> As US-based companies become more aware of the fake IT worker problem, the job seekers are increasingly targeting European employers, too.
All the US companies I've worked for made sure I was legit before I could log into anything, so I assume background checks to be ubiquitous there, save for the cheapest companies. European employers on the other hand...
- don't or rarely offer remote jobs, so they often don't have this problem.
- even if they do some video or phone interview for pre-screening, they nearly always expect the prospective employee to come to a live interview if they are not weeded out by this pre-screening. It is thus expected that you at least live in a country from where you can easily travel to the place where the employer is located.
- expect their employees to be able to speak the national language, or at least learn it fast. This also makes times hard for North Korean fake IT workers.
Jeff Geerling recently discussed being contacted by the FBI to learn more about miniature KVMs, one of the devices North Korean fake IT workers use to appear to be coming from other countries: https://www.youtube.com/watch?v=Lc2hB2AwHso
In this case, the KVMs are plugged into multiple laptops being run in people's basement/spare bedroom, it seems. Someone will earn a set amount per laptop per month to accept a company-supplied laptop (from a US company), then plug in one of these little KVMs to give a remote worker access without as much ease of detection.
So the main difference over more typical remote desktop methods is that it pretends to be a physical display and keyboard to fool the PC it's remoting into if it's overly locked down?
Feels like there's otherwise a hundred different ways to already do remote control without any extra hardware.
All the alternatives have a risk of setting off D&R tripwires. Assuming these things can spoof their device IDs so they look like a Logitech keyboard etc, I think the cost of the hardware setup is gonna easily pay for itself in terms of harder detection.
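The comment above assumes such a device can spoof its identifiers to look like an ordinary keyboard. As an added example (not from the thread), the following check compares the manufacturer string a USB HID device reports against the vendor its USB vendor ID is registered to, flags input devices that identify with a generic Linux gadget-stack VID, and flags input devices that first appeared after the laptop was provisioned. The inventory records, the host names, the provisioning dates and the small vendor table are constructed sample data; a real deployment would feed it from an endpoint agent and the full USB-IF vendor list.

```python
"""Flag USB input devices in an endpoint inventory that deserve a look."""
from dataclasses import dataclass
from datetime import datetime

# Subset of USB-IF vendor ID assignments (VID -> registered vendor name).
# 0x046d is Logitech, 0x05ac is Apple, 0x1d6b is the Linux Foundation, the
# default VID used by Linux USB gadget configurations (which many small
# KVM-style boards build on). A real check would load the whole list.
KNOWN_VENDORS = {
    0x046D: "logitech",
    0x05AC: "apple",
    0x1D6B: "linux foundation",
}

# VIDs that belong to a software gadget stack rather than a peripheral maker.
GADGET_VIDS = {0x1D6B}

HID_CLASS = 0x03  # USB device class for keyboards and mice


@dataclass
class UsbDevice:
    host: str
    vid: int
    pid: int
    manufacturer: str   # string descriptor the device reports about itself
    product: str
    device_class: int
    first_seen: datetime


def vendor_mismatch(dev):
    """True if the reported manufacturer string contradicts the VID owner."""
    registered = KNOWN_VENDORS.get(dev.vid)
    if registered is None:
        return False  # unknown VID: cannot judge here, reported separately
    return registered not in dev.manufacturer.lower()


def flag_devices(devices, provisioned):
    """Return (host, reason) tuples for HID devices worth reviewing.

    provisioned maps host name -> datetime the laptop was imaged/shipped.
    Hosts without a provisioning date skip the timing rule.
    """
    findings = []
    for dev in devices:
        if dev.device_class != HID_CLASS:
            continue  # hubs, storage, etc. are out of scope for this check
        if vendor_mismatch(dev):
            findings.append((dev.host, f"manufacturer '{dev.manufacturer}' "
                                       f"does not match VID {dev.vid:04x}"))
        elif dev.vid not in KNOWN_VENDORS:
            findings.append((dev.host, f"unknown VID {dev.vid:04x} on HID "
                                       f"device '{dev.product}'"))
        if dev.vid in GADGET_VIDS:
            findings.append((dev.host, f"HID device '{dev.product}' uses a "
                                       f"gadget-stack VID (emulated input?)"))
        if dev.first_seen > provisioned.get(dev.host, dev.first_seen):
            findings.append((dev.host, f"HID device '{dev.product}' first "
                                       f"seen after provisioning"))
    return findings


# Constructed sample data (hypothetical hosts, dates and devices).
PROVISIONED = {
    "lt-0042": datetime(2025, 3, 1),
    "lt-0043": datetime(2025, 3, 1),
}

SAMPLE_INVENTORY = [
    # Benign: Logitech receiver present at imaging time.
    UsbDevice("lt-0042", 0x046D, 0xC52B, "Logitech", "USB Receiver",
              HID_CLASS, datetime(2025, 2, 28)),
    # Benign: root hub carries the Linux Foundation VID but is not HID.
    UsbDevice("lt-0042", 0x1D6B, 0x0002, "Linux Foundation", "2.0 root hub",
              0x09, datetime(2025, 2, 28)),
    # Suspicious: claims a Logitech VID but reports a generic manufacturer,
    # and showed up weeks after the laptop shipped.
    UsbDevice("lt-0043", 0x046D, 0xC31C, "Generic", "USB Keyboard",
              HID_CLASS, datetime(2025, 4, 10)),
    # Suspicious: keyboard identifying as a Linux gadget, seen after shipping.
    UsbDevice("lt-0043", 0x1D6B, 0x0104, "Linux Foundation",
              "Multifunction Composite Gadget", HID_CLASS,
              datetime(2025, 4, 10)),
]


def run_sample():
    """Run the check over the constructed inventory."""
    return flag_devices(SAMPLE_INVENTORY, PROVISIONED)


if __name__ == "__main__":
    for host, reason in run_sample():
        print(f"{host}: {reason}")
```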
You can. Just like everyone can use a good password. Yet many don't.
Also there is a good reason not to make week 1 in person. You reduce your access to talent. I know we are in the everyone RTO and do 100hrs a week part of the business cycle. But still.
Not really. You need a visa (or equivalent) to enter most countries. This can take months to apply for and receive. And you can stretch that period out even longer by claiming that you don't have a passport and need to apply for one first.
In Germany, if a company wants to hire some talent from a foreign country, this problem is solved by the general rule "The employment starts as soon as the visa problems have been resolved, and you are in Germany." Big companies often have a department that helps with visa problems.
So, if you stretch the period, the employment simply starts later.
North Korea would never, in a million billion years, either accept peace, or actually honour it. NK is a hideously oppressive, violent dictatorship, which would invade SK in a microsecond if it thought it could get away with it.
I think it astounding - staggering - to point the finger here at USA.
If you were not a long term, serious poster, I would think you were a fake account.
They convinced Ukraine to give up their nukes, promising that they'd be safe. I don't think there's any chance of convincing North Korea to follow the same path.
No, one side declaring the end to a war does not end that war, this is one of the worst foreign policy takes I've ever heard. The NK regime is secure because of the war, they will poison pill any negotiation by demanding South Korea become part of the north.
I’d be shocked if that was still true after the first time someone tried it. If you’re running an undercover operation, you’re going to give your agents backing to say whatever they need to say to maintain their cover.
If someone asked me to criticize KJU, that would be the end of the conversation. I criticize people on my own or not at all. I suppose I would become a false positive.
I would never allow any potential client to ask me ANY political questions. Not because I like any political figure but because I am trying not to encourage fucking thought control. I hope we are not in Nazi Germany yet. It is just simply not their fucking business. On the other hand, if they offer me a million in cold hard cash just for that, I would tell them anything they want to hear.
I don't consider myself to know enough to criticize.
Of course what little I do know is all negative. But I've paid only limited attention, and I get nothing from primary sources.
I expect the same from practically everyone -- perhaps excepting South Koreans who at least speak the language. I'd consider it good judgment to say that you just can't meaningfully answer the question.
I'd read a statement you hand me, if you thought that would suffice. But I'll admit I'd consider that weird and likely useless.
Even with the context of knowing the fake worker problem?
If so, I suppose that’s another good reason to ask the question. It filters out both North Korean fakes and people who are going to be doctrinaire about small things.
It was 2 min of hate ;) and this clearly isn't the same as trying to rile people up; it's a thin attempt to get people to self report if they are lying with some sort of higher level "gotcha".
Feels like the story about disconnecting Chinese gamers from matches automatically by typing "tiananmen square" or the story of the Battle of Siffin with one side putting pages of the Quran on their spears in hopes the enemy wouldn't fight that way. Unclear how accurate the stories are or how effective it may have been, but kind of interesting at least.
Something is amiss here...Developers make hundreds of applications to even get a reply much less an interview...While apparently, barely English literate North Korean IT workers are getting all the jobs :-) Time to praise the Supreme Leader on LinkedIn ?
I have gotten multiple emails from wonky email addresses offering to have me interview for jobs and they will take care of the work if I get hired. Fake names, tons of money for me. I just have to nail the interview.
My resume is shiny enough and I've gotten hired enough times that I'm a good candidate for this kind of scam.
This feels like a very ham-fisted approach for them though. 99% of engineers are going to ignore or not take seriously these kinds of out-of-the-blue offers.
> If only governments could provide a very simple “check identity” service online. I think this should be a basic service nowadays.
Slovenia issues personal certificates so you can identify yourself online. Mostly used for banking and e-gov. The commercial space has decided it’s too cumbersome.
Fantastic idea. Started rolling out when I was in college some 15 years ago. You go to the same place that issues your govt ID and you can also get the equivalent of an SSH cert issued by the government that guarantees you are you, your identity was verified at point of issuance, etc.
Unfortunately it’s about as fiddly to use as SSH. Okay for nerds, way cumbersome for normal humans who just want to log into their bank and pay their taxes damn it. Last I remember (moved to USA ~10 years ago) getting their e-signing browser widgets/extensions to work reliably on non-windows machines was hell. Most Mac/Linux users ran a whole VMWare VM just to do taxes once a year.
Imagine if you had to provide your government ID to use any website.
Even for employment I find the idea iffy, but seeing as it's in response to an actual non-imagined problem, I suppose it's the most reasonable solution to that...
They provide, don't they? In Russia there are "gosuslugi" (government services) that banks and other organizations can use to confirm identity. However, if you sign up, then you will receive draft notices for military service through the app so you better not sign up.
I am not sure it would resolve the issue. About 10 or so years ago I was contacted on LinkedIn with an offer to "rent my name and face" for a team of Chinese remote workers (probably not those exact words). I rejected the offer without asking for details. Not sure if they were actually from China.
Isn't that what the E-Verify [1] system was supposed to be? Several companies are now discovering it's not all it's cracked up to be, as ICE shows up at their door.
We don't need a general identity service though. We need to know whether someone is authorized to work for a US employer, right? How can a DPRK worker have the necessary authorization? If they use someone else's identity, isn't that something E-Verify should catch? If these are US citizens/nationals/residents working out of DPRK, who cares?
They can buy, steal, or hire yours. If it were a general identity service, yours would get tracked. But if it's just a matter of authorization, with no authentication, they'd just use it indefinitely.
I suspect some of the fake job postings are schemes to harvest that type of data. If I live in Atlanta and someone uses my identity to get a job in Seattle, how long will it take for me to learn about the company in Seattle that thinks it hired me, especially if they don't use my home address.
Yes. It confirms someone with a particular name, DOB, and SSN is authorized to work in the US. It doesn't confirm that the person claiming to be that person actually is that person. It relies on the employer to be able to match the applicant to the photo in e-verify, which isn't always an easy task.
The part that's really sad is that we have tons of out of work devs right now. This sort of thing only makes it harder for the legitimate people to get hired. An easy fix for this is for a place like Pearson to set up verified interview centers, which will allow for verified virtual interviews (on both sides of the table).
Another solution might be UNIONS that would have __membership verification__ including things like citizenship (which country(ies) are they a citizen of?), skills tests and training, etc.
Just like competition requires 5+ similarly sized entities for a healthy marketplace of companies, my informal opinion is that unions probably similarly shouldn't have overwhelming market share. However my feeling on contracts between unions and corporations is that the contract should be negotiated between multiple companies and multiple unions to produce the most level playing field possible.
I like that software engineering doesn't require/encourage unions, contrary to other big industries.
As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
One great thing about being a dev in the US: you don't need a degree, learn a lot, can apply and get a great job.
I've previously been in a union for a company and the experience did not encourage a competitive working environment. When layoffs came, Jr employees got sacked before more senior union members (not necessarily the best technical staff, just because they worked there a long time).
I have family/friends in unions (non software devs) that have had similar experiences to mine.
Devs are the factory workers of today. You’re going to be sorry in 10 years when AI is fully mature and all the cheap talent overseas takes every US dev job just like it did to factory workers in the 90s and there’s no unions to even attempt to slow it.
"One great thing about being a dev in the US: you don't need a degree, learn a lot, can apply and get a great job."
And on the other side, you can have a degree and experience and still not get a job due to the wild criteria and games that get played in various interviews.
>None of this is a reason to not organize to better represent the interests of labor.
Unions restrict the supply of labor and this results in (price increase) better wages for the union's members. However, overall the total dollar amount transferred from employers to labor goes down (employment decrease), so the "class" of all workers (employed and unemployed) see their per capita wages go down. And if that's not enough, the industry grows more slowly, so the problem only gets worse for everyone in the future (trickle down). This is the underlying reason for Europe's lower year-over-year economic growth compared to the US.
It's not a moral or ethical or even income distribution issue, it's just how markets operate.
A retort being familiar does not mean it isn't true or real.
Millions upon millions of people at every income level have experienced working in and around unions and not all of them came away with a positive experience.
It didn’t come by itself, it came in the wake of a comment that outlined a process whereby unions have a negative effect on new applicants in the job market.
The disagreement then was “I’ve heard that argument before.” - “ok that doesn’t make it wrong” <— that last sentence is what you’re replying to.
> As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
This is true in the same way that it’s true that all democracies turn into the majority oppressing everyone else, or get captured by oligarchs, or vote to raise taxes to fund social until the economy collapses, etc. – which is to say not at all. Unions CAN fail that way but it’s not a given. We shouldn’t give up on a useful tool because it can be failed, we should talk about how to keep it healthy.
For example, I’ve seen the no-degree route you talk about made easier by unions because it forced merit hiring rather than hiring more dudes with social ties from certain colleges. Again, that’s not guaranteed – you’d be forgiven for wondering if the Teamsters were a deep cover operation to discredit the concept of unions – but social institutions aren’t magic: they work to the extent that we make them work.
I've been working in the tech industry for about twenty years now, and I desperately want unions. Sticking your neck out alone sucks to begin with and only sucks harder the more time goes forward.
Same. Back when I first got into IT, I was surrounded by (similar) nerds whose self-esteem was defined by being the smartest person in the room. Compensation was often higher than other white-collar jobs, so they (we) were happy to overlook the long hours and non or poorly compensated on-call shifts.
Most IT work now, whether dev or admin side, is not rocket science. It’s mostly approachable work and no one should settle for being abused by employers for some outdated, ingrained, cultural baggage.
Why add more gatekeepers to the industry? It also doesn't really make sense for an IT worker to want to negotiate as a collective when individual salary and benefits are some of the best in the world.
The interview process in US is already insanely ridiculous, but this would only add an additional level of crazy to it. Honestly, licensing would be less bad by comparison.
Can you describe what you see as the insanely ridiculous interview process? Most of the interviews I have initiated are something like:
- 30 minute recruiter call
- 30-60 minute manager call
- 2x 60 minute leetcode easy/medium
- 1x 60 minute STAR behavioral
- 1x 60 minute systems design or maybe doubling up on a previous category
So for a total investment of what, 6 hours, I can go from a cold call to an offer of something like 150k-300k/y? And I'm not even playing in the FAANG ecosystem.
I'm not sure if we are experiencing different processes, or we have different opinions about what kind of time / reward tradeoff is reasonable.
Everything except the 30-60 minute manager call is a waste of time and money for everyone involved.
You just need to ask a couple of open-ended questions about the candidate's preferred programming language and/or some technical details of a past project they've worked on to get an idea of whether they are reasonably competent or not. It shouldn't take more than 10-15 minutes to go through. The majority of the rest of the meeting can consist of the candidate asking you questions and/or chit-chatting to make sure the vibes aren't off.
What you are trying to judge is whether or not they can do the job, which you can really only tell once they are actually doing the job anyways. So you pay extra attention to what they do for the first couple of days/weeks after you've hired them and if it's obvious things are not going to work out you let them go. Most places have laws that are amenable to hiring someone on an initial trial period before stronger employee protections kick in.
In general, most of the pathologies of the hiring process can be solved by treating it as a satisfier problem instead of an optimizer problem.
There's a wide spectrum between "extremely efficient" and "insanely ridiculous". To keep it short, I think the incentives are pretty well aligned here. There's not much of an incentive for either party to waste our collective time.
I would be interested to explore a "quick hire, quick fire" philosophy, but I'm not sure it would lead to overall greater satisfaction. Employers don't like to fire people and employees don't like to be fired.
The part where I have to rehearse solving ridiculous problems for a few weeks in my free time so I can perform them to the interviewer and then never use the skills again. It’s typically 2 medium/hard problems solved optimally in 20 minutes each with no errors if I want to beat the competition.
Wouldn't the issue be that an interview center could take money to lie/etc? When I start a job I would have to go through I-9 verification - if that process is not good enough to weed out fakes, how would another verification work better?
> Wouldn't the issue be that an interview center could take money to lie/etc? When I start a job I would have to go through I-9 verification - if that process is not good enough to weed out fakes, how would another verification work better?
You just need to have a US citizen's SSN and birthday to beat the I-9 verification. And "beat" is a strong word. I-9 is just a form that the employer asks the employees to submit, there's no requirement for the employer to do anything with it.
So you can just say that your SSN is 555-55-5555 and your birthday is 01-01-2001 and you'll "pass" the verification. It'll be detected only when the employer submits the Form-944.
There's E-Verify that requires a picture ID and more information, but it's not mandatory.
Yeah, I was thinking of the Pearson testing centers because they're already proctored to prevent cheating and set up for identity verification. But co-working spaces could certainly work too. That might be even more viable in Europe.
That’s not the question: it’s about trust and honesty. The problem with North Korean workers is that they are a huge security risk because they aren’t working as free people but as agents of their government. That might not be a guaranteed disaster if they’re just generating cash revenue but it’s a huge security risk if the North Korean government has any reason to subvert your company or customers.
Maybe first give them freedom. As long as their CVs are fake, their faces and experience are fake, and they're spying for their government, nobody should be hiring them.
Eh, we're all victims of where we were born. I'm not about to hold someone's state against them. Unless, I suppose, it's a certain state that didn't exist 100 years ago and had to forcibly move people to make room.
I suspect it could be worse than that. I suspect certain countries' tech sectors are being partly taken over by IT workers from foreign intelligence agencies or from foreign entities with ulterior motives. Especially when you consider countries with small populations and few natives in the tech sector.
For example, in Australia, it seems like at least 8/10 software engineers are foreign-born. Most of those are probably genuine (not from intelligence agencies) but Australia has such a tiny native population of engineers compared to that of most foreign countries in its vicinity that it wouldn't be difficult for a country like China or India to overwhelm our tech industry with workers in order to gain political leverage. I was thinking that there might be more software engineers working for Indian or Chinese intelligence agencies in the world than there are native-born software engineers in Australia (not affiliated with any government entity). It's a numbers game.
North Korea seems like the tip of the iceberg there though an easy example to talk about because everyone understands how the North Korean government operates and everyone agrees about the threat they pose vs more subtle threats from other countries which aren't seen as opponents (at least not to the same extent).
But also, consider a company like Facebook which hires maybe 20K or so software engineers. A country like India which has a large number of software developers, if it wanted, could easily put together a task force to infiltrate and take over Facebook in a focused effort if that was its intent.
It dawned on me recently that, as a Caucasian in the software industry in Australia, I've basically become a DEI hire; a minority in my industry where, statistically, I should be the majority.
I don't really understand the logistics of this to be honest. From the article it doesn't sound like these people have false IDs, they just make fake LinkedIn profiles?
In a lot of countries, certainly here in Germany, your employer has to pay social security contributions and needs your insurance, healthcare information etc. In addition, if you're a foreigner, they need to know your legal status to see if you can even work. Like, what do these scammed companies do, just wire money to some guy they interviewed on social media and ship company property to random addresses? Is that even legal in most places?
They presumably wire the money to a person operating in the US who sends a portion of that money to the NK employee. The US person is then the one in the company payroll files. At least that's my understanding.
We should definitely go after those folks, but it's not pleasant, as many of them may be having their own issues that add to the problem.
One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money. We have entire industries that sell narratives, rationalizing these compromises.
This is exacerbated by the current employment problems. They keep talking about how unemployment is down, but I think we all know folks that are un (or under-) employed, and the difficulties they are having, finding work.
Someone in that state is fertile ground for money- and job-laundering bad actors. It sucks to punish them, but that is what we need to do to discourage the practice.
> One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money.
A US person without adequate cashflow is likely to not be able to have food, housing, clothing, medical care, etc. A lack of morals is not what causes people to do anything to make money, it's a lack of money in a capitalist society. Blaming people for systemic problems is incredibly regressive.
Quite a few people will have adequate food, housing, etc and still dispense with morals for money. Some studies suggest that having more money makes one more dishonest rather than less.
The problems are indeed systemic, but it's not just lack of money. The system is constructed around the love of money, such that too much is never enough.
My understanding is that for a US employee, the employer is supposed to confirm eligibility to work in the first 3 days of employment. Some form of government ID plus a social security card, or a passport, or something like that. IRS form I-9.
OTOH, if these positions are independent contractors, form I-9 isn't required. Just a tax ID for reporting purposes.
I would imagine whoever is hosting the laptops may be authorized to work in the US and could also be convinced to provide identity documentation. I think there's a lot of borrowing of documentation by immigrants/migrants who are not authorized to work in the US; so there's probably a marketplace somewhere too.
In three decades, I've had someone call me to check a reference only twice for private sector jobs. The federal government actually does this as part of background checks, so it works, but you need to want to badly enough to pay real money.
The other problem is liability: companies often tell their employees not to give references for fear of being sued if the employee doesn’t work out, and most companies don’t expect useful information from them unless someone left in a way which has a public record like a court case. The federal checks don’t have that problem because not answering honestly is a crime. You’d need some kind of shield for honest statements for the private sector to really get accurate assessments, and that’s tricky to do in a way which allows the most useful opinions.
I think the paranoia and fear this kind of idea promotes is perhaps the point of all of it.
Why is this being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
Also, we need steps towards reducing the possible tools that fake workers could leverage. These steps would put a strain on some recent technological developments. A strange and wild paradox.
Inform what companies directly? If it's this pervasive, that's not going to be effective.
I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
And in the process of confirming that this was fishy, I contacted one of the past employers he claimed after doing my best to confirm _they_ weren't in any way part of the scam. They confirmed he had never worked there. I sent them his LinkedIn and portfolio site in case they wanted to chase down getting their name removed.
They told me that this was super concerning because the screenshots in his portfolio of the app he worked on for them were real screenshots... for an unreleased app that was only available internally and had never even been demoed for clients.
They'd already been breached and had god knows what exfiltrated. They found out because we caught an attempt to get hired at _our_ company and let them know.
Nobody outside of a couple of technical staff at our company had even _heard_ of this. Nobody at the other company had. The fix, to me, seems to be making people involved in hiring more aware of this. If anything, it seems we should be talking about this _more_ and _more publicly_.
Is your company involved in infrastructural or emerging tech in any way?
Forgive my frankness, but these worries about infiltrators have priority in important, large companies. I am very sure agencies responsible for this can contact these handful of important companies directly.
So, you're right. In the current age we live in, no one cares about your small SaaS company, and you're being used to spread unnecessary paranoia and fear.
We're in a niche, extremely boring industry. We have an extremely small client base. We do line-of-business/sales management applications for something akin to like... light switches and light fixtures. The most exclusive thing we have access to is wholesale pricing from manufacturers. We don't handle payments. The extent of PII we handle is "name and email" from when someone emails out a quote.
We are the epitome of uninteresting to a foreign actor. Being "uninteresting" apparently does not disqualify you.
We also do not hire overseas (the applicant claimed to be from California) and offer a good US wage. We weren't targeted or vulnerable because we were being "greedy".
Greed meets greed. Companies hiring cheap labor, being exploited in several fronts.
It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
Keep focused. Small companies never mattered for nations, they are irrelevant. Spreading paranoia will not solve their over-reliance on this exploited offshore problem. It will likely lead them to bankruptcy.
Ultimately, it doesn't invalidate what I said. It actually makes my comment more relevant.
> It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
It's not offshore. Infiltrators are pretending that they're in the US. I first saw this 2 years ago, and they were pretty clumsy back then: always blurred background (and refusing to unblur it) and/or doing calls from a windowless office. You could even see their eyes moving, like they're reading the script.
This year they became much fancier. They use backgrounds with the real time-of-day and weather illumination. The eyes no longer move unnaturally, etc.
Remote working is in the same vein as offshoring. One enables the other, they're co-dependent. Both are based on greed. In the case of remote working, it is avoiding having offices, avoiding paying certain kinds of insurance, etc.
You are also reinforcing my original conclusion that what enables these workers is the very same tech that companies are investing in.
Again, greed meets greed.
Now it's too late. IT companies will not survive a full return to office, and they won't survive remote working as well.
The very idea that someone could be using technology to fake an identity was unthinkable. Now that it is not, there's really no place safe.
If a crisis occurs, and the US president goes to Air Force 1 and transmits from there, how could you be sure he's not a North Korean infiltrator? You can't.
I think there are still ways out of this, but we're reaching an inflection point that will be hard to overcome.
---
Your commentary seems to provide a valid point of view, and although you disagree, you reinforce my main point.
> Remote working is in the same vein as offshoring.
No, they're not.
> You are also reinforcing my original conclusion that what enables these workers is the very same tech that companies are investing in.
We should get rid of electricity, then.
> If a crisis occurs, and the US president goes to Air Force 1 and transmits from there, how could you be sure he's not a North Korean infiltrator? You can't.
> I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
I'm in a similar situation. The HR leads company is trying to filter out the fakes, but they can't catch everyone.
Apparently, the infiltrators specifically target the companies in the 10-50 people range. In smaller companies everybody knows what everybody else is doing, so infiltrators will be swiftly uncovered. And larger companies typically have a well-established HR department that will catch obvious fakes without good cover.
But these mid-range companies provide the best chance for the fakes to get at least a couple of paychecks before being uncovered. And they likely won't bother with going to the FBI to chase down the payments.
I'm not saying "shouldn't". It's more likely "don't bother".
Interacting with law enforcement takes executives' time, it might bring in complications (legal liability for personal data leaks, etc.), and even in the best case the company is not going to get their money back.
Why try to hide it? It’s like public disclosures of security vulnerabilities. You directly contact the few people who have actionable data and means to address the problem, then you tell the world that they’re impacted and should be aware that such a problem exists so we don’t repeat it.
> Why is this being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
One key component for this scheme to work is to have local US persons act as intermediaries. While some may already know something shady is going on, and be complicit, some might not understand the entire scope of what they're being part of. Publicly discussing it might encourage some people to come forward / avoid being involved in the future.
Living up to your screen name I see, but in all seriousness, I fully agree. The average person running the laptops in a spare bedroom may have no idea the scope of what they're involved with. Especially if they're being duped as well.
Imagine a non-technical person being told they're helping run an "edge data center, close to the users. Running our laptops helps Netflix/Facebook/etc (insert big tech name of your choice) run faster for you and your neighbors, and we'll pay you to do it."
Easy to imagine a non-technical person buying that lie.
My imagination is very expansive, I can come up with grand scopes that movies and conspiracy theorists would never dream of.
Reality is much simpler though. Greed, I already said it. Typical human defects.
It seems that you are not comprehending who needs to come forward. Entire industries, entire parties. They simply won't, they would rather see the world burn than admit such mistakes. It has happened before.
I’m not sure it’s good for anyone to keep SMB’s in the dark, as they have the most surface area and least expertise and budget to respond. It seems like a net benefit to publicize the issue and get every IT hiring manager thinking about it.
Keeping it quiet and only disclosing to larger firms means that lots of small firms will hire these people, with the economic and IP harms they entails.
As you said, small businesses have less expertise and budget to deal with the problem.
Telling your grandma she has a virus only makes her afraid, she won't magically gain the ability to identify it. That's my whole reasoning here. It makes things worse.
The supposed problem is being peddled by a company called Socure, who, coincidentally, offer the solution to this problem. There are absolutely "fake" remote workers floating around, but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence. "North Korean" job applicants have become a meme; any suspicious-looking applicant is being labelled "North Korean" by people who've read articles planted by Socure. If this were a grand North Korean government-orchestrated conspiracy we would not see hundreds of job applicants engaging in exactly the same strategy for the same job.
Yeah I get your skepticism, but this is really a huge issue in many industries. We are seeing it with an alarmingly high rate. You don't need a technical solution though, as the article points out, some stuff is just process change:
In person final interview, gov issued ID checks, initial hardware delivery in office, etc.
I’ve also seen this pattern at a pervasive rate but I think it’s mostly shady overemployment / outsourcing agencies, with NK as a tag along. It doesn’t matter either way since the countermeasures are the same (besides the stupid meme KJU junk).
> but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence.
Direct impact: Outsourcing breeds a culture of unverified and verified-just-once remote work.
Indirect impact: Outsourcing is a cost-driven effort where after a certain level of competence, the bottom-line is the only measurable metric that matters so it’s a race to the bottom with patchwork efforts to “fix” issues like OP.
Making domestic options cost-equivalent with punitive outcomes for hiring NK workers.
So, again, the answer to this and most every other hiring ill in software over the past 15-20 years is… licensing.
So, let's think about this logically. There is no baseline of candidate identification or competence in software, and the jobs pay very well in physically comfortable conditions. It makes sense that unqualified liars would apply for these positions. Why shouldn't they? I am honestly curious how far the fraud and incompetence can go and devalue the industry before someone cares enough to tackle the problem.
The answer to this is for companies to do even a modicum of personnel vetting.
At the very least, make your remote candidate show up in person for their onboarding. A plane ticket and a few days of accommodation and meals is cheap in the grand scheme of things, and giving them the opportunity to meet their team is good relationship building.
Sight their ID before you issue them with an account, give them a laptop etc.
They generally make no enquiries at all into the applicant’s bona fides.
The candidate sends in fake or stolen documents where the picture on the drivers license doesn’t even vaguely resemble the person who appeared on Zoom.
When you have an applicant who says they were born in Tennessee and that they’ve apparently lived in the U.S. for their whole life, you would normally expect them to speak English with native proficiency and at least have an American-sounding accent.
If they say they live in, say, Seattle, you’d expect they could carry on at least a basic conversation about their local area.
Even this basic level of attention to detail nonetheless escapes many HR departments and hiring managers.
Irrelevant to the OP unless you explain why North Koreans would be prevented from obtaining these licenses: it's not like there aren't competent developers in North Korea.
If your explanation is that the license grantor will verify that the applicant is a resident of a Western country, then the employer can just do the same verification of job applicants, dispensing with the need for the occupational license.
The way these people are being caught are things like dodgy LinkedIn profiles or refusing in person meetings so I would think a licensing process designed around things which would be expensive to fake: in person government ID checks, periodic exams, peer evaluations, etc. The trick would be actually doing that in person, which could be a useful thing for conferences - treat an afternoon at PyCon or re:Invent as the cost of renewing your professional credentials if you don’t live near a major city or university.
Yeah, I was thinking that if you were looking for an industry license it would probably be more useful if it also covered skills or work experience in some way, since that helps multiple weak points of the common hiring processes, but you're quite right that it would raise the bar considerably if they had to basically run everyone like actual spies with robust fake identities.
I recommend researching what comprises professional licensing. If you have absolutely no frame of reference I can understand why you would be so confused.
It is trying to avoid hiring an ethnicity by saying things that a specific ethnicity would find offensive, but not others so you can filter them out of the hiring process.
You don't have to be an evil North Korean to do that. Outsourcers have been doing it since time immemorial because they can't achieve sales in any other way (or through direct corruption: often offshore outsourcing shops are owned by managers of their clients, who effectively use them as tools for siphoning money away).
Hopefully the fear of foreign actors will put an end to this too.
I have to hand it to North Korea on the inventive revenue streams. This is a country under sanctions for decades that has developed some of the most clever IT scams for siphoning money from the west. Between this and the Lazarus group the country has brought in Fortune 500 company kinds of money to keep itself afloat.
It's been over 75 years. It could not be clearer that this attempt to punish the ordinary people who live in North Korea for having a government that the US finds disagreeable will not succeed in somehow fomenting revolution. What it has succeeded in doing, apparently, is sustaining a level of poverty and isolation that motivates even crazy schemes like this.
Here's how to actually stop it: stop weaponizing poverty to beat a Cold War-era dead horse, and end the damn sanctions.
Russia was an important trading partner for many European countries. Especially important for Germany. Basically no sanctions. Freedom of movement with fairly good visa policies. No great internet firewall. How much did all this help to prevent another huge war between two European countries?
Different behaviors have different motivations, contexts, and causes. It's extremely clear that these, like other criminal moneymaking schemes in the DPRK, are directly and closely related to the high degree of isolation of the DPRK and the difficulty of getting capital into it.
Of course lifting the sanctions won't also end all spycraft, or ensure an end to geopolitical conflict. Those aren't things I have claimed or would claim.
And the primary reason to end such sanctions is not any benefit to imperialist nations but because of the fact that they inflict misery on ordinary people indefinitely and (not essential, but adding insult to injury) uselessly.
> they inflict misery on ordinary people indefinitely
Pyongyang was making its people miserable before there were sanctions. America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
> Pyongyang was making its people miserable before there were sanctions.
Whether or not we approve of Pyongyang is completely irrelevant to every point I've made. The questions are (a) whether the sanctions have had a material negative effect on the North Korean people, and (b) what they have accomplished. The answers are "yes" and "nothing of any use", neither of which is controversial. And our fixation with North Korea and the evil we wrought there obviously doesn't begin with sanctions but with millions of tons of bombs, tens of thousands of tons of napalm on arable land, or the destruction of the People's Republic of Korea (not the DPRK), a functioning government that existed in both the North and South before the US invaded (literally reinstating colonial Japanese governors as officials).
> America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
The US was directly involved in the division of Korea even before all that. Frankly, your entire comment has been not only extremely handwave-y but deeply dishonest.
> European employers on the other hand...
Many European employers
- don't or rarely offer remote jobs, so they often don't have this problem.
- even if they do some video or phone interview for pre-screening, they nearly always expect the prospective employee to come to a live interview if they are not weeded out by this pre-screening. It is thus expected that you at least live in a country from where you can easily travel to the place where the employer is located.
- expect their employees to be able to speak the national language, or at least learn it fast. This also makes times hard for North Korean fake IT workers.
> Feels like there's otherwise a hundred different ways to already do remote control without any extra hardware
This way the worker doesn't have to know 100 different ways to remote into the machine, just one
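The miniature-KVM discussion above describes a box that shows up to the company laptop as an ordinary keyboard and mouse, so that nothing looks like remote-control software. One host-side tripwire a detection team can run is a USB peripheral allowlist check. This is an added example, not code from the thread or from any product mentioned in it: the inventory lines are constructed to resemble `lsusb` output with a class tag appended, and the VID:PID values, device names and the issued-peripheral allowlist are assumptions for illustration.

```python
"""Flag USB input/video/storage devices that were not issued with the laptop.

Added example for the fake-worker thread. Not a product's code. The
inventory text below is constructed; IDs and names are illustrative.
"""
import re
from dataclasses import dataclass

# Hypothetical allowlist of peripherals shipped with this laptop (VID:PID).
# Assumption for the example; a real deployment pulls this from asset inventory.
ISSUED_PERIPHERALS = {
    "046d:c52b",  # wireless receiver issued with the laptop
    "0bda:8153",  # USB Ethernet dongle issued with the laptop
}

# Interface classes that let an attached device drive, watch or feed the host:
# HID (keyboard/mouse), UVC (video capture), MSC (mass storage).
WATCHED_CLASSES = {"HID", "UVC", "MSC"}

# Constructed sample inventory (lsusb-like, with a class tag in brackets).
SAMPLE_INVENTORY = """\
Bus 001 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver [HID]
Bus 001 Device 003: ID 0bda:8153 Realtek Semiconductor Corp. RTL8153 Gigabit Ethernet [CDC]
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub [HUB]
Bus 001 Device 005: ID abcd:1234 Example Corp. USB Video Grabber [UVC]
Bus 001 Device 006: ID 046d:c31c Logitech, Inc. Keyboard K120 [HID]
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^Bus\s+(?P<bus>\d+)\s+Device\s+(?P<dev>\d+):\s+"
    r"ID\s+(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s+"
    r"(?P<name>.*?)\s*\[(?P<classes>[^\]]*)\]\s*$"
)


@dataclass(frozen=True)
class UsbDevice:
    bus: int
    dev: int
    vid_pid: str
    name: str
    classes: frozenset


def parse_inventory(text: str) -> list:
    """Parse lsusb-like lines; unrecognised lines are ignored, not fatal."""
    devices = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        classes = frozenset(
            c.strip().upper() for c in m["classes"].split(",") if c.strip()
        )
        devices.append(
            UsbDevice(
                bus=int(m["bus"]),
                dev=int(m["dev"]),
                vid_pid=f"{m['vid']}:{m['pid']}".lower(),
                name=m["name"].strip(),
                classes=classes,
            )
        )
    return devices


def find_unexpected_peripherals(devices, allowlist=ISSUED_PERIPHERALS) -> list:
    """Return devices in a watched class whose VID:PID is not on the allowlist.

    Matching on VID alone is not enough: a keyboard from the same vendor as
    the issued receiver is still an unexpected device.
    """
    findings = []
    for d in devices:
        if "HUB" in d.classes:
            continue  # root/internal hubs are not peripherals
        if d.classes & WATCHED_CLASSES and d.vid_pid not in allowlist:
            findings.append(d)
    return findings


if __name__ == "__main__":
    for d in find_unexpected_peripherals(parse_inventory(SAMPLE_INVENTORY)):
        print(f"UNEXPECTED bus {d.bus} dev {d.dev} {d.vid_pid} {d.name} {sorted(d.classes)}")
```

Run against the constructed inventory, the check reports the video grabber and the second Logitech keyboard while leaving the issued receiver and dongle alone. As the comment above notes, a device that spoofs the VID:PID (and serial) of an issued peripheral will pass this check, so it is a tripwire that raises the attacker's cost, not proof of a clean host; pairing it with a serial-number inventory and with alerts on new external displays narrows the gap further.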
Can’t they just make week 1 in person compulsory?
You can easily dress that up as an onboarding thing and would solve this, no?
You can. Just like everyone can use a good password. Yet many don't.
Also there is a good reason not to make week 1 in person. You reduce your access to talent. I know we are in the everyone RTO and do 100hrs a week part of the BSiness cycle. But still.
Not really. You need a visa (or equivalent) to enter most countries. This can take months to apply for and receive. And you can stretch that period out even longer by claiming that you don't have a passport and need to apply for one first.
In Germany, if a company wants to hire some talent from a foreign country, this problem is solved by the general rule "The employment starts as soon as the visa problems have been resolved, and you are in Germany." Big companies often have a department that helps with visa problems.
So, if you stretch the period, the employment simply starts later.
This is a problem the USA caused, and could easily solve, by dissolving the armistice and declaring an end to the Korean war.
Only seven countries are currently participating in the embargo and sanction of North Korea (at the behest of the United States).
North Korea would never, in a million billion years, either accept peace, or actually honour it. NK is a hideously oppressive, violent, dictatorship, which would invade SK in a microsecond if it thought it could get away with it.
I think it astounding - staggering - to point the finger here at USA.
If you were not a long term, serious poster, I would think you were a fake account.
They convinced Ukraine to give up their nukes, promising that they'd be safe. I don't think there's any chance of convincing North Korea to follow the same path.
No, one side declaring the end to a war does not end that war, this is one of the worst foreign policy takes I've ever heard. The NK regime is secure because of the war, they will poison pill any negotiation by demanding South Korea become part of the north.
I can’t find the tweet but apparently you can also filter these folks out by asking them to criticize Kim Jong Un
I’d be shocked if that was still true after the first time someone tried it. If you’re running an undercover operation, you’re going to give your agents backing to say whatever they need to say to maintain their cover.
If someone asked me to criticize KJU, that would be the end of the conversation. I criticize people on my own or not at all. I suppose I would become a false positive.
Sounds just like something a North Korean would say
I would never allow any potential client to ask me ANY political questions. Not because I like any political figure but because I am trying not to encourage fucking thought control. I hope we are not in Nazi Germany yet. It is just simply not their fucking business. On the other hand, if they offered me a million in cold hard cash just for that, I would tell them anything they want to hear.
Honestly, sounds like a red flag if even a legitimate applicant is unwilling to voice an opinion on the Kim regime.
I don't consider myself to know enough to criticize.
Of course what little I do know is all negative. But I've paid only limited attention, and I get nothing from primary sources.
I expect the same from practically everyone -- perhaps excepting South Koreans who at least speak the language. I'd consider it good judgment to say that you just can't meaningfully answer the question.
I'd read a statement you hand me, if you thought that would suffice. But I'll admit I'd consider that weird and likely useless.
Without context it seems like a weird trick question, like phishing tests and most corporate training.
Replace the North Korean leader with Biden and Trump; how does that sound?
Pretty sure a huge number of Americans would happily curse both with the fire of a thousand suns.
Even with the context of knowing the fake worker problem?
If so, I suppose that’s another good reason to ask the question. It filters out both North Korean fakes and people who are going to be doctrinaire about small things.
Perhaps a better solution would be to ask an opinion about KJU... not to "criticize" him. This feels pretty dystopic indeed, like 15 minutes of hate...
It was 2 min of hate ;) and this clearly isn't the same as trying to rile people up; it's a thin attempt to get people to self report if they are lying with some sort of higher level "gotcha".
Feels like the story about disconnecting Chinese gamers from matches automatically by typing "Tiananmen Square", or the story of the Battle of Siffin with one side putting pages of the Quran on their spears in hopes the enemy wouldn't fight that way. Unclear how accurate the stories are or how effective it may have been, but kind of interesting at least.
It was 2 min of hate
Inflation.
Something is amiss here...Developers make hundreds of applications to even get a reply much less an interview...While apparently, barely English literate North Korean IT workers are getting all the jobs :-) Time to praise the Supreme Leader on LinkedIn ?
I have gotten multiple emails from wonky email addresses offering to have me interview for jobs, and they will take care of the work if I get hired. Fake names, tons of money for me. I just have to nail the interview.
My resume is shiny enough and I've gotten hired enough times that I'm a good candidate for this kind of scam.
This feels like a very ham fisted approach for them though. 99% of engineers are going to ignore or not take seriously these kinds of out of the blue offers.
Most of my colleagues in India are barely literate and it doesn’t stop offshoring at all.
Thats racist!!! How dare u.
They probably use many identities
If only governments could provide a very simple “check identity” service online. I think this should be a basic service nowadays.
> If only governments could provide a very simple “check identity” service online. I think this should be a basic service nowadays.
Slovenia issues personal certificates so you can identify yourself online. Mostly used for banking and e-gov. The commercial space has decided it’s too cumbersome.
Fantastic idea. Started rolling out when I was in college some 15 years ago. You go to the same place that issues your govt ID and you can also get the equivalent of an SSH cert issued by the government that guarantees you are you, your identity was verified at point of issuance, etc.
Unfortunately it’s about as fiddly to use as SSH. Okay for nerds, way cumbersome for normal humans who just want to log into their bank and pay their taxes damn it. Last I remember (moved to USA ~10 years ago) getting their e-signing browser widgets/extensions to work reliably on non-windows machines was hell. Most Mac/Linux users ran a whole VMWare VM just to do taxes once a year.
Imagine if you had to provide your government ID to use any website.
Even for employment I find the idea iffy, but seeing as it's in response to an actual non-imagined problem, I suppose it's the most reasonable solution to that...
They provide, don't they? In Russia there are "gosuslugi" (government services) that banks and other organizations can use to confirm identity. However, if you sign up, then you will receive draft notices for military service through the app so you better not sign up.
I am not sure it would resolve the issue. About 10 or so years ago I was contacted on LinkedIn with an offer to "rent my name and face" for a team of Chinese remote workers (probably not those exact words). I rejected the offer without asking for details. Not sure if they were actually from China.
If you sell your identity, you are accountable. That works in real life too; So there’s less incentive in doing it.
Yeah, lets give the fascists full identity tracking tools.
Isn't that what the E-Verify [1] system was supposed to be? Several companies are now discovering it's not all it's cracked up to be, as ICE shows up at their door.
[1] https://www.e-verify.gov/
E-verify is just to check employment authorization, it's not a general identity service.
We don't need a general identity service though. We need to know whether someone is authorized to work for a US employer, right? How can a DPRK worker have the necessary authorization? If they use someone else's identity, isn't that something e verify should catch? If these are US citizens/nationals/residents working out of DPRK, who cares?
They can buy, steal, or hire yours. If it were a general identity service, yours would get tracked. But if it's just a matter of authorization, with no authentication, they'd just use it indefinitely.
I suspect some of the fake job postings are schemes to harvest that type of data. If I live in Atlanta and someone uses my identity to get a job in Seattle, how long will it take for me to learn about the company in Seattle that thinks it hired me, especially if they don't use my home address.
Yes. It confirms someone with a particular name, DOB, and SSN is authorized to work in the US. It doesn't confirm that the person claiming to be that person actually is that person. It relies on the employer to be able to match the applicant to the photo in e-verify, which isn't always an easy task.
The part that's really sad is that we have tons of out of work devs right now. This sort of thing only makes it harder for the legitimate people to get hired. An easy fix for this is for a place like Pearson to set up verified interview centers, which will allow for verified virtual interviews (on both sides of the table).
Another solution might be UNIONS that would have __membership verification__ including things like citizenship (which country(ies) are they a citizen of?), skills tests and training, etc.
Just like competition requires 5+ similarly sized entities for a healthy marketplace of companies, my informal opinion is that unions probably similarly shouldn't have overwhelming market share. However my feeling on contracts between unions and corporations is that the contract should be negotiated between multiple companies and multiple unions to produce the most level playing field possible.
At least in the US,
I like that software engineering doesn't require/encourage unions, contrary to other big industries.
As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
One great thing about being a dev in the US: you don't need a degree, learn a lot, can apply and get a great job.
I've previously been in a union at a company and the experience did not encourage a competitive working environment. When layoffs came, junior employees got sacked before more senior union members (not necessarily the best technical staff, just because they had worked there a long time).
I have family/friends in unions (non software devs) that have had similar experiences to mine.
Devs are the factory workers of today. You’re going to be sorry in 10 years when AI is fully mature and all the cheap talent overseas takes every US dev job just like it did to factory workers in the 90s and there’s no unions to even attempt to slow it.
And in an unlikely case that there were a union, US would lose competition to China and the union will be involuntarily disbanded.
Factory workers are the factory workers of today.
"One great thing about being a dev in the US: you don't need a degree, learn a lot, can apply and get a great job."
And on the other side, you can have a degree and experience and still not get a job due to the wild criteria and games that get played in various interviews.
You trot out all the familiar retorts. None of this is a reason to not organize to better represent the interests of labor.
>None of this is a reason to not organize to better represent the interests of labor.
Unions restrict the supply of labor and this results in (price increase) better wages for the union's members. However, overall the total dollar amount transferred from employers to labor goes down (employment decrease), so the "class" of all workers (employed and unemployed) sees its per capita wages go down. And if that's not enough, the industry grows more slowly, so the problem only gets worse for everyone in the future (trickle down). This is the underlying reason for Europe's lower year-over-year economic growth compared to the US.
It's not a moral or ethical or even income distribution issue, it's just how markets operate.
A retort being familiar does not mean it isn't true or real.
Millions upon millions of people at every income level have experienced working in and around unions, and not all of them came away with a positive experience.
You can say the same thing about democratic governments, or capitalism, etc. etc.
By itself that's not a meaningful observation.
It didn’t come by itself, it came in the wake of a comment that outlined a process whereby unions have a negative effect on new applicants in the job market.
The disagreement then was “I’ve heard that argument before.” - “ok that doesn’t make it wrong” <— that last sentence is what you’re replying to.
> As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
This is true in the same way that it’s true that all democracies turn into the majority oppressing everyone else, or get captured by oligarchs, or vote to raise taxes to fund social until the economy collapses, etc. – which is to say not at all. Unions CAN fail that way but it’s not a given. We shouldn’t give up on a useful tool because it can be failed, we should talk about how to keep it healthy.
For example, I’ve seen the no-degree route you talk about made easier by unions because it forced merit hiring rather than hiring more dudes with social ties from certain colleges. Again, that’s not guaranteed – you’d be forgiven for wondering if the Teamsters were a deep cover operation to discredit the concept of unions – but social institutions aren’t magic: they work to the extent that we make them work.
I've been working in the tech industry for about twenty years now, and I desperately want unions. Sticking your neck out alone sucks to begin with and only sucks harder the more time goes forward.
Same. Back when I first got into IT, I was surrounded by (similar) nerds whose self-esteem was defined by being the smartest person in the room. Compensation was often higher than other white-collar jobs, so they (we) were happy to overlook the long hours and non or poorly compensated on-call shifts.
Most IT work now, whether dev or admin side, is not rocket science. It’s mostly approachable work and no one should settle for being abused by employers for some outdated, ingrained, cultural baggage.
Why add more gatekeepers to the industry? It also doesn't really make sense for an IT worker to want to negotiate as a collective when individual salary and benefits are some of the best in the world.
The interview process in US is already insanely ridiculous, but this would only add an additional level of crazy to it. Honestly, licensing would be less bad by comparison.
Can you describe what you see as the insanely ridiculous interview process? Most of the interviews I have initiated are something like:
So for a total investment of what, 6 hours, I can go from a cold call to an offer of something like 150k-300k/y? And I'm not even playing in the FAANG ecosystem. I'm not sure if we are experiencing different processes, or we have different opinions about what kind of time / reward tradeoff is reasonable.
Everything except the 30-60 minute manager call is a waste of time and money for everyone involved.
You just need to ask a couple of open-ended questions about the candidate's preferred programming language and/or some technical details of a past project they've worked on to get an idea of whether they are reasonably competent or not. It shouldn't take more than 10-15 minutes to go through. The majority of the rest of the meeting can consist of the candidate asking you questions and/or chit-chatting to make sure the vibes aren't off.
What you are trying to judge is whether or not they can do the job, which you can really only tell once they are actually doing the job anyways. So you pay extra attention to what they do for the first couple of days/weeks after you've hired them and if it's obvious things are not going to work out you let them go. Most places have laws that are amenable to hiring someone on an initial trial period before stronger employee protections kick in.
In general, most of the pathologies of the hiring process can be solved by treating it as a satisfier problem instead of an optimizer problem.
There's a wide spectrum between "extremely efficient" and "insanely ridiculous". To keep it short, I think the incentives are pretty well aligned here. There's not much of an incentive for either party to waste our collective time.
I would be interested to explore a "quick hire, quick fire" philosophy, but I'm not sure it would lead to overall greater satisfaction. Employers don't like to fire people and employees don't like to be fired.
The part where I have to rehearse solving ridiculous problems for a few weeks in my free time so I can perform them to the interviewer and then never use the skills again. It’s typically 2 medium/hard problems solved optimally in 20 minutes each with no errors if I want to beat the competition.
Wouldn't the issue be that an interview center could take money to lie/etc? When I start a job I would have to go through I-9 verification - if that process is not good enough to weed out fakes, how would another verification work better?
> Wouldn't the issue be that an interview center could take money to lie/etc? When I start a job I would have to go through I-9 verification - if that process is not good enough to weed out fakes, how would another verification work better?
You just need to have a US citizen's SSN and birthday to beat the I-9 verification. And "beat" is a strong word. I-9 is just a form that the employer asks the employees to submit, there's no requirement for the employer to do anything with it.
So you can just say that your SSN is 555-55-5555 and your birthday is 01-01-2001 and you'll "pass" the verification. It'll be detected only when the employer submits the Form-944.
There's E-Verify that requires a picture ID and more information, but it's not mandatory.
Interesting idea! This seems like a natural extension of the coworking space business concept.
Yeah, I was thinking of the Pearson testing centers because they're already proctored to prevent cheating and set up for identity verification. But co-working spaces could certainly work too. That might be even more viable in Europe.
I don't really see north korean workers as any less deserving of work
That’s not the question: it’s about trust and honesty. The problem with North Korean workers is that they are a huge security risk because they aren’t working as free people but as agents of their government. That might not be a guaranteed disaster if they’re just generating cash revenue but it’s a huge security risk if the North Korean government has any reason to subvert your company or customers.
Maybe first give them freedom. As long as their CVs are fake, their faces and experience are fake, and they're spying for their government, nobody should be hiring them.
Eh, we're all victims of where we were born. I'm not about to hold someone's state against them. Unless I suppose it's a certain state that didn't exist 100 years ago and had to forcibly move people to make room.
Why make the exception for that state? None of the people applying for jobs were involved or even alive when it happened.
Not sure why that comment got downvoted. It doesn't seem to detract from the topic at hand.
Not sure if it's feasible, but it's definitely something to consider.
I suspect it could be worse than that. I suspect certain countries' tech sectors are being partly taken over by IT workers from foreign intelligence agencies or from foreign entities with ulterior motives. Especially when you consider countries with small populations and few natives in the tech sector.
For example, in Australia, it seems like at least 8/10 software engineers are foreign-born. Most of those are probably genuine (not from intelligence agencies), but Australia has such a tiny native population of engineers compared to that of most foreign countries in its vicinity that it wouldn't be difficult for a country like China or India to overwhelm our tech industry with workers in order to gain political leverage. I was thinking that there might be more software engineers working for Indian or Chinese intelligence agencies in the world than there are native-born software engineers in Australia (not affiliated with any government entity). It's a numbers game.
North Korea seems like the tip of the iceberg there though an easy example to talk about because everyone understands how the North Korean government operates and everyone agrees about the threat they pose vs more subtle threats from other countries which aren't seen as opponents (at least not to the same extent).
But also, consider a company like Facebook which hires maybe 20K or so software engineers. A country like India which has a large number of software developers, if it wanted, could easily put together a task force to infiltrate and take over Facebook in a focused effort if that was its intent.
It dawned on me recently that, as a Caucasian in the software industry in Australia, I've basically become a DEI hire; a minority in my industry where, statistically, I should be the majority.
Have your new hire turn up and meet with the team on day one.
They'll soon twig if that's not the person who's getting called into a quick meeting in 5 minutes to discuss some new issue.
I don't really understand the logistics of this to be honest. From the article it doesn't sound like these people have false IDs, they just make fake LinkedIn profiles?
In a lot of countries, certainly here in Germany, your employer has to pay social security contributions and needs your insurance, healthcare information, etc. In addition, if you're a foreigner, they need to know your legal status to see if you can even work. Like, what do these scammed companies do, just wire money to some guy they interviewed on social media and ship company property to random addresses? Is that even legal in most places?
They presumably wire the money to a person operating in the US who sends a portion of that money to the NK employee. The US person is then the one in the company payroll files. At least that's my understanding.
We should definitely go after those folks, but it's not pleasant, as many of them may be having their own issues that add to the problem.
One of the big problems with the US is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money. We have entire industries that sell narratives rationalizing these compromises.
This is exacerbated by the current employment problems. They keep talking about how unemployment is down, but I think we all know folks that are un (or under-) employed, and the difficulties they are having, finding work.
Someone in that state is fertile ground for money- and job-laundering bad actors. It sucks to punish them, but that is what we need to do to discourage the practice.
I agree but I don't actually feel bad about punishing people for committing fraud (as long as we punish all people fairly, etc).
> People will do almost anything, and compromise all their personal values, for money
I think this demonstrates what their ACTUAL values are, or at the very least the priority of those values.
> One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money.
A US person without adequate cashflow is likely to not be able to have food, housing, clothing, medical care, etc. A lack of morals is not what causes people to do anything to make money; it's a lack of money in a capitalist society. Blaming people for systemic problems is incredibly regressive.
Quite a few people will have adequate food, housing, etc and still dispense with morals for money. Some studies suggest that having more money makes one more dishonest rather than less.
The problems are indeed systemic, but it's not just lack of money. The system is constructed around the love of money, such that too much is never enough.
My understanding is for a US employee, the employer is supposed to confirm eligibility to work in the first 3 days of employment. Some form of government id plus a social security card or a passport or something like that. IRS form I-9
OTOH, if these positions are independent contractors, Form I-9 isn't required. Just a tax ID for reporting purposes.
I would imagine whoever is hosting the laptops may be authorized to work in the US and could also be convinced to provide identity documentation. I think there's a lot of borrowing of documentation by immigrants/migrants who are not authorized to work in the US; so there's probably a marketplace somewhere too.
That’s part of what is being exposed here. The hiring process for many companies is not very robust. I doubt many even check references
In three decades, I’ve had some call me to check a reference only twice for private sector jobs. The federal government actually does this as part of background checks so it works but you need to want to badly enough to pay real money.
The other problem is liability: companies often tell their employees not to give references for fear of being sued if the employee doesn’t work out, and most companies don’t expect useful information from them unless someone left in a way which has a public record like a court case. The federal checks don’t have that problem because not answering honestly is a crime. You’d need some kind of shield for honest statements for the private sector to really get accurate assessments, and that’s tricky to do in a way which allows the most useful opinions.
I think the paranoia and fear this kind of idea promotes is perhaps the point of all of it.
Why is this being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
Also, we need steps towards reducing the possible tools that fake workers could leverage. These steps would put a strain on some recent technological developments. A strange and wild paradox.
Inform what companies directly? If it's this pervasive, that's not going to be effective.
I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
And in the process of confirming that this was fishy, I contacted one of the past employers he claimed after doing my best to confirm _they_ weren't in any way part of the scam. They confirmed he had never worked there. I sent them his LinkedIn and portfolio site in case they wanted to chase down getting their name removed.
They told me that this was super concerning because the screenshots in his portfolio of the app he worked on for them were real screenshots... for an unreleased app that was only available internally and had never even been demoed for clients.
They'd already been breached and had god knows what exfiltrated. They found out because we caught an attempt to get hired at _our_ company and let them know.
Nobody outside of a couple of technical staff at our company had even _heard_ of this. Nobody at the other company had. The fix, to me, seems to be making people involved in hiring more aware of this. If anything, it seems we should be talking about this _more_ and _more publicly_.
Is your company involved in infrastructural or emerging tech in any way?
Forgive my frankness, but these worries about infiltrators have priority in important, large companies. I am very sure agencies responsible for this can contact these handful of important companies directly.
So, you're right. In the current age we live in, no one cares about your small SaaS company, and you're being used to spread unnecessary paranoia and fear.
Other company was, indeed, AI Startup #528532.
We're in a niche, extremely boring industry. We have an extremely small client base. We do line-of-business/sales management applications for something akin to like... light switches and light fixtures. The most exclusive thing we have access to is wholesale pricing from manufacturers. We don't handle payments. The extent of PII we handle is "name and email" from when someone emails out a quote.
We are the epitome of uninteresting to a foreign actor. Being "uninteresting" apparently does not disqualify you.
We also do not hire overseas (the applicant claimed to be from California) and offer a good US wage. We weren't targeted or vulnerable because we were being "greedy".
30 people. Damn. I suppose they must be casting a massive net. Pretty concerning.
North Korea has a shortage of foreign currency.
It's not just espionage. They need US dollars to pay for smugglers.
Greed meets greed. Companies hiring cheap labor, being exploited in several fronts.
It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
Keep focused. Small companies never mattered for nations; they are irrelevant. Spreading paranoia will not solve their over-reliance on this exploited offshore problem. It will likely lead them to bankruptcy.
Ultimately, it doesn't invalidate what I said. It actually makes my comment more relevant.
> It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
It's not offshore. Infiltrators are pretending that they're in the US. I first saw this 2 years ago, and they were pretty clumsy back then: always blurred background (and refusing to unblur it) and/or doing calls from a windowless office. You could even see their eyes moving, like they're reading the script.
This year they became much fancier. They use backgrounds with the real time-of-day and weather illumination. The eyes no longer move unnaturally, etc.
You miss the point.
Remote working is in the same vein as offshoring. One enables the other; they're co-dependent. Both are based on greed. In the case of remote working, it is avoiding having offices, avoiding paying certain kinds of insurance, etc.
You are also reinforcing my original conclusion that what enables these workers is the very same tech that companies are investing in.
Again, greed meets greed.
Now it's too late. IT companies will not survive a full return to office, and they won't survive remote working as well.
The very idea that someone could be using technology to fake an identity was unthinkable. Now that it is not, there's really no place safe.
If a crisis occurs, and the US president goes to Air Force 1, transmits from there, how could you be sure he's not a North Korean infiltrator? You can't.
I think there are still ways out of this, but we're reaching an inflection point that will be hard to overcome.
---
Your commentary seems to provide a valid point of view, and although you disagree, you reinforce my main point.
> Remote working is in the same vein as offshoring.
No, they're not.
> You are also reinforcing my original conclusion that what enables these workers is the very same tech that companies are investing in.
We should get rid of electricity, then.
> If a crisis occurs, and the US president goes to Air Force 1, transmits from there, how could you be sure he's not a North Korean infiltrator? You can't.
Now you're really reaching.
> I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
I'm in a similar situation. The HR leads company is trying to filter out the fakes, but they can't catch everyone.
Apparently, the infiltrators specifically target the companies in the 10-50 people range. In smaller companies everybody knows what everybody else is doing, so infiltrators will be swiftly uncovered. And larger companies typically have a well-established HR department that will catch obvious fakes without good cover.
But these mid-range companies provide the best chance for the fakes to get at least a couple of paychecks before being uncovered. And they likely won't bother with going to the FBI to chase down the payments.
Why shouldn't they go to the FBI?
I strongly recommend going to official authorities if you believe you're being duped by a foreign nation spy or conspirator.
If they ignore you, it's more likely that you're not that important, like I said previously.
> Why shouldn't they go to the FBI?
I'm not saying "shouldn't". It's more likely "don't bother".
Interacting with law enforcement takes executives' time, it might bring in complications (legal liability for personal data leaks, etc.), and even in the best case the company is not going to get their money back.
Why try to hide it? It’s like public disclosures of security vulnerabilities. You directly contact the few people who have actionable data and means to address the problem, then you tell the world that they’re impacted and should be aware that such a problem exists so we don’t repeat it.
Private disclosures for more sensitive vulnerabilities are a recommended practice. In your analogy, that's what I alluded to.
In such cases, you only share the sensitive vulnerability publicly once there is a fix. For this case, there seems to be no fix.
One could think of it as a way to promote more scrutinized hiring processes, but it actually encourages widespread paranoia and fear.
It seems your analogy is valid, but the conclusion is that it supports what I said.
> Why this is being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
One key component for this scheme to work is to have local US persons act as intermediaries. While some may already know something shady is going on, and be complicit, some might not understand the entire scope of what they're being part of. Publicly discussing it might encourage some people to come forward / avoid being involved in the future.
Living up to your screen name I see, but in all seriousness, I fully agree. The average person running the laptops in a spare bedroom may have no idea the scope of what they're involved with. Especially if they're being duped as well.
Imagine a non technical person being told they're helping run an "edge data center, close to the users. Running our laptops helps Netflix/facebook/etc (insert big tech name of your choice) run faster for you and your neighbors and well pay you to do it."
Easy to imagine a non technical person buying that lie.
I'm having a hard time understanding your imagined scenario.
Can you please explain it better?
My imagination is very expansive, I can come up with grand scopes that movies and conspiracy theorists would never dream of.
Reality is much simpler though. Greed, I already said it. Typical human defects.
It seems that you are not comprehending who needs to come forward. Entire industries, entire parties. They simply won't, they would rather see the world burn than admit such mistakes. It has happened before.
I’m not sure it’s good for anyone to keep SMBs in the dark, as they have the most surface area and the least expertise and budget to respond. It seems like a net benefit to publicize the issue and get every IT hiring manager thinking about it.
Can you elaborate more? It seems that you disagree but I'm missing the rationale behind it.
Keeping it quiet and only disclosing to larger firms means that lots of small firms will hire these people, with the economic and IP harms that entails.
As you said, small businesses have less expertise and budget to deal with the problem.
Telling your grandma she has a virus only makes her afraid; she won't magically gain the ability to identify it. That's my whole reasoning here. It makes things worse.
I am building a free service to counter exactly this problem.
This has been going on since 2018 at least and I have flagged thousands of such applicants.
Speak some more on this.
Yes please, I'm also interested in hearing more about what you're building CyberMacGyver
I'm curious why free?
The supposed problem is being peddled by a company called Socure, who, coincidentally, offer the solution to this problem. There are absolutely "fake" remote workers floating around but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence. "North Korean" job applicants has become a meme, any suspicious looking applicant is being labelled "North Korean" by people who've read articles planted by Socure. If this were a grand North Korean government orchestrated conspiracy we would not see hundreds of job applicants engaging in exactly the same strategy for the same job.
https://www.socure.com/blog/hiring-the-enemy-employment-frau...
https://www.paulgraham.com/submarine.html
Yeah I get your skepticism, but this is really a huge issue in many industries. We are seeing it with an alarmingly high rate. You don't need a technical solution though, as the article points out, some stuff is just process change: In person final interview, gov issued ID checks, initial hardware delivery in office, etc.
I’ve also seen this pattern at a pervasive rate but I think it’s mostly shady overemployment / outsourcing agencies, with NK as a tag along. It doesn’t matter either way since the countermeasures are the same (besides the stupid meme KJU junk).
Many users here don’t seem to understand that they are reading content marketing.
But when the FBI tells you, you might really have a problem, as happened at one company I was at several years ago.
Meh, wake me up when the FBI tells me we're infiltrated by Israelis
Ok but plan for a long sleep.
> but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence.
Uhh... I have news for you: https://www.fbi.gov/wanted/cyber/dprk-it-workers
North Korean folk
Not sure why this is downvoted. There’s now abundant evidence it’s happening.
I have a feeling there may be a Nork "flash mob" going on, like when someone says bad stuff about Musk.
Maybe this, with mandatory senior executive and board accountability, will be the wakeup call to stop the outsourcing problem of the last 50 years.
This has nothing to do with outsourcing. These guys are getting hired as permanent employees as often as they’re being engaged as contractors.
What does this have to do with outsourcing?
It’s about incentives.
Direct impact: Outsourcing breeds a culture of unverified and verified-just-once remote work.
Indirect impact: Outsourcing is a cost-driven effort where after a certain level of competence, the bottom-line is the only measurable metric that matters so it’s a race to the bottom with patchwork efforts to “fix” issues like OP.
Making domestic options cost-equivalent with punitive outcomes for hiring NK workers.
This is about in-house employees. Not outsourcing.
What problem
So, again, the answer to this and most every other hiring ill in software over the past 15-20 years is… licensing.
So, let’s think about this logically. There is no baseline of candidate identification or competence in software, and the jobs pay very well in physically comfortable conditions. It makes sense that unqualified liars would apply for these positions. Why shouldn’t they? I am honestly curious how far the fraud and incompetence can go and devalue the industry before someone cares enough to tackle the problem.
The answer to this is for companies to do even a modicum of personnel vetting.
At the very least, make your remote candidate show up in person for their onboarding. A plane ticket and a few days of accommodation and meals is cheap in the grand scheme of things, and giving them the opportunity to meet their team is good relationship building.
Sight their ID before you issue them with an account, give them a laptop etc.
> The answer to this is for companies to do even a modicum of personnel vetting.
They do. That is clearly not enough.
They generally make no enquiries at all into the applicant’s bona fides.
The candidate sends in fake or stolen documents where the picture on the drivers license doesn’t even vaguely resemble the person who appeared on Zoom.
When you have an applicant who says they were born in Tennessee and that they’ve apparently lived in the U.S. for their whole life, you would normally expect them to speak English with native proficiency and at least have an American-sounding accent.
If they say they live in, say, Seattle, you’d expect they could carry on at least a basic conversation about their local area.
Even this basic level of attention to detail nonetheless escapes many HR departments and hiring managers.
Irrelevant to the OP unless you explain why North Koreans would be prevented from obtaining these licenses: it's not like there aren't competent developers in North Korea.
If your explanation is that the license grantor will verify that the applicant is a resident of a Western country, then the employer can just do the same verification of job applicants, dispensing with the need for the occupational license.
The way these people are being caught are things like dodgy LinkedIn profiles or refusing in person meetings so I would think a licensing process designed around things which would be expensive to fake: in person government ID checks, periodic exams, peer evaluations, etc. The trick would be actually doing that in person, which could be a useful thing for conferences - treat an afternoon at PyCon or re:Invent as the cost of renewing your professional credentials if you don’t live near a major city or university.
Even an in person ID check would suffice.
For most of the West, this is an extremely difficult bar to clear for a North Korean national working out of China.
Yeah, I was thinking that if you were looking for an industry license it would probably be more useful if it also covered skills or work experience in some way, since that helps multiple weak points of the common hiring processes, but you’re quite right that it would raise the bar considerably if they had to basically run everyone like actual spies with robust fake identities.
I recommend researching what comprises professional licensing. If you have absolutely no frame of reference I can understand why you would be so confused.
OK, so you cannot answer my question.
Why would I? I don’t think you would understand the answer.
FWIW, the "insult Kim Jong-Un" meme that's been going around doesn't work
How do you know?
Did you try it? What did the person say?
Dumb racist canard is just that, who could've guessed?
How is it racist?
It is trying to avoid hiring an ethnicity by saying things that a specific ethnicity would find offensive, but not others so you can filter them out of the hiring process.
I don't think KJU is held in high esteem by the defector community.
company finally swipes right only to get catfished by a DPRK agent
nice
You don't have to be an evil North Korean to do that. Outsourcers have been doing it since time immemorial because they can't achieve sales in any other way (or through direct corruption: often offshore outsourcing shops are owned by managers of their clients, who effectively use them as tools for siphoning money away).
Hopefully the fear of foreign actors will put an end to this too.
I have to hand it to North Korea on the inventive revenue streams. This is a country under sanctions for decades that has developed some of the most clever IT scams for siphoning money from the west. Between this and the Lazarus group the country has brought in Fortune 500 company kinds of money to keep itself afloat.
It's been over 75 years. It could not be clearer that this attempt to punish the ordinary people who live in North Korea for having a government that the US finds disagreeable will not succeed in somehow fomenting revolution. What it has succeeded in doing, apparently, is sustaining a level of poverty and isolation that motivates even crazy schemes like this.
Here's how to actually stop it: stop weaponizing poverty to beat a Cold War-era dead horse, and end the damn sanctions.
Russia was an important trading partner for many European countries. Especially important for Germany. Basically no sanctions. Freedom of movement with fairly good visa policies. No great internet firewall. How much did all this help to prevent another huge war between two European countries?
Different behaviors have different motivations, contexts, and causes. It's extremely clear that these, like other criminal moneymaking schemes in the DPRK, are directly and closely related to the high degree of isolation of the DPRK and the difficulty of getting capital into it.
Of course lifting the sanctions won't also end all spycraft, or ensure an end to geopolitical conflict. Those aren't things I have claimed or would claim.
And the primary reason to end such sanctions is not any benefit to imperialist nations but because of the fact that they inflict misery on ordinary people indefinitely and (not essential, but adding insult to injury) uselessly.
> they inflict misery on ordinary people indefinitely
Pyongyang was making its people miserable before there were sanctions. America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
> Pyongyang was making its people miserable before there were sanctions.
Whether or not we approve of Pyongyang is completely irrelevant to every point I've made. The questions are (a) whether the sanctions have had a material negative effect on the North Korean people, and (b) what they have accomplished. The answers are "yes" and "nothing of any use", neither of which is controversial. And our fixation with North Korea and the evil we wrought there obviously doesn't begin with sanctions but with millions of tons of bombs, tens of thousands of tons of napalm on arable land, or the destruction of the People's Republic of Korea (not the DPRK), a functioning government that existed in both the North and South before the US invaded (literally reinstating colonial Japanese governors as officials).
> America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
The US was directly involved in the division of Korea even before all that. Frankly, your entire comment has been not only extremely handwave-y but deeply dishonest.
Exactly. Trade ties only go so far.
But this pov isn’t always rooted in pragmatism. Free market ideologues also think that free markets will bring world peace.
Ah yes, because that’s worked out so well with China.
Anyone with internet access in NK is working at the behest of the government.