In my country (Poland) courier companies offer this service of "id checking and contract signing". You can have a courier deliver a contract, check the recipient's photo ID and confirm their identity, have the person sign the contract, return it and the courier takes it back.
If there is no such service available there is only one way to prevent this from happening: proper screening of candidates. In my 20+ years of working for Fortune 500 companies in positions not far from the top, only one, a Japanese one, actually screened my educational background and called my references and past employers to verify.
If employees worry they will lose some really good candidates that have no documentable background, ask them to do some other security check. Do a video call from the main street of their home town. Or some other thing randomly selected from a set of 5. If the role is really important, hire someone to visit the remote worker in their home and deliver that laptop in person. But don't expect them to travel to pick it up.
In the age of vibe coding and North Korean fake workers, I'd probably go another way though. Trusting your remote workers used to be easier from my perspective.
My current place of work has rolled out both copilot and gemini coding assistants to everyone and so far I've not seen the expected flood of lower quality code or code clearly written by AI and not even being understood by the submitter. We're talking ~80 devs in 3 timezones just in my project. This is very encouraging.
I made a decision long ago. Either a job is remote (I apply), in which case it has to really be remote, or it is hybrid (I don't apply). If there is a day in a week/month/year that you're required to visit, it is no longer 100% remote. This especially applies if it requires international travel, doubly so to certain places that make such travel even a bigger hassle than it needs to be (I didn't think the US would be on this list in my lifetime, but here we are).
Perhaps I'm just annoyed that it is very common in this job market (at least when I looked last, ~2 years ago) to advertise 100% remote jobs, have 3 interviews during which you're assured "yes, 100% remote", and then either get a contract that has provisions allowing for it to be revoked, or even be told verbally, or not even be told but pressured as time goes by: no, actually you're expected to visit. I had a client like this once. Otherwise a good job. The manager of my team constantly got a lot of crap that his people are "never in" despite the company hiring the whole team as remote.
There are plenty of people in business that would love that whole remote thing to disappear. It starts with "come to the office once a month for a night out, we'll pay for your hotel", then it's just "come to the office once a month", then it's 2 weeks, 1 week, then it's 3 days a week, and then it's just Friday you work from home, but no one actually works on that day but you, so you're blocked on most of what you do.
Who are these people? Managers that never learned how to manage remote teams, HR that worries their dept will be cut down, branch/country directors that can't show the visiting "leadership" an office buzzing with activity, and that guy who decided it's a good idea to buy a huge office building in the city centre a month before covid started (I had already worked fully remote for 3 years before covid started, but it was just me and another guy in a team of 9; now it is much better when the entire team is remote, there is no "us and them").
Sorry, just as Luddites wanted to go to the power of muscle from the power of steam, there is no going back. The advantages to everyone are too great. To the employee, I hope I don't have to explain; to the employer, lower cost and a much bigger hiring market; to the entire world, there is less travel and entire generations of people not wasting 20% of their waking hours on travel...
If I recall, certain government jobs already need something like that you can get at the post office?
There are more and more places where the less visible your presence online is, the better a fit you are for the position.
Not picking on you, but that's kind of a tautology :)
You might say the people who interviewed the candidate should be there when he picks up his laptop. But this is already an extremely remote-friendly company, the interviewers might never be in the office. He's going to pick it up from the IT department in the basement and at best they will take a photograph of his face.
https://www.wsj.com/business/north-korea-remote-jobs-e4daa72...
When people have no solutions for basic problems they become the problem.
Feels like there's otherwise a hundred different ways to already do remote control without any extra hardware.
This way the worker doesn't have to know 100 different ways to remote into the machine, just one.
There's obviously some context I'm missing here, I always thought kvm was the Linux kernel virtualization system...
In this context the abbreviation stands for “keyboard, video, and mouse”. These are hardware devices you physically connect to a computer and then you can remotely see the computer’s screen and input keyboard and mouse inputs to it via the network.
> It's just stated that it has an Ethernet port and an HDMI and therefore can remote control a computer?
Yes. That is the purpose of a KVM device.
> he said the North Koreans are putting them on people's computers
What is described here is a scam perpetrated by the North Korean state to gain funds despite economic sanctions trying to prevent it from doing so.
The scheme involves someone pretending to be a legitimate remote worker working from a legitimate location, but in reality they are performing the work from North Korea. The person working the remote IT job in North Korea gets a pittance, while the state pockets the larger part of the money paid to them.
As part of the scheme the remote worker gets a laptop from their western employer. Corporate IT installs all kinds of security measures on the laptop, but also grants it means to access internal resources. The scammer can’t ship the laptop to North Korea and use it directly because if that gets detected they will be found out and fired. They also can’t install software-based remote access tools because corporate IT might detect those too. So they use a KVM to remotely use the laptop from North Korea and stay on the job as long as they can.
> as if North Koreans breaking into people's apartments is a common occurrence
The scheme does not involve North Koreans breaking into apartments.
> And why did the FBI contact him about this?
Who knows. Jeff seems to have described how to use a particular cheap KVM in the past. Likely this KVM device is used by the scammers. Maybe he has connections to the KVM's manufacturer? Maybe the FBI thought he did?
> I always thought kvm was the Linux kennel virtualization system...
Same abbreviation, but different thing.
https://en.wikipedia.org/wiki/KVM_switch#KVM_over_IP_(IPKVM)
It sounds like the North Koreans pay 1 person in the US to have a ton of laptops with KVMs attached to them, and those laptops are remotely used by North Koreans.
Not to be confused with Kernel-based virtual machine (also called KVM):
It seems they don’t break into someone’s apartment but instead pay someone to stick a kvm connected laptop somewhere in the apartment.
When I looked at https://www.reddit.com/r/digitalnomad/ a few years ago it didn't seem like any solution really worked reliably.
But if you had a farm of them and one guy maintaining them, rather than sticking it in your parents basement with nobody to maintain it, that might be something different.
Scammers are good at the scam. They are good at telling the right lies, they often work in teams (lead finders, closers, and everything in between), use automation where appropriate, etc.
A single dev might have trouble cracking the lead finding code, the resume code, the interview code, etc. while avoiding telling any lies that will get them fired 3 weeks into the job. But a team who all treat the application process as a full time job? It's a lot easier.
Also when a dev gets good at finding a job, they stop looking. Scammers get good at it and then keep getting better.
My resume is shiny enough and I've gotten hired enough times that I'm a good candidate for this kind of scam.
This feels like a very ham-fisted approach for them though. 99% of engineers are going to ignore or not take seriously these kinds of out-of-the-blue offers.
Their resume goes in front of yours in line.
All the US companies I've worked for made sure I was legit before I could log into anything, so I assume background checks to be ubiquitous there, save for the cheapest companies. European employers on the other hand...
Why do you need to do a hard credit check before you give me an offer? Why do you need to know exactly how much I owe on my credit cards, car, house, how much I'm paying per month, and how much I've made at every job for the past 7 years?
That feels... excessive. And weird. And kind of unfair. Now you know my paycheck, and the paycheck before that, and how desperate I am. Well, there goes negotiations.
To be honest, getting insight and access to a major company's networks and maybe customer data is perhaps the same kind of risk to the company as it is for the government to give someone access to (top) secret files. It might not be so much a negotiating tactic as awareness that more sophisticated spies and criminals than the ones in the OP article are targeting your company.
I think that's partly the point.
Many European employers
- don't or rarely offer remote jobs, so they often don't have this problem.
- even if they do some video or phone interview for pre-screening, they nearly always expect the prospective employee to come to a live interview if they are not weeded out by this pre-screening. It is thus expected that you at least live in a country from where you can easily travel to the place where the employer is located.
- often expect their employees to be able to speak the national language, or at least learn it fast. This also makes things hard for North Korean fake IT workers.
The country is small and hires both immigrants, and people who specifically relocate to start working at the English-only companies, as well as local candidates.
Learning Finnish will obviously make your life easier, in many many ways, but companies themselves do not seem to expect or require it.
I worked for years in an English-language work environment in Denmark (I am not Danish), and learned maybe a handful of phrases of spoken Danish the entire time. I was expected to be able to read the occasional email in Danish, but 1) written Danish is not hard in comparison, and 2) even years ago Google Translate was good enough.
It would have been nice from a social perspective to have known more spoken Danish, but my employer didn’t really care, and it isn’t easy to learn if you don’t have strong local connections. Danes will just immediately switch to English by default, and even if you ask them to continue in Danish, you need a decent level of Danish pronunciation to make yourself understood, which is not trivial to get to.
> I did not speak the language
As I implied: if you are really talented, you don't have to speak the native language yet, but it is expected that you learn it fast.
There are a million reasons why this is a bad idea, but I’m sure they don’t have trouble finding people excited to collect free paychecks.
Great interview, good questions, really solid candidate.
His first day on the job, his English went to shit.
Then he refused to pick up the phone or call me back. Lame excuses about how it’s loud there, then he lost his voice, then scheduled a call with the real “Jeff” the American who couldn’t answer anything about what we had discussed an hour earlier.
Reported to Upwork but I sort of doubt they did much about it.
It was day 1 on Slack that the issue was immediately apparent.
There are also different levels of background checks. For instance, previous employment verification can be time consuming so some companies skip it. Checking references isn't useful because they can be faked (you have to run background checks with employment verification on the references to make sure they are who they say they are).
The fact that "fake people" can be employed for high level IT companies in the US is just unfathomable to me.
You also have people who outsource themselves. That’s one of the ways that the people who work multiple jobs pull it off.
That's not a scam, that's the new "work smarter, not harder" method of earning money.
The situation here is significantly asymmetric: the attacker has to do a lot of work to build a realistic persona but the defense can make that much harder with a few basic checks. It’s been cost-effective in the past because companies were skimping on their hiring and internal security, similar to how the identity theft crisis was mostly a crisis in companies doing due diligence.
If so, I suppose that’s another good reason to ask the question. It filters out both North Korean fakes and people who are going to be doctrinaire about small things.
I would very much appreciate that. I think it would be grand if they could even put that in the job posting right up front. It would help me cross that company off the list of places I would be willing to work. I personally don't want to work at a place that cannot tell whether I am real or fake.
What I think about any country leader is totally irrelevant to tech work. So the company is either 1. Wasting my time with a totally irrelevant question or 2. Their hiring process is so vulnerable, they can’t even tell if a candidate is fake. Neither of those would make me particularly excited about that company.
Feels like the story about disconnecting Chinese gamers from matches automatically by typing "tiananmen square", or the story of the Battle of Siffin with one side putting pages of the Quran on their spears in hopes the enemy wouldn't fight that way. Unclear how accurate the stories are or how effective it may have been, but kind of interesting at least.
Inflation.
https://chatgpt.com/share/687a8963-81e8-8004-b457-432fae79d4...
Of course what little I do know is all negative. But I've paid only limited attention, and I get nothing from primary sources.
I expect the same from practically everyone -- perhaps excepting South Koreans who at least speak the language. I'd consider it good judgment to say that you just can't meaningfully answer the question.
I'd read a statement you hand me, if you thought that would suffice. But I'll admit I'd consider that weird and likely useless.
I am not 100% that North Korea exists. I’m pretty sure, but I can’t KNOW it without going there.
So while dictators are bad, the Kims are probably bad, sorry if I don’t go off the deep end repeating everything that someone else taught me.
In the case of North Korea, my excuse is "I haven't put the time into it because it's a small country on the other end of the earth -- nuclear armed, but without effective delivery devices and massively outgunned. I wasn't prepared to give a lot more detail in the context of an interview that isn't about geopolitics. If you want me to research I can."
It's not a false positive. It's a true positive.
If the person is so obnoxious as to not be able to give such a silly statement, imagine how much fun they would be in your team.
> … if they offer me a million…
This is exactly like that famous joke! :D “Ma'am, I believe we’ve already established that. At this point, we’re just negotiating.”
It’s kind of like an Abbott and Costello routine. I would never do that! How dare you suggest that. You’re a commie. The scum of the earth. I’m above that. Gimme five bucks I’ll do it right now.
Similar to why email scammers don’t need good grammar: filtering out difficult cases quickly and moving on to easier ones.
In a lot of countries, certainly here in Germany, your employer has to pay social security contributions and needs your insurance, healthcare information etc. In addition, if you're a foreigner they need to know your legal status to see if you can even work. Like what do these scammed companies do, just wire money to some guy they interviewed on social media and ship company property to random addresses? Is that even legal in most places?
One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money. We have entire industries that sell narratives, rationalizing these compromises.
This is exacerbated by the current employment problems. They keep talking about how unemployment is down, but I think we all know folks that are un (or under-) employed, and the difficulties they are having, finding work.
Someone in that state, is fertile ground for money- and job-laundering bad actors. It sucks to punish them, but that is what we need to do, to discourage the practice.
> People will do almost anything, and compromise all their personal values, for money
I think this demonstrates what their ACTUAL values are, or at the very least the priority of those values.
A US person without adequate cashflow is likely to not be able to have food, housing, clothing, medical care, etc. A lack of morals is not what causes people to do anything to make money, it's a lack of money in a capitalist society. Blaming people for systemic problems is incredibly regressive.
The problems are indeed systemic, but it's not just lack of money. The system is constructed around the love of money, such that too much is never enough.
What came first, money or dishonesty?
Otoh, if these positions are independent contractors, form I-9 isn't required. Just a tax id for reporting purposes.
I would imagine whoever is hosting the laptops may be authorized to work in the US and could also be convinced to provide identity documentation. I think there's a lot of borrowing of documentation by immigrants/migrants who are not authorized to work in the US; so there's probably a marketplace somewhere too.
The other problem is liability: companies often tell their employees not to give references for fear of being sued if the employee doesn’t work out, and most companies don’t expect useful information from them unless someone left in a way which has a public record like a court case. The federal checks don’t have that problem because not answering honestly is a crime. You’d need some kind of shield for honest statements for the private sector to really get accurate assessments, and that’s tricky to do in a way which allows the most useful opinions.
https://www.linkedin.com/feed/update/urn:li:activity:7292604...
They are professionals at lying and interviewing. When it’s your job to get jobs and you’re doing it with organized support, you will find something.
They also don’t really care if the job is good or bad. They’re just farming any and all jobs they can get and hanging on to them until they’re pushed out. At many companies, that can take years.
This has been going on since 2018 at least and I have flagged thousands of such applicants.
Just like competition requires 5+ similarly sized entities for a healthy marketplace of companies, my informal opinion is that unions probably similarly shouldn't have overwhelming market share. However my feeling on contracts between unions and corporations is that the contract should be negotiated between multiple companies and multiple unions to produce the most level playing field possible.
I like that software engineering doesn't require/encourage unions, contrary to other big industries.
As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
One great thing about being a dev in the US: you don't need a degree, you learn a lot, and you can apply and get a great job.
I've previously been in a union for a company and the experience did not encourage a competitive working environment. When layoffs came, Jr employees got sacked before more senior union members (not necessarily the best technical staff, just because they had worked there a long time).
I have family/friends in unions (non software devs) that have had similar experiences to mine.
We've actually been automating away our job since the beginning of software. Compilers have been a thing for like 80 years now. We've had auto-complete, static analysis, automated testing tools etc. for decades. What about the poor assembly programmers? What about the people who were bit banging serial protocols for a living?
For example, Amazon warehouses are also mostly automated. Still, workers who move boxes around and scan barcodes are the bottom of the totem pole of the operation. They're the people manually making Amazon work. You can't get any lower, otherwise you'd become a machine.
> What about the poor assembly programmers? What about the people who were bit banging serial protocols for a living?
Those jobs are mostly obsolesced, so the totem pole has "moved up", but we're still at the bottom.
You have to ask the question, who is manually making the product and putting it together piece by piece? For factories, it's assembly line workers. For McDonald's, it's the burger flippers and the board worker. For software, it's us.
We have a misconception that since we are educated and relatively well-paid we are not like that. In terms of our business function, what we actually do for products and companies, our roles are of the same type. That's not a bad thing - this can serve as a gentle reminder to curb any delusions of grandeur.
Good luck then.
Can't say I have much sympathy for American devs after what they've done with the place.
And on the other side, you can have a degree and experience and still not get a job due to the wild criteria and games that get played in various interviews.
Most IT work now, whether dev or admin side, is not rocket science. It’s mostly approachable work and no one should settle for being abused by employers for some outdated, ingrained, cultural baggage.
Millions upon millions of people at every income level have experienced working in and around unions and not all of them came away with a positive experience.
These criticisms of unions are always pulled out but then never equally applied to corporations.
Unions, especially failing ones, don't inherently provide any net benefit to society. They may as well be engaged in little more than self-preservation and zero-sum games.
Therefore, I believe unions deserve a different type of scrutiny than corporations.
By itself that's not a meaningful observation.
The disagreement then was “I’ve heard that argument before.” - “ok that doesn’t make it wrong” <— that last sentence is what you’re replying to.
Unions restrict the supply of labor and this results in (price increase) better wages for the union's members. However, overall the total dollar amount transferred from employers to labor goes down (employment decrease), so the "class" of all workers (employed and unemployed) see their per capita wages go down. And if that's not enough, the industry grows more slowly, so the problem only gets worse for everyone in the future (trickle down). This is the underlying reason for Europe's lower year-over-year economic growth compared to the US. It's not a moral or ethical or even income distribution issue, it's just how markets operate.
This is true in the same way that it’s true that all democracies turn into the majority oppressing everyone else, or get captured by oligarchs, or vote to raise taxes to fund social until the economy collapses, etc. – which is to say not at all. Unions CAN fail that way but it’s not a given. We shouldn’t give up on a useful tool because it can be failed, we should talk about how to keep it healthy.
For example, I’ve seen the no-degree route you talk about made easier by unions because it forced merit hiring rather than hiring more dudes with social ties from certain colleges. Again, that’s not guaranteed – you’d be forgiven for wondering if the Teamsters were a deep cover operation to discredit the concept of unions – but social institutions aren’t magic: they work to the extent that we make them work.
They are fine, but struggle with remote work in general because fundamentally the leverage the union has is a monopoly on labor, which is compromised by a global labor force.
Or they’re applying as international remote workers, where you wouldn’t expect them to be members of your country’s union anyway.
Widespread union membership with verifications wouldn’t solve anything.
- 30 minute recruiter call
- 30-60 minute manager call
- 2x 60 minute leetcode easy/medium
- 1x 60 minute STAR behavioral
- 1x 60 minute systems design or maybe doubling up on a previous category
So for a total investment of what, 6 hours, I can go from a cold call to an offer of something like 150k-300k/y? And I'm not even playing in the FAANG ecosystem. I'm not sure if we are experiencing different processes, or we have different opinions about what kind of time / reward tradeoff is reasonable.
You just need to ask a couple of open-ended questions about the candidate's preferred programming language and/or some technical details of a past project they've worked on to get an idea of whether they are reasonably competent or not. It shouldn't take more than 10-15 minutes to go through. The majority of the rest of the meeting can consist of the candidate asking you questions and/or chit-chatting to make sure the vibes aren't off.
What you are trying to judge is whether or not they can do the job, which you can really only tell once they are actually doing the job anyways. So you pay extra attention to what they do for the first couple of days/weeks after you've hired them and if it's obvious things are not going to work out you let them go. Most places have laws that are amenable to hiring someone on an initial trial period before stronger employee protections kick in.
In general, most of the pathologies of the hiring process can be solved by treating it as a satisfier problem instead of an optimizer problem.
I would be interested to explore a "quick hire, quick fire" philosophy, but I'm not sure it would lead to overall greater satisfaction. Employers don't like to fire people and employees don't like to be fired.
Because, let's be real, not a lot of us are writing leetcode type solutions in our shitty web devs jobs where we center a div. So we need to practice, and more importantly, memorize. Companies don't want a solution, they don't even want a good solution, they want one particular solution. That requires memorization.
> It’s typically 2 medium/hard problems solved optimally in 20 minutes each with no errors if I want to beat the competition.
I have also definitely made errors in interviews, and gotten hired. If I had to guess, it is a lot more about how you handle those. (To a degree. E.g., in one question, which was a coding challenge, I could solve it, but I was pretty sure my solution was not efficient. I voiced that, voiced why my gut was thinking it could probably be better, but I didn't ever get the full solution. In another one, I was just asked for past experience; I didn't think I had much to offer, voiced what I did have. I still to this day like the question, because it was a tough question, and the person who asked it really pressed me — in a good way, in that I could see that she took her own role/work seriously — on why I thought I was qualified.)
I've also had a call where me & the interviewer were definitely not connecting, at all. That wasn't going to work out, so nothing was lost?
As an interviewer,
> It’s typically 2 medium/hard problems solved optimally in 20 minutes each
… add 5 min for entry pleasantries and padding, 10 for questions for you at the end, and that's an hour, which is often all the time the recruiter schedules. And honestly, that's usually enough.
I don't ask hard problems. Easy ones sift out candidates. Where I ask coding questions, the first is almost always designed around "can the candidate write a for loop?" and the second is around basic data structure comprehension. (Can you recognize situations that require a hashtable? A queue? And apply those to the problem.) Often a parsing question. Essentially CS 201, or easier, though I do not care if you know big-oh notation.
Most interviews I've been a part of fit that MO, and I've done interviewing with startups and with FAANG-sized companies.
> each with no errors if I want to beat the competition.
It's not about beating the competition. SWE hiring IME is never zero-sum. Two phenomenal candidates are two hires.
You just need to have a US citizen's SSN and birthday to beat the I-9 verification. And "beat" is a strong word. I-9 is just a form that the employer asks the employees to submit, there's no requirement for the employer to do anything with it.
So you can just say that your SSN is 555-55-5555 and your birthday is 01-01-2001 and you'll "pass" the verification. It'll be detected only when the employer submits the Form-944.
There's E-Verify that requires a picture ID and more information, but it's not mandatory.
You’d lose out on people who don’t live near an interview center and potentially have legal issues if people had disabilities that impacted their ability to travel to an interview center but not their ability to do the job.
Not sure if it's feasible, but it's definitely something to consider.
It's a very profound statement (perhaps unintentionally so). Most of us wouldn't even be doing the work we do if we did not have to pay ransom money to our rulers. And then there are unwanted children and all of that...
I also don't hold people's place of birth against them, but there are some very reasonable limits to that.
You don’t understand. These people are working for the state.
They’re not getting nice remote jobs to support their families. Infiltrating these companies is their job from the state of North Korea.
If North Korea is just as bad, at least they're smart enough to not let me see evidence that invades my dreams.
You can easily dress that up as an onboarding thing and would solve this, no?
But, yes, this will likely change that. In person interviews and onboarding will probably become the norm with fully remote teams as more companies become aware of the risks.
Also there is a good reason not to make week 1 in person. You reduce your access to talent. I know we are in the "everyone RTO and do 100 hrs a week" part of the business cycle. But still.
But it does reduce your pool anyway and access to cheaper and /or better people.
Many of them would have said no to in-person interviews.
… I don't think candidates are going to turn down a company in droves for an initial 1 week onsite. You make it sound like you're losing access to all remotes.
100 people. Working full time. Cannot take leave at last minute (or may not have it to take). Average distance to your office 1000 miles.
How many will come to your on-site.
You're misinterpreting the thread. The context here is that the candidate is post-hire (…candidate is perhaps a poor word, but in the context of TFA, it makes more sense), so they're employed by the same company they're visiting.
I.e., the suggestion here is that Person A's employer E flies A out to E's headquarters to work for ~1 week.
Then you meet them in person, and can visually see they're not some fraudster in NK.
I.e., you start in-person, and transition to remote after 1wk.
I mean, airlines do it for pilots. How much of a hit to compensation would that be for software developers? Less than 5% for the first year?
It might work for grads or people out of work if it is well paid, e.g. at least pro rata of the target salary. But that's a subset, so if the employer chooses this they narrow their pool.
Yes, but you'll have people making all kinds of excuses and how they only eat from this specific place that delivers on DoorDash and etc etc
(but honestly I think this would be an improvement)
So, if you stretch the period, the employment simply starts later.
For many scammers (not North Korean specifically) it’s just one big game of collecting as many paychecks from as many companies as you can until they fire you.
For some multi-job people, the game is to continuously apply to companies and then let any company that is paying attention fire them after 1-3 months. Repeat long enough and you might find your way into a couple companies where your demands are so low that you can do all the jobs in a couple hours per day because your managers are so checked out that they don’t care. Ride this until the company lays off the whole underperforming team, then find the next jobs.
They'll soon twig if that's not the person who's getting called into a quick meeting in 5 minutes to discuss some new issue.
https://www.socure.com/blog/hiring-the-enemy-employment-frau...
Uhh... I have news for you: https://www.fbi.gov/wanted/cyber/dprk-it-workers
Slovenia issues personal certificates so you can identify yourself online. Mostly used for banking and e-gov. The commercial space has decided it’s too cumbersome.
Fantastic idea. Started rolling out when I was in college some 15 years ago. You go to the same place that issues your govt ID and you can also get the equivalent of an SSH cert issued by the government that guarantees you are you, your identity was verified at point of issuance, etc.
Unfortunately it’s about as fiddly to use as SSH. Okay for nerds, way cumbersome for normal humans who just want to log into their bank and pay their taxes damn it. Last I remember (moved to USA ~10 years ago) getting their e-signing browser widgets/extensions to work reliably on non-windows machines was hell. Most Mac/Linux users ran a whole VMWare VM just to do taxes once a year.
Even for employment I find the idea iffy, but seeing as it's in response to an actual non-imagined problem, I suppose it's the most reasonable solution to that...
E-verify is only for US residents, and depends on the employer interacting in person with the prospective employee.
Its primary goal is to check that someone is a legal resident, so it has no bearing on hiring remote foreign workers.
Would it help if I could query some IRS service to check what paychecks have been sent to me? Does this have a delay of a quarter year or more?
How do these people avoid getting the people they impersonated and or scammed in trouble with the IRS?
I would guess many (most?) of the places with this problem are actually fine with people that aren't living in the US; just not in North Korea.
Why this is being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
Also, we need steps towards reducing the possible tools that fake workers could leverage. These steps would put a strain on some recent technological developments. A strange and wild paradox.
I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
And in the process of confirming that this was fishy, I contacted one of the past employers he claimed after doing my best to confirm _they_ weren't in any way part of the scam. They confirmed he had never worked there. I sent them his LinkedIn and portfolio site in case they wanted to chase down getting their name removed.
They told me that this was super concerning because the screenshots in his portfolio of the app he worked on for them were real screenshots... for an unreleased app that was only available internally and had never even been demoed for clients.
They'd already been breached and had god knows what exfiltrated. They found out because we caught an attempt to get hired at _our_ company and let them know.
Nobody outside of a couple of technical staff at our company had even _heard_ of this. Nobody at the other company had. The fix, to me, seems to be making people involved in hiring more aware of this. If anything, it seems we should be talking about this _more_ and _more publicly_.
Forgive my frankness, but these worries about infiltrators have priority in important, large companies. I am very sure agencies responsible for this can contact these handful of important companies directly.
So, you're right. In the current age we live in, no one cares about your small SaaS company, and you're being used to spread unnecessary paranoia and fear.
We're in a niche, extremely boring industry. We have an extremely small client base. We do line-of-business/sales management applications for something akin to like... light switches and light fixtures. The most exclusive thing we have access to is wholesale pricing from manufacturers. We don't handle payments. The extent of PII we handle is "name and email" from when someone emails out a quote.
We are the epitome of uninteresting to a foreign actor. Being "uninteresting" apparently does not disqualify you.
We also do not hire overseas (the applicant claimed to be from California) and offer a good US wage. We weren't targeted or vulnerable because we were being "greedy".
If you had to hire workers in office, would you have space and infrastructure for all of them?
From my perspective, this would solve the issue. Unless you're worried about in-person north korea spies.
I don't know man, seems like you're living in some cold war mind trap or something.
* You're a Fortune 500 that's a valuable target.
* Okay, well, you're in emerging markets or infrastructure then.
* Okay, well, the problem's really that you're being greedy hiring overseas.
* Okay, well, the problem's that you're not paying sufficient office expenses and _that's_ greedy.
I think we can call it done here. I think this kind of idea is stupid.
It's not just espionage. They need US dollars to pay for smugglers.
It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
Keep focused. Small companies never mattered for nations, they are irrelevant. Spreading paranoia will not solve their over-reliance on this exploited offshore problem. It will likely lead them to bankruptcy.
Ultimately, it doesn't invalidate what I said. It actually makes my comment more relevant.
It's not offshore. Infiltrators are pretending that they're in the US. I first saw this 2 years ago, and they were pretty clumsy back then: always blurred background (and refusing to unblur it) and/or doing calls from a windowless office. You could even see their eyes moving, like they're reading the script.
This year they became much fancier. They use backgrounds with the real time-of-day and weather illumination. The eyes no longer move unnaturally, etc.
Remote working is in the same vein as offshoring. One enables the other, they're co-dependent. Both are based on greed. In the case of remote working, is avoiding having offices, avoiding paying certain kinds of insurance, etc.
You are also reinforcing my original conclusion that what enables these workers is the very same tech that companies are investing on.
Again, greed meets greed.
Now it's too late. IT companies will not survive a full return to office, and they won't survive remote working as well.
The very idea that someone could be using technology to fake an identity was unthinkable. Now that it is not, there's really no place safe.
If a crisis occurs, and the US president goes to Air Force 1, transmits from there, how could you be sure he's not a north korean infiltrator? You can't.
I think there are still ways out of this, but we're reaching an inflection point that will be hard to overcome.
---
Your commentary seems to provide a valid point of view, and although you disagree, you reinforce my main point.
No, they're not.
> You are also reinforcing my original conclusion that what enables these workers is the very same tech that companies are investing on.
We should get rid of electricity, then.
> If a crisis occurs, and the US president goes to Air Force 1, transmits from there, how could you be sure he's not a north korean infiltrator? You can't.
Now you're really reaching.
I'm in a similar situation. The HR leads company is trying to filter out the fakes, but they can't catch everyone.
Apparently, the infiltrators specifically target the companies in the 10-50 people range. In smaller companies everybody knows what everybody else is doing, so infiltrators will be swiftly uncovered. And larger companies typically have a well-established HR department that will catch obvious fakes without good cover.
But these mid-range companies provide the best chance for the fakes to get at least a couple of paychecks before being uncovered. And they likely won't bother with going to the FBI to chase down the payments.
>And they likely won't bother
Thank you for your insight. Unfortunate! The rationale makes sense—the temptation to sweep under the rug—but doesn’t make it right, which as established we both know.
…you can perhaps tell I was frustrated with what seemed to be an argument against actually taking this course of action; hope replying here is better than arguing directly downthread esp. in case I misunderstood something
I strongly recommend going to official authorities if you believe you're being duped by a foreign nation spy or conspirator.
If they ignore you, it's more likely that you're not that important, like I said previously.
I'm not saying "shouldn't". It's more likely "don't bother".
Interacting with law enforcement takes executives' time, it might bring in complications (legal liability for personal data leaks, etc.), and even in the best case the company is not going to get their money back.
No, you should bother. You should bother a lot. Get in contact with the FBI, make a huge deal about it. You think one company can handle a spy agency? That's bad advice.
My argument was to inform high value targets first, since they are more at risk and capable of developing a fix.
I also argued for slowing down the development of technology that can help infiltrators.
Go back, read the discussion, see how far you are from the simple truth. Someone is making IT companies paranoid, either on purpose or by mistake. Probably, by greed or as a consequence to it.
In such cases, you only share the sensitive vulnerability publicly once there is a fix. For this case, there seems to be no fix.
One could think of it as a way to promote more scrutinized hiring processes, but it actually encourages widespread paranoia and fear.
It seems your analogy is valid, but the conclusion is that it supports what I said.
One key component for this scheme to work is to have local US persons act as intermediaries. While some may already know something shady is going on, and be complicit, some might not understand the entire scope of what they're being part of. Publicly discussing it might encourage some people to come forward / avoid being involved in the future.
Imagine a non technical person being told they're helping run an "edge data center, close to the users. Running our laptops helps Netflix/facebook/etc (insert big tech name of your choice) run faster for you and your neighbors and we'll pay you to do it."
Easy to imagine a non technical person buying that lie.
Can you please explain it better?
I'm sure many, many countries have botnets. I have a bunch of those countries which I consider irresponsible and reckless on my radar, not only north korea.
They've already arrested some people involved in this, they have devices as evidence. It's pretty well documented at this point.
Reality is much simpler though. Greed, I already said it. Typical human defects.
It seems that you are not comprehending who needs to come forward. Entire industries, entire parties. They simply won't, they would rather see the world burn than admit such mistakes. It has happened before.
Telling your grandma she has a virus only makes her become afraid, she won't magically gain the ability to identify it. That's my whole reasoning here. It makes things worse.
Sounds like my IRL value just keeps going up.
For example, in Australia, it seems like at least 8/10 software engineers are foreign-born. Most of those are probably genuine (not from intelligence agencies) but Australia has such a tiny native population of engineers compared to that of most foreign countries in its vicinity that it wouldn't be difficult for a country like China or India to overwhelm our tech industry with a few highly-placed workers in order to gain political leverage. I was thinking that there might be more software engineers working for Indian and Chinese intelligence agencies in the world than there are native-born software engineers in Australia (of all kinds). It's a numbers game.
North Korea seems like the tip of the iceberg there though it is an easy example to talk about because everyone understands how the North Korean government operates and everyone agrees about the threat they pose compared to more subtle threats from other countries which aren't seen as opponents (at least not to the same extent).
But also, consider a company like Facebook which hires maybe 20K or so software devs. A country like India which has a large number of software developers, if it wanted, could easily put together a task force to infiltrate and take over Facebook in a focused decade-long effort if that was its intent. They almost certainly do have some people inside every major tech company right now.
If a group can have a few highly placed people inside a target company, they could then recruit more of their group into the company and start promoting their own until they have full control over the critical systems. It's a weakness of our current highly centralized tech sector.
Something else that could happen is a foreign intelligence agency could wait for people to get promoted naturally and then reach out to dual-nationals which they have leverage over (e.g. because of family members or assets owned in the foreign country) and then use that to demand favors. Then they could help coordinate the engineers to recruit more of their own to achieve even more control. Different groups would form factions within the target company and every normal employee would be unwittingly pushed out because anyone trying to 'improve or simplify things' would be seen as a threat to various nefarious agendas which rely on complexity to hide backdoors or algorithm exploits.
Imagine how valuable it would be if you could hijack Google's search algorithm or Facebook's recommendation engines to prioritize your group's businesses and/or agendas.
Isn't the critique of Indian managers that they favor Indian ppl?
Still, I agree that's pretty suspicious. However, they didn't offer any proof whatsoever these guys are from North Korea or any motivation for why they would be doing this from North Korea. So, that sounds like potential U.S. propaganda.
They said they worked with the FBI, which honestly is a red flag for that kind of thing. Rather, if a company states without proof they're from NK, it's very likely BS. If the feds say it's North Korea without proof, it's definitely BS (they have resources to prove it!). If the Feds say it and provide proof, then we can talk about the proof.
This is only possible in the scale we see today, because of the infrastructure built to support off-shore and remote work.
Direct impact: Outsourcing breeds a culture of unverified and verified-just-once remote work.
Indirect impact: Outsourcing is a cost-driven effort where after a certain level of competence, the bottom-line is the only measurable metric that matters so it’s a race to the bottom with patchwork efforts to “fix” issues like OP.
Making domestic options cost-equivalent with punitive outcomes for hiring NK workers.
Otherwise, I stand by my argument. The support infrastructure we built to support remote work and offshore teams have made this an easy attack channel.
Or perhaps, off-shoring support and infrastructure is what enabled and made-normal this sort of remote interviewing and work in the first place.
the companies located here should only hire here
> Chief among these disconnects were "shallow" LinkedIn profiles paired with "beefy resumes," she explained, citing job-seeker claims of working at Meta, attending Ivy League schools, developing major tech companies' flagship products … but then only having 25 LinkedIn connections.
LinkedIn is not the end-all be-all of résumés, and my coworkers have wildly varying numbers of connections.
> "We've certainly seen applicants that fit into this category with various IOCs [indicators of compromise] that we've shared with partners and peers," Snowflake CISO Brad Jones told The Register.
This is an abuse of the technical term IoC to try and dress up what amounts to "my gut hunch".
> Once the recruitment team began meeting via video conferences with some of the applicants, they noted extremely Western-sounding names, like James Anderson, paired with East Asian appearances and accented English, in much higher numbers than they expected.
That's just discriminatory.
> "You can't profile people, […] *But*
sigh
> The fraudster's answers weren't word-for-word ChatGPT, Little noted. "These people are smart, they're not unskilled, they're sophisticated," she said.
… no, that's because that's not how LLMs work.
> routing everything through a VPN
I'm not even sure how you would know this about a candidate.
> These IOCs, or indicators of compromise, include email addresses, physical addresses, and phone numbers that have been flagged as associated with non-legitimate candidates.
This is begging the question: the candidate is suss because they're suss. What makes the email address et al. "flagged"?
> The final step is always an in-person interview.
I mean … if you're not doing that, then … okay, I see how the scammers got to you.
> "We require people to come to the office to pick up their computer," Robinson said as an example.
I mean, if you pay for the plane tickets, the hotels, the taxis, the meals, and the time, sure, I guess.
If this is truly a problem — and maybe it is — the Register's reporting is so unspecific that it leaves us with no details of how we might tell, what to look out for (in ways that doesn't run afoul of racial discrimination, or seen elsewhere in the comments, political discrimination). It leaves me thinking this is an ad designed to leave me going "I'd have to hire a company that specializes in this to know if I'm being affected by it."
So, let’s think about this logically. There is no baseline of candidate identification or competence in software and the jobs pay very well in physically comfortable conditions. It makes sense that unqualified liars would apply for these positions. Why shouldn’t they? I am honestly curious how far the fraud and incompetence can go and devalue the industry before someone cares enough to tackle the problem.
At the very least, make your remote candidate show up in person for their onboarding. A plane ticket and a few days of accommodation and meals is cheap in the grand scheme of things, and giving the opportunity to meet their team is good relationship building.
Sight their ID before you issue them with an account, give them a laptop etc.
They do. That is clearly not enough.
The candidate sends in fake or stolen documents where the picture on the drivers license doesn’t even vaguely resemble the person who appeared on Zoom.
When you have an applicant who says they were born in Tennessee and that they’ve apparently lived in the U.S. for their whole life, you would normally expect them to speak English with native proficiency and at least have an American-sounding accent.
If they say they live in, say, Seattle, you’d expect they could carry on at least a basic conversation about their local area.
Even this basic level of attention to detail nonetheless escapes many HR departments and hiring managers.
When I was working at $LargeCompany, we were encouraged to NOT engage in small talk with applicants beyond the regular politeness. It's too easy to ask questions that would open the company to discrimination lawsuits.
If your explanation is that the license grantor will verify that the applicant is a resident of a Western country, then the employer can just do the same verification of job applicants, dispensing with the need for the occupational license.
For most of the West, this is an extremely difficult bar to clear for a North Korean national working out of China.
I guess the main problem is, if you are a company with bad management structure, and you see your new coworker has really weird patterns, inconsistencies in their talking, why would you tell the manager about it? You can just mind your own business. It was them who hired them after all.
Edit: If you don’t know what licensing is why are you replying to a comment about it? Most of the comments here read like this and it’s really weird.
Consider also the author: it's written by an actual journalist/editor with a large body of pre-existing work in the field, and many of the claims written are backed up by quotes from a named source. It's not like they're writing all this and hiding it behind the weasel phrase 'according to a source close to the matter'.
The register too is actually UK founded, so it's not even American.
Your reaction is just so typical of people nowadays - just assume it's all 'made up' without any effort in debunking or picking apart any specific claims.
Justice Department Announces Coordinated, Nationwide Actions to Combat North Korean Remote Information Technology Workers’ Illicit Revenue Generation Schemes (justice.gov)
https://www.justice.gov/opa/pr/justice-department-announces-...
(12 days ago) https://news.ycombinator.com/item?id=44431853
Law Enforcement Actions Across 16 States Result in Charges, Arrest, and Seizures of 29 Financial Accounts, 21 Fraudulent Websites, and Approximately 200 Computers
.. Today, the United States Attorney’s Office for the District of Massachusetts and the National Security Division announced the arrest of U.S. national Zhenxing “Danny” Wang of New Jersey pursuant to a five-count indictment. The indictment describes a multi-year fraud scheme by Wang and his co-conspirators to obtain remote IT work with U.S. companies that generated more than $5 million in revenue.
> It’s just whoever the US government is unhappy about.
Likewise, you don't have evidence for this. Only seven countries are currently participating in the embargo and sanction of North Korea (at the behest of the United States).
I think it astounding - staggering - to point the finger here at USA.
If you were not a long term, serious poster, I would think you were a fake account.
I have to hand it to North Korea on the inventive revenue streams. This is a country under sanctions for decades that has developed some of the most clever IT scams for siphoning money from the west. Between this and the Lazarus group the country has brought in Fortune 500 company kinds of money to keep itself afloat.
If you have 2 candidates and one is from, let's say, Czech Republic and the other one from the 3rd world then it's fully on you for getting screwed over.
Here's how to actually stop it: stop weaponizing poverty to beat a Cold War-era dead horse, and end the damn sanctions.
Of course lifting the sanctions won't also end all spycraft, or ensure an end to geopolitical conflict. Those aren't things I have claimed or would claim.
And the primary reason to end such sanctions is not any benefit to imperialist nations but because of the fact that they inflict misery on ordinary people indefinitely and (not essential, but adding insult to injury) uselessly.
Pyongyang was making its people miserable before there were sanctions. America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
Whether or not we approve of Pyongyang is completely irrelevant to every point I've made. The questions are (a) whether the sanctions have had a material negative effect on the North Korean people, and (b) what they have accomplished. The answers are "yes" and "nothing of any use", neither of which is controversial. And our fixation with North Korea and the evil we wrought there obviously doesn't begin with sanctions but with millions of tons of bombs, tens of thousands of tons of napalm on arable land, or the destruction of the People's Republic of Korea (not the DPRK), a functioning government that existed in both the North and South before the US invaded (literally reinstating colonial Japanese governors as officials).
> America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
The US was directly involved in the division of Korea even before all that. Frankly, your entire comment has been not only extremely handwave-y but deeply dishonest.
But this pov isn’t always rooted in pragmatism. Free market ideologues also think that free markets will bring world peace.
Anyone with internet access in NK is working at the behest of the government.