A crafty developer reportedly figured out how to get paid to sit and watch cat videos for a good chunk of the day.
It's a story almost too good to be true -- and one which has an almost uncanny resemblance to this fake news story run by The Onion. But according to Verizon's Security Blog, a U.S. developer actually did find a way to fool everyone at his company into thinking he was working, while in fact outsourcing his entire job to China.
Andrew Valentine wrote up the case study for Verizon, and the story apparently caused such a furor it temporarily crashed the Verizon servers.
Citing the study, the BBC notes the ingenious scam came to light after the employee's company asked for an audit to investigate "anomalous activity on its virtual private network (VPN) logs" that pointed to an active VPN connection between Shenyang, China, and the employee's workstation that appeared to be operational for months.
Valentine went so far as to profile the employee, who is not named in the report, and who was spending less than "one fifth of his six-figure salary" on the outsourcing:
Mid-40’s software developer versed in C, C++, perl, java, Ruby, php, python, etc. Relatively long tenure with the company, family man, inoffensive and quiet. Someone you wouldn’t look at twice in an elevator.
A check of the employee's web browsing history revealed an average schedule. According to the case study, the worker's day looked like this:
9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos
11:30 a.m. – Take lunch
1:00 p.m. – Ebay time.
2:00-ish p.m. – Facebook updates – LinkedIn
4:30 p.m. – End of day update e-mail to management.
5:00 p.m. – Go home
According to The Register, the employee no longer works for the company that ordered the audit. (As Gizmodo's Jamie Condliffe quipped, "Looks like he'll be spending more time on LinkedIn from now on.")
Help Net Security reached out to Nick Cavalancia, a vice president at SpectorSoft, to gather information on how companies may work to prevent similar schemes.
"We have yet to see what impact this incident will have, but providing programming code used to run critical national infrastructure providers' systems to off-shore firms seems dangerous at best," Cavalancia said. "What many organizations fail to understand is that with proactive monitoring that can alert IT security teams when unacceptable online behaviors occur, this type of activity can be thwarted before it becomes an incident."