a solution, they don't even want a good solution, they want one particular solution. That requires memorization.
saagarjha 18 days ago [-]
Surely you are not getting through every round of interviews at these companies and suddenly failing on the last step.
guskel 18 days ago [-]
How many hours of interview prep did you include?
asdf6969 18 days ago [-]
The part where I have to rehearse solving ridiculous problems for a few weeks in my free time so I can perform them to the interviewer and then never use the skills again. It’s typically 2 medium/hard problems solved optimally in 20 minutes each with no errors if I want to beat the competition.
ahepp 18 days ago [-]
It can suck. I've definitely had some low points where I screw up an easy question and lost out on a place I wanted to work. I also understand that companies can't afford to make a bad hire often. My experience has been that interviewers are interested in the ability to recognize and fix mistakes, communicate about the problem, etc, and have had multiple occasions where I never even got around to filling out a couple pseudocode comments and still got passed.
asdf6969 18 days ago [-]
Have you interviewed since 2015?
deathanatos 18 days ago [-]
I don't think I've rehearsed for an interview ever. (And to your question in another thread, yes, I've interviewed since 2015. Multiple times, thanks to a layoff.)
> It’s typically 2 medium/hard problems solved optimally in 20 minutes each with no errors if I want to beat the competition.
I have also definitely made errors in interviews, and gotten hired. If I had to guess, it is a lot more about how you handle those. (To a degree. E.g., in one question, which was a coding challenge, I could solve it, but I was pretty sure my solution was not efficient. I voiced that, voiced why my gut was thinking it could probably be better, but I didn't ever get the full solution. In another one, I was just asked for past experience; I didn't think I had much to offer, voiced what I did have. I still to this day like the question, because it was a tough question, and the person who asked it really pressed me — in a good way, in that I could see that she took her own role/work seriously — on why I thought I was qualified.)
I've also had a call where me & the interviewer were definitely not connecting, at all. That wasn't going to work out, so nothing was lost?
As an interviewer,
> It’s typically 2 medium/hard problems solved optimally in 20 minutes each
… add 5 min for entry pleasantries and padding, 10 for questions for you at the end, and that's an hour, which is often all the time the recruiter schedules. And honestly, that's usually enough.
I don't ask hard problems. Easy ones sift out candidates. Where I ask coding questions, the first is almost always designed around "can the candidate write a for loop?" and the second is around basic datastructure comprehension. (Can you recognize situations that require a hashtable? a queue? and apply those to the problem.) Often a parsing question. Essentially CS 201, or easier, though I do not care if you know big-oh notation.
Most interviews I've been a part of fit that MO, and I've done interviewing with startups and with FAANG-sized companies.
> each with no errors if I want to beat the competition.
It's not about beating the competition. SWE hiring IME is never zero-sum. Two phenomenal candidates are two hires.
asdf6969 18 days ago [-]
Maybe you’re just smarter than me or you’re applying for different jobs. I don’t really care about your interview process. I just need a few months of practice so I can perform LC hards in 20 minutes to achieve my goals
mosdl 18 days ago [-]
Wouldn't the issue be that an interview center could take money to lie/etc? When I start a job I would have to go through I-9 verification - if that process is not good enough to weed out fakes, how would another verification work better?
cyberax 18 days ago [-]
> Wouldn't the issue be that an interview center could take money to lie/etc? When I start a job I would have to go through I-9 verification - if that process is not good enough to weed out fakes, how would another verification work better?
You just need to have a US citizen's SSN and birthday to beat the I-9 verification. And "beat" is a strong word. I-9 is just a form that the employer asks the employees to submit, there's no requirement for the employer to do anything with it.
So you can just say that your SSN is 555-55-5555 and your birthday is 01-01-2001 and you'll "pass" the verification. It'll be detected only when the employer submits the Form-944.
There's E-Verify that requires a picture ID and more information, but it's not mandatory.
mosdl 18 days ago [-]
I forgot e-verify is separate, seems like a better thing to mandate
smelendez 18 days ago [-]
Maybe.
You’d lose out on people who don’t live near an interview center and potentially have legal issues if people had disabilities that impacted their ability to travel to an interview center but not their ability to do the job.
Barbing 18 days ago [-]
Maybe everyone who is enthusiastic about traveling to an interview center could do it, and the remainder can undergo heavy vetting? Perhaps a cost & safety optimized approach if tuned right.
lend000 18 days ago [-]
Interesting idea! This seems like a natural extension of the coworking space business concept.
giantg2 18 days ago [-]
Yeah, I was thinking of the Pearson testing centers because they're already proctored to prevent cheating and set up for identity verification. But co-working spaces could certainly work too. That might be even more viable in Europe.
ChrisMarshallNY 18 days ago [-]
Not sure why that comment got downvoted. It doesn't seem to detract from the topic at hand.
Not sure if it's feasible, but it's definitely something to consider.
MangoToupe 18 days ago [-]
I don't really see North Korean workers as any less deserving of work
acdha 18 days ago [-]
That’s not the question: it’s about trust and honesty. The problem with North Korean workers is that they are a huge security risk because they aren’t working as free people but as agents of their government. That might not be a guaranteed disaster if they’re just generating cash revenue but it’s a huge security risk if the North Korean government has any reason to subvert your company or customers.
mcv 18 days ago [-]
Maybe first give them freedom. As long as their CVs are fake, their faces and experience are fake, and they're spying for their government, nobody should be hiring them.
MangoToupe 18 days ago [-]
Eh we're all victims of where we were born. I'm not about to hold someone's state against them. Unless I suppose it's a certain state that didn't exist 100 years ago and had to forcibly move people to make room.
dennis_jeeves2 18 days ago [-]
>Eh we're all victims of where we were born.
It's a very profound statement (perhaps unintentionally so). Most of us wouldn't even be doing the work we do if we did not have to pay ransom money to our rulers. And then there are unwanted children and all of that...
acdha 18 days ago [-]
The problem isn’t the people but the government which controls every aspect of their lives. If I hire a remote worker from England, I don’t have much reason to worry that they’re secretly working for MI-5 and plotting to infiltrate our systems unless I work for a drug cartel or military supplier, and I have a high degree of confidence that if they engage in misconduct they’re subject to a real legal system. If you hire a North Korean, abuse is far more plausible since the invention of cryptocurrency has helped them immensely when it comes to getting and laundering ransoms – and with nobody actually in a country subject to the jurisdiction of a government which cares what you think, they’re going to see it as a safe operation even if it brings you considerable harm.
mcv 17 days ago [-]
Really? Even when everything about them is fake, and the most productive thing they're likely to do is spying on you?
I also don't hold people's place of birth against them, but there are some very reasonable limits to that.
Aurornis 18 days ago [-]
> I'm not about to hold someone's state against them.
You don’t understand. These people are working for the state.
They’re not getting nice remote jobs to support their families. Infiltrating these companies is their job from the state of North Korea.
OfficeChad 18 days ago [-]
[dead]
confidantlake 18 days ago [-]
Why make the exception for that state? None of the people applying for jobs were involved or even alive when it happened.
MangoToupe 18 days ago [-]
Just like I don't blame people for hating me because I'm a symbol of ongoing colonization, I expect people to be ok if I blame them for ongoing atrocities carried out in their name in public with no shame or believable justification.
If North Korea is just as bad, at least they're smart enough to not let me see evidence that invades my dreams.
Aurornis 18 days ago [-]
Please re-read the article: These aren’t helpless people looking for jobs where they can do good work. This is a state-sponsored activity to exfiltrate source code, customer data, and in many cases extort the companies by demanding ransoms.
Havoc 18 days ago [-]
Can’t they just make week 1 in person compulsory?
You can easily dress that up as an onboarding thing and would solve this, no?
folkrav 18 days ago [-]
Assuming they have offices at all. My previous employer didn’t even have an office until 6 months after I was hired, and half the employees in the country were at the very minimum a decent 3-4h drive away from the office anyway. I’ve only ever met a handful of members of my team in person. The remaining employees were split up on 3 different continents.
nerdix 18 days ago [-]
A lot of companies have gone completely remote including a fully remote interview process because COVID basically mandated that and many companies kept doing it after COVID subsided because it was working.
But, yes, this will likely change that. In person interviews and onboarding will probably become the norm with fully remote teams as more companies become aware of the risks.
bravesoul2 18 days ago [-]
You can. Just like everyone can use a good password. Yet many don't.
Also there is a good reason not to make week 1 in person. You reduce your access to talent. I know we are in the everyone RTO and do 100hrs a week part of the business cycle. But still.
ryandrake 18 days ago [-]
Workers are currently in a bear market. No company has problems “accessing” talent, at least today. They aren’t going to lose a candidate by simply insisting on an in-person step, whether it be an in-person interview or a week of in-person work.
bravesoul2 18 days ago [-]
Yes I acknowledge that. Right now you can toss candidates because they didn't join your Discord 1am on a Sunday and still find hires.
But it does reduce your pool anyway and access to cheaper and/or better people.
sarchertech 18 days ago [-]
It’s not a bear market for the best candidates. I know plenty of people who have found new jobs in the last 6 months.
Many of them would have said no to in-person interviews.
mcherm 18 days ago [-]
Candidates who are already well-known in their fields are generally not plausible candidates for this scam.
deathanatos 18 days ago [-]
> Also there is a good reason not to make week 1 in person. You reduce your access to talent.
… I don't think candidates are going to turn down a company in droves for an initial 1 week onsite. You make it sound like you're losing access to all remotes.
bravesoul2 18 days ago [-]
Let's forget global and look at the US.
100 people. Working full time. Cannot take leave at last minute (or may not have it to take). Average distance to your office 1000 miles.
How many will come to your on-site?
deathanatos 17 days ago [-]
> 100 people. Working full time. Cannot take leave at last minute (or may not have it to take).
You're misinterpreting the thread. The context here is that the candidate is post-hire (…candidate is perhaps a poor word, but in the context of TFA, it makes more sense), so they're employed by the same company they're visiting.
I.e., the suggestion here is that Person A's employer E flies A out to E's headquarters to work for ~1 week.
Then you meet them in person, and can visually see they're not some fraudster in NK.
I.e., you start in-person, and transition to remote after 1wk.
const_cast 18 days ago [-]
Just bite the bullet and pay to fly them out for a week and pay for a shitty La Quinta with a view of the suburban office park.
I mean, airlines do it for pilots. How much of a hit to compensation would that be for software developers? Less than 5% for the first year?
bravesoul2 17 days ago [-]
The cost isn't an issue. If I'm a well paid pro looking at 10 interview pipelines. I ain't taking say 3 weeks off work to do my top 3 interviews. It's insane. Pay my flights and 20k might consider it.
It might work for grads or people out of work if it is well paid e.g. at least pro rata of the target salary. But that's a subset so if the employer chooses this they narrow their pool.
raverbashing 18 days ago [-]
> Can’t they just make week 1 in person compulsory?
Yes, but you'll have people making all kinds of excuses and how they only eat from this specific place that delivers on DoorDash and etc etc
(but honestly I think this would be an improvement)
Prickle 18 days ago [-]
They definitely can.
For my first 3 months it was obligatory to show up to the office.
The office was basically an apartment room, and very small. But it got the job done.
someotherperson 18 days ago [-]
Not really. You need a visa (or equivalent) to enter most countries. This can take months to apply for and receive. And you can stretch that period out even longer by claiming that you don't have a passport and need to apply for one first.
aleph_minus_one 18 days ago [-]
In Germany, if a company wants to hire some talent from a foreign country, this problem is solved by the general rule "The employment starts as soon as the visa problems have been resolved, and you are in Germany." Big companies often have a department that helps with visa problems.
So, if you stretch the period, the employment simply starts later.
danielhep 18 days ago [-]
What’s the end game for these scammers once they get the job? I understand there’s a question of espionage if they’re collecting intel from these companies, but do they also do their jobs? Or do they disappear as soon as they’re hired and collect as much data and money until they get fired? Do they actually know how to do IT work?
Aurornis 18 days ago [-]
The article mentions ransoming company data or source code as one outcome.
For many scammers (not North Korean specifically) it’s just one big game of collecting as many paychecks from as many companies as you can until they fire you.
For some multi-job people, the game is to continuously apply to companies and then let any company that is paying attention fire them after 1-3 months. Repeat long enough and you might find your way into a couple companies where your demands are so low that you can do all the jobs in a couple hours per day because your managers are so checked out that they don’t care. Ride this until the company lays off the whole underperforming team, then find the next jobs.
ta1243 18 days ago [-]
Have your new hire turn up and meet with the team on day one.
They'll soon twig if that's not the person who's getting called into a quick meeting in 5 minutes to discuss some new issue.
abxyz 18 days ago [-]
The supposed problem is being peddled by a company called Socure, who, coincidentally, offer the solution to this problem. There are absolutely "fake" remote workers floating around but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence. "North Korean" job applicants has become a meme, any suspicious looking applicant is being labelled "North Korean" by people who've read articles planted by Socure. If this were a grand North Korean government orchestrated conspiracy we would not see hundreds of job applicants engaging in exactly the same strategy for the same job.
Yeah I get your skepticism, but this is really a huge issue in many industries. We are seeing it with an alarmingly high rate. You don't need a technical solution though, as the article points out, some stuff is just process change:
In person final interview, gov issued ID checks, initial hardware delivery in office, etc.
bri3d 18 days ago [-]
I’ve also seen this pattern at a pervasive rate but I think it’s mostly shady overemployment / outsourcing agencies, with NK as a tag along. It doesn’t matter either way since the countermeasures are the same (besides the stupid meme KJU junk).
fergie 18 days ago [-]
Many users here don’t seem to understand that they are reading content marketing.
le-mark 18 days ago [-]
But when the FBI tells you, you might really have a problem, as happened at one company I was at several years ago.
xkcd-sucks 18 days ago [-]
[flagged]
18 days ago [-]
bn-l 18 days ago [-]
Ok but plan for a long sleep.
NitpickLawyer 18 days ago [-]
> but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence.
Not sure why this is downvoted. There’s now abundant evidence it’s happening.
ChrisMarshallNY 18 days ago [-]
I have a feeling there may be a Nork "flash mob" going on, like when someone says bad stuff about Musk.
dakiol 18 days ago [-]
If only governments could provide a very simple “check identity” service online. I think this should be a basic service nowadays.
Swizec 18 days ago [-]
> If only governments could provide a very simple “check identity” service online. I think this should be a basic service nowadays.
Slovenia issues personal certificates so you can identify yourself online. Mostly used for banking and e-gov. The commercial space has decided it’s too cumbersome.
Fantastic idea. Started rolling out when I was in college some 15 years ago. You go to the same place that issues your govt ID and you can also get the equivalent of an SSH cert issued by the government that guarantees you are you, your identity was verified at point of issuance, etc.
Unfortunately it’s about as fiddly to use as SSH. Okay for nerds, way cumbersome for normal humans who just want to log into their bank and pay their taxes damn it. Last I remember (moved to USA ~10 years ago) getting their e-signing browser widgets/extensions to work reliably on non-windows machines was hell. Most Mac/Linux users ran a whole VMWare VM just to do taxes once a year.
immibis 18 days ago [-]
Imagine if you had to provide your government ID to use any website.
Even for employment I find the idea iffy, but seeing as it's in response to an actual non-imagined problem, I suppose it's the most reasonable solution to that...
dakiol 17 days ago [-]
You lack some imagination. One could verify their identity against a government service once every let’s say 5 years. You get a public link/code that you can share with employers (or banks or real estate agencies or…) so that they can use the link/code against a government service to verify that you are who you claim to be.
immibis 16 days ago [-]
Adding a session token in the middle of the process of a website getting your government ID won't stop the website getting your government ID though? Either way the website learns your full name and address, and you can only ever have one account - which will make you extra careful not to violate any real or imagined rules - the chilling effect on speech is still there.
codedokode 18 days ago [-]
They provide, don't they? In Russia there are "gosuslugi" (government services) that banks and other organizations can use to confirm identity. However, if you sign up, then you will receive draft notices for military service through the app so you better not sign up.
stanac 18 days ago [-]
I am not sure it would resolve the issue. About 10 or so years ago I was contacted on LinkedIn with an offer to "rent my name and face" for a team of Chinese remote workers (probably not those exact words). I rejected the offer without asking for details. Not sure if they were actually from China.
dakiol 18 days ago [-]
If you sell your identity, you are accountable. That works in real life too, so there’s less incentive in doing it.
kQq9oHeAz6wLLS 18 days ago [-]
Isn't that what the E-Verify [1] system was supposed to be? Several companies are now discovering it's not all it's cracked up to be, as ICE shows up at their door.
E-verify is just to check employment authorization, it's not a general identity service.
Mountain_Skies 18 days ago [-]
Yes. It confirms someone with a particular name, DOB, and SSN is authorized to work in the US. It doesn't confirm that the person claiming to be that person actually is that person. It relies on the employer to be able to match the applicant to the photo in e-verify, which isn't always an easy task.
mcny 18 days ago [-]
We don't need a general identity service though. We need to know whether someone is authorized to work for a US employer, right? How can a DPRK worker have the necessary authorization? If they use someone else's identity, isn't that something E-Verify should catch? If these are US citizens/nationals/residents working out of DPRK, who cares?
antonvs 17 days ago [-]
> We need to know whether someone is authorized to work for a US employer, right?
E-verify is only for US residents, and depends on the employer interacting in person with the prospective employee.
Its primary goal is to check that someone is a legal resident, so it has no bearing on hiring remote foreign workers.
Mountain_Skies 18 days ago [-]
I suspect some of the fake job postings are schemes to harvest that type of data. If I live in Atlanta and someone uses my identity to get a job in Seattle, how long will it take for me to learn about the company in Seattle that thinks it hired me, especially if they don't use my home address?
mcny 18 days ago [-]
One of the many reasons I don't like to give references, social security number, date of birth, and so on to anyone except the end client hiring manager. I don't really care if the talent manager software has a required field to put last four of social security number. I simply don't trust random job postings to keep my information secure.
Would it help if I could query some IRS service to check what paychecks have been sent to me? Does this have a delay of a quarter year or more?
How do these people avoid getting the people they impersonated and/or scammed in trouble with the IRS?
klausa 18 days ago [-]
You would also exclude everyone that is not a US resident; which might or might not be what you want.
I would guess many (most?) of the places with this problem are actually fine with people that aren't living in the US; just not in North Korea.
jfengel 18 days ago [-]
They can buy, steal, or hire yours. If it were a general identity service, yours would get tracked. But if it's just a matter of authorization, with no authentication, they'd just use it indefinitely.
cyanydeez 18 days ago [-]
[flagged]
alganet 18 days ago [-]
I think the paranoia and fear this kind of idea promotes is perhaps the point of all of it.
Why is this being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
Also, we need steps towards reducing the possible tools that fake workers could leverage. These steps would put a strain on some recent technological developments. A strange and wild paradox.
nucleardog 18 days ago [-]
Inform what companies directly? If it's this pervasive, that's not going to be effective.
I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
And in the process of confirming that this was fishy, I contacted one of the past employers he claimed after doing my best to confirm _they_ weren't in any way part of the scam. They confirmed he had never worked there. I sent them his LinkedIn and portfolio site in case they wanted to chase down getting their name removed.
They told me that this was super concerning because the screenshots in his portfolio of the app he worked on for them were real screenshots... for an unreleased app that was only available internally and had never even been demoed for clients.
They'd already been breached and had god knows what exfiltrated. They found out because we caught an attempt to get hired at _our_ company and let them know.
Nobody outside of a couple of technical staff at our company had even _heard_ of this. Nobody at the other company had. The fix, to me, seems to be making people involved in hiring more aware of this. If anything, it seems we should be talking about this _more_ and _more publicly_.
alganet 18 days ago [-]
Is your company involved in infrastructural or emerging tech in any way?
Forgive my frankness, but these worries about infiltrators have priority in important, large companies. I am very sure agencies responsible for this can contact these handful of important companies directly.
So, you're right. In the current age we live in, no one cares about your small SaaS company, and you're being used to spread unnecessary paranoia and fear.
nucleardog 18 days ago [-]
Other company was, indeed, AI Startup #528532.
We're in a niche, extremely boring industry. We have an extremely small client base. We do line-of-business/sales management applications for something akin to like... light switches and light fixtures. The most exclusive thing we have access to is wholesale pricing from manufacturers. We don't handle payments. The extent of PII we handle is "name and email" from when someone emails out a quote.
We are the epitome of uninteresting to a foreign actor. Being "uninteresting" apparently does not disqualify you.
We also do not hire overseas (the applicant claimed to be from California) and offer a good US wage. We weren't targeted or vulnerable because we were being "greedy".
alganet 18 days ago [-]
You do hire remote workers, don't you?
If you had to hire workers in office, would you have space and infrastructure for all of them?
From my perspective, this would solve the issue. Unless you're worried about in-person North Korea spies.
I don't know man, seems like you're living in some cold war mind trap or something.
nucleardog 16 days ago [-]
So if I'm reading all your posts correctly the problem is:
* You're a Fortune 500 that's a valuable target.
* Okay, well, you're in emerging markets or infrastructure then.
* Okay, well, the problem's really that you're being greedy hiring overseas.
* Okay, well, the problem's that you're not paying sufficient office expenses and _that's_ greedy.
I think we can call it done here.
alganet 16 days ago [-]
You're not reading correctly. Go back to my first comment, it's all there.
xarope 18 days ago [-]
Isn't this the best way to start an infiltration, though? Like hiring a janitor or cleaner, who is able to access the office during off hours, and can start planting false information, which is then used by a more relevant company years later?
alganet 18 days ago [-]
If you start thinking like this, then no one will ever feel safe.
I think this kind of idea is stupid.
bn-l 18 days ago [-]
30 people. Damn. I suppose they must be casting a massive net. Pretty concerning.
jjmarr 18 days ago [-]
North Korea has a shortage of foreign currency.
It's not just espionage. They need US dollars to pay for smugglers.
alganet 18 days ago [-]
Greed meets greed. Companies hiring cheap labor, being exploited in several fronts.
It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
Keep focused. Small companies never mattered for nations, they are irrelevant. Spreading paranoia will not solve their over-reliance on this exploited offshore problem. It will likely lead them to bankruptcy.
Ultimately, it doesn't invalidate what I said. It actually makes my comment more relevant.
cyberax 18 days ago [-]
> It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
It's not offshore. Infiltrators are pretending that they're in the US. I first saw this 2 years ago, and they were pretty clumsy back then: always blurred background (and refusing to unblur it) and/or doing calls from a windowless office. You could even see their eyes moving, like they're reading the script.
This year they became much fancier. They use backgrounds with the real time-of-day and weather illumination. The eyes no longer move unnaturally, etc.
alganet 18 days ago [-]
You miss the point.
Remote working is in the same vein as offshoring. One enables the other, they're co-dependent. Both are based on greed. In the case of remote working, it is avoiding having offices, avoiding paying certain kinds of insurance, etc.
You are also reinforcing my original conclusion that what enables these workers is the very same tech that companies are investing in.
Again, greed meets greed.
Now it's too late. IT companies will not survive a full return to office, and they won't survive remote working as well.
The very idea that someone could be using technology to fake an identity was unthinkable. Now that it is not, there's really no place safe.
If a crisis occurs, and the US president goes to Air Force 1, transmits from there, how could you be sure he's not a North Korean infiltrator? You can't.
I think there are still ways out of this, but we're reaching an inflection point that will be hard to overcome.
---
Your commentary seems to provide a valid point of view, and although you disagree, you reinforce my main point.
cyberax 18 days ago [-]
> Remote working is in the same vein as offshoring.
No, they're not.
> You are also reinforcing my original conclusion that what enables these workers is the very same tech that companies are investing in.
We should get rid of electricity, then.
> If a crisis occurs, and the US president goes to Air Force 1, transmits from there, how could you be sure he's not a North Korean infiltrator? You can't.
Now you're really reaching.
alganet 18 days ago [-]
> We should get rid of electricity, then.
Pathetic.
cyberax 18 days ago [-]
> I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
I'm in a similar situation. The HR leads company is trying to filter out the fakes, but they can't catch everyone.
Apparently, the infiltrators specifically target the companies in the 10-50 people range. In smaller companies everybody knows what everybody else is doing, so infiltrators will be swiftly uncovered. And larger companies typically have a well-established HR department that will catch obvious fakes without good cover.
But these mid-range companies provide the best chance for the fakes to get at least a couple of paychecks before being uncovered. And they likely won't bother with going to the FBI to chase down the payments.
Barbing 18 days ago [-]
[Background: We both know companies should (must?) inform the feds if they accidentally (illegally?) hire someone as a part of fraud perpetrated against them.]
>And they likely won't bother
Thank you for your insight. Unfortunate! The rationale makes sense—the temptation to sweep under the rug—but doesn’t make it right, which as established we both know.
…you can perhaps tell I was frustrated with what seemed to be an argument against actually taking this course of action; hope replying here is better than arguing directly downthread esp. in case I misunderstood something
alganet 18 days ago [-]
Why shouldn't they go to the FBI?
I strongly recommend going to official authorities if you believe you're being duped by a foreign nation spy or conspirator.
If they ignore you, it's more likely that you're not that important, like I said previously.
cyberax 18 days ago [-]
> Why shouldn't they go to the FBI?
I'm not saying "shouldn't". It's more likely "don't bother".
Interacting with law enforcement takes executives' time, it might bring in complications (legal liability for personal data leaks, etc.), and even in the best case the company is not going to get their money back.
alganet 18 days ago [-]
So, it's a big problem that everyone should know about but do nothing except post shit on news?
No, you should bother. You should bother a lot. Get in contact with the FBI, make a huge deal about it. You think one company can handle a spy agency? That's bad advice.
cyberax 18 days ago [-]
Sure, feel free to tell that to every mid-size company.
alganet 18 days ago [-]
You are mixing hypothetical scenarios with reality.
My argument was to inform high value targets first, since they are more at risk and capable of developing a fix.
I also argued for slowing down the development of technology that can help infiltrators.
Go back, read the discussion, see how far you are from the simple truth. Someone is making IT companies paranoid, either on purpose or by mistake. Probably, by greed or as a consequence to it.
markerz 18 days ago [-]
Why try to hide it? It’s like public disclosures of security vulnerabilities. You directly contact the few people who have actionable data and means to address the problem, then you tell the world that they’re impacted and should be aware that such a problem exists so we don’t repeat it.
alganet 18 days ago [-]
Private disclosures for more sensitive vulnerabilities are a recommended practice. In your analogy, that's what I alluded to.
In such cases, you only share the sensitive vulnerability publicly once there is a fix. For this case, there seems to be no fix.
One could think of it as a way to promote more scrutinized hiring processes, but it actually encourages widespread paranoia and fear.
It seems your analogy is valid, but the conclusion is that it supports what I said.
NitpickLawyer 18 days ago [-]
> Why this is being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
One key component for this scheme to work is to have local US persons act as intermediaries. While some may already know something shady is going on, and be complicit, some might not understand the entire scope of what they're being part of. Publicly discussing it might encourage some people to come forward / avoid being involved in the future.
fuzzzerd 18 days ago [-]
Living up to your screen name I see, but in all seriousness, I fully agree. The average person running the laptops in a spare bedroom may have no idea the scope of what they're involved with. Especially if they're being duped as well.
Imagine a non technical person being told they're helping run an "edge data center, close to the users. Running our laptops helps Netflix/facebook/etc (insert big tech name of your choice) run faster for you and your neighbors and we'll pay you to do it."
Easy to imagine a non technical person buying that lie.
alganet 18 days ago [-]
I'm having a hard time understanding your imagined scenario.
Can you please explain it better?
fuzzzerd 18 days ago [-]
NK "fake employee" finds a non technical American to run their laptop farm by lying to them that running these laptops is helping make their access to some service faster.
alganet 18 days ago [-]
Sounds very convoluted.
I'm sure many, many countries have botnets. I have a bunch of those countries which I consider irresponsible and reckless on my radar, not only North Korea.
NitpickLawyer 18 days ago [-]
These aren't botnets in the traditional sense. These operations need a US-based laptop (they receive it by mail, from the "target" corporation upon employment) and they also need the mini-KVM device to be plugged in. Then the remote agents connect via that KVM, to make detection harder. To an enterprise IDS/IPS the laptop seems connected from a residential, US IP address (expected).
They've already arrested some people involved in this, they have devices as evidence. It's pretty well documented at this point.
alganet 17 days ago [-]
Please, share the well documented evidence (media articles won't do).
alganet 18 days ago [-]
My imagination is very expansive, I can come up with grand scopes that movies and conspiracy theorists would never dream of.
Reality is much simpler though. Greed, I already said it. Typical human defects.
It seems that you are not comprehending who needs to come forward. Entire industries, entire parties. They simply won't, they would rather see the world burn than admit such mistakes. It has happened before.
brookst 18 days ago [-]
I’m not sure it’s good for anyone to keep SMB’s in the dark, as they have the most surface area and least expertise and budget to respond. It seems like a net benefit to publicize the issue and get every IT hiring manager thinking about it.
alganet 18 days ago [-]
Can you elaborate more? It seems that you disagree but I'm missing the rationale behind it.
brookst 18 days ago [-]
Keeping it quiet and only disclosing to larger firms means that lots of small firms will hire these people, with the economic and IP harms that entails.
alganet 18 days ago [-]
As you said, small businesses have less expertise and budget to deal with the problem.
Telling your grandma she has a virus only makes her become afraid, she won't magically gain the ability to identify it. That's my whole reasoning here. It makes things worse.
jongjong 18 days ago [-]
I suspect it could be worse than that. It feels like certain countries' tech sectors are being partly taken over by IT workers from foreign intelligence agencies or from foreign entities with ulterior motives. Especially when you consider countries with small populations and few natives in the tech sector.
For example, in Australia, it seems like at least 8/10 software engineers are foreign-born. Most of those are probably genuine (not from intelligence agencies) but Australia has such a tiny native population of engineers compared to that of most foreign countries in its vicinity that it wouldn't be difficult for a country like China or India to overwhelm our tech industry with a few highly-placed workers in order to gain political leverage. I was thinking that there might be more software engineers working for Indian and Chinese intelligence agencies in the world than there are native-born software engineers in Australia (of all kinds). It's a numbers' game.
North Korea seems like the tip of the iceberg there though it is an easy example to talk about because everyone understands how the North Korean government operates and everyone agrees about the threat they pose compared to more subtle threats from other countries which aren't seen as opponents (at least not to the same extent).
But also, consider a company like Facebook which hires maybe 20K or so software devs. A country like India which has a large number of software developers, if it wanted, could easily put together a task force to infiltrate and take over Facebook in a focused decade-long effort if that was its intent. They almost certainly do have some people inside every major tech company right now.
If a group can have a few highly placed people inside a target company, they could then recruit more of their group into the company and start promoting their own until they have full control over the critical systems. It's a weakness of our current highly centralized tech sector.
Something else that could happen is a foreign intelligence agency could wait for people to get promoted naturally and then reach out to dual-nationals which they have leverage over (e.g. because of family members or assets owned in the foreign country) and then use that to demand favors. Then they could help coordinate the engineers to recruit more of their own to achieve even more control. Different groups would form factions within the target company and every normal employee would be unwittingly pushed out because anyone trying to 'improve or simplify things' would be seen as a threat to various nefarious agendas which rely on complexity to hide backdoors or algorithm exploits.
Imagine how valuable it would be if you could hijack Google's search algorithm or Facebook's recommendation engines to prioritize your group's businesses and/or agendas.
high_na_euv 17 days ago [-]
>If a group can have a few highly placed people inside a target company, they could then recruit more of their group into the company and start promoting their own until they have full control over the critical systems. It's a weakness of our current highly centralized tech sector.
Isn't the critique of Indian managers that they favor Indian people?
shivasaxena 17 days ago [-]
That critique is by the same section of our society that also believes that it's the "jews" that are behind this so ...
Spooky23 18 days ago [-]
It’s likely that some variant of what you’re describing is actively taking place right now.
anarticle 17 days ago [-]
I've definitely gotten something similar to this in dev Slacks offering to use my Upwork/LinkedIn to get a job and then I hand it off to someone else. They claim they'll pay 30-50k/y.
Sounds like my IRL value just keeps going up.
gkanai 18 days ago [-]
A required in-person verification due diligence step would stop this, no?
stuaxo 18 days ago [-]
Feel like at least one coworker might be better if they were this.
tehjoker 18 days ago [-]
The LinkedIn thing is very weird, what about all the guys that worked for another company for a long time and didn't bother with LinkedIn? I don't buy that, but the trend of these guys not showing up in-person at all is very suspicious, though not impossible. There are all kinds of reasons people want to do remote work, and some of those reasons might preclude an in-person meeting (like you might find out about a disability).
Still, I agree that's pretty suspicious. However, they didn't offer any proof whatsoever these guys are from North Korea or any motivation for why they would be doing this from North Korea. So, that sounds like potential U.S. propaganda.
They said they worked with the FBI, which honestly is a red flag for that kind of thing. Rather, if a company states without proof they're from NK, it's very likely BS. If the feds say it's North Korea without proof, it's definitely BS (they have resources to prove it!). If the Feds say it and provide proof, then we can talk about the proof.
ErigmolCt 18 days ago [-]
What's clear is that this isn't just a security problem
nobodyandproud 18 days ago [-]
Maybe this, with mandatory senior executive and board accountability, will be the wakeup call to stop the outsourcing problem of the last 50 years.
bigfatkitten 18 days ago [-]
This has nothing to do with outsourcing. These guys are getting hired as permanent employees as often as they’re being engaged as contractors.
nobodyandproud 18 days ago [-]
My mistake. I meant “off-shoring”.
This is only possible in the scale we see today, because of the infrastructure built to support off-shore and remote work.
rwmj 18 days ago [-]
What does this have to do with outsourcing?
nobodyandproud 18 days ago [-]
It’s about incentives.
Direct impact: Outsourcing breeds a culture of unverified and verified-just-once remote work.
Indirect impact: Outsourcing is a cost-driven effort where after a certain level of competence, the bottom-line is the only measurable metric that matters so it’s a race to the bottom with patchwork efforts to “fix” issues like OP.
Making domestic options cost-equivalent with punitive outcomes for hiring NK workers.
JumpCrisscross 18 days ago [-]
This is about in-house employees. Not outsourcing.
nobodyandproud 18 days ago [-]
My mistake in term. I meant “off-shoring”.
Otherwise, I stand by my argument. The support infrastructure we built to support remote work and offshore teams has made this an easy attack channel.
lukaslalinsky 17 days ago [-]
How is it off-shoring if they are hiring "US citizens living in the US"?
nobodyandproud 17 days ago [-]
Oh, so they’re interviewing in-person?
Or perhaps, off-shoring support and infrastructure is what enabled and made-normal this sort of remote interviewing and work in the first place.
deadbabe 18 days ago [-]
[flagged]
almosthere 18 days ago [-]
the funneling of money from the us to other countries for workers
the companies located here should only hire here
deadbabe 17 days ago [-]
[flagged]
nobodyandproud 17 days ago [-]
That’s a bad-faith quip. The US is a competitive market with ground rules.
deathanatos 18 days ago [-]
Maybe this is a real problem, IDK. But this article is so scant on actual details, and is mostly just weasel-wording its way to "it's a problem, trust us."
> Chief among these disconnects were "shallow" LinkedIn profiles paired with "beefy resumes," she explained, citing job-seeker claims of working at Meta, attending Ivy League schools, developing major tech companies' flagship products … but then only having 25 LinkedIn connections.
LinkedIn is not the end-all be-all of résumés, and my coworkers have wildly varying numbers of connections.
> "We've certainly seen applicants that fit into this category with various IOCs [indicators of compromise] that we've shared with partners and peers," Snowflake CISO Brad Jones told The Register.
This is an abuse of the technical term IoC to try and dress up what amounts to "my gut hunch".
> Once the recruitment team began meeting via video conferences with some of the applicants, they noted extremely Western-sounding names, like James Anderson, paired with East Asian appearances and accented English, in much higher numbers than they expected.
That's just discriminatory.
> "You can't profile people, […] *But*
sigh
> The fraudster's answers weren't word-for-word ChatGPT, Little noted. "These people are smart, they're not unskilled, they're sophisticated," she said.
… no, that's because that's not how LLMs work.
> routing everything through a VPN
I'm not even sure how you would know this about a candidate.
> These IOCs, or indicators of compromise, include email addresses, physical addresses, and phone numbers that have been flagged as associated with non-legitimate candidates.
This is begging the question: the candidate is suss because they're suss. What makes the email address et al. "flagged"?
> The final step is always an in-person interview.
I mean … if you're not doing that, then … okay, I see how the scammers got to you.
> "We require people to come to the office to pick up their computer," Robinson said as an example.
I mean, if you pay for the plane tickets, the hotels, the taxis, the meals, and the time, sure, I guess.
If this is truly a problem — and maybe it is — the Register's reporting is so unspecific that it leaves us with no details of how we might tell, what to look out for (in ways that doesn't run afoul of racial discrimination, or seen elsewhere in the comments, political discrimination). It leaves me thinking this is an ad designed to leave me going "I'd have to hire a company that specializes in this to know if I'm being affected by it."
austin-cheney 18 days ago [-]
So, again, the answering to this and most every other hiring ill in software over the past 15-20 years is… licensing.
So, let’s think about this logically. There is no baseline of candidate identification or competence in software and the jobs pay very well in physically comfortable conditions. It makes sense that unqualified liars would apply for these positions. Why shouldn’t they? I am honestly curious how far the fraud and incompetence can go and devalue the industry before someone cares enough to tackle the problem.
bigfatkitten 18 days ago [-]
The answer to this is for companies to do even a modicum of personnel vetting.
At the very least, make your remote candidate show up in person for their onboarding. A plane ticket and a few days of accommodation and meals is cheap in the grand scheme of things, and giving them the opportunity to meet their team is good relationship building.
Sight their ID before you issue them with an account, give them a laptop etc.
austin-cheney 18 days ago [-]
> The answer to this is for companies to do even a modicum of personnel vetting.
They do. That is clearly not enough.
bigfatkitten 18 days ago [-]
They generally make no enquiries at all into the applicant’s bona fides.
The candidate sends in fake or stolen documents where the picture on the drivers license doesn’t even vaguely resemble the person who appeared on Zoom.
When you have an applicant who says they were born in Tennessee and that they’ve apparently lived in the U.S. for their whole life, you would normally expect them to speak English with native proficiency and at least have an American-sounding accent.
If they say they live in, say, Seattle, you’d expect they could carry on at least a basic conversation about their local area.
Even this basic level of attention to detail nonetheless escapes many HR departments and hiring managers.
cyberax 18 days ago [-]
> If they say they live in, say, Seattle, you’d expect they could carry on at least a basic conversation about their local area.
When I was working at $LargeCompany, we were encouraged to NOT engage in small talk with applicants beyond the regular politeness. It's too easy to ask questions that would open the company to discrimination lawsuits.
austin-cheney 18 days ago [-]
I have known many people born in the US who learned English as a second language with a thick accent. Employers have to use legally qualified means to discriminate between applicants to avoid violations of various laws.
hollerith 18 days ago [-]
Irrelevant to the OP unless you explain why North Koreans would be prevented from obtaining these licenses: it's not like there aren't competent developers in North Korea.
If your explanation is that the license grantor will verify that the applicant is a resident of a Western country, than the employer can just do the same verification of job applicants, dispensing with the need for the occupational license.
acdha 18 days ago [-]
The way these people are being caught are things like dodgy LinkedIn profiles or refusing in person meetings so I would think a licensing process designed around things which would be expensive to fake: in person government ID checks, periodic exams, peer evaluations, etc. The trick would be actually doing that in person, which could be a useful thing for conferences - treat an afternoon at PyCon or re:Invent as the cost of renewing your professional credentials if you don’t live near a major city or university.
bigfatkitten 18 days ago [-]
Even an in person ID check would suffice.
For most of the West, this is an extremely difficult bar to clear for a North Korean national working out of China.
acdha 18 days ago [-]
Yeah, I was thinking that if you were looking for an industry license it would probably be more useful if it also covered skills or work experience in some way, since that helps multiple weak points of the common hiring processes, but you’re quite right that it would raise the bar considerably if they had to basically run everyone like actual spies with robust fake identities.
austin-cheney 18 days ago [-]
I recommend researching what comprises professional licensing. If you have absolutely no frame of reference I can understand why you would be so confused.
hollerith 18 days ago [-]
OK, so you cannot answer my question.
austin-cheney 18 days ago [-]
Why would I? I don’t think you would understand the answer.
lukaslalinsky 17 days ago [-]
If there is a US person providing the identity, what's stopping them from also providing the license?
I guess the main problem is, if you are a company with bad management structure, and you see your new coworker has really weird patterns, inconsistencies in their talking, why would you tell the manager about it? You can just mind your own business. It was them who hired them after all.
austin-cheney 17 days ago [-]
I don’t understand your question about licensing. A professional license isn’t a physical artifact.
Edit: If you don’t know what licensing is why are you replying to a comment about it? Most of the comments here read like this and it’s really weird.
hnthrow90348765 18 days ago [-]
FWIW, the "insult Kim Jong-Un" meme that's been going around doesn't work.
jawiggins 18 days ago [-]
Did you try it? What did the person say?
hbs18 18 days ago [-]
How do you know?
kyo_gisors 18 days ago [-]
[flagged]
rcstank 18 days ago [-]
How is it racist?
charcircuit 18 days ago [-]
It is trying to avoid hiring an ethnicity by saying things that a specific ethnicity would find offensive, but not others so you can filter them out of the hiring process.
bigstrat2003 18 days ago [-]
That is not what that's about. It is trying to avoid hiring people who work for a foreign government by asking them to say things that would be illegal in their country. It has nothing to do with ethnicity and everything to do with nationality.
ImJamal 17 days ago [-]
Nobody is trying to avoid hiring an ethnicity. There are plenty of Koreans that would still be hired, those from South Korea and everywhere other than North Korea.
throwaway48476 18 days ago [-]
I dont think KJU is held in high esteem by the defector community.
mateoowen44 13 days ago [-]
[dead]
peju112 12 days ago [-]
[dead]
Hellenmfinal 13 days ago [-]
[dead]
OfficeChad 18 days ago [-]
[dead]
iw7tdb2kqo9 18 days ago [-]
[flagged]
marve087 17 days ago [-]
[flagged]
tropicalfruit 18 days ago [-]
company finally swipes right only to get catfished by a DPRK agent
nice
peterdemin 18 days ago [-]
I hate how this is acceptable to make such claims about another country without providing any evidence. Same goes for Chinese or Russian hackers. It’s just whoever the US government is unhappy about.
miffy900 18 days ago [-]
The article itself is evidence. There are many more links in it to other stories that report on basically the same or similar incidents. There are also several names in the article itself that you can research or probe on your own to tell if it's coming from a trustworthy source.
Consider also the author: it's written by an actual journalist/editor with a large body of pre-existing work in the field, and many of the claims written are backed up by quotes from a named source. It's not like they're writing all this and hiding it behind the weasel phrase 'according to a source close to the matter'.
The Register too is actually UK founded, so it's not even American.
Your reaction is just so typical of people nowadays - just assume it's all 'made up' without any effort in debunking or picking apart any specific claims.
esafak 18 days ago [-]
I've interviewed these people. They really exist! I did not know they were North Korean, but it would not surprise me.
defrost 18 days ago [-]
There's evidence, large investigations, and arrests aplenty already.
Justice Department Announces Coordinated, Nationwide Actions to Combat North Korean Remote Information Technology Workers’ Illicit Revenue Generation Schemes (justice.gov)
Law Enforcement Actions Across 16 States Result in Charges, Arrest, and Seizures of 29 Financial Accounts, 21 Fraudulent Websites, and Approximately 200 Computers
..
Today, the United States Attorney’s Office for the District of Massachusetts and the National Security Division announced the arrest of U.S. national Zhenxing “Danny” Wang of New Jersey pursuant to a five-count indictment. The indictment describes a multi-year fraud scheme by Wang and his co-conspirators to obtain remote IT work with U.S. companies that generated more than $5 million in revenue.
energy123 18 days ago [-]
> It’s just whoever the US government is unhappy about.
Likewise, you don't have evidence for this.
some_random 18 days ago [-]
What evidence is lacking here?
nimbius 18 days ago [-]
This is a problem the USA caused, and could easily solve, by dissolving the armistice and declaring an end to the Korean war.
only seven countries are currently participating in the embargo and sanction of North Korea, (at the behest of the united states.)
casenmgreen 18 days ago [-]
North Korea would never, in a million billion years, either accept peace, or actually honour it. NK is a hideously oppressive, violent, dictatorship, which would invade SK in a microsecond if it thought it could get away with it.
I think it astounding - staggering - to point the finger here at USA.
If you were not a long term, serious poster, I would think you were a fake account.
daedrdev 18 days ago [-]
No, one side declaring the end to a war does not end that war, this is one of the worst foreign policy takes I've ever heard. The NK regime is secure because of the war, they will poison pill any negotiation by demanding South Korea become part of the north.
WhyNotHugo 18 days ago [-]
They convinced Ukraine to give up their nukes, promising that they'd be safe. I don't think there's any chance of convincing North Korea to follow the same path.
mathverse 18 days ago [-]
This is entirely US companies' fault for not favoring people from 1st world countries. At this point it's not a question of $ but of not really giving a shit.
If you have 2 candidates and one is from, let's say, the Czech Republic and the other one from the 3rd world, then it's fully on you for getting screwed over.
akazantsev 17 days ago [-]
Could have read the article. All involved companies hired US-based workers who received company-provided laptops and set up remote access on them for North Koreans.
anovikov 18 days ago [-]
You don't have to be an evil North Korean to do that. Outsourcers have been doing it since time immemorial because they can't achieve sales in any other way (or through direct corruption: often offshore outsourcing shops are owned by managers of their clients, who effectively use them as tools for siphoning money away).
gibbitz 18 days ago [-]
Hopefully the fear of foreign actors will put an end to this too.
I have to hand it to North Korea on the inventive revenue streams. This is a country under sanctions for decades that has developed some of the most clever IT scams for siphoning money from the west. Between this and the Lazarus group the country has brought in Fortune 500 company kinds of money to keep itself afloat.
pxc 18 days ago [-]
It's been over 75 years. It could not be clearer that this attempt to punish the ordinary people who live in North Korea for having a government that the US finds disagreeable will not succeed in somehow fomenting revolution. What it has succeeded in doing, apparently, is sustaining a level of poverty and isolation that motivates even crazy schemes like this.
Here's how to actually stop it: stop weaponizing poverty to beat a Cold War-era dead horse, and end the damn sanctions.
trallnag 18 days ago [-]
Russia was an important trading partner for many European countries. Especially important for Germany. Basically no sanctions. Freedom of movement with fairly good visa policies. No great internet firewall. How much did all this help to prevent another huge war between two European countries?
pxc 18 days ago [-]
Different behaviors have different motivations, contexts, and causes. It's extremely clear that these, like other criminal moneymaking schemes in the DPRK, are directly and closely related to the high degree of isolation of the DPRK and the difficulty of getting capital into it.
Of course lifting the sanctions won't also end all spycraft, or ensure an end to geopolitical conflict. Those aren't things I have claimed or would claim.
And the primary reason to end such sanctions is not any benefit to imperialist nations but because of the fact that they inflict misery on ordinary people indefinitely and (not essential, but adding insult to injury) uselessly.
JumpCrisscross 18 days ago [-]
> they inflict misery on ordinary people indefinitely
Pyongyang was making its people miserable before there were sanctions. America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
pxc 18 days ago [-]
> Pyongyang was making its people miserable before there were sanctions.
Whether or not we approve of Pyongyang is completely irrelevant to every point I've made. The questions are (a) whether the sanctions have had a material negative effect on the North Korean people, and (b) what they have accomplished. The answers are "yes" and "nothing of any use", neither of which is controversial. And our fixation with North Korea and the evil we wrought there obviously doesn't begin with sanctions but with millions of tons of bombs, tens of thousands of tons of napalm on arable land, or the destruction of the People's Republic of Korea (not the DPRK), a functioning government that existed in both the North and South before the US invaded (literally reinstating colonial Japanese governors as officials).
> America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
The US was directly involved in the division of Korea even before all that. Frankly, your entire comment has been not only extremely handwave-y but deeply dishonest.
Ergh, something did get lost in a rewrite of my comment between tons of bombs and pounds of bombs: it's "only" over half a million tons of bombs. Many hundreds of millions of pounds, "only" over 650,000 tons. The range given for napalm was accurate; it's over 30,000 tons.
shermantanktop 18 days ago [-]
Exactly. Trade ties only go so far.
But this pov isn’t always rooted in pragmatism. Free market ideologues also think that free markets will bring world peace.
dontTREATonme 18 days ago [-]
Ah yes, because that’s worked out so well with China.
Anyone with internet access in NK is working at the behest of the government.
In the age of vibe coding and North Korean fake workers, I'd probably go another way though. Trusting your remote workers used to be easier from my perspective.
My current place of work has rolled out both copilot and gemini coding assistants to everyone and so far I've not seen the expected flood of lower quality code or code clearly written by AI and not even being understood by the submitter. We're talking ~80 devs in 3 timezones just in my project. This is very encouraging.
I made a decision long ago. Either a job is remote (I apply), in which case it has to really be remote, or it is hybrid (I don't apply). If there is a day in a week/month/year that you're required to visit, it is no longer 100% remote. This especially applies if it requires international travel, doubly so to certain places that make such travel an even bigger hassle than it needs to be (I didn't think the US would be on this list in my lifetime, but here we are).
Perhaps I'm just annoyed that it is very common in this job market (at least when I looked last, ~2 years ago) to advertise 100% remote jobs, have 3 interviews during which you're assured "yes, 100% remote", and then either get a contract that has provisions allowing for it to be revoked, or even be told verbally, or not even be told, but pressured as time goes by: no, actually you're expected to visit. I had a client like this once. Otherwise a good job. The manager of my team constantly got a lot of crap that his people are "never in" despite the company hiring the whole team as remote.
There are plenty of people in business that would love that whole remote thing to disappear. It starts with "come to the office once a month for a night out, we'll pay for your hotel", then it's just "come to the office once a month", then it's 2 weeks, 1 week, then it's 3 days a week, and then it's just Friday you work from home, but no one actually works on that day but you, so you're blocked on most of what you do.
Who are these people? Managers that never learned how to manage remote teams, HR that worries their dept will be cut down, branch/country directors that can't show the visiting "leadership" an office buzzing with activity, and that guy who decided it's a good idea to buy a huge office building in the city centre a month before covid started (I've already worked fully remote for 3 years before covid started, but it was just me and another guy in a team of 9, now it is much better when the entire team is remote, there is no "us and them").
Sorry, just as Luddites wanted to go back to the power of muscle from the power of steam, there is no going back. The advantages to everyone are too great. To the employee, I hope I don't have to explain; to the employer, lower cost and a much bigger hiring market; to the entire world, less travel and entire generations of people not wasting 20% of their waking hours on travel...
If I recall, certain government jobs already need something like that you can get at the post office?
There's more and more places where the less visible presence online you have, the more you're a good fit for the position.
Not picking on you, but that's kind of a tautology :)
You might say the people who interviewed the candidate should be there when he picks up his laptop. But this is already an extremely remote-friendly company, the interviewers might never be in the office. He's going to pick it up from the IT department in the basement and at best they will take a photograph of his face.
https://www.wsj.com/business/north-korea-remote-jobs-e4daa72...
When people have no solutions for basic problems they become the problem.
Feels like there's otherwise a hundred different ways to already do remote control without any extra hardware.
This way the worker doesn't have to know 100 different ways to remote into the machine, just one
Curious what typical rates would be.
There's obviously some context I'm missing here, I always thought KVM was the Linux kernel virtualization system...
In this context the abbreviation stands for “keyboard, video, and mouse”. These are hardware devices you physically connect to a computer and then you can remotely see the computer’s screen and input keyboard and mouse inputs to it via the network.
> It's just stated that it has an Ethernet port and an HDMI and therefore can remote control a computer?
Yes. That is the purpose of a KVM device.
> he said the North Koreans are putting them on people's computers
What is described here is a scam perpetrated by North Korean state to gain funds despite economic sanctions trying to prevent it from doing so.
The scheme involves someone pretending to be a legitimate remote worker working from a legitimate location, but in reality they are performing the work from North Korea. The person working the remote IT job in North Korea gets a pittance, while the state pockets the larger part of the money paid to them.
As part of the scheme the remote worker gets a laptop from their western employer. Corporate IT installs all kind of security measures on the laptop, but also grants it means to access internal resources. The scammer can’t ship the laptop to North Korea and use it directly because if that gets detected they will be found out and fired. They also can’t install software based remote access tools because corporate IT might detect those too. So they use a KVM to remotely use the laptop from North Korea and stay on the job as long as they can.
> as if North Koreans breaking into people's apartments is a common occurrence
The scheme does not involve North Koreans breaking into apartments.
> And why did the FBI contact him about this?
Who knows. Jeff seems to have described how to use a particular cheap KVM in the past. Likely this KVM device is used by the scammers. Maybe he has connections to the KVMs manufacturer? Maybe the FBI thought he does?
> I always thought kvm was the Linux kennel virtualization system...
Same abbreviation, but a different thing.
https://en.wikipedia.org/wiki/KVM_switch#KVM_over_IP_(IPKVM)
It sounds like the North Koreans pay 1 person in the US to have a ton of laptops with KVMs attached to them, and those laptops are remotely used by North Koreans.
Not to be confused with Kernel-based virtual machine (also called KVM):
https://en.wikipedia.org/wiki/Kernel-based_Virtual_Machine
It seems they don’t break into someone’s apartment but instead pay someone to stick a kvm connected laptop somewhere in the apartment.
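The laptop-farm arrangement described in the comments above (one paid facilitator in the US keeping a stack of company laptops, each driven over a KVM from abroad) has a network-side footprint even when the endpoint agent sees nothing but a monitor and a USB keyboard/mouse: several unrelated accounts end up behind one residential egress IP, and laptops ship to an address that is not the city the hire gave HR. The script below is an added example and is not code from the article or from any commenter; the record fields, the login export shape and all sample sessions are constructed assumptions standing in for an IdP/VPN login export joined with HR and shipping records.

```python
"""Laptop-farm triage over a constructed login/HR export.

Added example, not code from the article or this thread. The Session
fields and SAMPLE_SESSIONS are assumptions: substitute your own IdP or
VPN concentrator log joined with HR onboarding and asset-shipping data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    employee: str      # account name as seen by the IdP
    claimed_city: str  # home city the hire gave HR at onboarding
    ship_city: str     # city the corporate laptop was actually shipped to
    egress_ip: str     # public source IP of the login (VPN / IdP log)


# Constructed sample: one ordinary remote worker logging in twice from
# home, and four accounts whose laptops all sit behind a single IP and
# all shipped to the same city that none of them claims to live in.
SAMPLE_SESSIONS = [
    Session("a.lee", "Seattle, WA", "Seattle, WA", "198.51.100.10"),
    Session("a.lee", "Seattle, WA", "Seattle, WA", "198.51.100.11"),
    Session("j.anderson", "Austin, TX", "Nashville, TN", "203.0.113.5"),
    Session("k.chen", "Denver, CO", "Nashville, TN", "203.0.113.5"),
    Session("m.smith", "Boston, MA", "Nashville, TN", "203.0.113.5"),
    Session("r.patel", "Miami, FL", "Nashville, TN", "203.0.113.5"),
]


def shared_egress(sessions, min_accounts=3):
    """Egress IPs used by at least `min_accounts` distinct accounts.

    Returns {ip: set_of_accounts}. Many company laptops behind one
    residential address is the signature of a laptop farm; a household
    with two employees should not trip the default threshold.
    """
    by_ip = defaultdict(set)
    for s in sessions:
        by_ip[s.egress_ip].add(s.employee)
    return {ip: accts for ip, accts in by_ip.items() if len(accts) >= min_accounts}


def shipping_mismatches(sessions):
    """Accounts whose laptop shipped to a city other than the one given to HR."""
    return sorted({s.employee for s in sessions if s.ship_city != s.claimed_city})


def shared_ship_city(sessions, min_accounts=3):
    """Cities that received laptops for `min_accounts` or more distinct
    accounts who each claim to live somewhere else: one facilitator
    address reused across hires. Returns {city: set_of_accounts}."""
    by_city = defaultdict(set)
    for s in sessions:
        if s.ship_city != s.claimed_city:
            by_city[s.ship_city].add(s.employee)
    return {c: accts for c, accts in by_city.items() if len(accts) >= min_accounts}


def triage(sessions, min_accounts=3):
    """Combine the heuristics into {account: [reasons]} for review.

    These are leads for an identity re-verification (video call, ID
    check, in-person laptop handover), not proof of anything on their own.
    """
    findings = defaultdict(list)
    for ip, accts in shared_egress(sessions, min_accounts).items():
        for a in accts:
            findings[a].append(f"shares egress IP {ip} with {len(accts) - 1} other accounts")
    for a in shipping_mismatches(sessions):
        findings[a].append("laptop shipped to a city other than the claimed home city")
    for city, accts in shared_ship_city(sessions, min_accounts).items():
        for a in accts:
            findings[a].append(f"laptop shipped to {city}, shared with {len(accts) - 1} other mismatched accounts")
    return dict(findings)


if __name__ == "__main__":
    for account, reasons in sorted(triage(SAMPLE_SESSIONS).items()):
        print(account)
        for r in reasons:
            print("  -", r)
```

On the sample data this flags the four Nashville accounts on all three counts and leaves a.lee alone. Expect false positives from shared corporate VPN egress, carrier-grade NAT and large shared households, so tune `min_accounts` against your own baseline, and treat a hit as a reason to re-run the identity checks discussed above rather than as a finding in itself.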
When I looked at https://www.reddit.com/r/digitalnomad/ a few years ago it didn't seem like any solution really worked reliably.
But if you had a farm of them and one guy maintaining them, rather than sticking it in your parents basement with nobody to maintain it, that might be something different.
Scammers are good at the scam. They are good at telling the right lies, they often work in teams (lead finders, closers, and everything in between), use automation where appropriate, etc.
A single dev might have trouble cracking the lead finding code, the resume code, the interview code, etc. while avoiding telling any lies that will get them fired 3 weeks into the job. But a team who all treat the application process as a full time job? It's a lot easier.
Also when a dev gets good at finding a job, they stop looking. Scammers get good at it and then keep getting better.
My resume is shiny enough and I've gotten hired enough times that I'm a good candidate for this kind of scam.
This feels like a very ham-fisted approach for them though. 99% of engineers are going to ignore or not take seriously these kinds of out of the blue offers.
Their resume goes in front of yours in line.
All the US companies I've worked for made sure I was legit before I could log into anything, so I assume background checks to be ubiquitous there, save for the cheapest companies. European employers on the other hand...
Why do you need to do a hard credit check before you give me an offer? Why do you need to know exactly how much I owe on my credit cards, car, house, how much I'm paying per month, and how much I've made at every job for the past 7 years?
That feels... excessive. And weird. And kind of unfair. Now you know my paycheck, and the paycheck before that, and how desperate I am. Well, there goes negotiations.
To be honest, getting insight and access to a major company's networks and maybe customer data is perhaps the same kind of risk to the company as it is for the government to give someone access to (top) secret files. It might not be so much a negotiating tactic as awareness that more sophisticated spies and criminals than the ones in the OP article are targeting your company.
I think that's partly the point.
Many European employers
- don't or rarely offer remote jobs, so they often don't have this problem.
- even if they do some video or phone interview for pre-screening, they nearly always expect the prospective employee to come to a live interview if they are not weeded out by this pre-screening. It is thus expected that you at least live in a country from where you can easily travel to the place where the employer is located.
- often expect their employees to be able to speak the national language, or at least learn it fast. This also makes times hard for North Korean fake IT workers.
The country is small and hires both immigrants, and people who specifically relocate to start working at the English-only companies, as well as local candidates.
Learning Finnish will obviously make your life easier, in many many ways, but companies themselves do not seem to expect or require it.
I worked for years in an English-language work environment in Denmark (I am not Danish), and learned maybe a handful of phrases of spoken Danish the entire time. I was expected to be able to read the occasional email in Danish, but 1) written Danish is not hard in comparison, and 2) even years ago Google Translate was good enough.
It would have been nice from a social perspective to have known more spoken Danish, but my employer didn’t really care, and it isn’t easy to learn if you don’t have strong local connections. Danes will just immediately switch to English by default, and even if you ask them to continue in Danish, you need a decent level of Danish pronunciation to make yourself understood, which is not trivial to get to.
> I did not speak the language
As I implied: if you are really talented, you don't have to speak the native language yet, but it is expected that you learn it fast.
There are a million reasons why this is a bad idea, but I’m sure they don’t have trouble finding people excited to collect free paychecks.
Great interview, good questions, really solid candidate.
His first day on the job, his English went to shit.
Then he refused to pick up the phone or call me back. Lame excuses about how it’s loud there, then he lost his voice, then scheduled a call with the real “Jeff” the American who couldn’t answer anything about what we had discussed an hour earlier.
Reported to Upwork but I sort of doubt they did much about it.
It was day1 on Slack that the issue was immediately apparent.
There are also different levels of background checks. For instance, previous employment verification can be time consuming so some companies skip it. Checking references isn't useful because they can be faked (you have to run background checks with employment verification on the references to make sure they are who they say they are).
The fact that "fake people" can be employed for high level IT companies in the US is just unfathomable to me.
You also have people who outsource themselves. That’s one of the ways that the people who work multiple jobs pull it off.
that's not a scam - that's the new work smarter, not harder method of earning money.
The situation here is significantly asymmetric: the attacker has to do a lot of work to build a realistic persona but the defense can make that much harder with a few basic checks. It’s been cost-effective in the past because companies were skimping on their hiring and internal security, similar to how the identity theft crisis was mostly a crisis in companies doing due diligence.
If so, I suppose that’s another good reason to ask the question. It filters out both North Korean fakes and people who are going to be doctrinaire about small things.
I would very much appreciate that. I think it would be grand if they could even put that in the job posting right up front. It would help me cross that company off the list of places I would be willing to work. I personally don't want to work at a place that cannot tell whether I am real or fake.
What I think about any country leader is totally irrelevant to tech work. So the company is either 1. Wasting my time with a totally irrelevant question or 2. Their hiring process is so vulnerable, they can’t even tell if a candidate is fake. Neither of those would make me particularly excited about that company.
Feels like the story about disconnecting Chinese gamers from matches automatically by typing "tiananmen square" or the story of the Battle of Siffin with one side putting pages of the Quran on their spears in hopes the enemy wouldn't fight that way. Unclear how accurate the stories are or how effective it may have been but kind of interesting at least.
Inflation.
Of course what little I do know is all negative. But I've paid only limited attention, and I get nothing from primary sources.
I expect the same from practically everyone -- perhaps excepting South Koreans who at least speak the language. I'd consider it good judgment to say that you just can't meaningfully answer the question.
I'd read a statement you hand me, if you thought that would suffice. But I'll admit I'd consider that weird and likely useless.
I am not 100% that North Korea exists. I’m pretty sure, but I can’t KNOW it without going there.
So while dictators are bad, the Kim’s are probably bad, sorry if I don’t go to the deep end repeating everything that someone else taught me.
In the case of North Korea, my excuse is "I haven't put the time into it because it's a small country on the other end of the earth -- nuclear armed, but without effective delivery devices and massively outgunned. I wasn't prepared to give a lot more detail in the context of an interview that isn't about geopolitics. If you want me to research I can."
It's not a false positive. It's a true positive
If the person is so obnoxious as to not be able to give such a silly statement, imagine how they would be fun in your team
https://chatgpt.com/share/687a8963-81e8-8004-b457-432fae79d4...
> … if they offer me a million…
This is exactly like that famous joke! :D “Ma'am, I believe we’ve already established that. At this point, we’re just negotiating.”
It’s kind of like an Abbott and Costello routine. I would never do that! How dare you suggest that. You’re a commie. The scum of the earth. I’m above that. Gimme five bucks I’ll do it right now.
Similar to why email scammers don’t need good grammar: filtering out difficult cases quickly and moving on to easier ones.
In a lot of countries certainly here in Germany your employer has to pay social security contributions and needs your insurance, healthcare information etc. In addition if you're a foreigner you need to know their legal status to see if they can even work. Like what do these scammed companies do, just wire money to some guy they interviewed on social media and ship company property to random addresses? Is that even legal in most places?
One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money. We have entire industries that sell narratives, rationalizing these compromises.
This is exacerbated by the current employment problems. They keep talking about how unemployment is down, but I think we all know folks that are un (or under-) employed, and the difficulties they are having, finding work.
Someone in that state, is fertile ground for money- and job-laundering bad actors. It sucks to punish them, but that is what we need to do, to discourage the practice.
> People will do almost anything, and compromise all their personal values, for money
I think this demonstrates what their ACTUAL values are, or at the very least the priority of those values.
A US person without adequate cashflow is likely to not be able to have food, housing, clothing, medical care, etc. A lack of morals is not what causes people to do anything to make money, it's a lack of money in a capitalist society. Blaming people for systemic problems is incredibly regressive.
The problems are indeed systemic, but it's not just lack of money. The system is constructed around the love of money, such that too much is never enough.
What came first, money or dishonesty?
Otoh, if these positions are independent contractors, form I-9 isn't required. Just a tax id for reporting purposes.
I would imagine whoever is hosting the laptops may be authorized to work in the US and could also be convinced to provide identity documentation. I think there's a lot of borrowing of documentation by immigrants/migrants who are not authorized to work in the US; so there's probably a marketplace somewhere too.
The other problem is liability: companies often tell their employees not to give references for fear of being sued if the employee doesn’t work out, and most companies don’t expect useful information from them unless someone left in a way which has a public record like a court case. The federal checks don’t have that problem because not answering honestly is a crime. You’d need some kind of shield for honest statements for the private sector to really get accurate assessments, and that’s tricky to do in a way which allows the most useful opinions.
https://www.linkedin.com/feed/update/urn:li:activity:7292604...
They are professionals at lying and interviewing. When it’s your job to get jobs and you’re doing it with organized support, you will find something.
They also don’t really care if the job is good or bad. They’re just farming any and all jobs they can get and hanging on to them until they’re pushed out. At many companies, that can take years.
This has been going on since 2018 at least and I have flagged thousands of such applicants.
Just like competition requires 5+ similarly sized entities for a healthy marketplace of companies, my informal opinion is that unions probably similarly shouldn't have overwhelming market share. However my feeling on contracts between unions and corporations is that the contract should be negotiated between multiple companies and multiple unions to produce the most level playing field possible.
I like that software engineering doesnt require/encourage unions, contrary to other big industries.
As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
One great thing about being a dev in the US: you don't need a degree, learn a lot, can apply and get a great job.
I've previously been in a union at a company and the experience did not encourage a competitive working environment. When layoffs came, Jr employees got sacked before more senior union members (not necessarily the best technical staff, just because they worked there a long time).
I have family/friends in unions (non software devs) that have had similar experiences to mine.
We've actually been automating away our job since the beginning of software. Compilers have been a thing for like 80 years now. We've had auto-complete, static analysis, automated testing tools etc. for decades. What about the poor assembly programmers? What about the people who were bit banging serial protocols for a living?
For example, Amazon warehouses are also mostly automated. Still, workers who move boxes around and scan barcodes are the bottom of the totem pole of the operation. They're the people manually making Amazon work. You can't get any lower, otherwise you'd become a machine.
> What about the poor assembly programmers? What about the people who were bit banging serial protocols for a living?
Those jobs are mostly obsolesced, so the totem pole has "moved up", but we're still at the bottom.
You have to ask the question, who is manually making the product and putting it together piece by piece? For factories, it's assembly line workers. For McDonald's, it's the burger flippers and the board worker. For software, it's us.
We have a misconception that since we are educated and relatively well-paid we are not like that. In terms of our business function, what we actually do for products and companies, our roles are of the same type. That's not a bad thing - this can serve as a gentle reminder to curb any delusions of grandeur.
Good luck then.
Can't say I have much sympathy for American devs after what they've done with the place.
And on the other side, you can have a degree and experience and still not get a job due to the wild criteria and games that get played in various interviews.
Most IT work now, whether dev or admin side, is not rocket science. It’s mostly approachable work and no one should settle for being abused by employers for some outdated, ingrained, cultural baggage.
Millions upon millions of people at every income level have experienced working in and around unions and not all of them came away with a positive experience.
These criticisms of unions are always pulled out but then never equally applied to corporations.
Unions, especially failing ones, don't inherently provide any net benefit to society. They may as well be engaged in little more than self-preservation and zero-sum games.
Therefore, I believe unions deserve a different type of scrutiny than corporations.
By itself that's not a meaningful observation.
The disagreement then was “I’ve heard that argument before.” - “ok that doesn’t make it wrong” <— that last sentence is what you’re replying to.
Unions restrict the supply of labor and this results in (price increase) better wages for the union's members. However, overall the total dollar amount transferred from employers to labor goes down (employment decrease), so the "class" of all workers (employed and unemployed) see their per capita wages go down. And if that's not enough, the industry grows more slowly so the problem only gets worse for everyone in the future (trickle down). This is the underlying reason for Europe's lower year over year economic growth compared to the US.
It's not a moral or ethical or even income distribution issue, it's just how markets operate.
Some other ramblings from me.
Management at companies generally don't want to unionize because it generally makes the company less nimble/competitive (it's obvious 99% of management doesn't want to pay more for labor so I don't feel the need to argue that). So yes, if you are lucky enough to be in the union when it gets created, your benefits/salary is negotiated which is cool, less variability in your future, but you'll only get paid if your business manages to continue to out-compete competitors.
A union example of this I had was installing robots in factories (most of the factories were unionized) (to replace some transportation of goods inside giant factories). My team and I would work with factory management/engineers to come up with a plan to automate some process. Before trying to implement it, we would need to give our plans to a union rep for approval/feedback (who wasn't an engineer). So while that factory's competitors didn't have to wait for an additional approval, we would need to wait for a non-technical person's feedback to BEGIN a project; your competitor might be finished with the project before union approval is done.
Common story of the american factory. Company unionizes, slowly becomes less competitive, a while later goes out of business. This is why so many companies resist (legally) unionization, as in some industries it means certain death.
This is true in the same way that it’s true that all democracies turn into the majority oppressing everyone else, or get captured by oligarchs, or vote to raise taxes to fund social until the economy collapses, etc. – which is to say not at all. Unions CAN fail that way but it’s not a given. We shouldn’t give up on a useful tool because it can be failed, we should talk about how to keep it healthy.
For example, I’ve seen the no-degree route you talk about made easier by unions because it forced merit hiring rather than hiring more dudes with social ties from certain colleges. Again, that’s not guaranteed – you’d be forgiven for wondering if the Teamsters were a deep cover operation to discredit the concept of unions – but social institutions aren’t magic: they work to the extent that we make them work.
They are fine, but struggle with remote work in general because fundamentally the leverage the union has is a monopoly on labor, which is compromised by a global labor force.
Or they’re applying as international remote workers, where you wouldn’t expect them to be members of your country’s union anyway.
Widespread union membership with verifications wouldn’t solve anything.
I'm not sure if we are experiencing different processes, or we have different opinions about what kind of time / reward tradeoff is reasonable.
You just need to ask a couple of open-ended questions about the candidate's preferred programming language and/or some technical details of a past project they've worked on to get an idea of whether they are reasonably competent or not. It shouldn't take more than 10-15 minutes to go through. The majority of rest of the meeting can consist of the candidate asking you questions and/or chit-chatting to make sure the vibes aren't off.
What you are trying to judge is whether or not they can do the job, which you can really only tell once they are actually doing the job anyways. So you pay extra attention to what they do for the first couple of days/weeks after you've hired them and if it's obvious things are not going to work out you let them go. Most places have laws that are amenable to hiring someone on an initial trial period before stronger employee protections kick in.
In general, most of the pathologies of the hiring process can be solved by treating it as a satisfier problem instead of an optimizer problem.
I would be interested to explore a "quick hire, quick fire" philosophy, but I'm not sure it would lead to overall greater satisfaction. Employers don't like to fire people and employees don't like to be fired.
Because, let's be real, not a lot of us are writing leetcode type solutions in our shitty web devs jobs where we center a div. So we need to practice, and more importantly, memorize. Companies don't want a solution, they don't even want a good solution, they want one particular solution. That requires memorization.
> It’s typically 2 medium/hard problems solved optimally in 20 minutes each with no errors if I want to beat the competition.
I have also definitely made errors in interviews, and gotten hired. If I had to guess, it is a lot more about how you handle those. (To a degree. E.g., in one question, which was a coding challenge, I could solve it, but I was pretty sure my solution was not efficient. I voiced that, voiced why my gut was thinking it could probably be better, but I didn't ever get the full solution. In another one, I was just asked for past experience; I didn't think I had much to offer, voiced what I did have. I still to this day like the question, because it was a tough question, and the person who asked it really pressed me — in a good way, in that I could see that she took her own role/work seriously — on why I thought I was qualified.)
I've also had a call where me & the interviewer were definitely not connecting, at all. That wasn't going to work out, so nothing was lost?
As an interviewer,
> It’s typically 2 medium/hard problems solved optimally in 20 minutes each
… add 5 min for entry pleasantries and padding, 10 for questions for you at the end, and that's an hour, which is often all the time the recruiter schedules. And honestly, that's usually enough.
I don't ask hard problems. Easy ones sift out candidates. Where I ask coding questions, the first is almost always designed around "can the candidate write a for loop?" and the second is around basic datastructure comprehension. (Can you recognize situations that require a hashtable? a queue? and apply those to the problem.) Often a parsing question. Essentially CS 201, or easier, though I do not care if you know big-oh notation.
Most interviews I've been a part of fit that MO, and I've done interviewing with startups and with FAANG-sized companies.
> each with no errors if I want to beat the competition.
It's not about beating the competition. SWE hiring IME is never zero-sum. Two phenomenal candidates are two hires.
You just need to have a US citizen's SSN and birthday to beat the I-9 verification. And "beat" is a strong word. I-9 is just a form that the employer asks the employees to submit, there's no requirement for the employer to do anything with it.
So you can just say that your SSN is 555-55-5555 and your birthday is 01-01-2001 and you'll "pass" the verification. It'll be detected only when the employer submits the Form-944.
There's E-Verify that requires a picture ID and more information, but it's not mandatory.
You’d lose out on people who don’t live near an interview center and potentially have legal issues if people had disabilities that impacted their ability to travel to an interview center but not their ability to do the job.
Not sure if it's feasible, but it's definitely something to consider.
It's a very profound statement (perhaps unintentionally so). Most of us wouldn't even be doing the work we do if we did not have to pay ransom money to our rulers. And then there are unwanted children and all of that...
I also don't hold people's place of birth against them, but there are some very reasonable limits to that.
You don’t understand. These people are working for the state.
They’re not getting nice remote jobs to support their families. Infiltrating these companies is their job from the state of North Korea.
If North Korea is just as bad, at least they're smart enough to not let me see evidence that invades my dreams.
You can easily dress that up as an onboarding thing and would solve this, no?
But, yes, this will likely change that. In person interviews and onboarding will probably become the norm with fully remote teams as more companies become aware of the risks.
Also there is a good reason not to make week 1 in person. You reduce your access to talent. I know we are in the everyone RTO and do 100hrs a week part of the business cycle. But still.
But it does reduce your pool anyway and access to cheaper and /or better people.
Many of them would have said no to in-person interviews.
… I don't think candidates are going to turn down a company in droves for an initial 1 week onsite. You make it sound like you're losing access to all remotes.
100 people. Working full time. Cannot take leave at last minute (or may not have it to take). Average distance to your office 1000 miles.
How many will come to your on-site.
You're misinterpreting the thread. The context here is that the candidate is post-hire (…candidate is perhaps a poor word, but in the context of TFA, it makes more sense), so they're employed by the same company they're visiting.
I.e., the suggestion here is that Person A's employer E flies A out to E's headquarters to work for ~1 week.
Then you meet them in person, and can visually see they're not some fraudster in NK.
I.e., you start in-person, and transition to remote after 1wk.
I mean, airlines do it for pilots. How much of a hit to compensation would that be for software developers? Less than 5% for the first year?
It might work for grads or people out of work if it is well paid, e.g. at least pro rata of the target salary. But that's a subset, so if the employer chooses this they narrow their pool.
Yes, but you'll have people making all kinds of excuses and how they only eat from this specific place that delivers on DoorDash and etc etc
(but honestly I think this would be an improvement)
So, if you stretch the period, the employment simply starts later.
For many scammers (not North Korean specifically) it’s just one big game of collecting as many paychecks from as many companies as you can until they fire you.
For some multi-job people, the game is to continuously apply to companies and then let any company that is paying attention fire them after 1-3 months. Repeat long enough and you might find your way into a couple companies where your demands are so low that you can do all the jobs in a couple hours per day because your managers are so checked out that they don’t care. Ride this until the company lays off the whole underperforming team, then find the next jobs.
They'll soon twig if that's not the person who's getting called into a quick meeting in 5 minutes to discuss some new issue.
https://www.socure.com/blog/hiring-the-enemy-employment-frau...
https://www.paulgraham.com/submarine.html
Uhh... I have news for you: https://www.fbi.gov/wanted/cyber/dprk-it-workers
Slovenia issues personal certificates so you can identify yourself online. Mostly used for banking and e-gov. The commercial space has decided it’s too cumbersome.
Fantastic idea. Started rolling out when I was in college some 15 years ago. You go to the same place that issues your govt ID and you can also get the equivalent of an SSH cert issued by the government that guarantees you are you, your identity was verified at point of issuance, etc.
Unfortunately it’s about as fiddly to use as SSH. Okay for nerds, way cumbersome for normal humans who just want to log into their bank and pay their taxes damn it. Last I remember (moved to USA ~10 years ago) getting their e-signing browser widgets/extensions to work reliably on non-windows machines was hell. Most Mac/Linux users ran a whole VMWare VM just to do taxes once a year.
Even for employment I find the idea iffy, but seeing as it's in response to an actual non-imagined problem, I suppose it's the most reasonable solution to that...
[1] https://www.e-verify.gov/
E-verify is only for US residents, and depends on the employer interacting in person with the prospective employee.
Its primary goal is to check that someone is a legal resident, so it has no bearing on hiring remote foreign workers.
Would it help if I could query some IRS service to check what paychecks have been sent to me? Does this have a delay of a quarter year or more?
How do these people avoid getting the people they impersonated and or scammed in trouble with the IRS?
I would guess many (most?) of the places with this problem are actually fine with people that aren't living in the US; just not in North Korea.
Why this is being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
Also, we need steps towards reducing the possible tools that fake workers could leverage. These steps would put a strain on some recent technological developments. A strange and wild paradox.
I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
And in the process of confirming that this was fishy, I contacted one of the past employers he claimed after doing my best to confirm _they_ weren't in any way part of the scam. They confirmed he had never worked there. I sent them his LinkedIn and portfolio site in case they wanted to chase down getting their name removed.
They told me that this was super concerning because the screenshots in his portfolio of the app he worked on for them were real screenshots... for an unreleased app that was only available internally and had never even been demoed for clients.
They'd already been breached and had god knows what exfiltrated. They found out because we caught an attempt to get hired at _our_ company and let them know.
Nobody outside of a couple of technical staff at our company had even _heard_ of this. Nobody at the other company had. The fix, to me, seems to be making people involved in hiring more aware of this. If anything, it seems we should be talking about this _more_ and _more publicly_.
Forgive my frankness, but these worries about infiltrators have priority in important, large companies. I am very sure agencies responsible for this can contact these handful of important companies directly.
So, you're right. In the current age we live in, no one cares about your small SaaS company, and you're being used to spread unnecessary paranoia and fear.
We're in a niche, extremely boring industry. We have an extremely small client base. We do line-of-business/sales management applications for something akin to like... light switches and light fixtures. The most exclusive thing we have access to is wholesale pricing from manufacturers. We don't handle payments. The extent of PII we handle is "name and email" from when someone emails out a quote.
We are the epitome of uninteresting to a foreign actor. Being "uninteresting" apparently does not disqualify you.
We also do not hire overseas (the applicant claimed to be from California) and offer a good US wage. We weren't targeted or vulnerable because we were being "greedy".
If you had to hire workers in office, would you have space and infrastructure for all of them?
From my perspective, this would solve the issue. Unless you're worried about in-person north korea spies.
I don't know man, seems like you're living in some cold war mind trap or something.
I think this kind of idea is stupid.
It's not just espionage. They need US dollars to pay for smugglers.
It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
Keep focused. Small companies never mattered for nations, they are irrelevant. Spreading paranoia will not solve their over-reliance on this exploited offshore problem. It will likely lead them to bankruptcy.
Ultimately, it doesn't invalidate what I said. It actually makes my comment more relevant.
It's not offshore. Infiltrators are pretending that they're in the US. I first saw this 2 years ago, and they were pretty clumsy back then: always blurred background (and refusing to unblur it) and/or doing calls from a windowless office. You could even see their eyes moving, like they're reading the script.
This year they became much fancier. They use backgrounds with the real time-of-day and weather illumination. The eyes no longer move unnaturally, etc.
Remote working is in the same vein as offshoring. One enables the other, they're co-dependent. Both are based on greed. In the case of remote working, it is avoiding having offices, avoiding paying certain kinds of insurance, etc.
You are also re-inforcing my original conclusion that what enables these workers is the very same tech that companies are investing on.
Again, greed meets greed.
Now it's too late. IT companies will not survive a full return to office, and they won't survive remote working as well.
The very idea that someone could be using technology to fake an identity was unthinkable. Now that it is not, there's really no place safe.
If a crisis occurs, and the US president goes to Air Force One, transmits from there, how could you be sure he's not a North Korean infiltrator? You can't.
I think there are still ways out of this, but we're reaching an inflection point that will be hard to overcome.
---
Your commentary seems to provide a valid point of view, and although you disagree, you reinforce my main point.
No, they're not.
> You are also reinforcing my original conclusion that what enables these workers is the very same tech that companies are investing in.
We should get rid of electricity, then.
> If a crisis occurs, and the US president goes to Air Force One, transmits from there, how could you be sure he's not a North Korean infiltrator? You can't.
Now you're really reaching.
Pathetic.
I'm in a similar situation. The HR leads company is trying to filter out the fakes, but they can't catch everyone.
Apparently, the infiltrators specifically target the companies in the 10-50 people range. In smaller companies everybody knows what everybody else is doing, so infiltrators will be swiftly uncovered. And larger companies typically have a well-established HR department that will catch obvious fakes without good cover.
But these mid-range companies provide the best chance for the fakes to get at least a couple of paychecks before being uncovered. And they likely won't bother with going to the FBI to chase down the payments.
>And they likely won't bother
Thank you for your insight. Unfortunate! The rationale makes sense—the temptation to sweep under the rug—but doesn’t make it right, which as established we both know.
…you can perhaps tell I was frustrated with what seemed to be an argument against actually taking this course of action; hope replying here is better than arguing directly downthread esp. in case I misunderstood something
I strongly recommend going to official authorities if you believe you're being duped by a foreign nation spy or conspirator.
If they ignore you, it's more likely that you're not that important, like I said previously.
I'm not saying "shouldn't". It's more likely "don't bother".
Interacting with law enforcement takes executives' time, it might bring in complications (legal liability for personal data leaks, etc.), and even in the best case the company is not going to get their money back.
No, you should bother. You should bother a lot. Get in contact with the FBI, make a huge deal about it. You think one company can handle a spy agency? That's bad advice.
My argument was to inform high value targets first, since they are more at risk and capable of developing a fix.
I also argued for slowing down the development of technology that can help infiltrators.
Go back, read the discussion, see how far you are from the simple truth. Someone is making IT companies paranoid, either on purpose or by mistake. Probably, by greed or as a consequence to it.
In such cases, you only share the sensitive vulnerability publicly once there is a fix. For this case, there seems to be no fix.
One could think of it as a way to promote more scrutinized hiring processes, but it actually encourages widespread paranoia and fear.
It seems your analogy is valid, but the conclusion is that it supports what I said.
One key component for this scheme to work is to have local US persons act as intermediaries. While some may already know something shady is going on, and be complicit, some might not understand the entire scope of what they're being part of. Publicly discussing it might encourage some people to come forward / avoid being involved in the future.
Imagine a non technical person being told they're helping run an "edge data center, close to the users. Running our laptops helps Netflix/facebook/etc (insert big tech name of your choice) run faster for you and your neighbors and well pay you to do it."
Easy to imagine a non technical person buying that lie.
Can you please explain it better?
I'm sure many, many countries have botnets. I have a bunch of those countries which I consider irresponsible and reckless on my radar, not only North Korea.
They've already arrested some people involved in this, they have devices as evidence. It's pretty well documented at this point.
Reality is much simpler though. Greed, I already said it. Typical human defects.
It seems that you are not comprehending who needs to come forward. Entire industries, entire parties. They simply won't, they would rather see the world burn than admit such mistakes. It has happened before.
Telling your grandma she has a virus only makes her become afraid, she won't magically gain the ability to identify it. That's my whole reasoning here. It makes things worse.
For example, in Australia, it seems like at least 8/10 software engineers are foreign-born. Most of those are probably genuine (not from intelligence agencies) but Australia has such a tiny native population of engineers compared to that of most foreign countries in its vicinity that it wouldn't be difficult for a country like China or India to overwhelm our tech industry with a few highly-placed workers in order to gain political leverage. I was thinking that there might be more software engineers working for Indian and Chinese intelligence agencies in the world than there are native-born software engineers in Australia (of all kinds). It's a numbers game.
North Korea seems like the tip of the iceberg there though it is an easy example to talk about because everyone understands how the North Korean government operates and everyone agrees about the threat they pose compared to more subtle threats from other countries which aren't seen as opponents (at least not to the same extent).
But also, consider a company like Facebook which hires maybe 20K or so software devs. A country like India which has a large number of software developers, if it wanted, could easily put together a task force to infiltrate and take over Facebook in a focused decade-long effort if that was its intent. They almost certainly do have some people inside every major tech company right now.
If a group can have a few highly placed people inside a target company, they could then recruit more of their group into the company and start promoting their own until they have full control over the critical systems. It's a weakness of our current highly centralized tech sector.
Something else that could happen is a foreign intelligence agency could wait for people to get promoted naturally and then reach out to dual-nationals which they have leverage over (e.g. because of family members or assets owned in the foreign country) and then use that to demand favors. Then they could help coordinate the engineers to recruit more of their own to achieve even more control. Different groups would form factions within the target company and every normal employee would be unwittingly pushed out because anyone trying to 'improve or simplify things' would be seen as a threat to various nefarious agendas which rely on complexity to hide backdoors or algorithm exploits.
Imagine how valuable it would be if you could hijack Google's search algorithm or Facebook's recommendation engines to prioritize your group's businesses and/or agendas.
Isn't the critique of Indian managers that they favor Indian people?
Sounds like my IRL value just keeps going up.
Still, I agree that's pretty suspicious. However, they didn't offer any proof whatsoever these guys are from North Korea or any motivation for why they would be doing this from North Korea. So, that sounds like potential U.S. propaganda.
They said they worked with the FBI, which honestly is a red flag for that kind of thing. Rather, if a company states without proof they're from NK, it's very likely BS. If the feds say it's North Korea without proof, it's definitely BS (they have resources to prove it!). If the Feds say it and provide proof, then we can talk about the proof.
This is only possible in the scale we see today, because of the infrastructure built to support off-shore and remote work.
Direct impact: Outsourcing breeds a culture of unverified and verified-just-once remote work.
Indirect impact: Outsourcing is a cost-driven effort where after a certain level of competence, the bottom-line is the only measurable metric that matters so it’s a race to the bottom with patchwork efforts to “fix” issues like OP.
Making domestic options cost-equivalent with punitive outcomes for hiring NK workers.
Otherwise, I stand by my argument. The support infrastructure we built to support remote work and offshore teams have made this an easy attack channel.
Or perhaps, off-shoring support and infrastructure is what enabled and made-normal this sort of remote interviewing and work in the first place.
the companies located here should only hire here
> Chief among these disconnects were "shallow" LinkedIn profiles paired with "beefy resumes," she explained, citing job-seeker claims of working at Meta, attending Ivy League schools, developing major tech companies' flagship products … but then only having 25 LinkedIn connections.
LinkedIn is not the end-all be-all of résumés, and my coworkers have wildly varying numbers of connections.
> "We've certainly seen applicants that fit into this category with various IOCs [indicators of compromise] that we've shared with partners and peers," Snowflake CISO Brad Jones told The Register.
This is an abuse of the technical term IoC to try and dress up what amounts to "my gut hunch".
> Once the recruitment team began meeting via video conferences with some of the applicants, they noted extremely Western-sounding names, like James Anderson, paired with East Asian appearances and accented English, in much higher numbers than they expected.
That's just discriminatory.
> "You can't profile people, […] *But*
sigh
> The fraudster's answers weren't word-for-word ChatGPT, Little noted. "These people are smart, they're not unskilled, they're sophisticated," she said.
… no, that's because that's not how LLMs work.
> routing everything through a VPN
I'm not even sure how you would know this about a candidate.
> These IOCs, or indicators of compromise, include email addresses, physical addresses, and phone numbers that have been flagged as associated with non-legitimate candidates.
This is begging the question: the candidate is suss because they're suss. What makes the email address et al. "flagged"?
> The final step is always an in-person interview.
I mean … if you're not doing that, then … okay, I see how the scammers got to you.
> "We require people to come to the office to pick up their computer," Robinson said as an example.
I mean, if you pay for the plane tickets, the hotels, the taxis, the meals, and the time, sure, I guess.
If this is truly a problem — and maybe it is — the Register's reporting is so unspecific that it leaves us with no details of how we might tell, what to look out for (in ways that don't run afoul of racial discrimination, or seen elsewhere in the comments, political discrimination). It leaves me thinking this is an ad designed to leave me going "I'd have to hire a company that specializes in this to know if I'm being affected by it."
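The two questions raised above (how you would know a candidate is "routing everything through a VPN", and what makes an email address or phone number "flagged") have concrete answers once the indicators are actual values rather than hunches. The block below is an added example and is not code from the article, The Register, or any company quoted in it; every indicator, address range, applicant record and log line in it is constructed for illustration, and the hosting prefixes stand in for ASN data a company would already license. It normalizes applicant contact details before matching them against a peer-shared indicator list (so plus-addressing or phone formatting does not dodge the match) and checks the interview platform's session log for source addresses that fall inside hosting or VPN provider ranges.

```python
"""Added example, not from the thread or the article: screen applicant records
against peer-shared indicators and against hosting/VPN source-address ranges.
All indicators, prefixes, applicants and log lines below are constructed."""
import ipaddress
import re

# Constructed: indicator values a peer company shared (hypothetical).
SHARED_IOCS = {
    "email": {"james.anderson.dev.1987@example.com"},
    "phone": {"+15555550123"},
}

# Constructed: prefixes documented as hosting/VPN provider space (hypothetical;
# RFC 5737 test ranges stand in for real ASN data).
HOSTING_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed interview-platform session log: one line per join event.
SESSION_LOG = """\
2025-07-01T14:02:11Z candidate=a1 ip=203.0.113.45 client=web
2025-07-02T15:30:02Z candidate=a1 ip=203.0.113.77 client=web
2025-07-01T09:15:40Z candidate=b2 ip=192.0.2.10 client=web
2025-07-03T09:16:01Z candidate=b2 ip=192.0.2.10 client=web
2025-07-03T16:00:00Z candidate=c3 ip=198.51.100.9 client=web
2025-07-03T17:30:00Z candidate=c3 ip=192.0.2.200 client=web
"""

# Constructed applicant records as entered on the application form.
APPLICANTS = [
    {"id": "a1", "email": "James.Anderson.Dev.1987+jobs@Example.com", "phone": "(555) 555-0123"},
    {"id": "b2", "email": "b@example.org", "phone": "+1 555 555 0199"},
    {"id": "c3", "email": "c@example.net", "phone": "555-555-0177"},
]

LOG_RE = re.compile(r"^(?P<ts>\S+) candidate=(?P<cand>\S+) ip=(?P<ip>\S+)")


def normalize_email(raw):
    """Lower-case and drop a '+tag' from the local part so plus-addressing
    variants of a flagged address still match the shared indicator."""
    local, _, domain = raw.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def normalize_phone(raw):
    """Keep digits only and assume a US number when 10 digits are given
    (assumption: the form is US-only, as in the thread)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def parse_sessions(log):
    """Map candidate id -> list of source addresses seen on interview joins."""
    sessions = {}
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not join events
        sessions.setdefault(m["cand"], []).append(ipaddress.ip_address(m["ip"]))
    return sessions


def hosting_ratio(ips):
    """Fraction of source addresses inside a hosting/VPN prefix."""
    hits = sum(any(ip in net for net in HOSTING_PREFIXES) for ip in ips)
    return hits / len(ips)


def screen(applicant, sessions):
    """Return finding codes for one applicant; an empty list means nothing matched."""
    findings = []
    if normalize_email(applicant["email"]) in SHARED_IOCS["email"]:
        findings.append("ioc:email")
    if normalize_phone(applicant["phone"]) in SHARED_IOCS["phone"]:
        findings.append("ioc:phone")
    ips = sessions.get(applicant["id"], [])
    if ips:
        ratio = hosting_ratio(ips)
        if ratio == 1.0:
            findings.append("net:all-sessions-hosting")  # never seen from a residential address
        elif ratio > 0:
            findings.append("net:some-sessions-hosting")  # weaker: mixed, could be an ordinary VPN user
    return findings


def screen_all():
    sessions = parse_sessions(SESSION_LOG)
    return {a["id"]: screen(a, sessions) for a in APPLICANTS}


if __name__ == "__main__":
    for cand, findings in screen_all().items():
        print(cand, findings or "clean")
```

A hosting-range hit on its own proves nothing: plenty of legitimate candidates run a commercial VPN, so the network signal is only worth acting on when every session comes from provider space and it lines up with a concrete indicator shared by a peer, not with an impression formed on a video call.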
So, let’s think about this logically. There is no baseline of candidate identification or competence in software and the jobs pay very well in physically comfortable conditions. It makes sense that unqualified liars would apply for these positions. Why shouldn’t they? I am honestly curious how far the fraud and incompetence can go and devalue the industry before someone cares enough to tackle the problem.
At the very least, make your remote candidate show up in person for their onboarding. A plane ticket and a few days of accommodation and meals is cheap in the grand scheme of things, and giving the opportunity to meet their team is good relationship building.
Sight their ID before you issue them with an account, give them a laptop etc.
They do. That is clearly not enough.
The candidate sends in fake or stolen documents where the picture on the drivers license doesn’t even vaguely resemble the person who appeared on Zoom.
When you have an applicant who says they were born in Tennessee and that they’ve apparently lived in the U.S. for their whole life, you would normally expect them to speak English with native proficiency and at least have an American-sounding accent.
If they say they live in, say, Seattle, you’d expect they could carry on at least a basic conversation about their local area.
Even this basic level of attention to detail nonetheless escapes many HR departments and hiring managers.
When I was working at $LargeCompany, we were encouraged to NOT engage in small talk with applicants beyond the regular politeness. It's too easy to ask questions that would open the company to discrimination lawsuits.
If your explanation is that the license grantor will verify that the applicant is a resident of a Western country, then the employer can just do the same verification of job applicants, dispensing with the need for the occupational license.
For most of the West, this is an extremely difficult bar to clear for a North Korean national working out of China.
I guess the main problem is, if you are a company with bad management structure, and you see your new coworker has really weird patterns, inconsistencies in their talking, why would you tell the manager about it? You can just mind your own business. It was them who hired them after all.
Edit: If you don’t know what licensing is why are you replying to a comment about it? Most of the comments here read like this and it’s really weird.
nice
Consider also the author: it's written by an actual journalist/editor with a large body of pre-existing work in the field, and many of the claims written are backed up by quotes from a named source. It's not like they're writing all this and hiding it behind the weasel phrase 'according to a source close to the matter'.
The Register too is actually UK founded, so it's not even American.
Your reaction is just so typical of people nowadays - just assume it's all 'made up' without any effort in debunking or picking apart any specific claims.
Justice Department Announces Coordinated, Nationwide Actions to Combat North Korean Remote Information Technology Workers’ Illicit Revenue Generation Schemes (justice.gov)
https://www.justice.gov/opa/pr/justice-department-announces-...
(12 days ago) https://news.ycombinator.com/item?id=44431853
Only seven countries are currently participating in the embargo and sanction of North Korea (at the behest of the United States).
I think it is astounding - staggering - to point the finger here at the USA.
If you were not a long term, serious poster, I would think you were a fake account.
If you have 2 candidates and one is from, let's say, the Czech Republic and the other one from the 3rd world then it's fully on you for getting screwed over.
I have to hand it to North Korea on the inventive revenue streams. This is a country under sanctions for decades that has developed some of the most clever IT scams for siphoning money from the west. Between this and the Lazarus group the country has brought in Fortune 500 company kinds of money to keep itself afloat.
Here's how to actually stop it: stop weaponizing poverty to beat a Cold War-era dead horse, and end the damn sanctions.
Of course lifting the sanctions won't also end all spycraft, or ensure an end to geopolitical conflict. Those aren't things I have claimed or would claim.
And the primary reason to end such sanctions is not any benefit to imperialist nations but because of the fact that they inflict misery on ordinary people indefinitely and (not essential, but adding insult to injury) uselessly.
Pyongyang was making its people miserable before there were sanctions. America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
Whether or not we approve of Pyongyang is completely irrelevant to every point I've made. The questions are (a) whether the sanctions have had a material negative effect on the North Korean people, and (b) what they have accomplished. The answers are "yes" and "nothing of any use", neither of which is controversial. And our fixation with North Korea and the evil we wrought there obviously doesn't begin with sanctions but with millions of tons of bombs, tens of thousands of tons of napalm on arable land, or the destruction of the People's Republic of Korea (not the DPRK), a functioning government that existed in both the North and South before the US invaded (literally reinstating colonial Japanese governors as officials).
> America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
The US was directly involved in the division of Korea even before all that. Frankly, your entire comment has been not only extremely handwave-y but deeply dishonest.
But this pov isn’t always rooted in pragmatism. Free market ideologues also think that free markets will bring world peace.
Anyone with internet access in NK is working at the behest of the government.