They cite LinkedIn profiles with 25 connections as easy tell tale signs. Well, I've got news for you: hacked LinkedIn profiles. Happened to a colleague of mine. Profile with more than a thousand genuine, reputable connections got hacked. Picture and name got changed to something East Asian sounding/looking. CV got changed to US defense contracting. Luckily this tripped some automatic account lockdown otherwise it might have well gone undiscovered for a while. Few people will remember every single LinkedIn connection, there's no notification of name change in messages etc. Quite likely this profile was sold to North Korean fake IT workers.
Also, many people like me don't even have LinkedIn profiles. The "pick up your work computer in person" idea sounds like a much more reliable method to me.
> As US-based companies become more aware of the fake IT worker problem, the job seekers are increasingly targeting European employers, too.
All the US companies I've worked for made sure I was legit before I could log into anything, so I assume background checks to be ubiquitous there, save for the cheapest companies. European employers on the other hand...
- don't or rarely offer remote jobs, so they often don't have this problem.
- even if they do some video or phone interview for pre-screening, they nearly always expect the prospective employee to come to a live interview if they are not weeded out by this pre-screening. It is thus expected that you at least live in a country from where you can easily travel to the place where the employer is located.
- often expect their employees to be able to speak the national language, or at least learn it fast. This also makes times hard for North Korean fake IT workers.
I’ve never had this experience. Never once was I flew in for an interview and, in two of the previous companies I’ve worked for, I did not speak the language.
The background checks don't always work because they typically use stolen identities or use the identities of Americans that they've paid. They basically have to in order to pass I-9 verification.
There are also different levels of background checks. For instance, previous employment verification can be time consuming so some companies skip it. Checking references aren't useful because they can be faked (you have to run background checks with employment verification on the references to make sure they are who they say they are).
That’s only one of the scams. You pass background checks if you’re new to the US. It’s a fairly common grift to place contract programmers at big companies with fake degrees and experience, who then send the work back to Asia to be done overnight. It’s easier now with ChatGPT - you can send photos of screens and instantly extract the text.
You also have people who outsource themselves. That’s one of the ways that the people who work multiple jobs pull it off.
Jeff Geerling recently discussed being contacted by the FBI to learn more about minature KVMs, one of the devices North Korean fake IT workers use to appear to be coming from other countries https://www.youtube.com/watch?v=Lc2hB2AwHso
In this case, the KVMs are plugged into multiple laptops being run in people's basement/spare bedroom, it seems. Someone will earn a set amount per laptop per month, to accept a company-supplied laptop (from a us company) then plug in one of these little KVMs to give a remote worker access without as much ease in detection.
So the main difference over more typical remote desktop methods is that it pretends to be a physical display and keyboard to fool the PC it's remoting into in if it's overly locked down?
Feels like there's otherwise a hundred different ways to already do remote control without any extra hardware.
All the alternatives have a risk of setting off D&R tripwires. Assuming these things can spoof their device IDs so they look like a Logitech keyboard etc, I think the cost of the hardware setup is gonna easily pay for itself in terms of harder detection.
Assuming they have offices at all. My previous employer didn’t even have an office until 6 months after I was hired, and half the employees in the country were at the very minimum a decent 3-4h drive away from the office anyway. I’ve only ever met a handful of members of my team in person. The remaining employees were split up on 3 different continents.
A lot of companies have gone completely remote including a fully remote interview process because COVID basically mandated that and many companies kept doing it after COVID subsided because it was working.
But, yes, this will likely change that. In person interviews and onboarding will probably become the norm with fully remote teams as more companies become aware of the risks.
You can. Just like everyone can use a good password. Yet many dont.
Also there is a good reason not to make week 1 in person. You reduce your access to talent. I know we are in the everyone RTO and do 100hrs a week part of the BSiness cycle. But still.
Workers are currently in a bear market. No company has problems “accessing” talent, at least today. They aren’t going to lose a candidate by simply insisting on an in-person step, whether it be an in-person interview or a week of in-person work.
They definitely can.
For my first 3 months it was obligatory to show up to the office.
The office was basically a apartment room, and very small. But it got the job done.
Not really. You need a visa (or equivalent) to enter most countries. This can take months to apply for and receive. And you can stretch that period out even longer by claiming that you don't have a passport and need to apply for one first.
In Germany, if a company want to hire some talent from a foreign country, this problem is solved by the general rule "The employment starts as soon as the visa problems have been resolved, and you are in Germany." Big companies often have a department that helps with visa problems.
So, if you stretch the period, the employment simply starts later.
Maybe more likely that they just assume they are caught, or assume the likelihood of getting caught is higher when there is overt screening for North Koreans.
Similar to why email scammers don’t need good grammar, filtering out difficult cases quickly and move on to easier ones.
I’d be shocked if that was still true after the first time someone tried it. If you’re running an undercover operation, you’re going to give your agents backing to say whatever they need to say to maintain their cover.
You'll likely have to be careful with profiling here. You'll probably need to have documentation/proof that you ask this question to all candidates regardless of race or immigration status. And yes, that means you'll need to ask it to people that clearly aren't North Korean (though that maybe be a good thing in general as I'm sure the next step for the NK regime would be to pay people who are not Asian or who have American accents to do interviews if the practice became widespread)
If someone asked me to criticize KJU, that would be the end of the conversation. I criticize people on my own or not at all. I suppose I would become a false positive.
I don't consider myself to know enough to criticize.
Of course what little I do know is all negative. But I've paid only limited attention, and I get nothing from primary sources.
I expect the same from practically everyone -- perhaps excepting South Koreans who at least speak the language. I'd consider it good judgment to say that you just can't meaningfully answer the question.
I'd read a statement you hand me, if you thought that would suffice. But I'll admit I'd consider that weird and likely useless.
I would never allow any potential client ask me ANY political questions. Not because I like any political figure but because I am trying not to encourage fucking thought control. I hope we are not on Nazi Germany yet. It is just simply not their fucking business. On the other hand if they offer me a million in cold hard cash just for that I would tell then anything they want to hear.
Even with the context of knowing the fake worker problem?
If so, I suppose that’s another good reason to ask the question. It filters out both North Korean fakes and people who are going to be doctrinaire about small things.
If a company asked me anything about the leader of North Korea during an interview for a tech job, I would conclude that they were not a serious company.
What I think about any country leader is totally irrelevant to tech work. So the company is either 1. Wasting my time with a totally irrelevant question or 2. Their hiring process is so vulnerable, they can’t even tell if a candidate is fake. Neither of those would make me particularly excited about that company.
It was 2 min of hate ;) and this clearly isn't the same as trying to rile people up; it's a thin attempt to get people to self report if they are lying with some sort of higher level "gotcha".
Feels like the story about disconnecting Chinese gamers from matches automatically by typing "tiananmen square" or the story of the Battle of Siffin with one side putting pages of the quoran on their spears in hopes the enemy wouldn't fight that way. Unclear how accurate the stories are or how effective it may have been but kind of interesting at least.
Something is amiss here...Developers make hundreds of applications to even get a reply much less an interview...While apparently, barely English literate North Korean IT workers are getting all the jobs :-) Time to praise the Supreme Leader on LinkedIn ?
Scammers are good at the scam. They are good at telling the right lies, they often work in teams (lead finders, closers, and everything in between), use automation where appropriate, etc.
A single dev might have trouble cracking the lead finding code, the resume code, the interview code, etc while and avoiding telling any lies that will get then fired 3 weeks into the job. But a team who all treat the application process as a full time job? It's a lot easier.
Also when a dev gets good at finding a job, they stop looking. Scammers get good at it and then keep getting better.
Maybe these North Korean scammers could make good money by selling their job application tips and tricks to actual talented out of work engineers. They seem to not be struggling to get these jobs, unlike actual developers who are struggling.
I have gotten multiple emails from wonky email addresses offering to have me interview for jobs and they will take care of the work if I get hired. fake names tons of money for me. I just have to nail the interview.
My resume is shiny enough and I've gotton hired enough times im a good candidate for this kind of scam.
This feels like a very ham fisted approach for them though. 99% of engineers are going to ignore or not take seriously these kinds of out of the blue offers.
The part that's really sad is that we have tons of out of work devs right now. This sort of thing only makes it harder for the legitimate people to get hired. An easy fix for this is for a place like Pearson to set up verified interview centers, which will allow for verified virtual interviews (on both sides of the table).
Another solution might be UNIONS that would have __membership verification__ including things like citizenship (which country(ies) are they a citizen of?), skills tests and training, etc.
Just like competition requires 5+ similarly sized entities for a healthy marketplace of companies, my informal opinion is that unions probably similarly shouldn't have overwhelming market share. However my feeling on contracts between unions and corporations is that the contract should be negotiated between multiple companies and multiple unions to produce the most level playing field possible.
I like that software engineering doesnt require/encourage unions, contrary to other big industries.
As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
One great thing about being a dev in the US, u dont need a degree, learn a lot, can apply and get a great job.
Ive previpusly been in a union for a company and the experience did not encourage a competitive working environment. When layoffs came, Jr employees get sacked before more senior union members (not neccesarily the best technical staff just becuase they worked there long time).
I have family/friends in unions (non software devs) that have had similar experiences to mine.
Devs are the factory workers of today. You’re going to be sorry in 10 years when AI is fully mature and all the cheap talent overseas takes every US dev job just like it did to factory workers in the 90s and there’s no unions to even attempt to slow it.
"One great thing about being a dev in the US, u dont need a degree, learn a lot, can apply and get a great job."
And on the other side, you can have a degree and experience and still not get a job due to the wild criteria and games that get played in various interviews.
A retort being familiar does not mean it isn't true or real.
Millions upon millions of ppl at every income level have experienced working in and around unions and not all of them came away with a positive experience.
Do these same criticisms also apply to corporations? I've worked for some absolutely shitty corps that have abused and taken advantage of their labor. Should we abolish corporations?
These criticisms of unions are always pulled out but then never equally applied to corporations.
It didn’t come by itself, it came in the wake of a comment that outlined a process whereby unions have a negative effect on new applicants in the job market.
The disagreement then was “I’ve heard that argument before.” - “ok that doesn’t make it wrong” <— that last sentence is what you’re replying to.
>None of this is a reason to not organize to better represent the interests of labor.
unions restrict the supply of labor and this results in (price increase) better wages for the union's members. However, overall the total dollar amount transferred from employers to labor goes down (employment decrease), so the "class" of all workers (employed and unemployed) see their per capita wages go down. and if that's not enough, the industry grows more slowly so the problem only gets worse for everyone in the future (trickle down) this is the underlying reason for europe's lower year over year economic growth compared to the US
is the reason. it's not a moral or ethical or even income distribution issue, it's just how markets operate.
> As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
This is true in the same way that it’s true that all democracies turn into the majority oppressing everyone else, or get captured by oligarchs, or vote to raise taxes to fund social until the economy collapses, etc. – which is to say not at all. Unions CAN fail that way but it’s not a given. We shouldn’t give up on a useful tool because it can be failed, we should talk about how to keep it healthy.
For example, I’ve seen the no-degree route you talk about made easier by unions because it forced merit hiring rather than hiring more dudes with social ties from certain colleges. Again, that’s not guaranteed – you’d be forgiven for wondering if the Teamsters were a deep cover operation to discredit the concept of unions – but social institutions aren’t magic: they work to the extent that we make them work.
I've been working in the tech industry for about twenty years now, and I desperately want unions. Sticking your neck out alone sucks to begin with and only sucks harder the more time goes forward.
Same. Back when I first got into IT, I was surrounded by (similar) nerds whose self-esteem was defined by being the smartest person in the room. Compensation was often higher than other white-collar jobs, so they (we) were happy to overlook the long hours and non or poorly compensated on-call shifts.
Most IT work now, whether dev or admin side, is not rocket science. It’s mostly approachable work and no one should settle for being abused by employers for some outdated, ingrained, cultural baggage.
They are fine, but struggle with remote work in general because fundamentally the leverage the union has is a monopoly on labor, which is compromised by a global labor force.
Why add more gatekeepers to the industry? It also doesn't really make sense for an IT worker to want to negotiate as a collective when individual salary and benefits are some of the best in the world.
The interview process in US is already insanely ridiculous, but this would only add an additional level of crazy to it. Honestly, licensing would be less bad by comparison.
Can you describe what you see as the insanely ridiculous interview process? Most of the interviews I have initiated are something like:
- 30 minute recruiter call
- 30-60 minute manager call
- 2x 60 minute leetcode easy/medium
- 1x 60 minute STAR behavioral
- 1x 60 minute systems design or maybe doubling up on a previous category
So for a total investment of what, 6 hours, I can go from a cold call to an offer of something like 150k-300k/y? And I'm not even playing in the FAANG ecosystem.
I'm not sure if we are experiencing different processes, or we have different opinions about what kind of time / reward tradeoff is reasonable.
Everything except the 30-60 minute manager call is a waste of time and money for everyone involved.
You just need to ask a couple of open-ended questions about the candidate's preferred programming language and/or some technical details of a past project they've worked on to get an idea of whether they are reasonably competent or not. It shouldn't take more than 10-15 minutes to go through. The majority of rest of the meeting can consist of the candidate asking you questions and/or chit-chatting to make sure the vibes aren't off.
What you are trying to judge is whether or not they can do the job, which you can really only tell once they are actually doing the job anyways. So you pay extra attention to what they do for the first couple of days/weeks after you've hired them and if it's obvious things are not going to work out you let them go. Most places have laws that are amenable to hiring someone on an initial trial period before stronger employee protections kick in.
In general, most of the pathologies of the hiring process can be solved by treating it as a satisfier problem instead of an optimizer problem.
There's a wide spectrum between "extremely efficient" and "insanely ridiculous". To keep it short, I think the incentives are pretty well aligned here. There's not much of an incentive for either party to waste our collective time.
I would be interested to explore a "quick hire, quick fire" philosophy, but I'm not sure it would lead to overall greater satisfaction. Employers don't like to fire people and employees don't like to be fired.
The part where I have to rehearse solving ridiculous problems for a few weeks in my free time so I can perform them to the interviewer and then never use the skills again. It’s typically 2 medium/hard problems solved optimally in 20 minutes each with no errors if I want to beat the competition.
It can suck. I've definitely had some low points where I screw up an easy question and lost out on a place I wanted to work. I also understand that companies can't afford to make a bad hire often. My experience has been that interviewers are interested in the ability to recognize and fix mistakes, communicate about the problem, etc, and have had multiple occasions where I never even got around to filling out a couple pseudocode comments and still got passed.
Wouldn't the issue be that an interview center could take money to lie/etc? When I start a job I would have to go through I-9 verification - if that process is not good enough to weed out fakes, how would another verification work better?
> Wouldn't the issue be that an interview center could take money to lie/etc? When I start a job I would have to go through I-9 verification - if that process is not good enough to weed out fakes, how would another verification work better?
You just need to have a US citizen's SSN and birthday to beat the I-9 verification. And "beat" is a strong word. I-9 is just a form that the employer asks the employees to submit, there's no requirement for the employer to do anything with it.
So you can just say that your SSN is 555-55-5555 and your birthday is 01-01-2001 and you'll "pass" the verification. It'll be detected only when the employer submits the Form-944.
There's E-Verify that requires a picture ID and more information, but it's not mandatory.
Yeah, I was thinking of the Pearson testing centers because they're already prpctored to prevent cheating and setup for identity verification. But co-working spacings could certainly work too. That might be even more viable in Europe.
That’s not the question: it’s about trust and honesty. The problem with North Korean workers is that they are a huge security risk because they aren’t working as free people but as agents of their government. That might not be a guaranteed disaster if they’re just generating cash revenue but it’s a huge security risk if the North Korean government has any reason to subvert your company or customers.
Maybe first give them freedom. As long as their CVs are fake, their faces and experience are fake, and they're spying for their government, nobody should be hiring them.
Eh we're all victims of where we were born. I'm not about to hold someone's state against them. Unless i suppose it's a certain state that didn't exist 100 years ago and had to forcibly move people to make room.
It's a very profound statement (perhaps unintentionally so). Most of us wouldn't even be doing the work we do if we did not have to pay ransom money to our rulers. And then there are unwanted children and all of that...
The problem isn’t the people but the government which controls every aspect of their lives. If I hire a remote worker from England, I don’t have much reason to worry that they’re secretly working for MI-5 and plotting to infiltrate our systems unless I work for a drug cartel or military supplier, and I have a high degree of confidence that if they engage in misconduct they’re subject to a real legal system. If you hire a North Korean, abuse is far more plausible since the invention of cryptocurrency has helped them immensely when it comes to getting and laundering ransoms – and with nobody actually in a country subject to the jurisdiction of a government which cares what you think, they’re going to see it as a safe operation even if it brings you considerable harm.
Just like I don't blame people for hating me because I'm a symbol of ongoing colonization, I expect people to be ok if I blame them for ongoing atrocities carried out in their name in public with no shame or believable justification.
If North Korea is just as bad, at least they're smart enough to not let me see evidence that invades my dreams.
> If only governments could provide a very simple “check identity” service online. I think this should be a basic service nowadays.
Slovenia issues personal certificates so you can identify yourself online. Mostly used for banking and e-gov. The commercial space has decided it’s too cumbersome.
Fantastic idea. Started rolling out when I was in college some 15 years ago. You go to the same place that issues your govt ID and you can also get the equivalent of an SSH cert issued by the government that guarantees you are you, your identity was verified at point of issuance, etc.
Unfortunately it’s about as fiddly to use as SSH. Okay for nerds, way cumbersome for normal humans who just want to log into their bank and pay their taxes damn it. Last I remember (moved to USA ~10 years ago) getting their e-signing browser widgets/extensions to work reliably on non-windows machines was hell. Most Mac/Linux users ran a whole VMWare VM just to do taxes once a year.
Imagine if you had to provide your government ID to use any website.
Even for employment I find the idea iffy, but seeing as it's in response to an actual non-imagined problem, I suppose it's the most reasonable solution to that...
They provide, don't they? In Russia there are "gosuslugi" (government services) that banks and other organizations can use to confirm identity. However, if you sign up, then you will receive draft notices for military service through the app so you better not sign up.
I am not sure it would resolve the issue. About 10 or so years ago I was contacted on LinedIn with offer to "rent my name and face" for a team of Chinese remote workers (probably not those exact words). I rejected the offer without asking for details. Not sure if they were actually from China.
Isn't that what the E-Verify [1] system was supposed to be? Several companies are now discovering it's not all it's cracked up to be, as ICE shows up at their door.
We don't need a general identity service though. We need to know whether someone is authorized to work for a US employer, right? How can a DPRK worker have the necessary authorization? If they use someone else's identity, isn't that something e verify should catch? If these are US citizens/nationals/residents working out of DPRK, who cares?
They can buy, steal, or hire yours. If it were a general identity service, yours would get tracked. But if it's just a matter of authorization, with no authentication, they'd just use it indefinitely.
I suspect some of the fake job postings are schemes to harvest that type of data. If I live in Atlanta and someone uses my identity to get a job in Seattle, how long will it take for me to learn about the company in Seattle that thinks it hired me, especially if they don't use my home address.
One of the many reasons I don't like to give references, social security number, date of birth, and so on to anyone except the end client hiring manager. I don't really care if the talent manager software has a required field to put last four of social security number. I simply don't trust random job postings to keep my information secure.
Would it help if I could query some IRS service to check what paychecks have been sent to me? Does this have a delay of a quarter year or more?
How do these people avoid getting the people they impersonated and or scammed in trouble with the IRS?
Yes. It confirms someone with a particular name, DOB, and SSN is authorized to work in the US. It doesn't confirm that the person claiming to be that person actually is that person. It relies on the employer to be able to match the applicant to the photo in e-verify, which isn't always an easy task.
I suspect it could be worse than that. It feels like certain countries' tech sectors are being partly taken over by IT workers from foreign intelligence agencies or from foreign entities with ulterior motives. Especially when you consider countries with small populations and few natives in the tech sector.
For example, in Australia, it seems like at least 8/10 software engineers are foreign-born. Most of those are probably genuine (not from intelligence agencies) but Australia has such a tiny native population of engineers compared to that of most foreign countries in its vicinity that it wouldn't be difficult for a country like China or India to overwhelm our tech industry with a few highly-placed workers in order to gain political leverage. I was thinking that there might be more software engineers working for Indian and Chinese intelligence agencies in the world than there are native-born software engineers in Australia (of all kinds). It's a numbers' game.
North Korea seems like the tip of the iceberg there though it is an easy example to talk about because everyone understands how the North Korean government operates and everyone agrees about the threat they pose compared to more subtle threats from other countries which aren't seen as opponents (at least not to the same extent).
But also, consider a company like Facebook which hires maybe 20K or so software devs. A country like India which has a large number of software developers, if it wanted, could easily put together a task force to infiltrate and take over Facebook in a focused decade-long effort if that was its intent. They almost certainly do have some people inside every major tech company right now.
If a group can have a few highly placed people inside a target company, they could then recruit more of their group into the company and start promoting their own until they have full control over the critical systems. It's a weakness of our current highly centralized tech sector.
Something else that could happen is a foreign intelligence agency could wait for people to get promoted naturally and then reach out to dual-nationals which they have leverage over (e.g. because of family members or assets owned in the foreign country) and then use that to demand favors. Then they could help coordinate the engineers to recruit more of their own to achieve even more control. Different groups would form factions within the target company and every normal employee would be unwittingly pushed out because anyone trying to 'improve or simplify things' would be seen as a threat to various nefarious agendas which rely on complexity to hide backdoors or algorithm exploits.
Imagine how valuable it would be if you could hijack's Google's search algorithm or Facebook's recommendation engines to prioritize your group's businesses and/or agendas.
North Korea would never, in a million billion years, either accept peace, or actually honour it. NK is a hideously oppressive, violent, dictatorship, which would invade SK in a microsecond if it thought it could get away with it.
I think it astounding - staggering - to point the finger here at USA.
If you were not a long term, serious poster, I would think you were a fake account.
They convinced Ukraine to give up their nukes, promising that they'd be safe. I don't think there's any chance of convincing North Korea to follow the same path.
No, one side declaring the end to a war does not end that war, this is one of the worst foreign policy takes I've ever heard. The NK regime is secure because of the war, they will poison pill any negotiation by demanding South Korea become part of the north.
I don't really understand the logistics of this to be honest. From the article it doesn't sound like these people have false IDs, they just make fake LinkedIn profiles?
In a lot of countries certainly here in Germany your employer has to pay social security contributions and needs your insurance, healthcare information etc. In addition if you're a foreigner you need to know their legal status to see if they can even work. Like what do these scammed companies do, just wire money to some guy they interviewed on social media and ship company property to random addresses? Is that even legal in most places?
They presumably wire the money to a person operating in the US who sends a portion of that money to the NK employee. The US person is then the one in the company payroll files. At least that's my understanding.
We should definitely go after those folks, but it's not pleasant, as many of them may be having their own issues that add to the problem.
One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money. We have entire industries that sell narratives, rationalizing these compromises.
This is exacerbated by the current employment problems. They keep talking about how unemployment is down, but I think we all know folks that are un (or under-) employed, and the difficulties they are having, finding work.
Someone in that state, is fertile ground for money- and job-laundering bad actors. It sucks to punish them, but that is what we need to do, to discourage the practice.
> One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money.
A US person without adequate cashflow is likely to not be able to have food, housing, clothing, medical care, etc. A lack of morals are not what causes people to do anything to make money, it's a lack of money in a capitalist society. Blaming people for systemic problems is incredibly regressive.
Quite a few people will have adequate food, housing, etc and still dispense with morals for money. Some studies suggest that having more money makes one more dishonest rather than less.
The problems are indeed systemic, but it's not just lack of money. The system is constructed around the love of money, such that too much is never enough.
My understanding is for a US employee, the employer is supposed to confirm eligibility to work in the first 3 days of employment. Some form of government id plus a social security card or a passport or something like that. IRS form I-9
Otoh, if these positions are independent contractors, form I-9 isn't required. Just a tax id for reporting purposes.
I would imagine whoever is hosting the laptops may be authorized to work in the US and could also be convinced to provide identity documentation. I think there's a lot of borrowing of documentation by immigrants/migrants who are not authorized to work in the US; so there's probably a marketplace somewhere too.
In three decades, I’ve had some call me to check a reference only twice for private sector jobs. The federal government actually does this as part of background checks so it works but you need to want to badly enough to pay real money.
The other problem is liability: companies often tell their employees not to give references for fear of being sued if the employee doesn’t work out, and most companies don’t expect useful information from them unless someone left in a way which has a public record like a court case. The federal checks don’t have that problem because not answering honestly is a crime. You’d need some kind of shield for honest statements for the private sector to really get accurate assessments, and that’s tricky to do in a way which allows the most useful opinions.
I think the paranoia and fear this kind of idea promotes is perhaps the point of all of it.
Why this is being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
Also, we need steps towards reducing the possible tools that fake workers could leverage. These steps would put a strain on some recent technological developments. A strange and wild paradox.
Inform what companies directly? If it's this pervasive, that's not going to be effective.
I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
And in the process of confirming that this was fishy, I contacted one of the past employers he claimed after doing my best to confirm _they_ weren't in any way part of the scam. They confirmed he had never worked there. I sent them his LinkedIn and portfolio site in case they wanted to chase down getting their name removed.
They told me that this was super concerning because the screenshots in his portfolio of the app he worked on for them were real screenshots... for an unreleased app that was only available internally and had never even been demoed for clients.
They'd already been breached and had god knows what exfiltrated. They found out because we caught an attempt to get hired at _our_ company and let them know.
Nobody outside of a couple of technical staff at our company had even _heard_ of this. Nobody at the other company had. The fix, to me, seems to be making people involved in hiring more aware of this. If anything, it seems we should be talking about this _more_ and _more publicly_.
Is your company involved in infrastructural or emerging tech in any way?
Forgive my frankness, but these worries about infiltrators have priority in important, large companies. I am very sure agencies responsible for this can contact these handful of important companies directly.
So, you're right. In the current age we live in, no one cares about your small SaaS company, and you're being used to spread unecessary paranoia and fear.
We're in a niche, extremely boring industry. We have an extremely small client base. We do line-of-business/sales management applications for something akin to like... light switches and light fixtures. The most exclusive thing we have access to is wholesale pricing from manufacturers. We don't handle payments. The extent of PII we handle is "name and email" from when someone emails out a quote.
We are the epitome of uninteresting to a foreign actor. Being "uninteresting" apparently does not disqualify you.
We also do not hire overseas (the applicant claimed to be from California) and offer a good US wage. We weren't targeted or vulnerable because we were being "greedy".
Isn't this the best way to start an infiltration, though? Like hiring a janitor or cleaner, who is able to access the office during off hours, and can start planting false information, which is then used by a more relevant company years later?
Greed meets greed. Companies hiring cheap labor, being exploited in several fronts.
It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
Keep focused. Small companies never mattered for nations, they are irrelevant. Spreading paranoia will not solve their over-reliance on this exploited offshore problem. It will likely lead them to bankrupcy.
Ultimately, it doesn't invalidate what I said. It actually makes my comment more relevant.
> It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
It's not offshore. Infiltrators are pretending that they're in the US. I first saw this 2 years ago, and they were pretty clumsy back then: always blurred background (and refusing to unblur it) and/or doing calls from a windowless office. You could even see their eyes moving, like they're reading the script.
This year they became much fancier. They use backgrounds with the real time-of-day and weather illumination. The eyes no longer move unnaturally, etc.
Remote working is in the same vein as offshoring. One enables the other, they're co-dependent. Both are based on greed. In the case of remote working, is avoiding having offices, avoiding paying certain kinds of insurance, etc.
You are also re-inforcing my original conclusion that what enables these workers is the very same tech that companies are investing on.
Again, greed meets greed.
Now it's too late. IT companies will not survive a full return to office, and they won't survive remote working as well.
The very idea that someone could be using technology to fake an identity was unthinkable. Now that it is not, there's really no place safe.
If a crisis occours, and the US president goes to Air Force 1, transmits from there, how could you be sure he's not a north korean infiltrator? You can't.
I think there are still ways out of this, but we're reaching an inflection point that will be hard to overcome.
---
Your commentary seems to provide a valid point of view, and although you disagree, you reinforce my main point.
> Remote working is in the same vein as offshoring.
No, they're not.
> You are also re-inforcing my original conclusion that what enables these workers is the very same tech that companies are investing on.
We should get rid of electricity, then.
> If a crisis occours, and the US president goes to Air Force 1, transmits from there, how could you be sure he's not a north korean infiltrator? You can't.
> I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
I'm in a similar situation. The HR leads company is trying to filter out the fakes, but they can't catch everyone.
Apparently, the infiltrators specifically target the companies in the 10-50 people range. In smaller companies everybody knows what everybody else is doing, so infiltrators will be swiftly uncovered. And larger companies typically have a well-established HR department that will catch obvious fakes without good cover.
But these mid-range companies provide the best chance for the fakes to get at least a couple of paychecks before being uncovered. And they likely won't bother with going to the FBI to chase down the payments.
I'm not saying "shouldn't". It's more likely "don't bother".
Interacting with the law enforcement takes time executives' time, it might bring in complications (legal liability for personal data leaks, etc.), and even in the best case the company is not going to get their money back.
So, it's a big problem that everyone should know about but do nothing except post shit on news?
No, you should bother. You should bother a lot. Get in contact with the FBI, make a huge deal about it. You think one company can handle a spy agency? That's bad advice.
You are mixing hypothetical scenarios with reality.
My argument was to inform high value targets first, since they are more at risk and capable of developing a fix.
I also argued for slowing down the development of technology that can help infiltrators.
Go back, read the discussion, see how far you are from the simple truth. Someone is making IT companies paranoid, either on purpose or by mistake. Probably, by greed or as a consequence to it.
Why try to hide it? It’s like public disclosures of security vulnerabilities. You directly contact the few people who have actionable data and means to address the problem, then you tell the world that they’re impacted and should be aware that such a problem exists so we don’t repeat it.
> Why this is being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
One key component for this scheme to work is to have local US persons act as intermediaries. While some may already know something shady is going on, and be complicit, some might not understand the entire scope of what they're being part of. Publicly discussing it might encourage some people to come forward / avoid being involved in the future.
Living up to your screen name I see, but in all seriousness, I fully agree. The average person running the laptops in a spare bedroom may have no idea the scope of what they're involved with. Especially if they're being duped as well.
Imagine a non technical person being told they're helping run an "edge data center, close to the users. Running our laptops helps Netflix/facebook/etc (insert big tech name of your choice) run faster for you and your neighbors and well pay you to do it."
Easy to imagine a non technical person buying that lie.
NK "fake employee" finds a non technical American to run their laptop farm by lying to them that running these laptops is helping make their access to some service faster.
I'm sure many, many countries have botnets. I have a bunch of those countries which I consider irresponsible and wreckless in my radar, not only north korea.
My imagination is very expansive, I can come up with grand scopes that movies and conspiracy theorists would never dream of.
Reality is much simpler though. Greed, I already said it. Typical human defects.
It seems that you are not comprehending who needs to come forward. Entire industries, entire parties. They simply won't, they would rather see the world burn than admit such mistakes. It has happened before.
I’m not sure it’s good for anyone to keep SMB’s in the dark, as they have the most surface area and least expertise and budget to respond. It seems like a net benefit to publicize the issue and get every IT hiring manager thinking about it.
Keeping it quiet and only disclosing to larger firms means that lots of small firms will hire these people, with the economic and IP harms they entails.
As you said, small businessess have less expertise and budget to deal with the problem.
Telling your gramma she has a virus only makes her become afraid, she won't magically gain the ability to identify it. That's my whole reasoning here. It makes things worse.
The supposed problem is being peddled by a company called Socure, who, coincidentally, offer the solution to this problem. There are absolutely "fake" remote workers floating around but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence. "North Korean" job applicants has become a meme, any suspicious looking applicant is being labelled "North Korean" by people who've read articles planted by Socure. If this were a grand North Korean government orchestrated conspiracy we would not see hundreds of job applicants engaging in exactly the same strategy for the same job.
Yeah I get your skepticism, but this is really a huge issue in many industries. We are seeing it with an alarmingly high rate. You don't need a technical solution though, as the article points out, some stuff is just process change:
In person final interview, gov issued ID checks, initial hardware delivery in office, etc.
I’ve also seen this pattern at a pervasive rate but I think it’s mostly shady overemployment / outsourcing agencies, with NK as a tag along. It doesn’t matter either way since the countermeasures are the same (besides the stupid meme KJU junk).
> but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence.
The LinkedIn thing is very weird, what about all the guys that worked for another company for a long time and didn't bother with LinkedIn? I don't buy that, but the trend of these guys not showing up in-person at all is very suspicious, though not impossible. There are all kinds of reasons people want to do remote work, and some of those reasons might preclude an in-person meeting (like you might find out about a disability).
Still, I agree that's pretty suspicious. However, they didn't offer any proof whatsoever these guys are from North Korea or any motivation for why they would be doing this from North Korea. So, that sounds like potential U.S. propaganda.
They said they worked with the FBI, which honestly is a red flag for that kind of thing. Rather, if a company states without proof they're from NK, it's very likely BS. If the feds say it's North Korea without proof, it's definitely BS (they have resources to prove it!). If the Feds say it and provide proof, then we can talk about the proof.
Direct impact: Outsourcing breeds a culture of unverified and verified-just-once remote work.
Indirect impact: Outsourcing is a cost-driven effort where after a certain level of competence, the bottom-line is the only measurable metric that matters so it’s a race to the bottom with patchwork efforts to “fix” issues like OP.
Making domestic options cost-equivalent with punitive outcomes for hiring NK workers.
Otherwise, I stand by my argument. The support infrastructure we built to support remote work and offshore teams
have made this an easy attack channel.
So, again, the answering to this and most every other hiring ill in software over the past 15-20 years is… licensing.
So, let’s think about this logically. There is no baseline of candidate identification or competence in software and the jobs pay very well in physically comfortable conditions. It makes sense that unqualified liars would apply for these positions. Why shouldn’t they? I am honestly curious how far the fraud and incompetence can go and devalue the industry before someone cares enough to tackle the problem l.
The answer to this is for companies to do even a modicum of personnel vetting.
At the very least, make your remote candidate show up in person for their onboarding. A plane ticket and a few days of accomodation and meals is cheap in the grand scheme of things, and giving the opportunity to meet their team is good relationship building.
Sight their ID before you issue them with an account, give them a laptop etc.
They generally make no enquiries at all into the applicant’s bona fides.
The candidate sends in fake or stolen documents where the picture on the drivers license doesn’t even vaguely resemble the person who appeared on Zoom.
When you have an applicant who says they were born in Tennessee and that they’ve apparently lived in the U.S. for their whole life, you would normally expect them to speak English with native proficiency and at least have an American-sounding accent.
If they say they live in, say, Seattle, you’d expect they could carry on at least a basic conversation about their local area.
Even this basic level of attention to detail nonetheless escapes many HR departments and hiring managers.
I have known many people born in the US who learn English as a second language with a think accent. Employers have to use legally qualified means to discriminate applicants to avoid violations of various laws.
> If they say they live in, say, Seattle, you’d expect they could carry on at least a basic conversation about their local area.
When I was working at $LargeCompany, we were encouraged to NOT engage in small talk with applicants beyond the regular politeness. It's too easy to ask questions that would open the company to discrimination lawsuits.
Irrelevant to the OP unless you explain why North Koreans would be prevented from obtaining these licenses: it's not like there aren't competent developers in North Korea.
If your explanation is that the license grantor will verify that the applicant is a resident of a Western country, than the employer can just do the same verification of job applicants, dispensing with the need for the occupational license.
The way these people are being caught are things like dodgy LinkedIn profiles or refusing in person meetings so I would think a licensing process designed around things which would be expensive to fake: in person government ID checks, periodic exams, peer evaluations, etc. The trick would be actually doing that in person, which could be a useful thing for conferences - treat an afternoon at PyCon or re:Invent as the cost of renewing your professional credentials if you don’t live near a major city or university.
Yeah, I was thinking that if you were looking for an industry license it would probably be more useful if it also covered skills or work experience in some way since that helps multiple weak points of the common hiring processes but you’re quite right that it would raise the bad considerably if they had to basically run everyone like actual spies with robust fake identities.
I recommend researching what comprises professional licensing. If you have absolutely no frame of reference I can understand why you would be so confused.
It is trying to avoid hiring an ethnicity by saying things that a specific ethnicity would find offensive, but not others so you can filter them out of the hiring process.
You don't have to be an evil North Korean to do that. Outsources have been doing it since time immemorial because they can't achieve sales in any other way (or, through direct corruption - often offshore outsourcing shops are owned by managers of their clients, who effectively use them as tools for siphoning money away).
Hopefully the fear of foreign actors will put an end to this too.
I have to hand it to North Korea on the inventive revenue streams. This is a country under sanctions for decades that has developed some of the most clever IT scams for siphoning money from the west. Between this and the Lazarus group the country has brought in Fortune 500 company kinds of money to keep itself afloat.
It's been over 75 years. It could not be clearer that this attempt to punish the ordinary people who live in North Korea for having a government that the US finds disagreeable will not succeed in somehow fomenting revolution. What it has succeeded in doing, apparently, is sustaining a level of poverty and isolation that motivates even crazy schemes like this.
Here's how to actually stop it: stop weaponizing poverty to beat a Cold War-era dead horse, and end the damn sanctions.
Russia was an important trading partner for many European countries. Especially important for Germany. Basically no sanctions. Freedom of movement with fairly good visa policies. No great internet firewall. How much did all this help to prevent another huge war between two European countries?
Different behaviors have different motivations, contexts, and causes. It's extremely clear that these, like other criminal moneymaking schemes in the DPRK, are directly and closely related to the high degree of isolation of the DPRK and the difficulty of getting capital into it.
Of course lifting the sanctions won't also end all spycraft, or ensure an end to geopolitical conflict. Those aren't things I have claimed or would claim.
And the primary reason to end such sanctions is not any benefit to imperialist nations but because of the fact that they inflict misery on ordinary people indefinitely and (not essential, but adding insult to injury) uselessly.
> they inflict misery on ordinary people indefinitely
Pyongyang was making its people miserable before there were sanctions. America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
> Pyongyang was making its people miserable before there were sanctions.
Whether or not we approve of Pyongyang is completely irrelevant to every point I've made. The questions are (a) whether the sanctions have had a material negative effect on the North Korean people, and (b) what they have accomplished. The answers are "yes" and "nothing of any use", neither of which is controversial. And our fixation with North Korea and the evil we wrought there obviously doesn't begin with sanctions but with millions of tons of bombs, tens of thousands of tons of napalm on arable land, or the destruction of the People's Republic of Korea (not the DPRK), a functioning government that existed in both the North and South before the US invaded (literally reinstating colonial Japanese governors as officials).
> America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
The US was directly involved in the division of Korea even before all that. Frankly, your entire comment has been not only extremely handwave-y but deeply dishonest.
I hate how this is acceptable to make such claims about another country without providing any evidence. Same goes for Chinese or Russian hackers. It’s just whoever the US government is unhappy about.
The article itself is evidence. There are many more links in it to other stories that report on basically the same or similar incidents. There are also several names in the article itself that you can research or probe on your own to tell if it's coming from a trustworthy source.
Consider also the author: it's written by an actual journalist/editor with a large body of pre-existing work in the field, and many of the claims written are backed up by quotes from a named source. It's not like they're writing all this and hiding it behind the weasel phrase 'according to a source close to the matter'.
The register too is actually UK founded, so it's not even American.
Your reaction is just so typical of people nowadays - just assume it's all 'made up' without any effort in debunking or picking apart any specific claims.
There's evidence, large investigations, and arrests aplenty already.
Justice Department Announces Coordinated, Nationwide Actions to Combat North Korean Remote Information Technology Workers’ Illicit Revenue Generation Schemes (justice.gov)
Law Enforcement Actions Across 16 States Result in Charges, Arrest, and Seizures of 29 Financial Accounts, 21 Fraudulent Websites, and Approximately 200 Computers
..
Today, the United States Attorney’s Office for the District of Massachusetts and the National Security Division announced the arrest of U.S. national Zhenxing “Danny” Wang of New Jersey pursuant to a five-count indictment. The indictment describes a multi-year fraud scheme by Wang and his co-conspirators to obtain remote IT work with U.S. companies that generated more than $5 million in revenue.
They cite LinkedIn profiles with 25 connections as easy tell tale signs. Well, I've got news for you: hacked LinkedIn profiles. Happened to a colleague of mine. Profile with more than a thousand genuine, reputable connections got hacked. Picture and name got changed to something East Asian sounding/looking. CV got changed to US defense contracting. Luckily this tripped some automatic account lockdown otherwise it might have well gone undiscovered for a while. Few people will remember every single LinkedIn connection, there's no notification of name change in messages etc. Quite likely this profile was sold to North Korean fake IT workers.
Also, many people like me don't even have LinkedIn profiles. The "pick up your work computer in person" idea sounds like a much more reliable method to me.
But it is so late in the process to catch them - hours wasted by so many people.
True, but at that point it's still not too late to prevent paying money that will ultimately end up in the NK government hands.
[dead]
> As US-based companies become more aware of the fake IT worker problem, the job seekers are increasingly targeting European employers, too.
All the US companies I've worked for made sure I was legit before I could log into anything, so I assume background checks to be ubiquitous there, save for the cheapest companies. European employers on the other hand...
> European employers on the other hand...
Many European employers
- don't or rarely offer remote jobs, so they often don't have this problem.
- even if they do some video or phone interview for pre-screening, they nearly always expect the prospective employee to come to a live interview if they are not weeded out by this pre-screening. It is thus expected that you at least live in a country from where you can easily travel to the place where the employer is located.
- often expect their employees to be able to speak the national language, or at least learn it fast. This also makes times hard for North Korean fake IT workers.
I’ve never had this experience. Never once was I flew in for an interview and, in two of the previous companies I’ve worked for, I did not speak the language.
This is at least the experience that I (and many people who I know) had.
> I did not speak the language
As I implied: if you are really talented, you don't have to speak the native language yet, but it is expected that you learn it fast.
Maybe I was lucky there (or unlucky depending on the point of view). I’ve even worked for years for a French company without learning French.
The background checks don't always work because they typically use stolen identities or use the identities of Americans that they've paid. They basically have to in order to pass I-9 verification.
There are also different levels of background checks. For instance, previous employment verification can be time consuming so some companies skip it. Checking references aren't useful because they can be faked (you have to run background checks with employment verification on the references to make sure they are who they say they are).
That’s only one of the scams. You pass background checks if you’re new to the US. It’s a fairly common grift to place contract programmers at big companies with fake degrees and experience, who then send the work back to Asia to be done overnight. It’s easier now with ChatGPT - you can send photos of screens and instantly extract the text.
You also have people who outsource themselves. That’s one of the ways that the people who work multiple jobs pull it off.
Jeff Geerling recently discussed being contacted by the FBI to learn more about minature KVMs, one of the devices North Korean fake IT workers use to appear to be coming from other countries https://www.youtube.com/watch?v=Lc2hB2AwHso
In this case, the KVMs are plugged into multiple laptops being run in people's basement/spare bedroom, it seems. Someone will earn a set amount per laptop per month, to accept a company-supplied laptop (from a us company) then plug in one of these little KVMs to give a remote worker access without as much ease in detection.
So the main difference over more typical remote desktop methods is that it pretends to be a physical display and keyboard to fool the PC it's remoting into in if it's overly locked down?
Feels like there's otherwise a hundred different ways to already do remote control without any extra hardware.
All the alternatives have a risk of setting off D&R tripwires. Assuming these things can spoof their device IDs so they look like a Logitech keyboard etc, I think the cost of the hardware setup is gonna easily pay for itself in terms of harder detection.
> Feels like there's otherwise a hundred different ways to already do remote control without any extra hardware
This way the worker doesn't have to know 100 different ways to remote into the machine, just one
Can’t they just make week 1 in person compulsory?
You can easily dress that up as an onboarding thing and would solve this, no?
Assuming they have offices at all. My previous employer didn’t even have an office until 6 months after I was hired, and half the employees in the country were at the very minimum a decent 3-4h drive away from the office anyway. I’ve only ever met a handful of members of my team in person. The remaining employees were split up on 3 different continents.
A lot of companies have gone completely remote including a fully remote interview process because COVID basically mandated that and many companies kept doing it after COVID subsided because it was working.
But, yes, this will likely change that. In person interviews and onboarding will probably become the norm with fully remote teams as more companies become aware of the risks.
You can. Just like everyone can use a good password. Yet many dont.
Also there is a good reason not to make week 1 in person. You reduce your access to talent. I know we are in the everyone RTO and do 100hrs a week part of the BSiness cycle. But still.
Workers are currently in a bear market. No company has problems “accessing” talent, at least today. They aren’t going to lose a candidate by simply insisting on an in-person step, whether it be an in-person interview or a week of in-person work.
Yes I acknowledge that. Right now you can toss candidates because they didn't join your Discord 1am on a Sunday and still find hires.
But it does reduce your pool anyway and access to cheaper and /or better people.
It’s not a bear market for the best candidates. I know plenty of people who have found new jobs in the last 6 months.
Many of them would have said no to in-person interviews.
They definitely can. For my first 3 months it was obligatory to show up to the office. The office was basically a apartment room, and very small. But it got the job done.
Not really. You need a visa (or equivalent) to enter most countries. This can take months to apply for and receive. And you can stretch that period out even longer by claiming that you don't have a passport and need to apply for one first.
In Germany, if a company want to hire some talent from a foreign country, this problem is solved by the general rule "The employment starts as soon as the visa problems have been resolved, and you are in Germany." Big companies often have a department that helps with visa problems.
So, if you stretch the period, the employment simply starts later.
I can’t find the tweet but apparently you can also filter these folks out by asking them to criticize Kim Jong Un
Maybe more likely that they just assume they are caught, or assume the likelihood of getting caught is higher when there is overt screening for North Koreans.
Similar to why email scammers don’t need good grammar, filtering out difficult cases quickly and move on to easier ones.
I’d be shocked if that was still true after the first time someone tried it. If you’re running an undercover operation, you’re going to give your agents backing to say whatever they need to say to maintain their cover.
You'll likely have to be careful with profiling here. You'll probably need to have documentation/proof that you ask this question to all candidates regardless of race or immigration status. And yes, that means you'll need to ask it to people that clearly aren't North Korean (though that maybe be a good thing in general as I'm sure the next step for the NK regime would be to pay people who are not Asian or who have American accents to do interviews if the practice became widespread)
If someone asked me to criticize KJU, that would be the end of the conversation. I criticize people on my own or not at all. I suppose I would become a false positive.
Sounds just like something a North Korean would say
Honestly, sounds like a red flag if even a legitimate applicant is unwilling to voice an opinion on the Kim regime.
I don't consider myself to know enough to criticize.
Of course what little I do know is all negative. But I've paid only limited attention, and I get nothing from primary sources.
I expect the same from practically everyone -- perhaps excepting South Koreans who at least speak the language. I'd consider it good judgment to say that you just can't meaningfully answer the question.
I'd read a statement you hand me, if you thought that would suffice. But I'll admit I'd consider that weird and likely useless.
[dead]
Without context it seems like a weird trick question, like phishing tests and most corporate training.
Replace North Korean leader with Biden and Trump, how that sounds?
Pretty sure a huge number of Americans would happily curse both with the fire of a thousand suns.
On demand? Also will this trigger some discrimination law?
You can legally discriminate on the basis of political views.
I would never allow any potential client ask me ANY political questions. Not because I like any political figure but because I am trying not to encourage fucking thought control. I hope we are not on Nazi Germany yet. It is just simply not their fucking business. On the other hand if they offer me a million in cold hard cash just for that I would tell then anything they want to hear.
> I would never…
> … if they offer me a million…
This is exactly like that famous joke! :D “Mam I believe we’ve already established that. At this point, we’re just negotiating.”
You nailed it. If they want to pry into my private things they better pay for it ;)
So you disagree with Nazi Germany but you're okay with North Korea? :p
Even with the context of knowing the fake worker problem?
If so, I suppose that’s another good reason to ask the question. It filters out both North Korean fakes and people who are going to be doctrinaire about small things.
perhaps a better solution would be to ask an opinion about KJU... not to "criticize" him this feels pretty dystopic indeed, like 15m of hate...
If a company asked me anything about the leader of North Korea during an interview for a tech job, I would conclude that they were not a serious company.
What I think about any country leader is totally irrelevant to tech work. So the company is either 1. Wasting my time with a totally irrelevant question or 2. Their hiring process is so vulnerable, they can’t even tell if a candidate is fake. Neither of those would make me particularly excited about that company.
It was 2 min of hate ;) and this clearly isn't the same as trying to rile people up; it's a thin attempt to get people to self report if they are lying with some sort of higher level "gotcha".
Feels like the story about disconnecting Chinese gamers from matches automatically by typing "tiananmen square" or the story of the Battle of Siffin with one side putting pages of the quoran on their spears in hopes the enemy wouldn't fight that way. Unclear how accurate the stories are or how effective it may have been but kind of interesting at least.
It was 2 min of hate
Inflation.
Lol the ever increasing cost of living gets you in places you don't always expect!
Feel like at least one coworker might be better if they were this.
Something is amiss here...Developers make hundreds of applications to even get a reply much less an interview...While apparently, barely English literate North Korean IT workers are getting all the jobs :-) Time to praise the Supreme Leader on LinkedIn ?
People are single but romance scams exist.
Scammers are good at the scam. They are good at telling the right lies, they often work in teams (lead finders, closers, and everything in between), use automation where appropriate, etc.
A single dev might have trouble cracking the lead finding code, the resume code, the interview code, etc while and avoiding telling any lies that will get then fired 3 weeks into the job. But a team who all treat the application process as a full time job? It's a lot easier.
Also when a dev gets good at finding a job, they stop looking. Scammers get good at it and then keep getting better.
Maybe these North Korean scammers could make good money by selling their job application tips and tricks to actual talented out of work engineers. They seem to not be struggling to get these jobs, unlike actual developers who are struggling.
I have gotten multiple emails from wonky email addresses offering to have me interview for jobs and they will take care of the work if I get hired. fake names tons of money for me. I just have to nail the interview.
My resume is shiny enough and I've gotton hired enough times im a good candidate for this kind of scam.
This feels like a very ham fisted approach for them though. 99% of engineers are going to ignore or not take seriously these kinds of out of the blue offers.
I would not say they are getting the jobs but they are getting interviews.
They probably use many identities
Most of my colleagues in India are barely literate and it doesn’t stop offshoring at all.
Thats racist!!! How dare u.
The part that's really sad is that we have tons of out of work devs right now. This sort of thing only makes it harder for the legitimate people to get hired. An easy fix for this is for a place like Pearson to set up verified interview centers, which will allow for verified virtual interviews (on both sides of the table).
Another solution might be UNIONS that would have __membership verification__ including things like citizenship (which country(ies) are they a citizen of?), skills tests and training, etc.
Just like competition requires 5+ similarly sized entities for a healthy marketplace of companies, my informal opinion is that unions probably similarly shouldn't have overwhelming market share. However my feeling on contracts between unions and corporations is that the contract should be negotiated between multiple companies and multiple unions to produce the most level playing field possible.
At least in the US,
I like that software engineering doesnt require/encourage unions, contrary to other big industries.
As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
One great thing about being a dev in the US, u dont need a degree, learn a lot, can apply and get a great job.
Ive previpusly been in a union for a company and the experience did not encourage a competitive working environment. When layoffs came, Jr employees get sacked before more senior union members (not neccesarily the best technical staff just becuase they worked there long time).
I have family/friends in unions (non software devs) that have had similar experiences to mine.
Devs are the factory workers of today. You’re going to be sorry in 10 years when AI is fully mature and all the cheap talent overseas takes every US dev job just like it did to factory workers in the 90s and there’s no unions to even attempt to slow it.
And in an unlikely case that there were a union, US would lose competition to China and the union will be involuntarily disbanded.
Factory workers are the factory workers of today.
"One great thing about being a dev in the US, u dont need a degree, learn a lot, can apply and get a great job."
And on the other side, you can have a degree and experience and still not get a job due to the wild criteria and games that get played in various interviews.
You trot out all the familiar retorts. None of this is a reason to not organize to better represent the interests of labor.
A retort being familiar does not mean it isn't true or real.
Millions upon millions of ppl at every income level have experienced working in and around unions and not all of them came away with a positive experience.
Do these same criticisms also apply to corporations? I've worked for some absolutely shitty corps that have abused and taken advantage of their labor. Should we abolish corporations?
These criticisms of unions are always pulled out but then never equally applied to corporations.
You can say the same thing about democratic governments, or capitalism, etc. etc.
By itself that's not a meaningful observation.
It didn’t come by itself, it came in the wake of a comment that outlined a process whereby unions have a negative effect on new applicants in the job market.
The disagreement then was “I’ve heard that argument before.” - “ok that doesn’t make it wrong” <— that last sentence is what you’re replying to.
>None of this is a reason to not organize to better represent the interests of labor.
unions restrict the supply of labor and this results in (price increase) better wages for the union's members. However, overall the total dollar amount transferred from employers to labor goes down (employment decrease), so the "class" of all workers (employed and unemployed) see their per capita wages go down. and if that's not enough, the industry grows more slowly so the problem only gets worse for everyone in the future (trickle down) this is the underlying reason for europe's lower year over year economic growth compared to the US
is the reason. it's not a moral or ethical or even income distribution issue, it's just how markets operate.
> As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
This is true in the same way that it’s true that all democracies turn into the majority oppressing everyone else, or get captured by oligarchs, or vote to raise taxes to fund social until the economy collapses, etc. – which is to say not at all. Unions CAN fail that way but it’s not a given. We shouldn’t give up on a useful tool because it can be failed, we should talk about how to keep it healthy.
For example, I’ve seen the no-degree route you talk about made easier by unions because it forced merit hiring rather than hiring more dudes with social ties from certain colleges. Again, that’s not guaranteed – you’d be forgiven for wondering if the Teamsters were a deep cover operation to discredit the concept of unions – but social institutions aren’t magic: they work to the extent that we make them work.
I've been working in the tech industry for about twenty years now, and I desperately want unions. Sticking your neck out alone sucks to begin with and only sucks harder the more time goes forward.
Same. Back when I first got into IT, I was surrounded by (similar) nerds whose self-esteem was defined by being the smartest person in the room. Compensation was often higher than other white-collar jobs, so they (we) were happy to overlook the long hours and non or poorly compensated on-call shifts.
Most IT work now, whether dev or admin side, is not rocket science. It’s mostly approachable work and no one should settle for being abused by employers for some outdated, ingrained, cultural baggage.
That’s not how unions work.
They are fine, but struggle with remote work in general because fundamentally the leverage the union has is a monopoly on labor, which is compromised by a global labor force.
Why add more gatekeepers to the industry? It also doesn't really make sense for an IT worker to want to negotiate as a collective when individual salary and benefits are some of the best in the world.
The interview process in US is already insanely ridiculous, but this would only add an additional level of crazy to it. Honestly, licensing would be less bad by comparison.
Can you describe what you see as the insanely ridiculous interview process? Most of the interviews I have initiated are something like:
So for a total investment of what, 6 hours, I can go from a cold call to an offer of something like 150k-300k/y? And I'm not even playing in the FAANG ecosystem.I'm not sure if we are experiencing different processes, or we have different opinions about what kind of time / reward tradeoff is reasonable.
Everything except the 30-60 minute manager call is a waste of time and money for everyone involved.
You just need to ask a couple of open-ended questions about the candidate's preferred programming language and/or some technical details of a past project they've worked on to get an idea of whether they are reasonably competent or not. It shouldn't take more than 10-15 minutes to go through. The majority of rest of the meeting can consist of the candidate asking you questions and/or chit-chatting to make sure the vibes aren't off.
What you are trying to judge is whether or not they can do the job, which you can really only tell once they are actually doing the job anyways. So you pay extra attention to what they do for the first couple of days/weeks after you've hired them and if it's obvious things are not going to work out you let them go. Most places have laws that are amenable to hiring someone on an initial trial period before stronger employee protections kick in.
In general, most of the pathologies of the hiring process can be solved by treating it as a satisfier problem instead of an optimizer problem.
There's a wide spectrum between "extremely efficient" and "insanely ridiculous". To keep it short, I think the incentives are pretty well aligned here. There's not much of an incentive for either party to waste our collective time.
I would be interested to explore a "quick hire, quick fire" philosophy, but I'm not sure it would lead to overall greater satisfaction. Employers don't like to fire people and employees don't like to be fired.
How many hours of interview prep did you include?
The part where I have to rehearse solving ridiculous problems for a few weeks in my free time so I can perform them to the interviewer and then never use the skills again. It’s typically 2 medium/hard problems solved optimally in 20 minutes each with no errors if I want to beat the competition.
It can suck. I've definitely had some low points where I screw up an easy question and lost out on a place I wanted to work. I also understand that companies can't afford to make a bad hire often. My experience has been that interviewers are interested in the ability to recognize and fix mistakes, communicate about the problem, etc, and have had multiple occasions where I never even got around to filling out a couple pseudocode comments and still got passed.
Have you interviewed since 2015?
Wouldn't the issue be that an interview center could take money to lie/etc? When I start a job I would have to go through I-9 verification - if that process is not good enough to weed out fakes, how would another verification work better?
> Wouldn't the issue be that an interview center could take money to lie/etc? When I start a job I would have to go through I-9 verification - if that process is not good enough to weed out fakes, how would another verification work better?
You just need to have a US citizen's SSN and birthday to beat the I-9 verification. And "beat" is a strong word. I-9 is just a form that the employer asks the employees to submit, there's no requirement for the employer to do anything with it.
So you can just say that your SSN is 555-55-5555 and your birthday is 01-01-2001 and you'll "pass" the verification. It'll be detected only when the employer submits the Form-944.
There's E-Verify that requires a picture ID and more information, but it's not mandatory.
I forgot e-verify is separate, seems like a better thing to mandate
Interesting idea! This seems like a natural extension of the coworking space business concept.
Yeah, I was thinking of the Pearson testing centers because they're already prpctored to prevent cheating and setup for identity verification. But co-working spacings could certainly work too. That might be even more viable in Europe.
Not sure why that comment got downvoted. It doesn't seem to detract from the topic at hand.
Not sure if it's feasible, but it's definitely something to consider.
I don't really see north korean workers as any less deserving of work
That’s not the question: it’s about trust and honesty. The problem with North Korean workers is that they are a huge security risk because they aren’t working as free people but as agents of their government. That might not be a guaranteed disaster if they’re just generating cash revenue but it’s a huge security risk if the North Korean government has any reason to subvert your company or customers.
Maybe first give them freedom. As long as their CVs are fake, their faces and experience are fake, and they're spying for their government, nobody should be hiring them.
Eh we're all victims of where we were born. I'm not about to hold someone's state against them. Unless i suppose it's a certain state that didn't exist 100 years ago and had to forcibly move people to make room.
>Eh we're all victims of where we were born.
It's a very profound statement (perhaps unintentionally so). Most of us wouldn't even be doing the work we do if we did not have to pay ransom money to our rulers. And then there are unwanted children and all of that...
The problem isn’t the people but the government which controls every aspect of their lives. If I hire a remote worker from England, I don’t have much reason to worry that they’re secretly working for MI-5 and plotting to infiltrate our systems unless I work for a drug cartel or military supplier, and I have a high degree of confidence that if they engage in misconduct they’re subject to a real legal system. If you hire a North Korean, abuse is far more plausible since the invention of cryptocurrency has helped them immensely when it comes to getting and laundering ransoms – and with nobody actually in a country subject to the jurisdiction of a government which cares what you think, they’re going to see it as a safe operation even if it brings you considerable harm.
Why make the exception for that state? None of the people applying for jobs were involved or even alive when it happened.
Just like I don't blame people for hating me because I'm a symbol of ongoing colonization, I expect people to be ok if I blame them for ongoing atrocities carried out in their name in public with no shame or believable justification.
If North Korea is just as bad, at least they're smart enough to not let me see evidence that invades my dreams.
If only governments could provide a very simple “check identity” service online. I think this should be a basic service nowadays.
> If only governments could provide a very simple “check identity” service online. I think this should be a basic service nowadays.
Slovenia issues personal certificates so you can identify yourself online. Mostly used for banking and e-gov. The commercial space has decided it’s too cumbersome.
Fantastic idea. Started rolling out when I was in college some 15 years ago. You go to the same place that issues your govt ID and you can also get the equivalent of an SSH cert issued by the government that guarantees you are you, your identity was verified at point of issuance, etc.
Unfortunately it’s about as fiddly to use as SSH. Okay for nerds, way cumbersome for normal humans who just want to log into their bank and pay their taxes damn it. Last I remember (moved to USA ~10 years ago) getting their e-signing browser widgets/extensions to work reliably on non-windows machines was hell. Most Mac/Linux users ran a whole VMWare VM just to do taxes once a year.
Imagine if you had to provide your government ID to use any website.
Even for employment I find the idea iffy, but seeing as it's in response to an actual non-imagined problem, I suppose it's the most reasonable solution to that...
They provide, don't they? In Russia there are "gosuslugi" (government services) that banks and other organizations can use to confirm identity. However, if you sign up, then you will receive draft notices for military service through the app so you better not sign up.
I am not sure it would resolve the issue. About 10 or so years ago I was contacted on LinedIn with offer to "rent my name and face" for a team of Chinese remote workers (probably not those exact words). I rejected the offer without asking for details. Not sure if they were actually from China.
If you sell your identity, you are accountable. That works in real life too; So there’s less incentive in doing it.
Yeah, lets give the fascists full identity tracking tools.
Isn't that what the E-Verify [1] system was supposed to be? Several companies are now discovering it's not all it's cracked up to be, as ICE shows up at their door.
[1] https://www.e-verify.gov/
E-verify is just to check employment authorization, it's not a general identity service.
We don't need a general identity service though. We need to know whether someone is authorized to work for a US employer, right? How can a DPRK worker have the necessary authorization? If they use someone else's identity, isn't that something e verify should catch? If these are US citizens/nationals/residents working out of DPRK, who cares?
They can buy, steal, or hire yours. If it were a general identity service, yours would get tracked. But if it's just a matter of authorization, with no authentication, they'd just use it indefinitely.
I suspect some of the fake job postings are schemes to harvest that type of data. If I live in Atlanta and someone uses my identity to get a job in Seattle, how long will it take for me to learn about the company in Seattle that thinks it hired me, especially if they don't use my home address.
One of the many reasons I don't like to give references, social security number, date of birth, and so on to anyone except the end client hiring manager. I don't really care if the talent manager software has a required field to put last four of social security number. I simply don't trust random job postings to keep my information secure.
Would it help if I could query some IRS service to check what paychecks have been sent to me? Does this have a delay of a quarter year or more?
How do these people avoid getting the people they impersonated and or scammed in trouble with the IRS?
Yes. It confirms someone with a particular name, DOB, and SSN is authorized to work in the US. It doesn't confirm that the person claiming to be that person actually is that person. It relies on the employer to be able to match the applicant to the photo in e-verify, which isn't always an easy task.
I suspect it could be worse than that. It feels like certain countries' tech sectors are being partly taken over by IT workers from foreign intelligence agencies or from foreign entities with ulterior motives. Especially when you consider countries with small populations and few natives in the tech sector.
For example, in Australia, it seems like at least 8/10 software engineers are foreign-born. Most of those are probably genuine (not from intelligence agencies) but Australia has such a tiny native population of engineers compared to that of most foreign countries in its vicinity that it wouldn't be difficult for a country like China or India to overwhelm our tech industry with a few highly-placed workers in order to gain political leverage. I was thinking that there might be more software engineers working for Indian and Chinese intelligence agencies in the world than there are native-born software engineers in Australia (of all kinds). It's a numbers' game.
North Korea seems like the tip of the iceberg there though it is an easy example to talk about because everyone understands how the North Korean government operates and everyone agrees about the threat they pose compared to more subtle threats from other countries which aren't seen as opponents (at least not to the same extent).
But also, consider a company like Facebook which hires maybe 20K or so software devs. A country like India which has a large number of software developers, if it wanted, could easily put together a task force to infiltrate and take over Facebook in a focused decade-long effort if that was its intent. They almost certainly do have some people inside every major tech company right now.
If a group can have a few highly placed people inside a target company, they could then recruit more of their group into the company and start promoting their own until they have full control over the critical systems. It's a weakness of our current highly centralized tech sector.
Something else that could happen is a foreign intelligence agency could wait for people to get promoted naturally and then reach out to dual-nationals which they have leverage over (e.g. because of family members or assets owned in the foreign country) and then use that to demand favors. Then they could help coordinate the engineers to recruit more of their own to achieve even more control. Different groups would form factions within the target company and every normal employee would be unwittingly pushed out because anyone trying to 'improve or simplify things' would be seen as a threat to various nefarious agendas which rely on complexity to hide backdoors or algorithm exploits.
Imagine how valuable it would be if you could hijack's Google's search algorithm or Facebook's recommendation engines to prioritize your group's businesses and/or agendas.
It’s likely that some variant of what you’re describing is actively taking place right now.
I am building a free service to counter exactly this problem.
This has been going on since 2018 at least and I have flagged thousands of such applicants.
Speak some more on this.
Yes please, I'm also interested in hearing more about what you're building CyberMacGyver
I'm curious why free?
This is a problem the USA caused, and could easily solve, by dissolving the armistice and declaring an end to the Korean war.
only seven countries are currently participating in the embargo and sanction of North Korea, (at the behest of the united states.)
North Korea would never, in a million billion years, either accept peace, or actually honour it. NK is a hideously oppressive, violent, dictatorship, which would invade SK in a microsecond if it thought it could get away with it.
I think it astounding - staggering - to point the finger here at USA.
If you were not a long term, serious poster, I would think you were a fake account.
They convinced Ukraine to give up their nukes, promising that they'd be safe. I don't think there's any chance of convincing North Korea to follow the same path.
No, one side declaring the end to a war does not end that war, this is one of the worst foreign policy takes I've ever heard. The NK regime is secure because of the war, they will poison pill any negotiation by demanding South Korea become part of the north.
I don't really understand the logistics of this to be honest. From the article it doesn't sound like these people have false IDs, they just make fake LinkedIn profiles?
In a lot of countries certainly here in Germany your employer has to pay social security contributions and needs your insurance, healthcare information etc. In addition if you're a foreigner you need to know their legal status to see if they can even work. Like what do these scammed companies do, just wire money to some guy they interviewed on social media and ship company property to random addresses? Is that even legal in most places?
They're targeting locales and companies with less stringent checks.
They presumably wire the money to a person operating in the US who sends a portion of that money to the NK employee. The US person is then the one in the company payroll files. At least that's my understanding.
We should definitely go after those folks, but it's not pleasant, as many of them may be having their own issues that add to the problem.
One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money. We have entire industries that sell narratives, rationalizing these compromises.
This is exacerbated by the current employment problems. They keep talking about how unemployment is down, but I think we all know folks that are un (or under-) employed, and the difficulties they are having, finding work.
Someone in that state, is fertile ground for money- and job-laundering bad actors. It sucks to punish them, but that is what we need to do, to discourage the practice.
I agree but I don't actually feel bad about punishing people for committing fraud (as long as we punish all people fairly, etc).
> People will do almost anything, and compromise all their personal values, for money
I think this demonstrates what their ACTUAL values are or at get very least the priority of those values.
> One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money.
A US person without adequate cashflow is likely to not be able to have food, housing, clothing, medical care, etc. A lack of morals are not what causes people to do anything to make money, it's a lack of money in a capitalist society. Blaming people for systemic problems is incredibly regressive.
Quite a few people will have adequate food, housing, etc and still dispense with morals for money. Some studies suggest that having more money makes one more dishonest rather than less.
The problems are indeed systemic, but it's not just lack of money. The system is constructed around the love of money, such that too much is never enough.
My understanding is for a US employee, the employer is supposed to confirm eligibility to work in the first 3 days of employment. Some form of government id plus a social security card or a passport or something like that. IRS form I-9
Otoh, if these positions are independent contractors, form I-9 isn't required. Just a tax id for reporting purposes.
I would imagine whoever is hosting the laptops may be authorized to work in the US and could also be convinced to provide identity documentation. I think there's a lot of borrowing of documentation by immigrants/migrants who are not authorized to work in the US; so there's probably a marketplace somewhere too.
That’s part of what is being exposed here. The hiring process for many companies is not very robust. I doubt many even check references
In three decades, I’ve had some call me to check a reference only twice for private sector jobs. The federal government actually does this as part of background checks so it works but you need to want to badly enough to pay real money.
The other problem is liability: companies often tell their employees not to give references for fear of being sued if the employee doesn’t work out, and most companies don’t expect useful information from them unless someone left in a way which has a public record like a court case. The federal checks don’t have that problem because not answering honestly is a crime. You’d need some kind of shield for honest statements for the private sector to really get accurate assessments, and that’s tricky to do in a way which allows the most useful opinions.
I think the paranoia and fear this kind of idea promotes is perhaps the point of all of it.
Why this is being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
Also, we need steps towards reducing the possible tools that fake workers could leverage. These steps would put a strain on some recent technological developments. A strange and wild paradox.
Inform what companies directly? If it's this pervasive, that's not going to be effective.
I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
And in the process of confirming that this was fishy, I contacted one of the past employers he claimed after doing my best to confirm _they_ weren't in any way part of the scam. They confirmed he had never worked there. I sent them his LinkedIn and portfolio site in case they wanted to chase down getting their name removed.
They told me that this was super concerning because the screenshots in his portfolio of the app he worked on for them were real screenshots... for an unreleased app that was only available internally and had never even been demoed for clients.
They'd already been breached and had god knows what exfiltrated. They found out because we caught an attempt to get hired at _our_ company and let them know.
Nobody outside of a couple of technical staff at our company had even _heard_ of this. Nobody at the other company had. The fix, to me, seems to be making people involved in hiring more aware of this. If anything, it seems we should be talking about this _more_ and _more publicly_.
Is your company involved in infrastructural or emerging tech in any way?
Forgive my frankness, but these worries about infiltrators have priority in important, large companies. I am very sure agencies responsible for this can contact these handful of important companies directly.
So, you're right. In the current age we live in, no one cares about your small SaaS company, and you're being used to spread unecessary paranoia and fear.
Other company was, indeed, AI Startup #528532.
We're in a niche, extremely boring industry. We have an extremely small client base. We do line-of-business/sales management applications for something akin to like... light switches and light fixtures. The most exclusive thing we have access to is wholesale pricing from manufacturers. We don't handle payments. The extent of PII we handle is "name and email" from when someone emails out a quote.
We are the epitome of uninteresting to a foreign actor. Being "uninteresting" apparently does not disqualify you.
We also do not hire overseas (the applicant claimed to be from California) and offer a good US wage. We weren't targeted or vulnerable because we were being "greedy".
Isn't this the best way to start an infiltration, though? Like hiring a janitor or cleaner, who is able to access the office during off hours, and can start planting false information, which is then used by a more relevant company years later?
30 people. Damn. I suppose they must be casting a massive net. Pretty concerning.
North Korea has a shortage of foreign currency.
It's not just espionage. They need US dollars to pay for smugglers.
Greed meets greed. Companies hiring cheap labor, being exploited in several fronts.
It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
Keep focused. Small companies never mattered for nations, they are irrelevant. Spreading paranoia will not solve their over-reliance on this exploited offshore problem. It will likely lead them to bankrupcy.
Ultimately, it doesn't invalidate what I said. It actually makes my comment more relevant.
> It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
It's not offshore. Infiltrators are pretending that they're in the US. I first saw this 2 years ago, and they were pretty clumsy back then: always blurred background (and refusing to unblur it) and/or doing calls from a windowless office. You could even see their eyes moving, like they're reading the script.
This year they became much fancier. They use backgrounds with the real time-of-day and weather illumination. The eyes no longer move unnaturally, etc.
You miss the point.
Remote working is in the same vein as offshoring. One enables the other, they're co-dependent. Both are based on greed. In the case of remote working, is avoiding having offices, avoiding paying certain kinds of insurance, etc.
You are also re-inforcing my original conclusion that what enables these workers is the very same tech that companies are investing on.
Again, greed meets greed.
Now it's too late. IT companies will not survive a full return to office, and they won't survive remote working as well.
The very idea that someone could be using technology to fake an identity was unthinkable. Now that it is not, there's really no place safe.
If a crisis occours, and the US president goes to Air Force 1, transmits from there, how could you be sure he's not a north korean infiltrator? You can't.
I think there are still ways out of this, but we're reaching an inflection point that will be hard to overcome.
---
Your commentary seems to provide a valid point of view, and although you disagree, you reinforce my main point.
> Remote working is in the same vein as offshoring.
No, they're not.
> You are also re-inforcing my original conclusion that what enables these workers is the very same tech that companies are investing on.
We should get rid of electricity, then.
> If a crisis occours, and the US president goes to Air Force 1, transmits from there, how could you be sure he's not a north korean infiltrator? You can't.
Now you're really reaching.
> We should get rid of electricity, then.
Pathetic.
> I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
I'm in a similar situation. The HR leads company is trying to filter out the fakes, but they can't catch everyone.
Apparently, the infiltrators specifically target the companies in the 10-50 people range. In smaller companies everybody knows what everybody else is doing, so infiltrators will be swiftly uncovered. And larger companies typically have a well-established HR department that will catch obvious fakes without good cover.
But these mid-range companies provide the best chance for the fakes to get at least a couple of paychecks before being uncovered. And they likely won't bother with going to the FBI to chase down the payments.
Why shouldn't they go to the FBI?
I strongly recommend going to official authorities if you believe you're being duped by a foreign nation spy or conspirator.
If they ignore you, it's more likely that you're not that important, like I said previously.
> Why shouldn't they go to the FBI?
I'm not saying "shouldn't". It's more likely "don't bother".
Interacting with the law enforcement takes time executives' time, it might bring in complications (legal liability for personal data leaks, etc.), and even in the best case the company is not going to get their money back.
So, it's a big problem that everyone should know about but do nothing except post shit on news?
No, you should bother. You should bother a lot. Get in contact with the FBI, make a huge deal about it. You think one company can handle a spy agency? That's bad advice.
Sure, feel free to tell that to every mid-size company.
You are mixing hypothetical scenarios with reality.
My argument was to inform high value targets first, since they are more at risk and capable of developing a fix.
I also argued for slowing down the development of technology that can help infiltrators.
Go back, read the discussion, see how far you are from the simple truth. Someone is making IT companies paranoid, either on purpose or by mistake. Probably, by greed or as a consequence to it.
Why try to hide it? It’s like public disclosures of security vulnerabilities. You directly contact the few people who have actionable data and means to address the problem, then you tell the world that they’re impacted and should be aware that such a problem exists so we don’t repeat it.
Private disclosures for more sensitive vulnerabilities are a recommended practice. In your analogy, that's why I aluded to.
In such cases, you only share the sensitive vulnerability publicly once there is a fix. For this case, there seems to be no fix.
One could think of it as a way to promote more scrutinized hiring processes, but it actually encourages widespread paranoia and fear.
It seems your analogy is valid, but the conclusion is that it supports what I said.
> Why this is being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
One key component for this scheme to work is to have local US persons act as intermediaries. While some may already know something shady is going on, and be complicit, some might not understand the entire scope of what they're being part of. Publicly discussing it might encourage some people to come forward / avoid being involved in the future.
Living up to your screen name I see, but in all seriousness, I fully agree. The average person running the laptops in a spare bedroom may have no idea the scope of what they're involved with. Especially if they're being duped as well.
Imagine a non technical person being told they're helping run an "edge data center, close to the users. Running our laptops helps Netflix/facebook/etc (insert big tech name of your choice) run faster for you and your neighbors and well pay you to do it."
Easy to imagine a non technical person buying that lie.
I'm having a hard time understanding your imagined scenario.
Can you please explain it better?
NK "fake employee" finds a non technical American to run their laptop farm by lying to them that running these laptops is helping make their access to some service faster.
Sounds very convoluted.
I'm sure many, many countries have botnets. I have a bunch of those countries which I consider irresponsible and wreckless in my radar, not only north korea.
My imagination is very expansive, I can come up with grand scopes that movies and conspiracy theorists would never dream of.
Reality is much simpler though. Greed, I already said it. Typical human defects.
It seems that you are not comprehending who needs to come forward. Entire industries, entire parties. They simply won't, they would rather see the world burn than admit such mistakes. It has happened before.
I’m not sure it’s good for anyone to keep SMB’s in the dark, as they have the most surface area and least expertise and budget to respond. It seems like a net benefit to publicize the issue and get every IT hiring manager thinking about it.
Can you elaborate more? It seems that you disagree but I'm missing the rationale behind it.
Keeping it quiet and only disclosing to larger firms means that lots of small firms will hire these people, with the economic and IP harms they entails.
As you said, small businessess have less expertise and budget to deal with the problem.
Telling your gramma she has a virus only makes her become afraid, she won't magically gain the ability to identify it. That's my whole reasoning here. It makes things worse.
The supposed problem is being peddled by a company called Socure, who, coincidentally, offer the solution to this problem. There are absolutely "fake" remote workers floating around but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence. "North Korean" job applicants has become a meme, any suspicious looking applicant is being labelled "North Korean" by people who've read articles planted by Socure. If this were a grand North Korean government orchestrated conspiracy we would not see hundreds of job applicants engaging in exactly the same strategy for the same job.
https://www.socure.com/blog/hiring-the-enemy-employment-frau...
https://www.paulgraham.com/submarine.html
Yeah I get your skepticism, but this is really a huge issue in many industries. We are seeing it with an alarmingly high rate. You don't need a technical solution though, as the article points out, some stuff is just process change: In person final interview, gov issued ID checks, initial hardware delivery in office, etc.
I’ve also seen this pattern at a pervasive rate but I think it’s mostly shady overemployment / outsourcing agencies, with NK as a tag along. It doesn’t matter either way since the countermeasures are the same (besides the stupid meme KJU junk).
Many users here don’t seem to understand that they are reading content marketing.
But when the FBI tells you, you might really have a problem, as happened at one company I was at several years ago.
Meh, wake me up when the FBI tells me we're infiltrated by Israelis
Ok but plan for a long sleep.
> but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence.
Uhh... I have news for you: https://www.fbi.gov/wanted/cyber/dprk-it-workers
North Koreax folk
Not sure why this is downvoted. There’s now abundant evidence it’s happening.
I have a feeling there may be a Nork "flash mob" going on, like when someone says bad stuff about Musk.
Have your new hire turn up and meet with the team on day one.
They'll soon twig if that's not the person who's getting called into a quick meeting in 5 minutes to discuss some new issue.
The LinkedIn thing is very weird, what about all the guys that worked for another company for a long time and didn't bother with LinkedIn? I don't buy that, but the trend of these guys not showing up in-person at all is very suspicious, though not impossible. There are all kinds of reasons people want to do remote work, and some of those reasons might preclude an in-person meeting (like you might find out about a disability).
Still, I agree that's pretty suspicious. However, they didn't offer any proof whatsoever these guys are from North Korea or any motivation for why they would be doing this from North Korea. So, that sounds like potential U.S. propaganda.
They said they worked with the FBI, which honestly is a red flag for that kind of thing. Rather, if a company states without proof they're from NK, it's very likely BS. If the feds say it's North Korea without proof, it's definitely BS (they have resources to prove it!). If the Feds say it and provide proof, then we can talk about the proof.
Maybe this, with mandatory senior executive and board accountability, will be the wakeup call to stop the outsourcing problem of the last 50 years.
This has nothing to do with outsourcing. These guys are getting hired as permanent employees as often as they’re being engaged as contractors.
My mistake. I meant “off-shoring”.
This is only possible in the scale we see today, because of the infrastructure built to support off-shore and remote work.
What does this have to do with outsourcing?
It’s about incentives.
Direct impact: Outsourcing breeds a culture of unverified and verified-just-once remote work.
Indirect impact: Outsourcing is a cost-driven effort where after a certain level of competence, the bottom-line is the only measurable metric that matters so it’s a race to the bottom with patchwork efforts to “fix” issues like OP.
Making domestic options cost-equivalent with punitive outcomes for hiring NK workers.
This is about in-house employees. Not outsourcing.
My mistake in term. I meant “off-shoring”.
Otherwise, I stand by my argument. The support infrastructure we built to support remote work and offshore teams have made this an easy attack channel.
What problem
the funneling of money from the us to other countries for workers
the companies located here should only hire here
So, again, the answering to this and most every other hiring ill in software over the past 15-20 years is… licensing.
So, let’s think about this logically. There is no baseline of candidate identification or competence in software and the jobs pay very well in physically comfortable conditions. It makes sense that unqualified liars would apply for these positions. Why shouldn’t they? I am honestly curious how far the fraud and incompetence can go and devalue the industry before someone cares enough to tackle the problem l.
The answer to this is for companies to do even a modicum of personnel vetting.
At the very least, make your remote candidate show up in person for their onboarding. A plane ticket and a few days of accomodation and meals is cheap in the grand scheme of things, and giving the opportunity to meet their team is good relationship building.
Sight their ID before you issue them with an account, give them a laptop etc.
> The answer to this is for companies to do even a modicum of personnel vetting.
They do. That is clearly not enough.
They generally make no enquiries at all into the applicant’s bona fides.
The candidate sends in fake or stolen documents where the picture on the drivers license doesn’t even vaguely resemble the person who appeared on Zoom.
When you have an applicant who says they were born in Tennessee and that they’ve apparently lived in the U.S. for their whole life, you would normally expect them to speak English with native proficiency and at least have an American-sounding accent.
If they say they live in, say, Seattle, you’d expect they could carry on at least a basic conversation about their local area.
Even this basic level of attention to detail nonetheless escapes many HR departments and hiring managers.
I have known many people born in the US who learn English as a second language with a think accent. Employers have to use legally qualified means to discriminate applicants to avoid violations of various laws.
> If they say they live in, say, Seattle, you’d expect they could carry on at least a basic conversation about their local area.
When I was working at $LargeCompany, we were encouraged to NOT engage in small talk with applicants beyond the regular politeness. It's too easy to ask questions that would open the company to discrimination lawsuits.
Irrelevant to the OP unless you explain why North Koreans would be prevented from obtaining these licenses: it's not like there aren't competent developers in North Korea.
If your explanation is that the license grantor will verify that the applicant is a resident of a Western country, than the employer can just do the same verification of job applicants, dispensing with the need for the occupational license.
The way these people are being caught are things like dodgy LinkedIn profiles or refusing in person meetings so I would think a licensing process designed around things which would be expensive to fake: in person government ID checks, periodic exams, peer evaluations, etc. The trick would be actually doing that in person, which could be a useful thing for conferences - treat an afternoon at PyCon or re:Invent as the cost of renewing your professional credentials if you don’t live near a major city or university.
Even an in person ID check would suffice.
For most of the West, this is an extremely difficult bar to clear for a North Korean national working out of China.
Yeah, I was thinking that if you were looking for an industry license it would probably be more useful if it also covered skills or work experience in some way since that helps multiple weak points of the common hiring processes but you’re quite right that it would raise the bad considerably if they had to basically run everyone like actual spies with robust fake identities.
I recommend researching what comprises professional licensing. If you have absolutely no frame of reference I can understand why you would be so confused.
OK, so you cannot answer my question.
Why would I? I don’t think you would understand the answer.
FWIW, it the "insult Kim Jong-Un" meme that's been going around doesn't work
How do you know?
Did you try it? What did the person say?
Dumb racist canard is just that, who could've guessed?
How is it racist?
It is trying to avoid hiring an ethnicity by saying things that a specific ethnicity would find offensive, but not others so you can filter them out of the hiring process.
I dont think KJU is held in high esteem by the defector community.
[flagged]
company finally swipes right only to get catfished by a DPRK agent
nice
You don't have to be an evil North Korean to do that. Outsources have been doing it since time immemorial because they can't achieve sales in any other way (or, through direct corruption - often offshore outsourcing shops are owned by managers of their clients, who effectively use them as tools for siphoning money away).
Hopefully the fear of foreign actors will put an end to this too.
I have to hand it to North Korea on the inventive revenue streams. This is a country under sanctions for decades that has developed some of the most clever IT scams for siphoning money from the west. Between this and the Lazarus group the country has brought in Fortune 500 company kinds of money to keep itself afloat.
It's been over 75 years. It could not be clearer that this attempt to punish the ordinary people who live in North Korea for having a government that the US finds disagreeable will not succeed in somehow fomenting revolution. What it has succeeded in doing, apparently, is sustaining a level of poverty and isolation that motivates even crazy schemes like this.
Here's how to actually stop it: stop weaponizing poverty to beat a Cold War-era dead horse, and end the damn sanctions.
Russia was an important trading partner for many European countries. Especially important for Germany. Basically no sanctions. Freedom of movement with fairly good visa policies. No great internet firewall. How much did all this help to prevent another huge war between two European countries?
Different behaviors have different motivations, contexts, and causes. It's extremely clear that these, like other criminal moneymaking schemes in the DPRK, are directly and closely related to the high degree of isolation of the DPRK and the difficulty of getting capital into it.
Of course lifting the sanctions won't also end all spycraft, or ensure an end to geopolitical conflict. Those aren't things I have claimed or would claim.
And the primary reason to end such sanctions is not any benefit to imperialist nations but because of the fact that they inflict misery on ordinary people indefinitely and (not essential, but adding insult to injury) uselessly.
> they inflict misery on ordinary people indefinitely
Pyongyang was making its people miserable before there were sanctions. America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
> Pyongyang was making its people miserable before there were sanctions.
Whether or not we approve of Pyongyang is completely irrelevant to every point I've made. The questions are (a) whether the sanctions have had a material negative effect on the North Korean people, and (b) what they have accomplished. The answers are "yes" and "nothing of any use", neither of which is controversial. And our fixation with North Korea and the evil we wrought there obviously doesn't begin with sanctions but with millions of tons of bombs, tens of thousands of tons of napalm on arable land, or the destruction of the People's Republic of Korea (not the DPRK), a functioning government that existed in both the North and South before the US invaded (literally reinstating colonial Japanese governors as officials).
> America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
The US was directly involved in the division of Korea even before all that. Frankly, your entire comment has been not only extremely handwave-y but deeply dishonest.
https://www.npr.org/2022/09/07/1121427407/survivors-of-a-mas...
Exactly. Trade ties only go so far.
But this pov isn’t always rooted in pragmatism. Free market ideologues also think that free markets will bring world peace.
Ah yes, bec that’s worked out so well with china.
Anyone with internet access in NK is working at the behest of the government.
I hate how this is acceptable to make such claims about another country without providing any evidence. Same goes for Chinese or Russian hackers. It’s just whoever the US government is unhappy about.
The article itself is evidence. There are many more links in it to other stories that report on basically the same or similar incidents. There are also several names in the article itself that you can research or probe on your own to tell if it's coming from a trustworthy source.
Consider also the author: it's written by an actual journalist/editor with a large body of pre-existing work in the field, and many of the claims written are backed up by quotes from a named source. It's not like they're writing all this and hiding it behind the weasel phrase 'according to a source close to the matter'.
The register too is actually UK founded, so it's not even American.
Your reaction is just so typical of people nowadays - just assume it's all 'made up' without any effort in debunking or picking apart any specific claims.
I've interviewed these people. They really exist! I did not know they were North Korean, but it would not surprise me.
What evidence is lacking here?
There's evidence, large investigations, and arrests aplenty already.
Justice Department Announces Coordinated, Nationwide Actions to Combat North Korean Remote Information Technology Workers’ Illicit Revenue Generation Schemes (justice.gov)
https://www.justice.gov/opa/pr/justice-department-announces-...
(12 days ago) https://news.ycombinator.com/item?id=44431853
..