They cite LinkedIn profiles with 25 connections as easy tell tale signs. Well, I've got news for you: hacked LinkedIn profiles. Happened to a colleague of mine. Profile with more than a thousand genuine, reputable connections got hacked. Picture and name got changed to something East Asian sounding/looking. CV got changed to US defense contracting. Luckily this tripped some automatic account lockdown otherwise it might have well gone undiscovered for a while. Few people will remember every single LinkedIn connection, there's no notification of name change in messages etc. Quite likely this profile was sold to North Korean fake IT workers.
Also, many people like me don't even have LinkedIn profiles. The "pick up your work computer in person" idea sounds like a much more reliable method to me.
Yeah, pick up your computer in person will not work if you live 2d travel away. If my remote job told me to pick up the computer in person after 8h of interviews and tests I'd be seriously pissed off. If they advertised it in the beginning I'd not have applied.
In my country (Poland) courier companies offer this service of "id checking and contract signing". You can have a courier deliver a contract, check the recipient's photo ID and confirm their identity, have the person sign the contract, return it and the courier takes it back.
If there is no such service available there is only one way to prevent this from happening, proper screening of candidates. In my 20+ years of working for Fortune 500 companies in positions not far from the top only 1 - a Japanese one actually screened my educational background and called my references and past employers to verify.
If employees worry they will loose some really good candidates that have no documentable background ask them to do some other security check. Do a video call from the main street of their home town. Or some other thing randomly selected from a set of 5. If the role is really important hire someone to visit the remote worker in their home and deliver that laptop in person. But don't expect them to travel to pick it up.
Sounds reasonable to me that the companies that hire to work remotely would like to have some live meet-ups once in a while. For the most part I wouldn't see a problem traveling to an employer's office for a week or so to start.
For working parents, it's pretty tricky. I ran a few remote organisations, and while there were usually decision makers that wanted mandatory meetups, I always tried to make it as optional as possible, and to eliminate the need for those where feasible.
In the age of vibe coding and North Korean fake workers, I'd probably go another way though. Trusting your remote workers used to be easier from my perspective.
You know the saying "trust but verify" :-) As mentioned before I think we need robust verification in place for things like new hire identity, but you mentioned an additional thing "vibe coding". The most obvious response to this is to have merge checks that run a bunch of tests on important stuff, and peer review.
My current place of work has rolled out both copilot and gemini coding assistants to everyone and so far I've not seen the expected flood of lower quality code or code clearly written by AI and not even being understood by the submitter. We're talking ~80 devs in 3 timezones just in my project. This is very encouraging.
Unless like me you live 8h travel by road away, and there are no reasonable flights, to the nearest office.
I made a decision long ago. Either a job is remote (I apply) in which case it has to really be remote. Or it is hybrid(I don't apply). If there is a day in a week/month/year that you're required to visit it is no longer 100% remote. This especially applies if it requires international travel, doubly so to certain places that make such travel even a bigger hassle than it needs to be (I didn't think US will be on this list in my lifetime, but here we are).
Perhaps I'm just annoyed it is very common in this job market (at least when I looked last ~2 years ago) to advertise 100% remote jobs, have 3 interviews during which you're assured "yes,100% remote" and then either get a contract that has provisions allowing for it to be revoked, or even being told verbally, or not even being told, but pressured as time goes by, no actually you're expected to visit. I had a client like this once. Otherwise a good job. The manager of my team got constantly a lot of crap that his people are "never in" despite the company hiring the whole team as a remote.
There are plenty of people in business that would love that whole remote thing to dissappear. It starts with "come to the office once a month for a night out, we'll pay for your hotel", then it's just "come to the office once a month", then it's 2 weeks, 1 week, then it's 3 days a week, and then it's just Friday you work from home, but no one actually works on that day, but you so you're blocked on most of what you do.
Who are these people? Managers that never learned how to manage remote teams, HR that worries their dept will be cut down, branch/country directors that can't show the visiting "leadership" an office buzzing with activity, and that guy who decided it's a good idea to buy a huge office building in the city centre a month before covid started (I've already worked fully remote for 3 years before covid started, but it was just me and another guy in a team of 9, now it is much better when the entire team is remote, there is no "us and them").
Sorry, just as luditites wanted to go to the power of muscle from the power of steam, there is no going back. The advantages to everyone are too great. To the employee, don't have to explain I hope, to the employer, lower cost and much bigger hiring market, to the entire world there is less travel and entire generations of people not wasting 20% of their waking hours on travel...
I'm guessing many people working in security don't have LinkedIn profiles. It's not like you want to advertise a stint in Fort Meade, and then a list of people someone might contact to get access to you, or pull some social engineering. Or advertise your TS/SCI in your profile.
There's more and more places where the less visible presence online you have, the more you're a good fit for the position.
Surely North Korea could arrange people to do this, too. They already have people on the ground in the US e.g. to open bank accounts, and they only need this for candidates that actually get the job, not every interview.
You might say the people who interviewed the candidate should be there when he picks up his laptop. But this is already an extremely remote-friendly company, the interviewers might never be in the office. He's going to pick it up from the IT department in the basement and at best they will take a photograph of his face.
Jeff Geerling recently discussed being contacted by the FBI to learn more about minature KVMs, one of the devices North Korean fake IT workers use to appear to be coming from other countries https://www.youtube.com/watch?v=Lc2hB2AwHso
In this case, the KVMs are plugged into multiple laptops being run in people's basement/spare bedroom, it seems. Someone will earn a set amount per laptop per month, to accept a company-supplied laptop (from a us company) then plug in one of these little KVMs to give a remote worker access without as much ease in detection.
> "I live in a travel trailer. I don’t have running water; I don’t have a working bathroom. And now I don’t have heat,” she said. “I’m really scared. I don’t know what to do."
Whn people have no solutions for basic problems they become the problem.
So the main difference over more typical remote desktop methods is that it pretends to be a physical display and keyboard to fool the PC it's remoting into in if it's overly locked down?
Feels like there's otherwise a hundred different ways to already do remote control without any extra hardware.
All the alternatives have a risk of setting off D&R tripwires. Assuming these things can spoof their device IDs so they look like a Logitech keyboard etc, I think the cost of the hardware setup is gonna easily pay for itself in terms of harder detection.
Detection and response - basically any remote access software usage is very likely to trigger an alert to the IT security team, either from the antivirus or EDR (endpoint detection and response, the most famous is Crowdstrike)
So I must be really dumb here but what exactly does the kvm do? It's just stated that it has an Ethernet port and an HDMI and therefore can remote control a computer? And he said the North Koreans are putting them on people's computers as if North Koreans breaking into people's apartments is a common occurrence we've all experienced? And why did the FBI contact him about this?
There's obviously some context I'm missing here, I always thought kvm was the Linux kennel virtualization system...
In this context the abbreviation stands for “keyboard, video, and mouse”. These are hardware devices you physically connect to a computer and then you can remotely see the computer’s screen and input keyboard and mouse inputs to it via the network.
> It's just stated that it has an Ethernet port and an HDMI and therefore can remote control a computer?
Yes. That is the purpose of a KVM device.
> he said the North Koreans are putting them on people's computers
What is described here is a scam perpetrated by North Korean state to gain funds despite economic sanctions trying to prevent it from doing so.
The scheme involves someone pretending to be a legitimate remote worker working from a legitimate location, but in reality they are performing the work from North Korea. The person working the remote IT job in North Korea gets a pitance, while the state pockets the larger part of the money paid to them.
As part of the scheme the remote worker gets a laptop from their western employer. Corporate IT installs all kind of security measures on the laptop, but also grants it means to access internal resources. The scammer can’t ship the laptop to North Korea and use it directly because if that gets detected they will be found out and fired. They also can’t install software based remote access tools because corporate IT might detect those too. So they use a KVM to remotely use the laptop from North Korea and stay on the job as long as they can.
> as if North Koreans breaking into people's apartments is a common occurrence
The scheme does not involve North Koreans breaking into apartments.
> And why did the FBI contact him about this?
Who knows. Jeff seems to have described how to use a particular cheap KVM in the past. Likely this KVM device is used by the scammers. Maybe he has connections to the KVMs manufacturer? Maybe the FBI thought he does?
> I always thought kvm was the Linux kennel virtualization system...
It sounds like the North Koreans pay 1 person in the US to have a ton of laptops with KVMs attached to them, and those laptops are remotely used by North Koreans.
Not to be confused with Kernel-based virtual machine (also called KVM):
I imagine they mean a remote KVM. So you remote into a PC sitting in a basement in someones house in the US. You then make all your outgoing internet from thta setup and your IP address would look legit.
But if you had a farm of them and one guy maintaining them, rather than sticking it in your parents basement with nobody to maintain it, that might be something different.
Something is amiss here...Developers make hundreds of applications to even get a reply much less an interview...While apparently, barely English literate North Korean IT workers are getting all the jobs :-) Time to praise the Supreme Leader on LinkedIn ?
Scammers are good at the scam. They are good at telling the right lies, they often work in teams (lead finders, closers, and everything in between), use automation where appropriate, etc.
A single dev might have trouble cracking the lead finding code, the resume code, the interview code, etc while and avoiding telling any lies that will get then fired 3 weeks into the job. But a team who all treat the application process as a full time job? It's a lot easier.
Also when a dev gets good at finding a job, they stop looking. Scammers get good at it and then keep getting better.
Maybe these North Korean scammers could make good money by selling their job application tips and tricks to actual talented out of work engineers. They seem to not be struggling to get these jobs, unlike actual developers who are struggling.
Very likely the jobs these North Koreans are getting would not be considered a good job by the devs struggling to find one. As a starter when you plan to phone it in from North Korea you can accept a salary which would not be liveable for a local and stil make it worth it for you.
I have gotten multiple emails from wonky email addresses offering to have me interview for jobs and they will take care of the work if I get hired. fake names tons of money for me. I just have to nail the interview.
My resume is shiny enough and I've gotton hired enough times im a good candidate for this kind of scam.
This feels like a very ham fisted approach for them though. 99% of engineers are going to ignore or not take seriously these kinds of out of the blue offers.
These people aren’t constrained by the bounds of reality. They’re applying with claims of having attended Harvard and then worked at Meta and now they’re applying to your company.
> As US-based companies become more aware of the fake IT worker problem, the job seekers are increasingly targeting European employers, too.
All the US companies I've worked for made sure I was legit before I could log into anything, so I assume background checks to be ubiquitous there, save for the cheapest companies. European employers on the other hand...
The thing I don't like is that US companies take it too far, to the point they're violating my privacy and making me uncomfortable.
Why do you need to do a hard credit check before you give me an offer? Why do you need to know exactly how much I owe on my credit cards, car, house, how much I'm paying per month, and how much I've made at every job for the past 7 years?
That feels... excessive. And weird. And kind of unfair. Now you know my paycheck, and the paycheck before that, and how desperate I am. Well, there goes negotiations.
It feels like you're going through some kind of security clearance.
To be honest, getting insight and access to a major company's networks and maybe customer data is perhaps the same kind of risk to the company as it is for the government to give someone access to (top) secret files. It might not be so much a negotiating tactic as awareness that more sophisticated spies and criminals than the ones in the OP article are targeting your company.
> That feels... excessive. And weird. And kind of unfair. Now you know my paycheck, and the paycheck before that, and how desperate I am. Well, there goes negotiations.
- don't or rarely offer remote jobs, so they often don't have this problem.
- even if they do some video or phone interview for pre-screening, they nearly always expect the prospective employee to come to a live interview if they are not weeded out by this pre-screening. It is thus expected that you at least live in a country from where you can easily travel to the place where the employer is located.
- often expect their employees to be able to speak the national language, or at least learn it fast. This also makes times hard for North Korean fake IT workers.
I live in Finland, and while it is not universal it is extremely common for IT-companies to have a working-language of English.
The country is small and hires both immigrants, and people who specifically relocate to start working at the English-only companies, as well as local candidates.
Learning Finnish will obviously make your life easier, in many many ways, but companies themselves do not seem to expect or require it.
I've heard this before about Finland and found it really interesting as to my knowledge English isn't particularly more societally prevalent in Finland than in nearby countries such as Sweden, Denmark or the Netherlands. Any idea if it's as common in those countries as well? By the sounds of it in Finland there's more IT companies operating in English than in Finnish.
It’s definitely common in Denmark, enough that it’s a perennial national debate. Maersk is a huge employer that officially made their corporate language English something like 20 years ago, which spawned discussions about whether you should need to speak a foreign language to get a job in your own country. In practice the answer is yes, for some sectors.
I worked for years in an English-language work environment in Denmark (I am not Danish), and learned maybe a handful of phrases of spoken Danish the entire time. I was expected to be able to read the occasional email in Danish, but 1) written Danish is not hard in comparison, and 2) even years ago Google Translate was good enough.
It would have been nice from a social perspective to have known more spoken Danish, but my employer didn’t really care, and it isn’t easy to learn if you don’t have strong local connections. Danes will just immediately switch to English by default, and even if you ask them to continue in Danish, you need a decent level of Danish pronunciation to make yourself understood, which is not trivial to get to.
In The Netherlands I think it's pretty rare to require Dutch in IT related jobs. I know of one software company that recently initiated a policy of only hiring Dutch speakers and I suspect it will really hurt their hiring going forward. When they initiated the policy they also retroactively exempted all the great developers that already worked there who could not speak Dutch.
I’ve never had this experience. Never once was I flew in for an interview and, in two of the previous companies I’ve worked for, I did not speak the language.
I wouldn't say that's generally true, at least in NL the work language in IT is often, probably almost always, English. I know people who have worked here for ~10 years who barely speak any Dutch.
I’ve seen reports from people who were contacted by companies asking to use their identity for jobs. The deal was that the company used their likeness and identity to secure the job, but they would do all of the work and split the paycheck with them.
There are a million reasons why this is a bad idea, but I’m sure they don’t have trouble finding people excited to collect free paychecks.
Great interview, good questions, really solid candidate.
His first day on the job, his English went to shit.
Then he refused to pick up the phone or call me back. Lame excuses about how it’s loud there, then he lost his voice, then scheduled a call with the real “Jeff” the American who couldn’t answer anything about what we had discussed an hour earlier.
Reported to Upwork but I sort of doubt they did much about it.
Video calls super important and asking questions that wouldn’t be a normal interview question. Helps to have candidates walk through and explain code they haven’t seen to reduce any prep work that may have happened. I’ve got a few questions I ask that no one is preparing for. I’ve interviewed a couple people that seemed kinda sus, maybe not working as someone else but definitely lied about their capabilities but somehow passing the coding test. This was before LLMs ruined everything too.
I also got contacted via LinkedIn by a “normal” profile of a Dutch guy with normal connections, that was even connected to people I know, offering me the same. I politely suggested it’s not a great idea and declined
The background checks don't always work because they typically use stolen identities or use the identities of Americans that they've paid. They basically have to in order to pass I-9 verification.
There are also different levels of background checks. For instance, previous employment verification can be time consuming so some companies skip it. Checking references aren't useful because they can be faked (you have to run background checks with employment verification on the references to make sure they are who they say they are).
Where I am in Europe you couldn't even get a (legal!) job in a bar without showing proper ID, and having your identification (id card number) checked and be present in the contract.
The fact that "fake people" can be employed for high level IT companies in the US is just unfathomable to me.
That’s only one of the scams. You pass background checks if you’re new to the US. It’s a fairly common grift to place contract programmers at big companies with fake degrees and experience, who then send the work back to Asia to be done overnight. It’s easier now with ChatGPT - you can send photos of screens and instantly extract the text.
You also have people who outsource themselves. That’s one of the ways that the people who work multiple jobs pull it off.
I’d be shocked if that was still true after the first time someone tried it. If you’re running an undercover operation, you’re going to give your agents backing to say whatever they need to say to maintain their cover.
That’s why it’s important to remember that not all state-level attacks are created equal. Intelligence agencies can create fake personas at varying levels of cost and realism, but if North Korea is doing that for revenue they’re not going to spend the same kind of resources they would trying to get, say, nuclear weapons data.
The situation here is significantly asymmetric: the attacker has to do a lot of work to build a realistic persona but the defense can make that much harder with a few basic checks. It’s been cost-effective in the past because companies were skimping on their hiring and internal security, similar to how the identity theft crisis was mostly a crisis in companies doing due diligence.
It's not naive at all. Most of these threats can be thwarted by simply following basic business and security best practices. Many hiring managers are lazy and incompetent, and don't even do the bare minimum.
If someone asked me to criticize KJU, that would be the end of the conversation. I criticize people on my own or not at all. I suppose I would become a false positive.
Even with the context of knowing the fake worker problem?
If so, I suppose that’s another good reason to ask the question. It filters out both North Korean fakes and people who are going to be doctrinaire about small things.
I think I would encourage companies that are experiencing problems with unwittingly hiring fake employees (North Korean or otherwise) to ask such bizarre questions. Or they could just flat out state that they have been having such problems and will therefore be implementing schemes to detect fake employees.
I would very much appreciate that. I think it would be grand if they could even put that in the job posting right up front. It would help me cross that company off the list of places I would be willing to work. I personally don't want to work at a place that cannot tell whether I am real or fake.
If a company asked me anything about the leader of North Korea during an interview for a tech job, I would conclude that they were not a serious company.
What I think about any country leader is totally irrelevant to tech work. So the company is either 1. Wasting my time with a totally irrelevant question or 2. Their hiring process is so vulnerable, they can’t even tell if a candidate is fake. Neither of those would make me particularly excited about that company.
It was 2 min of hate ;) and this clearly isn't the same as trying to rile people up; it's a thin attempt to get people to self report if they are lying with some sort of higher level "gotcha".
Feels like the story about disconnecting Chinese gamers from matches automatically by typing "tiananmen square" or the story of the Battle of Siffin with one side putting pages of the quoran on their spears in hopes the enemy wouldn't fight that way. Unclear how accurate the stories are or how effective it may have been but kind of interesting at least.
Please do not foster this concept that I have a responsibility to proactively criticize ever fascist regime of the past century in order to dispel implicit notions that I am "supporting" them in vague undefined ways.
To be basically informed about, yes. An educated person should probably have a view about broad topics like North Korea, and whether Pyongyang is more worthy of criticism than praise. And I don’t want to work with someone who is open to the morality of the Kim regime.
It isn't your place to know the political sympathies of everyone, nor is it your place to decide what constitutes 'support' about every possible issue. It is simply not viable to do this if you want to work together with large, diverse groups of people. There are people with objectionable but private views in the world and in the workplace, deal with it. This is entirely separate from people's public views.
I would find that question extremely weird in a job interview for a normal job, and I have no problem saying that the Kim regime is one of the most horrible regimes ever.
I don't consider myself to know enough to criticize.
Of course what little I do know is all negative. But I've paid only limited attention, and I get nothing from primary sources.
I expect the same from practically everyone -- perhaps excepting South Koreans who at least speak the language. I'd consider it good judgment to say that you just can't meaningfully answer the question.
I'd read a statement you hand me, if you thought that would suffice. But I'll admit I'd consider that weird and likely useless.
Because "educate yourself" is quite possibly the most annoying, low effort thing you can say to someone whom you think should know something that they don't. Either share the information with them or don't engage at all; there's no need to be a dick about it.
In the case of North Korea, my excuse is "I haven't put the time into it because it's a small country on the other end of the earth -- nuclear armed, but without effective delivery devices and massively outgunned. I wasn't prepared to give a lot more detail in the context of an interview that isn't about geopolitics. If you want me to research I can."
I would never allow any potential client ask me ANY political questions. Not because I like any political figure but because I am trying not to encourage fucking thought control. I hope we are not on Nazi Germany yet. It is just simply not their fucking business. On the other hand if they offer me a million in cold hard cash just for that I would tell then anything they want to hear.
The punchline of the joke isn’t that it’s weird to put a price on X, but that it makes it rather hollow to start that same paragraph with four different variations of “I would never do X!”.
It’s kind of like an Abbott and Costello routine. I would never do that! How dare you suggest that. You’re a commie. The scum of the earth. I’m above that. Gimme five bucks I’ll do it right now.
You'll likely have to be careful with profiling here. You'll probably need to have documentation/proof that you ask this question to all candidates regardless of race or immigration status. And yes, that means you'll need to ask it to people that clearly aren't North Korean (though that maybe be a good thing in general as I'm sure the next step for the NK regime would be to pay people who are not Asian or who have American accents to do interviews if the practice became widespread)
Maybe more likely that they just assume they are caught, or assume the likelihood of getting caught is higher when there is overt screening for North Koreans.
Similar to why email scammers don’t need good grammar, filtering out difficult cases quickly and move on to easier ones.
I don't really understand the logistics of this to be honest. From the article it doesn't sound like these people have false IDs, they just make fake LinkedIn profiles?
In a lot of countries certainly here in Germany your employer has to pay social security contributions and needs your insurance, healthcare information etc. In addition if you're a foreigner you need to know their legal status to see if they can even work. Like what do these scammed companies do, just wire money to some guy they interviewed on social media and ship company property to random addresses? Is that even legal in most places?
They presumably wire the money to a person operating in the US who sends a portion of that money to the NK employee. The US person is then the one in the company payroll files. At least that's my understanding.
We should definitely go after those folks, but it's not pleasant, as many of them may be having their own issues that add to the problem.
One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money. We have entire industries that sell narratives, rationalizing these compromises.
This is exacerbated by the current employment problems. They keep talking about how unemployment is down, but I think we all know folks that are un (or under-) employed, and the difficulties they are having, finding work.
Someone in that state, is fertile ground for money- and job-laundering bad actors. It sucks to punish them, but that is what we need to do, to discourage the practice.
> One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money.
A US person without adequate cashflow is likely to not be able to have food, housing, clothing, medical care, etc. A lack of morals are not what causes people to do anything to make money, it's a lack of money in a capitalist society. Blaming people for systemic problems is incredibly regressive.
Quite a few people will have adequate food, housing, etc and still dispense with morals for money. Some studies suggest that having more money makes one more dishonest rather than less.
The problems are indeed systemic, but it's not just lack of money. The system is constructed around the love of money, such that too much is never enough.
My understanding is for a US employee, the employer is supposed to confirm eligibility to work in the first 3 days of employment. Some form of government id plus a social security card or a passport or something like that. IRS form I-9
Otoh, if these positions are independent contractors, form I-9 isn't required. Just a tax id for reporting purposes.
I would imagine whoever is hosting the laptops may be authorized to work in the US and could also be convinced to provide identity documentation. I think there's a lot of borrowing of documentation by immigrants/migrants who are not authorized to work in the US; so there's probably a marketplace somewhere too.
In three decades, I’ve had some call me to check a reference only twice for private sector jobs. The federal government actually does this as part of background checks so it works but you need to want to badly enough to pay real money.
The other problem is liability: companies often tell their employees not to give references for fear of being sued if the employee doesn’t work out, and most companies don’t expect useful information from them unless someone left in a way which has a public record like a court case. The federal checks don’t have that problem because not answering honestly is a crime. You’d need some kind of shield for honest statements for the private sector to really get accurate assessments, and that’s tricky to do in a way which allows the most useful opinions.
I would really like to see one of these deepfake videos that managed to trick any competent interviewer into thinking it was real. I couldn't find anything like that on Youtube. Even in highly controlled environments the deepfake videos can be immediately recognized.
I keep hearing about this and honestly I don’t get it how does this continue to happen?
Here I am, a real human, decent person and a nice guy lol
yet I can’t find a good job.
What are these companies doing, how is this possible?
They aren’t telling the truth when they apply. They’ll use stolen identities, fabricated backgrounds, fake reference checks, hacked LinkedIn profiles.
They are professionals at lying and interviewing. When it’s your job to get jobs and you’re doing it with organized support, you will find something.
They also don’t really care if the job is good or bad. They’re just farming any and all jobs they can get and hanging on to them until they’re pushed out. At many companies, that can take years.
The Norks basically just steal a very qualified persons identity and info and then use that info to apply for jobs. So on paper, the job applicant looks pretty good but its just all larping from the threat actors. For being such a hermit kingdom, they are very good at infiltrating large companies and stealing cryptocurrencies.
The part that's really sad is that we have tons of out of work devs right now. This sort of thing only makes it harder for the legitimate people to get hired. An easy fix for this is for a place like Pearson to set up verified interview centers, which will allow for verified virtual interviews (on both sides of the table).
Another solution might be UNIONS that would have __membership verification__ including things like citizenship (which country(ies) are they a citizen of?), skills tests and training, etc.
Just like competition requires 5+ similarly sized entities for a healthy marketplace of companies, my informal opinion is that unions probably similarly shouldn't have overwhelming market share. However my feeling on contracts between unions and corporations is that the contract should be negotiated between multiple companies and multiple unions to produce the most level playing field possible.
I like that software engineering doesnt require/encourage unions, contrary to other big industries.
As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
One great thing about being a dev in the US, u dont need a degree, learn a lot, can apply and get a great job.
Ive previpusly been in a union for a company and the experience did not encourage a competitive working environment. When layoffs came, Jr employees get sacked before more senior union members (not neccesarily the best technical staff just becuase they worked there long time).
I have family/friends in unions (non software devs) that have had similar experiences to mine.
Devs are the factory workers of today. You’re going to be sorry in 10 years when AI is fully mature and all the cheap talent overseas takes every US dev job just like it did to factory workers in the 90s and there’s no unions to even attempt to slow it.
I believe what they mean is that software devs are the lowest of the low of the totem pole for making software. We, manually, put together the software. We're the lowest level part of the chain. In that way, we're the factory workers of software.
I'm sorry you feel that way about software. I suppose if your bedrock is JavaScript or Python and you've been bashing out CRUD apps it might seem that way.
We've actually been automating away our job since the beginning of software. Compilers have been thing for like 80 years now. We've had auto-complete, static analysis, automated testing tools etc. for decades. What about the poor assembly programmers? What about the people who were bit banging serial protocols for a living?
Yes, we have automated away most of our job, however we are still the bottom of the totem pole.
For example, Amazon warehouse are also mostly automated. Still, workers who move boxes around and scan barcodes are the bottom of the totem pole of the operation. They're the people manually making Amazon work. You can't get any lower, otherwise then you'd become a machine.
> What about the poor assembly programmers? What about the people who were bit banging serial protocols for a living?
Those jobs are mostly obsolesced, so the totem pole has "moved up", but we're still at the bottom.
You have to ask the question, who is manually making the product and putting it together piece by piece? For factories, it's assembly line workers. For McDonald's, it's the burger flippers and the board worker. For software, it's us.
We have a misconception that since we are educated and relatively well-paid we are not like that. In terms of our business function, what we actually do for products and companies, our roles are of the same type. That's not a bad thing - this can serve as a gentle reminder to curb any delusions of grandeur.
"One great thing about being a dev in the US, u dont need a degree, learn a lot, can apply and get a great job."
And on the other side, you can have a degree and experience and still not get a job due to the wild criteria and games that get played in various interviews.
I've been working in the tech industry for about twenty years now, and I desperately want unions. Sticking your neck out alone sucks to begin with and only sucks harder the more time goes forward.
Same. Back when I first got into IT, I was surrounded by (similar) nerds whose self-esteem was defined by being the smartest person in the room. Compensation was often higher than other white-collar jobs, so they (we) were happy to overlook the long hours and non or poorly compensated on-call shifts.
Most IT work now, whether dev or admin side, is not rocket science. It’s mostly approachable work and no one should settle for being abused by employers for some outdated, ingrained, cultural baggage.
Why unions? Why not just more protective labor laws? Why bet on some political organisation to protect you, instead of being able to take your employer to court yourself?
A retort being familiar does not mean it isn't true or real.
Millions upon millions of ppl at every income level have experienced working in and around unions and not all of them came away with a positive experience.
Do these same criticisms also apply to corporations? I've worked for some absolutely shitty corps that have abused and taken advantage of their labor. Should we abolish corporations?
These criticisms of unions are always pulled out but then never equally applied to corporations.
Corporations are providing people with jobs and clients with value (or they go out of business).
Unions, especially failing ones, don't inherently provide any net benefit to society. They may as well be engaged in little more than self-preservation and zero-sum games.
Therefore, I believe unions deserve a different type of scrutiny than corporations.
It didn’t come by itself, it came in the wake of a comment that outlined a process whereby unions have a negative effect on new applicants in the job market.
The disagreement then was “I’ve heard that argument before.” - “ok that doesn’t make it wrong” <— that last sentence is what you’re replying to.
>None of this is a reason to not organize to better represent the interests of labor.
unions restrict the supply of labor and this results in (price increase) better wages for the union's members. However, overall the total dollar amount transferred from employers to labor goes down (employment decrease), so the "class" of all workers (employed and unemployed) see their per capita wages go down. and if that's not enough, the industry grows more slowly so the problem only gets worse for everyone in the future (trickle down) this is the underlying reason for europe's lower year over year economic growth compared to the US
is the reason. it's not a moral or ethical or even income distribution issue, it's just how markets operate.
I just took economics, this is what is taught at any school with a serious economics program. (it's non-serious, though still can be good, if calculus is not a prerequisite)
> As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
This is true in the same way that it’s true that all democracies turn into the majority oppressing everyone else, or get captured by oligarchs, or vote to raise taxes to fund social until the economy collapses, etc. – which is to say not at all. Unions CAN fail that way but it’s not a given. We shouldn’t give up on a useful tool because it can be failed, we should talk about how to keep it healthy.
For example, I’ve seen the no-degree route you talk about made easier by unions because it forced merit hiring rather than hiring more dudes with social ties from certain colleges. Again, that’s not guaranteed – you’d be forgiven for wondering if the Teamsters were a deep cover operation to discredit the concept of unions – but social institutions aren’t magic: they work to the extent that we make them work.
They are fine, but struggle with remote work in general because fundamentally the leverage the union has is a monopoly on labor, which is compromised by a global labor force.
Why add more gatekeepers to the industry? It also doesn't really make sense for an IT worker to want to negotiate as a collective when individual salary and benefits are some of the best in the world.
The interview process in US is already insanely ridiculous, but this would only add an additional level of crazy to it. Honestly, licensing would be less bad by comparison.
Can you describe what you see as the insanely ridiculous interview process? Most of the interviews I have initiated are something like:
- 30 minute recruiter call
- 30-60 minute manager call
- 2x 60 minute leetcode easy/medium
- 1x 60 minute STAR behavioral
- 1x 60 minute systems design or maybe doubling up on a previous category
So for a total investment of what, 6 hours, I can go from a cold call to an offer of something like 150k-300k/y? And I'm not even playing in the FAANG ecosystem.
I'm not sure if we are experiencing different processes, or we have different opinions about what kind of time / reward tradeoff is reasonable.
Everything except the 30-60 minute manager call is a waste of time and money for everyone involved.
You just need to ask a couple of open-ended questions about the candidate's preferred programming language and/or some technical details of a past project they've worked on to get an idea of whether they are reasonably competent or not. It shouldn't take more than 10-15 minutes to go through. The majority of rest of the meeting can consist of the candidate asking you questions and/or chit-chatting to make sure the vibes aren't off.
What you are trying to judge is whether or not they can do the job, which you can really only tell once they are actually doing the job anyways. So you pay extra attention to what they do for the first couple of days/weeks after you've hired them and if it's obvious things are not going to work out you let them go. Most places have laws that are amenable to hiring someone on an initial trial period before stronger employee protections kick in.
In general, most of the pathologies of the hiring process can be solved by treating it as a satisfier problem instead of an optimizer problem.
There's a wide spectrum between "extremely efficient" and "insanely ridiculous". To keep it short, I think the incentives are pretty well aligned here. There's not much of an incentive for either party to waste our collective time.
I would be interested to explore a "quick hire, quick fire" philosophy, but I'm not sure it would lead to overall greater satisfaction. Employers don't like to fire people and employees don't like to be fired.
6 hours per application, plus another hundred hours of leetcode practice.
Because, let's be real, not a lot of us are writing leetcode type solutions in our shitty web devs jobs where we center a div. So we need to practice, and more importantly, memorize. Companies don't want a solution, they don't even want a good solution, they want one particular solution. That requires memorization.
The part where I have to rehearse solving ridiculous problems for a few weeks in my free time so I can perform them to the interviewer and then never use the skills again. It’s typically 2 medium/hard problems solved optimally in 20 minutes each with no errors if I want to beat the competition.
It can suck. I've definitely had some low points where I screw up an easy question and lost out on a place I wanted to work. I also understand that companies can't afford to make a bad hire often. My experience has been that interviewers are interested in the ability to recognize and fix mistakes, communicate about the problem, etc, and have had multiple occasions where I never even got around to filling out a couple pseudocode comments and still got passed.
I don't think I've rehearsed for an interview ever. (And to your question in another thread, yes, I've interviewed since 2015. Multiple times, thanks to a layoff.)
> It’s typically 2 medium/hard problems solved optimally in 20 minutes each with no errors if I want to beat the competition.
I have also definitely made errors in interviews, and gotten hired. If I had to guess, it is a lot more about how you handle those. (To a degree. E.g., in one question, which was a coding challenge, I could solve it, but I was pretty sure my solution was not efficient. I voiced that, voiced why my gut was thinking it could probably be better, but I didn't ever get the full solution. In another one, I was just asked for past experience; I didn't think I had much to offer, voiced what I did have. I still to this day like the question, because it was a tough question, and the person who asked it really pressed me — in a good way, in that I could see that she took her own role/work seriously — on why I thought I was qualified.)
I've also had a call where me & the interview were definitely not connecting, at all. That wasn't going to work out, so nothing was lost?
As an interviewer,
> It’s typically 2 medium/hard problems solved optimally in 20 minutes each
… add 5 min for entry pleasantries and padding, 10 for questions for you at the end, and that's an hour, which is often all the time the recruiter schedules. And honestly, that's usually enough.
I don't ask hard problems. Easy ones sift out candidates. Where I ask coding questions, the first is almost always designed around "can the candidate write a for loop?" and the second is around basic datastructure comprehension. (Can you recognize situations that require a hashtable? a queue? and apply those to the problem.) Often a parsing question. Essentially CS 201, or easier, though I do not care if you know big-oh notation.
Most interviews I've been a part of fit that MO, and I've done interviewing with startups and with FAANG-sized companies.
> each with no errors if I want to beat the competition.
It's not about beating the competition. SWE hiring IME is never zero-sum. Two phenomenal candidates are two hires.
Maybe you’re just smarter than me or you’re applying for different jobs. I don’t really care about your interview process. I just need a few months of practice so I can perform LC hards in 20 minutes to achieve my goals
Wouldn't the issue be that an interview center could take money to lie/etc? When I start a job I would have to go through I-9 verification - if that process is not good enough to weed out fakes, how would another verification work better?
> Wouldn't the issue be that an interview center could take money to lie/etc? When I start a job I would have to go through I-9 verification - if that process is not good enough to weed out fakes, how would another verification work better?
You just need to have a US citizen's SSN and birthday to beat the I-9 verification. And "beat" is a strong word. I-9 is just a form that the employer asks the employees to submit, there's no requirement for the employer to do anything with it.
So you can just say that your SSN is 555-55-5555 and your birthday is 01-01-2001 and you'll "pass" the verification. It'll be detected only when the employer submits the Form-944.
There's E-Verify that requires a picture ID and more information, but it's not mandatory.
You’d lose out on people who don’t live near an interview center and potentially have legal issues if people had disabilities that impacted their ability to travel to an interview center but not their ability to do the job.
Maybe everyone who is enthusiastic about traveling to an interview center could do it, and the remainder can undergo heavy vetting? Perhaps a cost & safety optimized approach if tuned right.
Yeah, I was thinking of the Pearson testing centers because they're already prpctored to prevent cheating and setup for identity verification. But co-working spacings could certainly work too. That might be even more viable in Europe.
That’s not the question: it’s about trust and honesty. The problem with North Korean workers is that they are a huge security risk because they aren’t working as free people but as agents of their government. That might not be a guaranteed disaster if they’re just generating cash revenue but it’s a huge security risk if the North Korean government has any reason to subvert your company or customers.
Maybe first give them freedom. As long as their CVs are fake, their faces and experience are fake, and they're spying for their government, nobody should be hiring them.
Eh we're all victims of where we were born. I'm not about to hold someone's state against them. Unless i suppose it's a certain state that didn't exist 100 years ago and had to forcibly move people to make room.
It's a very profound statement (perhaps unintentionally so). Most of us wouldn't even be doing the work we do if we did not have to pay ransom money to our rulers. And then there are unwanted children and all of that...
The problem isn’t the people but the government which controls every aspect of their lives. If I hire a remote worker from England, I don’t have much reason to worry that they’re secretly working for MI-5 and plotting to infiltrate our systems unless I work for a drug cartel or military supplier, and I have a high degree of confidence that if they engage in misconduct they’re subject to a real legal system. If you hire a North Korean, abuse is far more plausible since the invention of cryptocurrency has helped them immensely when it comes to getting and laundering ransoms – and with nobody actually in a country subject to the jurisdiction of a government which cares what you think, they’re going to see it as a safe operation even if it brings you considerable harm.
Just like I don't blame people for hating me because I'm a symbol of ongoing colonization, I expect people to be ok if I blame them for ongoing atrocities carried out in their name in public with no shame or believable justification.
If North Korea is just as bad, at least they're smart enough to not let me see evidence that invades my dreams.
Please re-read the article: These aren’t helpless people looking for jobs where they can do good work. This is a state-sponsored activity to exfiltrate source code, customer data, and in many cases extort the companies by demanding ransoms.
Assuming they have offices at all. My previous employer didn’t even have an office until 6 months after I was hired, and half the employees in the country were at the very minimum a decent 3-4h drive away from the office anyway. I’ve only ever met a handful of members of my team in person. The remaining employees were split up on 3 different continents.
A lot of companies have gone completely remote including a fully remote interview process because COVID basically mandated that and many companies kept doing it after COVID subsided because it was working.
But, yes, this will likely change that. In person interviews and onboarding will probably become the norm with fully remote teams as more companies become aware of the risks.
You can. Just like everyone can use a good password. Yet many dont.
Also there is a good reason not to make week 1 in person. You reduce your access to talent. I know we are in the everyone RTO and do 100hrs a week part of the BSiness cycle. But still.
Workers are currently in a bear market. No company has problems “accessing” talent, at least today. They aren’t going to lose a candidate by simply insisting on an in-person step, whether it be an in-person interview or a week of in-person work.
> Also there is a good reason not to make week 1 in person. You reduce your access to talent.
… I don't think candidates are going to turn down a company in droves for an initial 1 week onsite. You make it sound like you're losing access to all remotes.
> 100 people. Working full time. Cannot take leave at last minute (or may not have it to take).
You're misinterpreting the thread. The context here is that the candidate is post-hire (…candidate is perhaps a poor word, but in the context of TFA, it makes more sense), so they're employed by the same company they're visiting.
I.e., the suggestion here is that Person A's employer E flies A out to E's headquarters to work for ~1 week.
Then you meet them in person, and can visually see they're not some fraudster in NK.
I.e., you start in-person, and transition to remote after 1wk.
The cost isn't an issue. If I'm a well paid pro looking at 10 interview pipelines. I ain't taking say 3 weeks off work to do my top 3 interviews. It's insane. Pay my flights and 20k might consider it.
It might work for grads or people out of work if it is well paid e.g. at least pro rata od the target salary. But that's a subset so if the employer chooses this they narrow their pool.
They definitely can.
For my first 3 months it was obligatory to show up to the office.
The office was basically a apartment room, and very small. But it got the job done.
Not really. You need a visa (or equivalent) to enter most countries. This can take months to apply for and receive. And you can stretch that period out even longer by claiming that you don't have a passport and need to apply for one first.
In Germany, if a company want to hire some talent from a foreign country, this problem is solved by the general rule "The employment starts as soon as the visa problems have been resolved, and you are in Germany." Big companies often have a department that helps with visa problems.
So, if you stretch the period, the employment simply starts later.
What’s the end game for these scammers once they get the job? I understand there’s a question of espionage if they’re collecting intel from these companies, but do they also do their jobs? Or do they disappear as soon as they’re hired and collect as much data and money until they get fired? Do they actually know how to do IT work?
The article mentions ransoming company data or source code as one outcome.
For many scammers (not North Korean specifically) it’s just one big game of collecting as many paychecks from as many companies as you can until they fire you.
For some multi-job people, the game is to continuously apply to companies and then let any company that is paying attention fire them after 1-3 months. Repeat long enough and you might find your way into a couple companies where your demands are so low that you can do all the jobs in a couple hours per day because your managers are so checked out that they don’t care. Ride this until the company lays off the whole underperforming team, then find the next jobs.
The supposed problem is being peddled by a company called Socure, who, coincidentally, offer the solution to this problem. There are absolutely "fake" remote workers floating around but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence. "North Korean" job applicants has become a meme, any suspicious looking applicant is being labelled "North Korean" by people who've read articles planted by Socure. If this were a grand North Korean government orchestrated conspiracy we would not see hundreds of job applicants engaging in exactly the same strategy for the same job.
Yeah I get your skepticism, but this is really a huge issue in many industries. We are seeing it with an alarmingly high rate. You don't need a technical solution though, as the article points out, some stuff is just process change:
In person final interview, gov issued ID checks, initial hardware delivery in office, etc.
I’ve also seen this pattern at a pervasive rate but I think it’s mostly shady overemployment / outsourcing agencies, with NK as a tag along. It doesn’t matter either way since the countermeasures are the same (besides the stupid meme KJU junk).
> but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence.
> If only governments could provide a very simple “check identity” service online. I think this should be a basic service nowadays.
Slovenia issues personal certificates so you can identify yourself online. Mostly used for banking and e-gov. The commercial space has decided it’s too cumbersome.
Fantastic idea. Started rolling out when I was in college some 15 years ago. You go to the same place that issues your govt ID and you can also get the equivalent of an SSH cert issued by the government that guarantees you are you, your identity was verified at point of issuance, etc.
Unfortunately it’s about as fiddly to use as SSH. Okay for nerds, way cumbersome for normal humans who just want to log into their bank and pay their taxes damn it. Last I remember (moved to USA ~10 years ago) getting their e-signing browser widgets/extensions to work reliably on non-windows machines was hell. Most Mac/Linux users ran a whole VMWare VM just to do taxes once a year.
Imagine if you had to provide your government ID to use any website.
Even for employment I find the idea iffy, but seeing as it's in response to an actual non-imagined problem, I suppose it's the most reasonable solution to that...
You lack some imagination. One could verify their identity against a government service once every let’s say 5 years. You get a public link/code that you can share with employers (or banks or real state agencies or…) so that they can use the link/code against a government service to verify that you are who you claim to be.
Adding a session token in the middle of the process of a website getting your government ID won't stop the website getting your government ID though? Either way the website learns your full name and address, and you can only ever have one account - which will make you extra careful not to violate any real or imagined rules - the chilling effect on speech is still there.
They provide, don't they? In Russia there are "gosuslugi" (government services) that banks and other organizations can use to confirm identity. However, if you sign up, then you will receive draft notices for military service through the app so you better not sign up.
I am not sure it would resolve the issue. About 10 or so years ago I was contacted on LinedIn with offer to "rent my name and face" for a team of Chinese remote workers (probably not those exact words). I rejected the offer without asking for details. Not sure if they were actually from China.
Isn't that what the E-Verify [1] system was supposed to be? Several companies are now discovering it's not all it's cracked up to be, as ICE shows up at their door.
Yes. It confirms someone with a particular name, DOB, and SSN is authorized to work in the US. It doesn't confirm that the person claiming to be that person actually is that person. It relies on the employer to be able to match the applicant to the photo in e-verify, which isn't always an easy task.
We don't need a general identity service though. We need to know whether someone is authorized to work for a US employer, right? How can a DPRK worker have the necessary authorization? If they use someone else's identity, isn't that something e verify should catch? If these are US citizens/nationals/residents working out of DPRK, who cares?
I suspect some of the fake job postings are schemes to harvest that type of data. If I live in Atlanta and someone uses my identity to get a job in Seattle, how long will it take for me to learn about the company in Seattle that thinks it hired me, especially if they don't use my home address.
One of the many reasons I don't like to give references, social security number, date of birth, and so on to anyone except the end client hiring manager. I don't really care if the talent manager software has a required field to put last four of social security number. I simply don't trust random job postings to keep my information secure.
Would it help if I could query some IRS service to check what paychecks have been sent to me? Does this have a delay of a quarter year or more?
How do these people avoid getting the people they impersonated and or scammed in trouble with the IRS?
They can buy, steal, or hire yours. If it were a general identity service, yours would get tracked. But if it's just a matter of authorization, with no authentication, they'd just use it indefinitely.
I've definitely gotten something similar to this in dev slacks offering to use my upwork/linkedin to get a job and then I hand it off to someone else. They claim they'll pay 30-50k/y.
I think the paranoia and fear this kind of idea promotes is perhaps the point of all of it.
Why this is being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
Also, we need steps towards reducing the possible tools that fake workers could leverage. These steps would put a strain on some recent technological developments. A strange and wild paradox.
Inform what companies directly? If it's this pervasive, that's not going to be effective.
I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
And in the process of confirming that this was fishy, I contacted one of the past employers he claimed after doing my best to confirm _they_ weren't in any way part of the scam. They confirmed he had never worked there. I sent them his LinkedIn and portfolio site in case they wanted to chase down getting their name removed.
They told me that this was super concerning because the screenshots in his portfolio of the app he worked on for them were real screenshots... for an unreleased app that was only available internally and had never even been demoed for clients.
They'd already been breached and had god knows what exfiltrated. They found out because we caught an attempt to get hired at _our_ company and let them know.
Nobody outside of a couple of technical staff at our company had even _heard_ of this. Nobody at the other company had. The fix, to me, seems to be making people involved in hiring more aware of this. If anything, it seems we should be talking about this _more_ and _more publicly_.
Is your company involved in infrastructural or emerging tech in any way?
Forgive my frankness, but these worries about infiltrators have priority in important, large companies. I am very sure agencies responsible for this can contact these handful of important companies directly.
So, you're right. In the current age we live in, no one cares about your small SaaS company, and you're being used to spread unecessary paranoia and fear.
We're in a niche, extremely boring industry. We have an extremely small client base. We do line-of-business/sales management applications for something akin to like... light switches and light fixtures. The most exclusive thing we have access to is wholesale pricing from manufacturers. We don't handle payments. The extent of PII we handle is "name and email" from when someone emails out a quote.
We are the epitome of uninteresting to a foreign actor. Being "uninteresting" apparently does not disqualify you.
We also do not hire overseas (the applicant claimed to be from California) and offer a good US wage. We weren't targeted or vulnerable because we were being "greedy".
So if I'm reading all your posts correctly the problem is:
* You're a Fortune 500 that's a valuable target.
* Okay, well, you're in emerging markets or infrastructure then.
* Okay, well, the problem's really that you're being greedy hiring overseas.
* Okay, well, the problem's that you're not paying sufficient office expenses and _that's_ greedy.
Isn't this the best way to start an infiltration, though? Like hiring a janitor or cleaner, who is able to access the office during off hours, and can start planting false information, which is then used by a more relevant company years later?
Greed meets greed. Companies hiring cheap labor, being exploited in several fronts.
It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
Keep focused. Small companies never mattered for nations, they are irrelevant. Spreading paranoia will not solve their over-reliance on this exploited offshore problem. It will likely lead them to bankrupcy.
Ultimately, it doesn't invalidate what I said. It actually makes my comment more relevant.
> It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
It's not offshore. Infiltrators are pretending that they're in the US. I first saw this 2 years ago, and they were pretty clumsy back then: always blurred background (and refusing to unblur it) and/or doing calls from a windowless office. You could even see their eyes moving, like they're reading the script.
This year they became much fancier. They use backgrounds with the real time-of-day and weather illumination. The eyes no longer move unnaturally, etc.
Remote working is in the same vein as offshoring. One enables the other, they're co-dependent. Both are based on greed. In the case of remote working, is avoiding having offices, avoiding paying certain kinds of insurance, etc.
You are also re-inforcing my original conclusion that what enables these workers is the very same tech that companies are investing on.
Again, greed meets greed.
Now it's too late. IT companies will not survive a full return to office, and they won't survive remote working as well.
The very idea that someone could be using technology to fake an identity was unthinkable. Now that it is not, there's really no place safe.
If a crisis occours, and the US president goes to Air Force 1, transmits from there, how could you be sure he's not a north korean infiltrator? You can't.
I think there are still ways out of this, but we're reaching an inflection point that will be hard to overcome.
---
Your commentary seems to provide a valid point of view, and although you disagree, you reinforce my main point.
> Remote working is in the same vein as offshoring.
No, they're not.
> You are also re-inforcing my original conclusion that what enables these workers is the very same tech that companies are investing on.
We should get rid of electricity, then.
> If a crisis occours, and the US president goes to Air Force 1, transmits from there, how could you be sure he's not a north korean infiltrator? You can't.
> I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
I'm in a similar situation. The HR leads company is trying to filter out the fakes, but they can't catch everyone.
Apparently, the infiltrators specifically target the companies in the 10-50 people range. In smaller companies everybody knows what everybody else is doing, so infiltrators will be swiftly uncovered. And larger companies typically have a well-established HR department that will catch obvious fakes without good cover.
But these mid-range companies provide the best chance for the fakes to get at least a couple of paychecks before being uncovered. And they likely won't bother with going to the FBI to chase down the payments.
[Background: We both know companies should (must?) inform the feds if they accidentally (illegally?) hire someone as a part of fraud perpetrated against them.]
>And they likely won't bother
Thank you for your insight. Unfortunate! The rationale makes sense—the temptation to sweep under the rug—but doesn’t make it right, which as established we both know.
…you can perhaps tell I was frustrated with what seemed to be an argument against actually taking this course of action; hope replying here is better than arguing directly downthread esp. in case I misunderstood something
I'm not saying "shouldn't". It's more likely "don't bother".
Interacting with the law enforcement takes time executives' time, it might bring in complications (legal liability for personal data leaks, etc.), and even in the best case the company is not going to get their money back.
So, it's a big problem that everyone should know about but do nothing except post shit on news?
No, you should bother. You should bother a lot. Get in contact with the FBI, make a huge deal about it. You think one company can handle a spy agency? That's bad advice.
You are mixing hypothetical scenarios with reality.
My argument was to inform high value targets first, since they are more at risk and capable of developing a fix.
I also argued for slowing down the development of technology that can help infiltrators.
Go back, read the discussion, see how far you are from the simple truth. Someone is making IT companies paranoid, either on purpose or by mistake. Probably, by greed or as a consequence to it.
Why try to hide it? It’s like public disclosures of security vulnerabilities. You directly contact the few people who have actionable data and means to address the problem, then you tell the world that they’re impacted and should be aware that such a problem exists so we don’t repeat it.
> Why this is being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
One key component for this scheme to work is to have local US persons act as intermediaries. While some may already know something shady is going on, and be complicit, some might not understand the entire scope of what they're being part of. Publicly discussing it might encourage some people to come forward / avoid being involved in the future.
Living up to your screen name I see, but in all seriousness, I fully agree. The average person running the laptops in a spare bedroom may have no idea the scope of what they're involved with. Especially if they're being duped as well.
Imagine a non technical person being told they're helping run an "edge data center, close to the users. Running our laptops helps Netflix/facebook/etc (insert big tech name of your choice) run faster for you and your neighbors and well pay you to do it."
Easy to imagine a non technical person buying that lie.
NK "fake employee" finds a non technical American to run their laptop farm by lying to them that running these laptops is helping make their access to some service faster.
I'm sure many, many countries have botnets. I have a bunch of those countries which I consider irresponsible and wreckless in my radar, not only north korea.
These aren't botnets in the traditional sense. These operations need a US-based laptop (they receive it by mail, from the "target" corporation upon employment) and they also need the mini-kvm device to be plugged in. Then the remote agents connect via that kvm, to make detection harder. To an enterprise IDS/IPS the laptop seems connected from a residential, US IP address (expected).
They've already arrested some people involved in this, they have devices as evidence. It's pretty well documented at this point.
My imagination is very expansive, I can come up with grand scopes that movies and conspiracy theorists would never dream of.
Reality is much simpler though. Greed, I already said it. Typical human defects.
It seems that you are not comprehending who needs to come forward. Entire industries, entire parties. They simply won't, they would rather see the world burn than admit such mistakes. It has happened before.
I’m not sure it’s good for anyone to keep SMB’s in the dark, as they have the most surface area and least expertise and budget to respond. It seems like a net benefit to publicize the issue and get every IT hiring manager thinking about it.
Keeping it quiet and only disclosing to larger firms means that lots of small firms will hire these people, with the economic and IP harms they entails.
As you said, small businessess have less expertise and budget to deal with the problem.
Telling your gramma she has a virus only makes her become afraid, she won't magically gain the ability to identify it. That's my whole reasoning here. It makes things worse.
I suspect it could be worse than that. It feels like certain countries' tech sectors are being partly taken over by IT workers from foreign intelligence agencies or from foreign entities with ulterior motives. Especially when you consider countries with small populations and few natives in the tech sector.
For example, in Australia, it seems like at least 8/10 software engineers are foreign-born. Most of those are probably genuine (not from intelligence agencies) but Australia has such a tiny native population of engineers compared to that of most foreign countries in its vicinity that it wouldn't be difficult for a country like China or India to overwhelm our tech industry with a few highly-placed workers in order to gain political leverage. I was thinking that there might be more software engineers working for Indian and Chinese intelligence agencies in the world than there are native-born software engineers in Australia (of all kinds). It's a numbers' game.
North Korea seems like the tip of the iceberg there though it is an easy example to talk about because everyone understands how the North Korean government operates and everyone agrees about the threat they pose compared to more subtle threats from other countries which aren't seen as opponents (at least not to the same extent).
But also, consider a company like Facebook which hires maybe 20K or so software devs. A country like India which has a large number of software developers, if it wanted, could easily put together a task force to infiltrate and take over Facebook in a focused decade-long effort if that was its intent. They almost certainly do have some people inside every major tech company right now.
If a group can have a few highly placed people inside a target company, they could then recruit more of their group into the company and start promoting their own until they have full control over the critical systems. It's a weakness of our current highly centralized tech sector.
Something else that could happen is a foreign intelligence agency could wait for people to get promoted naturally and then reach out to dual-nationals which they have leverage over (e.g. because of family members or assets owned in the foreign country) and then use that to demand favors. Then they could help coordinate the engineers to recruit more of their own to achieve even more control. Different groups would form factions within the target company and every normal employee would be unwittingly pushed out because anyone trying to 'improve or simplify things' would be seen as a threat to various nefarious agendas which rely on complexity to hide backdoors or algorithm exploits.
Imagine how valuable it would be if you could hijack's Google's search algorithm or Facebook's recommendation engines to prioritize your group's businesses and/or agendas.
>If a group can have a few highly placed people inside a target company, they could then recruit more of their group into the company and start promoting their own until they have full control over the critical systems. It's a weakness of our current highly centralized tech sector.
Isnt the critique of Indian managers that they favor indian ppl?
The LinkedIn thing is very weird, what about all the guys that worked for another company for a long time and didn't bother with LinkedIn? I don't buy that, but the trend of these guys not showing up in-person at all is very suspicious, though not impossible. There are all kinds of reasons people want to do remote work, and some of those reasons might preclude an in-person meeting (like you might find out about a disability).
Still, I agree that's pretty suspicious. However, they didn't offer any proof whatsoever these guys are from North Korea or any motivation for why they would be doing this from North Korea. So, that sounds like potential U.S. propaganda.
They said they worked with the FBI, which honestly is a red flag for that kind of thing. Rather, if a company states without proof they're from NK, it's very likely BS. If the feds say it's North Korea without proof, it's definitely BS (they have resources to prove it!). If the Feds say it and provide proof, then we can talk about the proof.
Direct impact: Outsourcing breeds a culture of unverified and verified-just-once remote work.
Indirect impact: Outsourcing is a cost-driven effort where after a certain level of competence, the bottom-line is the only measurable metric that matters so it’s a race to the bottom with patchwork efforts to “fix” issues like OP.
Making domestic options cost-equivalent with punitive outcomes for hiring NK workers.
Otherwise, I stand by my argument. The support infrastructure we built to support remote work and offshore teams
have made this an easy attack channel.
Maybe this is a real problem, IDK. But this article is so scant on actual details, and is mostly just weasel-wording it's way to "it's a problem, trust us."
> Chief among these disconnects were "shallow" LinkedIn profiles paired with "beefy resumes," she explained, citing job-seeker claims of working at Meta, attending Ivy League schools, developing major tech companies' flagship products … but then only having 25 LinkedIn connections.
LinkedIn is not the end-all be-all of résumés, and my coworkers have wildly varying numbers of connections.
> "We've certainly seen applicants that fit into this category with various IOCs [indicators of compromise] that we've shared with partners and peers," Snowflake CISO Brad Jones told The Register.
This is an abuse of the technical term IoC to try and dress up what amounts to "my gut hunch".
> Once the recruitment team began meeting via video conferences with some of the applicants, they noted extremely Western-sounding names, like James Anderson, paired with East Asian appearances and accented English, in much higher numbers than they expected.
That's just discriminatory.
> "You can't profile people, […] *But*
sigh
> The fraudster's answers weren't word-for-word ChatGPT, Little noted. "These people are smart, they're not unskilled, they're sophisticated," she said.
… no, that's because that's not how LLMs work.
> routing everything through a VPN
I'm not even sure how you would know this about a candidate.
> These IOCs, or indicators of compromise, include email addresses, physical addresses, and phone numbers that have been flagged as associated with non-legitimate candidates.
This is begging the question: the candidate is suss because they're suss. What makes the email address et al. "flagged"?
> The final step is always an in-person interview.
I mean … if you're not doing that, then … okay, I see how the scammers got to you.
> "We require people to come to the office to pick up their computer," Robinson said as an example.
I mean, if you pay for the plane tickets, the hotels, the taxis, the meals, and the time, sure, I guess.
If this is truly a problem — and maybe it is — the Register's reporting is so unspecific that it leaves us with no details of how we might tell, what to look out for (in ways that doesn't run afoul of racial discrimination, or seen elsewhere in the comments, political discrimination). It leaves me thinking this is an ad designed to leave me going "I'd have to hire a company that specializes in this to know if I'm being affected by it."
So, again, the answering to this and most every other hiring ill in software over the past 15-20 years is… licensing.
So, let’s think about this logically. There is no baseline of candidate identification or competence in software and the jobs pay very well in physically comfortable conditions. It makes sense that unqualified liars would apply for these positions. Why shouldn’t they? I am honestly curious how far the fraud and incompetence can go and devalue the industry before someone cares enough to tackle the problem l.
The answer to this is for companies to do even a modicum of personnel vetting.
At the very least, make your remote candidate show up in person for their onboarding. A plane ticket and a few days of accomodation and meals is cheap in the grand scheme of things, and giving the opportunity to meet their team is good relationship building.
Sight their ID before you issue them with an account, give them a laptop etc.
They generally make no enquiries at all into the applicant’s bona fides.
The candidate sends in fake or stolen documents where the picture on the drivers license doesn’t even vaguely resemble the person who appeared on Zoom.
When you have an applicant who says they were born in Tennessee and that they’ve apparently lived in the U.S. for their whole life, you would normally expect them to speak English with native proficiency and at least have an American-sounding accent.
If they say they live in, say, Seattle, you’d expect they could carry on at least a basic conversation about their local area.
Even this basic level of attention to detail nonetheless escapes many HR departments and hiring managers.
> If they say they live in, say, Seattle, you’d expect they could carry on at least a basic conversation about their local area.
When I was working at $LargeCompany, we were encouraged to NOT engage in small talk with applicants beyond the regular politeness. It's too easy to ask questions that would open the company to discrimination lawsuits.
I have known many people born in the US who learn English as a second language with a think accent. Employers have to use legally qualified means to discriminate applicants to avoid violations of various laws.
Irrelevant to the OP unless you explain why North Koreans would be prevented from obtaining these licenses: it's not like there aren't competent developers in North Korea.
If your explanation is that the license grantor will verify that the applicant is a resident of a Western country, than the employer can just do the same verification of job applicants, dispensing with the need for the occupational license.
The way these people are being caught are things like dodgy LinkedIn profiles or refusing in person meetings so I would think a licensing process designed around things which would be expensive to fake: in person government ID checks, periodic exams, peer evaluations, etc. The trick would be actually doing that in person, which could be a useful thing for conferences - treat an afternoon at PyCon or re:Invent as the cost of renewing your professional credentials if you don’t live near a major city or university.
Yeah, I was thinking that if you were looking for an industry license it would probably be more useful if it also covered skills or work experience in some way since that helps multiple weak points of the common hiring processes but you’re quite right that it would raise the bad considerably if they had to basically run everyone like actual spies with robust fake identities.
I recommend researching what comprises professional licensing. If you have absolutely no frame of reference I can understand why you would be so confused.
If there is an US person providing the identity, what's stopping them from also providing the license.
I guess the main problem is, if you are a company with bad management structure, and you see your new coworker has really weird patterns, inconsistencies in their talking, why would you tell the manager about it? You can just mind your own business. It was them who hired them after all.
It is trying to avoid hiring an ethnicity by saying things that a specific ethnicity would find offensive, but not others so you can filter them out of the hiring process.
That is not what that's about. It is trying to avoid hiring people who work for a foreign government by asking them to say things that would be illegal in their country. It has nothing to do with ethnicity and everything to do with nationality.
Nobody is trying to avoid hiring an ethnicity. There are plenty of Koreans that would still be hired, those from South Korea and everywhere other than North Korea.
I hate how this is acceptable to make such claims about another country without providing any evidence. Same goes for Chinese or Russian hackers. It’s just whoever the US government is unhappy about.
The article itself is evidence. There are many more links in it to other stories that report on basically the same or similar incidents. There are also several names in the article itself that you can research or probe on your own to tell if it's coming from a trustworthy source.
Consider also the author: it's written by an actual journalist/editor with a large body of pre-existing work in the field, and many of the claims written are backed up by quotes from a named source. It's not like they're writing all this and hiding it behind the weasel phrase 'according to a source close to the matter'.
The register too is actually UK founded, so it's not even American.
Your reaction is just so typical of people nowadays - just assume it's all 'made up' without any effort in debunking or picking apart any specific claims.
There's evidence, large investigations, and arrests aplenty already.
Justice Department Announces Coordinated, Nationwide Actions to Combat North Korean Remote Information Technology Workers’ Illicit Revenue Generation Schemes (justice.gov)
Law Enforcement Actions Across 16 States Result in Charges, Arrest, and Seizures of 29 Financial Accounts, 21 Fraudulent Websites, and Approximately 200 Computers
..
Today, the United States Attorney’s Office for the District of Massachusetts and the National Security Division announced the arrest of U.S. national Zhenxing “Danny” Wang of New Jersey pursuant to a five-count indictment. The indictment describes a multi-year fraud scheme by Wang and his co-conspirators to obtain remote IT work with U.S. companies that generated more than $5 million in revenue.
North Korea would never, in a million billion years, either accept peace, or actually honour it. NK is a hideously oppressive, violent, dictatorship, which would invade SK in a microsecond if it thought it could get away with it.
I think it astounding - staggering - to point the finger here at USA.
If you were not a long term, serious poster, I would think you were a fake account.
No, one side declaring the end to a war does not end that war, this is one of the worst foreign policy takes I've ever heard. The NK regime is secure because of the war, they will poison pill any negotiation by demanding South Korea become part of the north.
They convinced Ukraine to give up their nukes, promising that they'd be safe. I don't think there's any chance of convincing North Korea to follow the same path.
You don't have to be an evil North Korean to do that. Outsources have been doing it since time immemorial because they can't achieve sales in any other way (or, through direct corruption - often offshore outsourcing shops are owned by managers of their clients, who effectively use them as tools for siphoning money away).
Hopefully the fear of foreign actors will put an end to this too.
I have to hand it to North Korea on the inventive revenue streams. This is a country under sanctions for decades that has developed some of the most clever IT scams for siphoning money from the west. Between this and the Lazarus group the country has brought in Fortune 500 company kinds of money to keep itself afloat.
This is entirely US's companies fault for not favorizing people from 1st world countries. At this point it's not a question of $ but not really giving a shit.
If you have 2 candidates and one is from lets say Czech Republic and the other one from 3rd world then it's fully on you for getting screwed over.
Could have read the article. All involved companies hired US-based workers who received company-provided laptops and set up remote access on them for North Koreans.
It's been over 75 years. It could not be clearer that this attempt to punish the ordinary people who live in North Korea for having a government that the US finds disagreeable will not succeed in somehow fomenting revolution. What it has succeeded in doing, apparently, is sustaining a level of poverty and isolation that motivates even crazy schemes like this.
Here's how to actually stop it: stop weaponizing poverty to beat a Cold War-era dead horse, and end the damn sanctions.
Russia was an important trading partner for many European countries. Especially important for Germany. Basically no sanctions. Freedom of movement with fairly good visa policies. No great internet firewall. How much did all this help to prevent another huge war between two European countries?
Different behaviors have different motivations, contexts, and causes. It's extremely clear that these, like other criminal moneymaking schemes in the DPRK, are directly and closely related to the high degree of isolation of the DPRK and the difficulty of getting capital into it.
Of course lifting the sanctions won't also end all spycraft, or ensure an end to geopolitical conflict. Those aren't things I have claimed or would claim.
And the primary reason to end such sanctions is not any benefit to imperialist nations but because of the fact that they inflict misery on ordinary people indefinitely and (not essential, but adding insult to injury) uselessly.
> they inflict misery on ordinary people indefinitely
Pyongyang was making its people miserable before there were sanctions. America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
> Pyongyang was making its people miserable before there were sanctions.
Whether or not we approve of Pyongyang is completely irrelevant to every point I've made. The questions are (a) whether the sanctions have had a material negative effect on the North Korean people, and (b) what they have accomplished. The answers are "yes" and "nothing of any use", neither of which is controversial. And our fixation with North Korea and the evil we wrought there obviously doesn't begin with sanctions but with millions of tons of bombs, tens of thousands of tons of napalm on arable land, or the destruction of the People's Republic of Korea (not the DPRK), a functioning government that existed in both the North and South before the US invaded (literally reinstating colonial Japanese governors as officials).
> America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
The US was directly involved in the division of Korea even before all that. Frankly, your entire comment has been not only extremely handwave-y but deeply dishonest.
Ergh, something did get lost in a rewrite of my comment between tons of bombs and pounds of bombs: it's "only" over half a million tons of bombs. Many hundreds of millions of pounds, "only" over 650,000 tons. The range given for napalm was accurate; it's over 30,000 tons.
They cite LinkedIn profiles with 25 connections as easy tell tale signs. Well, I've got news for you: hacked LinkedIn profiles. Happened to a colleague of mine. Profile with more than a thousand genuine, reputable connections got hacked. Picture and name got changed to something East Asian sounding/looking. CV got changed to US defense contracting. Luckily this tripped some automatic account lockdown otherwise it might have well gone undiscovered for a while. Few people will remember every single LinkedIn connection, there's no notification of name change in messages etc. Quite likely this profile was sold to North Korean fake IT workers.
Also, many people like me don't even have LinkedIn profiles. The "pick up your work computer in person" idea sounds like a much more reliable method to me.
Yeah, pick up your computer in person will not work if you live 2d travel away. If my remote job told me to pick up the computer in person after 8h of interviews and tests I'd be seriously pissed off. If they advertised it in the beginning I'd not have applied.
In my country (Poland) courier companies offer this service of "id checking and contract signing". You can have a courier deliver a contract, check the recipient's photo ID and confirm their identity, have the person sign the contract, return it and the courier takes it back.
If there is no such service available there is only one way to prevent this from happening, proper screening of candidates. In my 20+ years of working for Fortune 500 companies in positions not far from the top only 1 - a Japanese one actually screened my educational background and called my references and past employers to verify.
If employees worry they will loose some really good candidates that have no documentable background ask them to do some other security check. Do a video call from the main street of their home town. Or some other thing randomly selected from a set of 5. If the role is really important hire someone to visit the remote worker in their home and deliver that laptop in person. But don't expect them to travel to pick it up.
Sounds reasonable to me that the companies that hire to work remotely would like to have some live meet-ups once in a while. For the most part I wouldn't see a problem traveling to an employer's office for a week or so to start.
For working parents, it's pretty tricky. I ran a few remote organisations, and while there were usually decision makers that wanted mandatory meetups, I always tried to make it as optional as possible, and to eliminate the need for those where feasible.
In the age of vibe coding and North Korean fake workers, I'd probably go another way though. Trusting your remote workers used to be easier from my perspective.
You know the saying "trust but verify" :-) As mentioned before I think we need robust verification in place for things like new hire identity, but you mentioned an additional thing "vibe coding". The most obvious response to this is to have merge checks that run a bunch of tests on important stuff, and peer review.
My current place of work has rolled out both copilot and gemini coding assistants to everyone and so far I've not seen the expected flood of lower quality code or code clearly written by AI and not even being understood by the submitter. We're talking ~80 devs in 3 timezones just in my project. This is very encouraging.
Unless like me you live 8h travel by road away, and there are no reasonable flights, to the nearest office.
I made a decision long ago. Either a job is remote (I apply) in which case it has to really be remote. Or it is hybrid(I don't apply). If there is a day in a week/month/year that you're required to visit it is no longer 100% remote. This especially applies if it requires international travel, doubly so to certain places that make such travel even a bigger hassle than it needs to be (I didn't think US will be on this list in my lifetime, but here we are).
Perhaps I'm just annoyed it is very common in this job market (at least when I looked last ~2 years ago) to advertise 100% remote jobs, have 3 interviews during which you're assured "yes,100% remote" and then either get a contract that has provisions allowing for it to be revoked, or even being told verbally, or not even being told, but pressured as time goes by, no actually you're expected to visit. I had a client like this once. Otherwise a good job. The manager of my team got constantly a lot of crap that his people are "never in" despite the company hiring the whole team as a remote.
There are plenty of people in business that would love that whole remote thing to dissappear. It starts with "come to the office once a month for a night out, we'll pay for your hotel", then it's just "come to the office once a month", then it's 2 weeks, 1 week, then it's 3 days a week, and then it's just Friday you work from home, but no one actually works on that day, but you so you're blocked on most of what you do.
Who are these people? Managers that never learned how to manage remote teams, HR that worries their dept will be cut down, branch/country directors that can't show the visiting "leadership" an office buzzing with activity, and that guy who decided it's a good idea to buy a huge office building in the city centre a month before covid started (I've already worked fully remote for 3 years before covid started, but it was just me and another guy in a team of 9, now it is much better when the entire team is remote, there is no "us and them").
Sorry, just as luditites wanted to go to the power of muscle from the power of steam, there is no going back. The advantages to everyone are too great. To the employee, don't have to explain I hope, to the employer, lower cost and much bigger hiring market, to the entire world there is less travel and entire generations of people not wasting 20% of their waking hours on travel...
If I was in the US I'd be investing in "verification centers" right now
I think of the network of testing centers used for various certifications as a model and even something that could be repurposed.
If I recall, certain government jobs already need something like that you can get at the post office?
So notary publics?
I'm guessing many people working in security don't have LinkedIn profiles. It's not like you want to advertise a stint in Fort Meade, and then a list of people someone might contact to get access to you, or pull some social engineering. Or advertise your TS/SCI in your profile.
There's more and more places where the less visible presence online you have, the more you're a good fit for the position.
Perhaps I don't know the people who aren't advertising it but I see plenty of people advertising their time in natsec or their clearances
> Perhaps I don't know the people who aren't advertising it
Not picking on you, but that's kind of a tautology :)
Surely North Korea could arrange people to do this, too. They already have people on the ground in the US e.g. to open bank accounts, and they only need this for candidates that actually get the job, not every interview.
You might say the people who interviewed the candidate should be there when he picks up his laptop. But this is already an extremely remote-friendly company, the interviewers might never be in the office. He's going to pick it up from the IT department in the basement and at best they will take a photograph of his face.
But it is so late in the process to catch them - hours wasted by so many people.
True, but at that point it's still not too late to prevent paying money that will ultimately end up in the NK government hands.
If it was the norm, the fake worker problem would go away, and the hours would not be wasted.
[dead]
Jeff Geerling recently discussed being contacted by the FBI to learn more about minature KVMs, one of the devices North Korean fake IT workers use to appear to be coming from other countries https://www.youtube.com/watch?v=Lc2hB2AwHso
In this case, the KVMs are plugged into multiple laptops being run in people's basement/spare bedroom, it seems. Someone will earn a set amount per laptop per month, to accept a company-supplied laptop (from a us company) then plug in one of these little KVMs to give a remote worker access without as much ease in detection.
The Wall Street Journal had an article about the people running these North Korean laptop farms.
https://www.wsj.com/business/north-korea-remote-jobs-e4daa72...
> "I live in a travel trailer. I don’t have running water; I don’t have a working bathroom. And now I don’t have heat,” she said. “I’m really scared. I don’t know what to do."
Whn people have no solutions for basic problems they become the problem.
So the main difference over more typical remote desktop methods is that it pretends to be a physical display and keyboard to fool the PC it's remoting into in if it's overly locked down?
Feels like there's otherwise a hundred different ways to already do remote control without any extra hardware.
All the alternatives have a risk of setting off D&R tripwires. Assuming these things can spoof their device IDs so they look like a Logitech keyboard etc, I think the cost of the hardware setup is gonna easily pay for itself in terms of harder detection.
What does "D&R" stand for in this context?
Detection and response - basically any remote access software usage is very likely to trigger an alert to the IT security team, either from the antivirus or EDR (endpoint detection and response, the most famous is Crowdstrike)
The most infamous at this point one could say.
Either way you've heard of them :)
> Feels like there's otherwise a hundred different ways to already do remote control without any extra hardware
This way the worker doesn't have to know 100 different ways to remote into the machine, just one
> amount per laptop per month
Curious what typical rates would be.
So I must be really dumb here but what exactly does the kvm do? It's just stated that it has an Ethernet port and an HDMI and therefore can remote control a computer? And he said the North Koreans are putting them on people's computers as if North Koreans breaking into people's apartments is a common occurrence we've all experienced? And why did the FBI contact him about this?
There's obviously some context I'm missing here, I always thought kvm was the Linux kennel virtualization system...
> what exactly does the kvm do?
In this context the abbreviation stands for “keyboard, video, and mouse”. These are hardware devices you physically connect to a computer and then you can remotely see the computer’s screen and input keyboard and mouse inputs to it via the network.
> It's just stated that it has an Ethernet port and an HDMI and therefore can remote control a computer?
Yes. That is the purpose of a KVM device.
> he said the North Koreans are putting them on people's computers
What is described here is a scam perpetrated by North Korean state to gain funds despite economic sanctions trying to prevent it from doing so.
The scheme involves someone pretending to be a legitimate remote worker working from a legitimate location, but in reality they are performing the work from North Korea. The person working the remote IT job in North Korea gets a pitance, while the state pockets the larger part of the money paid to them.
As part of the scheme the remote worker gets a laptop from their western employer. Corporate IT installs all kind of security measures on the laptop, but also grants it means to access internal resources. The scammer can’t ship the laptop to North Korea and use it directly because if that gets detected they will be found out and fired. They also can’t install software based remote access tools because corporate IT might detect those too. So they use a KVM to remotely use the laptop from North Korea and stay on the job as long as they can.
> as if North Koreans breaking into people's apartments is a common occurrence
The scheme does not involve North Koreans breaking into apartments.
> And why did the FBI contact him about this?
Who knows. Jeff seems to have described how to use a particular cheap KVM in the past. Likely this KVM device is used by the scammers. Maybe he has connections to the KVMs manufacturer? Maybe the FBI thought he does?
> I always thought kvm was the Linux kennel virtualization system...
Same abreviation, but different thing.
KVM in this context stands for keyboard, video, mouse. There are multiple types of these KVMs, and the ones discussed here are remote KVMs.
https://en.wikipedia.org/wiki/KVM_switch#KVM_over_IP_(IPKVM)
It sounds like the North Koreans pay 1 person in the US to have a ton of laptops with KVMs attached to them, and those laptops are remotely used by North Koreans.
Not to be confused with Kernel-based virtual machine (also called KVM):
https://en.wikipedia.org/wiki/Kernel-based_Virtual_Machine
KVM (keyboard, video, mouse): https://en.wikipedia.org/wiki/KVM_switch In particular, https://en.wikipedia.org/wiki/KVM_switch#KVM_over_IP_(IPKVM)
It seems they don’t break into someone’s apartment but instead pay someone to stick a kvm connected laptop somewhere in the apartment.
I imagine they mean a remote KVM. So you remote into a PC sitting in a basement in someones house in the US. You then make all your outgoing internet from thta setup and your IP address would look legit.
Its not just North Koreans using them. Its also everyday US citizens who want to be digital nomads.
When i looked at https://www.reddit.com/r/digitalnomad/ a few years ago it didn't seem like any solution really worked reliably.
But if you had a farm of them and one guy maintaining them, rather than sticking it in your parents basement with nobody to maintain it, that might be something different.
Something is amiss here...Developers make hundreds of applications to even get a reply much less an interview...While apparently, barely English literate North Korean IT workers are getting all the jobs :-) Time to praise the Supreme Leader on LinkedIn ?
People are single but romance scams exist.
Scammers are good at the scam. They are good at telling the right lies, they often work in teams (lead finders, closers, and everything in between), use automation where appropriate, etc.
A single dev might have trouble cracking the lead finding code, the resume code, the interview code, etc while and avoiding telling any lies that will get then fired 3 weeks into the job. But a team who all treat the application process as a full time job? It's a lot easier.
Also when a dev gets good at finding a job, they stop looking. Scammers get good at it and then keep getting better.
Maybe these North Korean scammers could make good money by selling their job application tips and tricks to actual talented out of work engineers. They seem to not be struggling to get these jobs, unlike actual developers who are struggling.
Very likely the jobs these North Koreans are getting would not be considered a good job by the devs struggling to find one. As a starter when you plan to phone it in from North Korea you can accept a salary which would not be liveable for a local and stil make it worth it for you.
I have gotten multiple emails from wonky email addresses offering to have me interview for jobs and they will take care of the work if I get hired. fake names tons of money for me. I just have to nail the interview.
My resume is shiny enough and I've gotton hired enough times im a good candidate for this kind of scam.
This feels like a very ham fisted approach for them though. 99% of engineers are going to ignore or not take seriously these kinds of out of the blue offers.
1% will be plenty in the current market, eh?
These people aren’t constrained by the bounds of reality. They’re applying with claims of having attended Harvard and then worked at Meta and now they’re applying to your company.
Their resume goes in front of yours in line.
I would not say they are getting the jobs but they are getting interviews.
They probably use many identities
[flagged]
[flagged]
> As US-based companies become more aware of the fake IT worker problem, the job seekers are increasingly targeting European employers, too.
All the US companies I've worked for made sure I was legit before I could log into anything, so I assume background checks to be ubiquitous there, save for the cheapest companies. European employers on the other hand...
The thing I don't like is that US companies take it too far, to the point they're violating my privacy and making me uncomfortable.
Why do you need to do a hard credit check before you give me an offer? Why do you need to know exactly how much I owe on my credit cards, car, house, how much I'm paying per month, and how much I've made at every job for the past 7 years?
That feels... excessive. And weird. And kind of unfair. Now you know my paycheck, and the paycheck before that, and how desperate I am. Well, there goes negotiations.
It feels like you're going through some kind of security clearance.
To be honest, getting insight and access to a major company's networks and maybe customer data is perhaps the same kind of risk to the company as it is for the government to give someone access to (top) secret files. It might not be so much a negotiating tactic as awareness that more sophisticated spies and criminals than the ones in the OP article are targeting your company.
Who's doing a hard credit pull at all, especially before salary's negotiated and the offer's extended?
It's a thing, but I'm not in the business of naming names. IMO we should just nip this in the bud and make it illegal.
> That feels... excessive. And weird. And kind of unfair. Now you know my paycheck, and the paycheck before that, and how desperate I am. Well, there goes negotiations.
I think that's partly the point.
> European employers on the other hand...
Many European employers
- don't or rarely offer remote jobs, so they often don't have this problem.
- even if they do some video or phone interview for pre-screening, they nearly always expect the prospective employee to come to a live interview if they are not weeded out by this pre-screening. It is thus expected that you at least live in a country from where you can easily travel to the place where the employer is located.
- often expect their employees to be able to speak the national language, or at least learn it fast. This also makes times hard for North Korean fake IT workers.
I live in Finland, and while it is not universal it is extremely common for IT-companies to have a working-language of English.
The country is small and hires both immigrants, and people who specifically relocate to start working at the English-only companies, as well as local candidates.
Learning Finnish will obviously make your life easier, in many many ways, but companies themselves do not seem to expect or require it.
I've heard this before about Finland and found it really interesting as to my knowledge English isn't particularly more societally prevalent in Finland than in nearby countries such as Sweden, Denmark or the Netherlands. Any idea if it's as common in those countries as well? By the sounds of it in Finland there's more IT companies operating in English than in Finnish.
It’s definitely common in Denmark, enough that it’s a perennial national debate. Maersk is a huge employer that officially made their corporate language English something like 20 years ago, which spawned discussions about whether you should need to speak a foreign language to get a job in your own country. In practice the answer is yes, for some sectors.
I worked for years in an English-language work environment in Denmark (I am not Danish), and learned maybe a handful of phrases of spoken Danish the entire time. I was expected to be able to read the occasional email in Danish, but 1) written Danish is not hard in comparison, and 2) even years ago Google Translate was good enough.
It would have been nice from a social perspective to have known more spoken Danish, but my employer didn’t really care, and it isn’t easy to learn if you don’t have strong local connections. Danes will just immediately switch to English by default, and even if you ask them to continue in Danish, you need a decent level of Danish pronunciation to make yourself understood, which is not trivial to get to.
In The Netherlands I think it's pretty rare to require Dutch in IT related jobs. I know of one software company that recently initiated a policy of only hiring Dutch speakers and I suspect it will really hurt their hiring going forward. When they initiated the policy they also retroactively exempted all the great developers that already worked there who could not speak Dutch.
I’ve never had this experience. Never once was I flew in for an interview and, in two of the previous companies I’ve worked for, I did not speak the language.
This is at least the experience that I (and many people who I know) had.
> I did not speak the language
As I implied: if you are really talented, you don't have to speak the native language yet, but it is expected that you learn it fast.
Maybe I was lucky there (or unlucky depending on the point of view). I’ve even worked for years for a French company without learning French.
I wouldn't say that's generally true, at least in NL the work language in IT is often, probably almost always, English. I know people who have worked here for ~10 years who barely speak any Dutch.
I’ve seen reports from people who were contacted by companies asking to use their identity for jobs. The deal was that the company used their likeness and identity to secure the job, but they would do all of the work and split the paycheck with them.
There are a million reasons why this is a bad idea, but I’m sure they don’t have trouble finding people excited to collect free paychecks.
We got catfished by an outsourcer on Upwork.
Great interview, good questions, really solid candidate.
His first day on the job, his English went to shit.
Then he refused to pick up the phone or call me back. Lame excuses about how it’s loud there, then he lost his voice, then scheduled a call with the real “Jeff” the American who couldn’t answer anything about what we had discussed an hour earlier.
Reported to Upwork but I sort of doubt they did much about it.
Video calls super important and asking questions that wouldn’t be a normal interview question. Helps to have candidates walk through and explain code they haven’t seen to reduce any prep work that may have happened. I’ve got a few questions I ask that no one is preparing for. I’ve interviewed a couple people that seemed kinda sus, maybe not working as someone else but definitely lied about their capabilities but somehow passing the coding test. This was before LLMs ruined everything too.
We had a video call. He did great.
It was day1 on Slack that the issue was immediately apparent.
I also got contacted via LinkedIn by a “normal” profile of a Dutch guy with normal connections, that was even connected to people I know, offering me the same. I politely suggested it’s not a great idea and declined
In Indian dev groups, we gets ads for "job support" and "interview support" for recruiting people into frauds.
I was once contacted on LinkedIn by an individual asking to use my identity to work in the US
The background checks don't always work because they typically use stolen identities or use the identities of Americans that they've paid. They basically have to in order to pass I-9 verification.
There are also different levels of background checks. For instance, previous employment verification can be time consuming so some companies skip it. Checking references aren't useful because they can be faked (you have to run background checks with employment verification on the references to make sure they are who they say they are).
Yes, it generally don't work. Thats why you will find many F1 student with 8 years of experience.....
Where I am in Europe you couldn't even get a (legal!) job in a bar without showing proper ID, and having your identification (id card number) checked and be present in the contract.
The fact that "fake people" can be employed for high level IT companies in the US is just unfathomable to me.
That’s only one of the scams. You pass background checks if you’re new to the US. It’s a fairly common grift to place contract programmers at big companies with fake degrees and experience, who then send the work back to Asia to be done overnight. It’s easier now with ChatGPT - you can send photos of screens and instantly extract the text.
You also have people who outsource themselves. That’s one of the ways that the people who work multiple jobs pull it off.
> You also have people who outsource themselves. That’s one of the ways that the people who work multiple jobs pull it off.
that's not a scam - that's the new work smarter, not harder method of earning money.
I can’t find the tweet but apparently you can also filter these folks out by asking them to criticize Kim Jong Un
I’d be shocked if that was still true after the first time someone tried it. If you’re running an undercover operation, you’re going to give your agents backing to say whatever they need to say to maintain their cover.
It's very naive to think you can win against any state-level advanced persistent threat.
That’s why it’s important to remember that not all state-level attacks are created equal. Intelligence agencies can create fake personas at varying levels of cost and realism, but if North Korea is doing that for revenue they’re not going to spend the same kind of resources they would trying to get, say, nuclear weapons data.
The situation here is significantly asymmetric: the attacker has to do a lot of work to build a realistic persona but the defense can make that much harder with a few basic checks. It’s been cost-effective in the past because companies were skimping on their hiring and internal security, similar to how the identity theft crisis was mostly a crisis in companies doing due diligence.
It's not naive at all. Most of these threats can be thwarted by simply following basic business and security best practices. Many hiring managers are lazy and incompetent, and don't even do the bare minimum.
If someone asked me to criticize KJU, that would be the end of the conversation. I criticize people on my own or not at all. I suppose I would become a false positive.
Even with the context of knowing the fake worker problem?
If so, I suppose that’s another good reason to ask the question. It filters out both North Korean fakes and people who are going to be doctrinaire about small things.
Companies ask a lot of weird questions instead of asking what they really want to know: "will you join a union?"
I think I would encourage companies that are experiencing problems with unwittingly hiring fake employees (North Korean or otherwise) to ask such bizarre questions. Or they could just flat out state that they have been having such problems and will therefore be implementing schemes to detect fake employees.
I would very much appreciate that. I think it would be grand if they could even put that in the job posting right up front. It would help me cross that company off the list of places I would be willing to work. I personally don't want to work at a place that cannot tell whether I am real or fake.
perhaps a better solution would be to ask an opinion about KJU... not to "criticize" him this feels pretty dystopic indeed, like 15m of hate...
If a company asked me anything about the leader of North Korea during an interview for a tech job, I would conclude that they were not a serious company.
What I think about any country leader is totally irrelevant to tech work. So the company is either 1. Wasting my time with a totally irrelevant question or 2. Their hiring process is so vulnerable, they can’t even tell if a candidate is fake. Neither of those would make me particularly excited about that company.
It was 2 min of hate ;) and this clearly isn't the same as trying to rile people up; it's a thin attempt to get people to self report if they are lying with some sort of higher level "gotcha".
Feels like the story about disconnecting Chinese gamers from matches automatically by typing "tiananmen square" or the story of the Battle of Siffin with one side putting pages of the quoran on their spears in hopes the enemy wouldn't fight that way. Unclear how accurate the stories are or how effective it may have been but kind of interesting at least.
It was 2 min of hate
Inflation.
Lol the ever increasing cost of living gets you in places you don't always expect!
Sounds just like something a North Korean would say
Honestly, sounds like a red flag if even a legitimate applicant is unwilling to voice an opinion on the Kim regime.
Please do not foster this concept that I have a responsibility to proactively criticize ever fascist regime of the past century in order to dispel implicit notions that I am "supporting" them in vague undefined ways.
To be basically informed about, yes. An educated person should probably have a view about broad topics like North Korea, and whether Pyongyang is more worthy of criticism than praise. And I don’t want to work with someone who is open to the morality of the Kim regime.
It isn't your place to know the political sympathies of everyone, nor is it your place to decide what constitutes 'support' about every possible issue. It is simply not viable to do this if you want to work together with large, diverse groups of people. There are people with objectionable but private views in the world and in the workplace, deal with it. This is entirely separate from people's public views.
[dead]
I would find that question extremely weird in a job interview for a normal job, and I have no problem saying that the Kim regime is one of the most horrible regimes ever.
I don't consider myself to know enough to criticize.
Of course what little I do know is all negative. But I've paid only limited attention, and I get nothing from primary sources.
I expect the same from practically everyone -- perhaps excepting South Koreans who at least speak the language. I'd consider it good judgment to say that you just can't meaningfully answer the question.
I'd read a statement you hand me, if you thought that would suffice. But I'll admit I'd consider that weird and likely useless.
If you know so little about a major, long term authoritarian dictatorship, consider this evidence you need to educate yourself.
This was dead because?
Because "educate yourself" is quite possibly the most annoying, low effort thing you can say to someone whom you think should know something that they don't. Either share the information with them or don't engage at all; there's no need to be a dick about it.
Because it was a low-effort, uselessly snarky answer to a valid opinion.
Especially when the reality is everyone “knows” so much that isn’t true or that is true but they could never personally confirm it.
I am not 100% that North Korea exists. I’m pretty sure, but I can’t KNOW it without going there.
So while dictators are bad, the Kim’s are probably bad, sorry if I don’t go to the deep end repeating everything that someone else taught me.
[flagged]
You're right; there are limits to that excuse.
In the case of North Korea, my excuse is "I haven't put the time into it because it's a small country on the other end of the earth -- nuclear armed, but without effective delivery devices and massively outgunned. I wasn't prepared to give a lot more detail in the context of an interview that isn't about geopolitics. If you want me to research I can."
Look, that’s better than pretending there’s nothing wrong with North Korea, because you wasn’t there personally and hence cannot talk of the matter.
100%
It's not a false positive. It's a true positive
If the person is so obnoxious as to not be able to give such a silly statement, imagine how they would be fun in your team
Without context it seems like a weird trick question, like phishing tests and most corporate training.
I can ask people to criticize trump before hiring them?
Replace North Korean leader with Biden and Trump, how that sounds?
Pretty sure a huge number of Americans would happily curse both with the fire of a thousand suns.
On demand? Also will this trigger some discrimination law?
You can legally discriminate on the basis of political views.
(IANAL.) Whether that is legal depends on jurisdiction, in the US. CA has protections, for example.
In California?
It sounds like you are supporting those villains, justifying their atrocities.
I would never allow any potential client ask me ANY political questions. Not because I like any political figure but because I am trying not to encourage fucking thought control. I hope we are not on Nazi Germany yet. It is just simply not their fucking business. On the other hand if they offer me a million in cold hard cash just for that I would tell then anything they want to hear.
> I would never…
> … if they offer me a million…
This is exactly like that famous joke! :D “Mam I believe we’ve already established that. At this point, we’re just negotiating.”
You nailed it. If they want to pry into my private things they better pay for it ;)
The punchline of the joke isn’t that it’s weird to put a price on X, but that it makes it rather hollow to start that same paragraph with four different variations of “I would never do X!”.
It’s kind of like an Abbott and Costello routine. I would never do that! How dare you suggest that. You’re a commie. The scum of the earth. I’m above that. Gimme five bucks I’ll do it right now.
There is a big difference between saying you gonna do it and actually doing it.
[flagged]
I disagree with all of them. Sleep well
[flagged]
You'll likely have to be careful with profiling here. You'll probably need to have documentation/proof that you ask this question to all candidates regardless of race or immigration status. And yes, that means you'll need to ask it to people that clearly aren't North Korean (though that maybe be a good thing in general as I'm sure the next step for the NK regime would be to pay people who are not Asian or who have American accents to do interviews if the practice became widespread)
Maybe more likely that they just assume they are caught, or assume the likelihood of getting caught is higher when there is overt screening for North Koreans.
Similar to why email scammers don’t need good grammar, filtering out difficult cases quickly and move on to easier ones.
I don't really understand the logistics of this to be honest. From the article it doesn't sound like these people have false IDs, they just make fake LinkedIn profiles?
In a lot of countries certainly here in Germany your employer has to pay social security contributions and needs your insurance, healthcare information etc. In addition if you're a foreigner you need to know their legal status to see if they can even work. Like what do these scammed companies do, just wire money to some guy they interviewed on social media and ship company property to random addresses? Is that even legal in most places?
They presumably wire the money to a person operating in the US who sends a portion of that money to the NK employee. The US person is then the one in the company payroll files. At least that's my understanding.
We should definitely go after those folks, but it's not pleasant, as many of them may be having their own issues that add to the problem.
One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money. We have entire industries that sell narratives, rationalizing these compromises.
This is exacerbated by the current employment problems. They keep talking about how unemployment is down, but I think we all know folks that are un (or under-) employed, and the difficulties they are having, finding work.
Someone in that state, is fertile ground for money- and job-laundering bad actors. It sucks to punish them, but that is what we need to do, to discourage the practice.
I agree but I don't actually feel bad about punishing people for committing fraud (as long as we punish all people fairly, etc).
> People will do almost anything, and compromise all their personal values, for money
I think this demonstrates what their ACTUAL values are or at get very least the priority of those values.
> One of the big problems with the US, is that we worship money like a god. People will do almost anything, and compromise all their personal values, for money.
A US person without adequate cashflow is likely to not be able to have food, housing, clothing, medical care, etc. A lack of morals are not what causes people to do anything to make money, it's a lack of money in a capitalist society. Blaming people for systemic problems is incredibly regressive.
Quite a few people will have adequate food, housing, etc and still dispense with morals for money. Some studies suggest that having more money makes one more dishonest rather than less.
The problems are indeed systemic, but it's not just lack of money. The system is constructed around the love of money, such that too much is never enough.
> Some studies suggest that having more money makes one more dishonest rather than less.
What came first, money or dishonesty?
My understanding is for a US employee, the employer is supposed to confirm eligibility to work in the first 3 days of employment. Some form of government id plus a social security card or a passport or something like that. IRS form I-9
Otoh, if these positions are independent contractors, form I-9 isn't required. Just a tax id for reporting purposes.
I would imagine whoever is hosting the laptops may be authorized to work in the US and could also be convinced to provide identity documentation. I think there's a lot of borrowing of documentation by immigrants/migrants who are not authorized to work in the US; so there's probably a marketplace somewhere too.
Because it's contractors. You are not an employer in that person's country.
That’s part of what is being exposed here. The hiring process for many companies is not very robust. I doubt many even check references
In three decades, I’ve had some call me to check a reference only twice for private sector jobs. The federal government actually does this as part of background checks so it works but you need to want to badly enough to pay real money.
The other problem is liability: companies often tell their employees not to give references for fear of being sued if the employee doesn’t work out, and most companies don’t expect useful information from them unless someone left in a way which has a public record like a court case. The federal checks don’t have that problem because not answering honestly is a crime. You’d need some kind of shield for honest statements for the private sector to really get accurate assessments, and that’s tricky to do in a way which allows the most useful opinions.
They're targeting locales and companies with less stringent checks.
I would really like to see one of these deepfake videos that managed to trick any competent interviewer into thinking it was real. I couldn't find anything like that on Youtube. Even in highly controlled environments the deepfake videos can be immediately recognized.
Here’s one example, although I don’t know if this is a North Korean.
https://www.linkedin.com/feed/update/urn:li:activity:7292604...
I keep hearing about this and honestly I don’t get it how does this continue to happen? Here I am, a real human, decent person and a nice guy lol yet I can’t find a good job. What are these companies doing, how is this possible?
They aren’t telling the truth when they apply. They’ll use stolen identities, fabricated backgrounds, fake reference checks, hacked LinkedIn profiles.
They are professionals at lying and interviewing. When it’s your job to get jobs and you’re doing it with organized support, you will find something.
They also don’t really care if the job is good or bad. They’re just farming any and all jobs they can get and hanging on to them until they’re pushed out. At many companies, that can take years.
The Norks basically just steal a very qualified persons identity and info and then use that info to apply for jobs. So on paper, the job applicant looks pretty good but its just all larping from the threat actors. For being such a hermit kingdom, they are very good at infiltrating large companies and stealing cryptocurrencies.
I am building a free service to counter exactly this problem.
This has been going on since 2018 at least and I have flagged thousands of such applicants.
Speak some more on this.
Yes please, I'm also interested in hearing more about what you're building CyberMacGyver
I'm curious why free?
The part that's really sad is that we have tons of out of work devs right now. This sort of thing only makes it harder for the legitimate people to get hired. An easy fix for this is for a place like Pearson to set up verified interview centers, which will allow for verified virtual interviews (on both sides of the table).
Another solution might be UNIONS that would have __membership verification__ including things like citizenship (which country(ies) are they a citizen of?), skills tests and training, etc.
Just like competition requires 5+ similarly sized entities for a healthy marketplace of companies, my informal opinion is that unions probably similarly shouldn't have overwhelming market share. However my feeling on contracts between unions and corporations is that the contract should be negotiated between multiple companies and multiple unions to produce the most level playing field possible.
At least in the US,
I like that software engineering doesnt require/encourage unions, contrary to other big industries.
As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
One great thing about being a dev in the US, u dont need a degree, learn a lot, can apply and get a great job.
Ive previpusly been in a union for a company and the experience did not encourage a competitive working environment. When layoffs came, Jr employees get sacked before more senior union members (not neccesarily the best technical staff just becuase they worked there long time).
I have family/friends in unions (non software devs) that have had similar experiences to mine.
Devs are the factory workers of today. You’re going to be sorry in 10 years when AI is fully mature and all the cheap talent overseas takes every US dev job just like it did to factory workers in the 90s and there’s no unions to even attempt to slow it.
And in an unlikely case that there were a union, US would lose competition to China and the union will be involuntarily disbanded.
Factory workers are the factory workers of today.
I believe what they mean is that software devs are the lowest of the low of the totem pole for making software. We, manually, put together the software. We're the lowest level part of the chain. In that way, we're the factory workers of software.
I'm sorry you feel that way about software. I suppose if your bedrock is JavaScript or Python and you've been bashing out CRUD apps it might seem that way.
We've actually been automating away our job since the beginning of software. Compilers have been thing for like 80 years now. We've had auto-complete, static analysis, automated testing tools etc. for decades. What about the poor assembly programmers? What about the people who were bit banging serial protocols for a living?
Yes, we have automated away most of our job, however we are still the bottom of the totem pole.
For example, Amazon warehouse are also mostly automated. Still, workers who move boxes around and scan barcodes are the bottom of the totem pole of the operation. They're the people manually making Amazon work. You can't get any lower, otherwise then you'd become a machine.
> What about the poor assembly programmers? What about the people who were bit banging serial protocols for a living?
Those jobs are mostly obsolesced, so the totem pole has "moved up", but we're still at the bottom.
You have to ask the question, who is manually making the product and putting it together piece by piece? For factories, it's assembly line workers. For McDonald's, it's the burger flippers and the board worker. For software, it's us.
We have a misconception that since we are educated and relatively well-paid we are not like that. In terms of our business function, what we actually do for products and companies, our roles are of the same type. That's not a bad thing - this can serve as a gentle reminder to curb any delusions of grandeur.
I get it now.
Good luck then.
Can't say I have much sympathy for American devs after what they've done with the place.
"One great thing about being a dev in the US, u dont need a degree, learn a lot, can apply and get a great job."
And on the other side, you can have a degree and experience and still not get a job due to the wild criteria and games that get played in various interviews.
I've been working in the tech industry for about twenty years now, and I desperately want unions. Sticking your neck out alone sucks to begin with and only sucks harder the more time goes forward.
Same. Back when I first got into IT, I was surrounded by (similar) nerds whose self-esteem was defined by being the smartest person in the room. Compensation was often higher than other white-collar jobs, so they (we) were happy to overlook the long hours and non or poorly compensated on-call shifts.
Most IT work now, whether dev or admin side, is not rocket science. It’s mostly approachable work and no one should settle for being abused by employers for some outdated, ingrained, cultural baggage.
Why unions? Why not just more protective labor laws? Why bet on some political organisation to protect you, instead of being able to take your employer to court yourself?
labour laws don't happen by themselves…
You trot out all the familiar retorts. None of this is a reason to not organize to better represent the interests of labor.
A retort being familiar does not mean it isn't true or real.
Millions upon millions of ppl at every income level have experienced working in and around unions and not all of them came away with a positive experience.
Do these same criticisms also apply to corporations? I've worked for some absolutely shitty corps that have abused and taken advantage of their labor. Should we abolish corporations?
These criticisms of unions are always pulled out but then never equally applied to corporations.
Corporations are providing people with jobs and clients with value (or they go out of business).
Unions, especially failing ones, don't inherently provide any net benefit to society. They may as well be engaged in little more than self-preservation and zero-sum games.
Therefore, I believe unions deserve a different type of scrutiny than corporations.
You can say the same thing about democratic governments, or capitalism, etc. etc.
By itself that's not a meaningful observation.
It didn’t come by itself, it came in the wake of a comment that outlined a process whereby unions have a negative effect on new applicants in the job market.
The disagreement then was “I’ve heard that argument before.” - “ok that doesn’t make it wrong” <— that last sentence is what you’re replying to.
>None of this is a reason to not organize to better represent the interests of labor.
unions restrict the supply of labor and this results in (price increase) better wages for the union's members. However, overall the total dollar amount transferred from employers to labor goes down (employment decrease), so the "class" of all workers (employed and unemployed) see their per capita wages go down. and if that's not enough, the industry grows more slowly so the problem only gets worse for everyone in the future (trickle down) this is the underlying reason for europe's lower year over year economic growth compared to the US
is the reason. it's not a moral or ethical or even income distribution issue, it's just how markets operate.
Surely you deserve a nobel prize for having solved economy where everyone else was just doing guesswork?
I just took economics, this is what is taught at any school with a serious economics program. (it's non-serious, though still can be good, if calculus is not a prerequisite)
The fact that economists disagree all the time is due to economics laws being just opinions.
> As unions mature they protect the employment of their members, not prospective members who are unemployed applying for jobs.
This is true in the same way that it’s true that all democracies turn into the majority oppressing everyone else, or get captured by oligarchs, or vote to raise taxes to fund social until the economy collapses, etc. – which is to say not at all. Unions CAN fail that way but it’s not a given. We shouldn’t give up on a useful tool because it can be failed, we should talk about how to keep it healthy.
For example, I’ve seen the no-degree route you talk about made easier by unions because it forced merit hiring rather than hiring more dudes with social ties from certain colleges. Again, that’s not guaranteed – you’d be forgiven for wondering if the Teamsters were a deep cover operation to discredit the concept of unions – but social institutions aren’t magic: they work to the extent that we make them work.
That’s not how unions work.
They are fine, but struggle with remote work in general because fundamentally the leverage the union has is a monopoly on labor, which is compromised by a global labor force.
These people are using stolen identities of real people in many cases.
Or they’re applying as international remote workers, where you wouldn’t expect them to be members of your country’s union anyway.
Widespread union membership with verifications wouldn’t solve anything.
Exactly - it's too bad certain rich assholes back in the day squashed the unions forming for software devs and VFX workers
Why add more gatekeepers to the industry? It also doesn't really make sense for an IT worker to want to negotiate as a collective when individual salary and benefits are some of the best in the world.
The interview process in US is already insanely ridiculous, but this would only add an additional level of crazy to it. Honestly, licensing would be less bad by comparison.
Can you describe what you see as the insanely ridiculous interview process? Most of the interviews I have initiated are something like:
So for a total investment of what, 6 hours, I can go from a cold call to an offer of something like 150k-300k/y? And I'm not even playing in the FAANG ecosystem.I'm not sure if we are experiencing different processes, or we have different opinions about what kind of time / reward tradeoff is reasonable.
Everything except the 30-60 minute manager call is a waste of time and money for everyone involved.
You just need to ask a couple of open-ended questions about the candidate's preferred programming language and/or some technical details of a past project they've worked on to get an idea of whether they are reasonably competent or not. It shouldn't take more than 10-15 minutes to go through. The majority of rest of the meeting can consist of the candidate asking you questions and/or chit-chatting to make sure the vibes aren't off.
What you are trying to judge is whether or not they can do the job, which you can really only tell once they are actually doing the job anyways. So you pay extra attention to what they do for the first couple of days/weeks after you've hired them and if it's obvious things are not going to work out you let them go. Most places have laws that are amenable to hiring someone on an initial trial period before stronger employee protections kick in.
In general, most of the pathologies of the hiring process can be solved by treating it as a satisfier problem instead of an optimizer problem.
There's a wide spectrum between "extremely efficient" and "insanely ridiculous". To keep it short, I think the incentives are pretty well aligned here. There's not much of an incentive for either party to waste our collective time.
I would be interested to explore a "quick hire, quick fire" philosophy, but I'm not sure it would lead to overall greater satisfaction. Employers don't like to fire people and employees don't like to be fired.
6 hours per application, plus another hundred hours of leetcode practice.
Because, let's be real, not a lot of us are writing leetcode type solutions in our shitty web devs jobs where we center a div. So we need to practice, and more importantly, memorize. Companies don't want a solution, they don't even want a good solution, they want one particular solution. That requires memorization.
Surely you are not getting through every round of interviews at these companies and suddenly failing on the last step.
How many hours of interview prep did you include?
The part where I have to rehearse solving ridiculous problems for a few weeks in my free time so I can perform them to the interviewer and then never use the skills again. It’s typically 2 medium/hard problems solved optimally in 20 minutes each with no errors if I want to beat the competition.
It can suck. I've definitely had some low points where I screw up an easy question and lost out on a place I wanted to work. I also understand that companies can't afford to make a bad hire often. My experience has been that interviewers are interested in the ability to recognize and fix mistakes, communicate about the problem, etc, and have had multiple occasions where I never even got around to filling out a couple pseudocode comments and still got passed.
Have you interviewed since 2015?
I don't think I've rehearsed for an interview ever. (And to your question in another thread, yes, I've interviewed since 2015. Multiple times, thanks to a layoff.)
> It’s typically 2 medium/hard problems solved optimally in 20 minutes each with no errors if I want to beat the competition.
I have also definitely made errors in interviews, and gotten hired. If I had to guess, it is a lot more about how you handle those. (To a degree. E.g., in one question, which was a coding challenge, I could solve it, but I was pretty sure my solution was not efficient. I voiced that, voiced why my gut was thinking it could probably be better, but I didn't ever get the full solution. In another one, I was just asked for past experience; I didn't think I had much to offer, voiced what I did have. I still to this day like the question, because it was a tough question, and the person who asked it really pressed me — in a good way, in that I could see that she took her own role/work seriously — on why I thought I was qualified.)
I've also had a call where me & the interview were definitely not connecting, at all. That wasn't going to work out, so nothing was lost?
As an interviewer,
> It’s typically 2 medium/hard problems solved optimally in 20 minutes each
… add 5 min for entry pleasantries and padding, 10 for questions for you at the end, and that's an hour, which is often all the time the recruiter schedules. And honestly, that's usually enough.
I don't ask hard problems. Easy ones sift out candidates. Where I ask coding questions, the first is almost always designed around "can the candidate write a for loop?" and the second is around basic datastructure comprehension. (Can you recognize situations that require a hashtable? a queue? and apply those to the problem.) Often a parsing question. Essentially CS 201, or easier, though I do not care if you know big-oh notation.
Most interviews I've been a part of fit that MO, and I've done interviewing with startups and with FAANG-sized companies.
> each with no errors if I want to beat the competition.
It's not about beating the competition. SWE hiring IME is never zero-sum. Two phenomenal candidates are two hires.
Maybe you’re just smarter than me or you’re applying for different jobs. I don’t really care about your interview process. I just need a few months of practice so I can perform LC hards in 20 minutes to achieve my goals
Wouldn't the issue be that an interview center could take money to lie/etc? When I start a job I would have to go through I-9 verification - if that process is not good enough to weed out fakes, how would another verification work better?
> Wouldn't the issue be that an interview center could take money to lie/etc? When I start a job I would have to go through I-9 verification - if that process is not good enough to weed out fakes, how would another verification work better?
You just need to have a US citizen's SSN and birthday to beat the I-9 verification. And "beat" is a strong word. I-9 is just a form that the employer asks the employees to submit, there's no requirement for the employer to do anything with it.
So you can just say that your SSN is 555-55-5555 and your birthday is 01-01-2001 and you'll "pass" the verification. It'll be detected only when the employer submits the Form-944.
There's E-Verify that requires a picture ID and more information, but it's not mandatory.
I forgot e-verify is separate, seems like a better thing to mandate
Maybe.
You’d lose out on people who don’t live near an interview center and potentially have legal issues if people had disabilities that impacted their ability to travel to an interview center but not their ability to do the job.
Maybe everyone who is enthusiastic about traveling to an interview center could do it, and the remainder can undergo heavy vetting? Perhaps a cost & safety optimized approach if tuned right.
Interesting idea! This seems like a natural extension of the coworking space business concept.
Yeah, I was thinking of the Pearson testing centers because they're already prpctored to prevent cheating and setup for identity verification. But co-working spacings could certainly work too. That might be even more viable in Europe.
Not sure why that comment got downvoted. It doesn't seem to detract from the topic at hand.
Not sure if it's feasible, but it's definitely something to consider.
I don't really see north korean workers as any less deserving of work
That’s not the question: it’s about trust and honesty. The problem with North Korean workers is that they are a huge security risk because they aren’t working as free people but as agents of their government. That might not be a guaranteed disaster if they’re just generating cash revenue but it’s a huge security risk if the North Korean government has any reason to subvert your company or customers.
Maybe first give them freedom. As long as their CVs are fake, their faces and experience are fake, and they're spying for their government, nobody should be hiring them.
Eh we're all victims of where we were born. I'm not about to hold someone's state against them. Unless i suppose it's a certain state that didn't exist 100 years ago and had to forcibly move people to make room.
>Eh we're all victims of where we were born.
It's a very profound statement (perhaps unintentionally so). Most of us wouldn't even be doing the work we do if we did not have to pay ransom money to our rulers. And then there are unwanted children and all of that...
The problem isn’t the people but the government which controls every aspect of their lives. If I hire a remote worker from England, I don’t have much reason to worry that they’re secretly working for MI-5 and plotting to infiltrate our systems unless I work for a drug cartel or military supplier, and I have a high degree of confidence that if they engage in misconduct they’re subject to a real legal system. If you hire a North Korean, abuse is far more plausible since the invention of cryptocurrency has helped them immensely when it comes to getting and laundering ransoms – and with nobody actually in a country subject to the jurisdiction of a government which cares what you think, they’re going to see it as a safe operation even if it brings you considerable harm.
Really? Even when everything about them is fake, and the most productive thing they're likely to do is spying on you?
I also don't hold people's place of birth against them, but there are some very reasonable limits to that.
> I'm not about to hold someone's state against them.
You don’t understand. These people are working for the state.
They’re not getting nice remote jobs to support their families. Infiltrating these companies is their job from the state of North Korea.
[dead]
Why make the exception for that state? None of the people applying for jobs were involved or even alive when it happened.
Just like I don't blame people for hating me because I'm a symbol of ongoing colonization, I expect people to be ok if I blame them for ongoing atrocities carried out in their name in public with no shame or believable justification.
If North Korea is just as bad, at least they're smart enough to not let me see evidence that invades my dreams.
Please re-read the article: These aren’t helpless people looking for jobs where they can do good work. This is a state-sponsored activity to exfiltrate source code, customer data, and in many cases extort the companies by demanding ransoms.
Can’t they just make week 1 in person compulsory?
You can easily dress that up as an onboarding thing and would solve this, no?
Assuming they have offices at all. My previous employer didn’t even have an office until 6 months after I was hired, and half the employees in the country were at the very minimum a decent 3-4h drive away from the office anyway. I’ve only ever met a handful of members of my team in person. The remaining employees were split up on 3 different continents.
A lot of companies have gone completely remote including a fully remote interview process because COVID basically mandated that and many companies kept doing it after COVID subsided because it was working.
But, yes, this will likely change that. In person interviews and onboarding will probably become the norm with fully remote teams as more companies become aware of the risks.
You can. Just like everyone can use a good password. Yet many dont.
Also there is a good reason not to make week 1 in person. You reduce your access to talent. I know we are in the everyone RTO and do 100hrs a week part of the BSiness cycle. But still.
Workers are currently in a bear market. No company has problems “accessing” talent, at least today. They aren’t going to lose a candidate by simply insisting on an in-person step, whether it be an in-person interview or a week of in-person work.
Yes I acknowledge that. Right now you can toss candidates because they didn't join your Discord 1am on a Sunday and still find hires.
But it does reduce your pool anyway and access to cheaper and /or better people.
It’s not a bear market for the best candidates. I know plenty of people who have found new jobs in the last 6 months.
Many of them would have said no to in-person interviews.
Candidates who are already well-known in their fields are generally not plausible candidates for this scam.
> Also there is a good reason not to make week 1 in person. You reduce your access to talent.
… I don't think candidates are going to turn down a company in droves for an initial 1 week onsite. You make it sound like you're losing access to all remotes.
Lets forget global and look at US.
100 people. Working full time. Cannot take leave at last minute (or may not have it to take). Average distance to your office 1000 miles.
How many will come to your on-site.
> 100 people. Working full time. Cannot take leave at last minute (or may not have it to take).
You're misinterpreting the thread. The context here is that the candidate is post-hire (…candidate is perhaps a poor word, but in the context of TFA, it makes more sense), so they're employed by the same company they're visiting.
I.e., the suggestion here is that Person A's employer E flies A out to E's headquarters to work for ~1 week.
Then you meet them in person, and can visually see they're not some fraudster in NK.
I.e., you start in-person, and transition to remote after 1wk.
Just bite the bullet and pay to fly them out for a week and pay for a shitty La Quinta with a view of the suburban office park.
I mean, airlines do it for pilots. How much of a hit to compensation would that be for software developers? Less than 5% for the first year?
The cost isn't an issue. If I'm a well paid pro looking at 10 interview pipelines. I ain't taking say 3 weeks off work to do my top 3 interviews. It's insane. Pay my flights and 20k might consider it.
It might work for grads or people out of work if it is well paid e.g. at least pro rata od the target salary. But that's a subset so if the employer chooses this they narrow their pool.
> Can’t they just make week 1 in person compulsory?
Yes, but you'll have people making all kinds of excuses and how they only eat from this specific place that delivers on DoorDash and etc etc
(but honestly I think this would be an improvement)
They definitely can. For my first 3 months it was obligatory to show up to the office. The office was basically a apartment room, and very small. But it got the job done.
Not really. You need a visa (or equivalent) to enter most countries. This can take months to apply for and receive. And you can stretch that period out even longer by claiming that you don't have a passport and need to apply for one first.
In Germany, if a company want to hire some talent from a foreign country, this problem is solved by the general rule "The employment starts as soon as the visa problems have been resolved, and you are in Germany." Big companies often have a department that helps with visa problems.
So, if you stretch the period, the employment simply starts later.
What’s the end game for these scammers once they get the job? I understand there’s a question of espionage if they’re collecting intel from these companies, but do they also do their jobs? Or do they disappear as soon as they’re hired and collect as much data and money until they get fired? Do they actually know how to do IT work?
The article mentions ransoming company data or source code as one outcome.
For many scammers (not North Korean specifically) it’s just one big game of collecting as many paychecks from as many companies as you can until they fire you.
For some multi-job people, the game is to continuously apply to companies and then let any company that is paying attention fire them after 1-3 months. Repeat long enough and you might find your way into a couple companies where your demands are so low that you can do all the jobs in a couple hours per day because your managers are so checked out that they don’t care. Ride this until the company lays off the whole underperforming team, then find the next jobs.
Have your new hire turn up and meet with the team on day one.
They'll soon twig if that's not the person who's getting called into a quick meeting in 5 minutes to discuss some new issue.
The supposed problem is being peddled by a company called Socure, who, coincidentally, offer the solution to this problem. There are absolutely "fake" remote workers floating around but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence. "North Korean" job applicants has become a meme, any suspicious looking applicant is being labelled "North Korean" by people who've read articles planted by Socure. If this were a grand North Korean government orchestrated conspiracy we would not see hundreds of job applicants engaging in exactly the same strategy for the same job.
https://www.socure.com/blog/hiring-the-enemy-employment-frau...
https://www.paulgraham.com/submarine.html
Yeah I get your skepticism, but this is really a huge issue in many industries. We are seeing it with an alarmingly high rate. You don't need a technical solution though, as the article points out, some stuff is just process change: In person final interview, gov issued ID checks, initial hardware delivery in office, etc.
I’ve also seen this pattern at a pervasive rate but I think it’s mostly shady overemployment / outsourcing agencies, with NK as a tag along. It doesn’t matter either way since the countermeasures are the same (besides the stupid meme KJU junk).
Many users here don’t seem to understand that they are reading content marketing.
But when the FBI tells you, you might really have a problem, as happened at one company I was at several years ago.
[flagged]
Ok but plan for a long sleep.
> but to suppose this is some grand security-focused North Korean government conspiracy rather than people from poorer nations trying to get paid is without evidence.
Uhh... I have news for you: https://www.fbi.gov/wanted/cyber/dprk-it-workers
North Koreax folk
Not sure why this is downvoted. There’s now abundant evidence it’s happening.
I have a feeling there may be a Nork "flash mob" going on, like when someone says bad stuff about Musk.
If only governments could provide a very simple “check identity” service online. I think this should be a basic service nowadays.
> If only governments could provide a very simple “check identity” service online. I think this should be a basic service nowadays.
Slovenia issues personal certificates so you can identify yourself online. Mostly used for banking and e-gov. The commercial space has decided it’s too cumbersome.
Fantastic idea. Started rolling out when I was in college some 15 years ago. You go to the same place that issues your govt ID and you can also get the equivalent of an SSH cert issued by the government that guarantees you are you, your identity was verified at point of issuance, etc.
Unfortunately it’s about as fiddly to use as SSH. Okay for nerds, way cumbersome for normal humans who just want to log into their bank and pay their taxes damn it. Last I remember (moved to USA ~10 years ago) getting their e-signing browser widgets/extensions to work reliably on non-windows machines was hell. Most Mac/Linux users ran a whole VMWare VM just to do taxes once a year.
Imagine if you had to provide your government ID to use any website.
Even for employment I find the idea iffy, but seeing as it's in response to an actual non-imagined problem, I suppose it's the most reasonable solution to that...
You lack some imagination. One could verify their identity against a government service once every let’s say 5 years. You get a public link/code that you can share with employers (or banks or real state agencies or…) so that they can use the link/code against a government service to verify that you are who you claim to be.
Adding a session token in the middle of the process of a website getting your government ID won't stop the website getting your government ID though? Either way the website learns your full name and address, and you can only ever have one account - which will make you extra careful not to violate any real or imagined rules - the chilling effect on speech is still there.
They provide, don't they? In Russia there are "gosuslugi" (government services) that banks and other organizations can use to confirm identity. However, if you sign up, then you will receive draft notices for military service through the app so you better not sign up.
I am not sure it would resolve the issue. About 10 or so years ago I was contacted on LinedIn with offer to "rent my name and face" for a team of Chinese remote workers (probably not those exact words). I rejected the offer without asking for details. Not sure if they were actually from China.
If you sell your identity, you are accountable. That works in real life too; So there’s less incentive in doing it.
Isn't that what the E-Verify [1] system was supposed to be? Several companies are now discovering it's not all it's cracked up to be, as ICE shows up at their door.
[1] https://www.e-verify.gov/
E-verify is just to check employment authorization, it's not a general identity service.
Yes. It confirms someone with a particular name, DOB, and SSN is authorized to work in the US. It doesn't confirm that the person claiming to be that person actually is that person. It relies on the employer to be able to match the applicant to the photo in e-verify, which isn't always an easy task.
We don't need a general identity service though. We need to know whether someone is authorized to work for a US employer, right? How can a DPRK worker have the necessary authorization? If they use someone else's identity, isn't that something e verify should catch? If these are US citizens/nationals/residents working out of DPRK, who cares?
> We need to know whether someone is authorized to work for a US employer, right?
E-verify is only for US residents, and depends on the employer interacting in person with the prospective employee.
Its primary goal is to check that someone is a legal resident, so it has no bearing on hiring remote foreign workers.
I suspect some of the fake job postings are schemes to harvest that type of data. If I live in Atlanta and someone uses my identity to get a job in Seattle, how long will it take for me to learn about the company in Seattle that thinks it hired me, especially if they don't use my home address.
One of the many reasons I don't like to give references, social security number, date of birth, and so on to anyone except the end client hiring manager. I don't really care if the talent manager software has a required field to put last four of social security number. I simply don't trust random job postings to keep my information secure.
Would it help if I could query some IRS service to check what paychecks have been sent to me? Does this have a delay of a quarter year or more?
How do these people avoid getting the people they impersonated and or scammed in trouble with the IRS?
You would also exclude everyone that is not a US resident; which might or might not be what you want.
I would guess many (most?) of the places with this problem are actually fine with people that aren't living in the US; just not in North Korea.
They can buy, steal, or hire yours. If it were a general identity service, yours would get tracked. But if it's just a matter of authorization, with no authentication, they'd just use it indefinitely.
[flagged]
I've definitely gotten something similar to this in dev slacks offering to use my upwork/linkedin to get a job and then I hand it off to someone else. They claim they'll pay 30-50k/y.
Sounds like my IRL value just keeps going up.
I think the paranoia and fear this kind of idea promotes is perhaps the point of all of it.
Why this is being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
Also, we need steps towards reducing the possible tools that fake workers could leverage. These steps would put a strain on some recent technological developments. A strange and wild paradox.
Inform what companies directly? If it's this pervasive, that's not going to be effective.
I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
And in the process of confirming that this was fishy, I contacted one of the past employers he claimed after doing my best to confirm _they_ weren't in any way part of the scam. They confirmed he had never worked there. I sent them his LinkedIn and portfolio site in case they wanted to chase down getting their name removed.
They told me that this was super concerning because the screenshots in his portfolio of the app he worked on for them were real screenshots... for an unreleased app that was only available internally and had never even been demoed for clients.
They'd already been breached and had god knows what exfiltrated. They found out because we caught an attempt to get hired at _our_ company and let them know.
Nobody outside of a couple of technical staff at our company had even _heard_ of this. Nobody at the other company had. The fix, to me, seems to be making people involved in hiring more aware of this. If anything, it seems we should be talking about this _more_ and _more publicly_.
Is your company involved in infrastructural or emerging tech in any way?
Forgive my frankness, but these worries about infiltrators have priority in important, large companies. I am very sure agencies responsible for this can contact these handful of important companies directly.
So, you're right. In the current age we live in, no one cares about your small SaaS company, and you're being used to spread unecessary paranoia and fear.
Other company was, indeed, AI Startup #528532.
We're in a niche, extremely boring industry. We have an extremely small client base. We do line-of-business/sales management applications for something akin to like... light switches and light fixtures. The most exclusive thing we have access to is wholesale pricing from manufacturers. We don't handle payments. The extent of PII we handle is "name and email" from when someone emails out a quote.
We are the epitome of uninteresting to a foreign actor. Being "uninteresting" apparently does not disqualify you.
We also do not hire overseas (the applicant claimed to be from California) and offer a good US wage. We weren't targeted or vulnerable because we were being "greedy".
You do hire remote workers, don't you?
If you had to hire workers in office, would you have space and infrastructure for all of them?
From my perspective, this would solve the issue. Unless you're worried about in-person north korea spies.
I don't know man, seems like you're living in some cold war mind trap or something.
So if I'm reading all your posts correctly the problem is:
I think we can call it done here.You're not reading correctly. Go back to my first comment, it's all there.
Isn't this the best way to start an infiltration, though? Like hiring a janitor or cleaner, who is able to access the office during off hours, and can start planting false information, which is then used by a more relevant company years later?
If you start thinking like this, then no one will ever feel safe.
I think this kind of idea is stupid.
30 people. Damn. I suppose they must be casting a massive net. Pretty concerning.
North Korea has a shortage of foreign currency.
It's not just espionage. They need US dollars to pay for smugglers.
Greed meets greed. Companies hiring cheap labor, being exploited in several fronts.
It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
Keep focused. Small companies never mattered for nations, they are irrelevant. Spreading paranoia will not solve their over-reliance on this exploited offshore problem. It will likely lead them to bankrupcy.
Ultimately, it doesn't invalidate what I said. It actually makes my comment more relevant.
> It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.
It's not offshore. Infiltrators are pretending that they're in the US. I first saw this 2 years ago, and they were pretty clumsy back then: always blurred background (and refusing to unblur it) and/or doing calls from a windowless office. You could even see their eyes moving, like they're reading the script.
This year they became much fancier. They use backgrounds with the real time-of-day and weather illumination. The eyes no longer move unnaturally, etc.
You miss the point.
Remote working is in the same vein as offshoring. One enables the other, they're co-dependent. Both are based on greed. In the case of remote working, is avoiding having offices, avoiding paying certain kinds of insurance, etc.
You are also re-inforcing my original conclusion that what enables these workers is the very same tech that companies are investing on.
Again, greed meets greed.
Now it's too late. IT companies will not survive a full return to office, and they won't survive remote working as well.
The very idea that someone could be using technology to fake an identity was unthinkable. Now that it is not, there's really no place safe.
If a crisis occours, and the US president goes to Air Force 1, transmits from there, how could you be sure he's not a north korean infiltrator? You can't.
I think there are still ways out of this, but we're reaching an inflection point that will be hard to overcome.
---
Your commentary seems to provide a valid point of view, and although you disagree, you reinforce my main point.
> Remote working is in the same vein as offshoring.
No, they're not.
> You are also re-inforcing my original conclusion that what enables these workers is the very same tech that companies are investing on.
We should get rid of electricity, then.
> If a crisis occours, and the US president goes to Air Force 1, transmits from there, how could you be sure he's not a north korean infiltrator? You can't.
Now you're really reaching.
> We should get rid of electricity, then.
Pathetic.
> I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.
I'm in a similar situation. The HR leads company is trying to filter out the fakes, but they can't catch everyone.
Apparently, the infiltrators specifically target the companies in the 10-50 people range. In smaller companies everybody knows what everybody else is doing, so infiltrators will be swiftly uncovered. And larger companies typically have a well-established HR department that will catch obvious fakes without good cover.
But these mid-range companies provide the best chance for the fakes to get at least a couple of paychecks before being uncovered. And they likely won't bother with going to the FBI to chase down the payments.
[Background: We both know companies should (must?) inform the feds if they accidentally (illegally?) hire someone as a part of fraud perpetrated against them.]
>And they likely won't bother
Thank you for your insight. Unfortunate! The rationale makes sense—the temptation to sweep under the rug—but doesn’t make it right, which as established we both know.
…you can perhaps tell I was frustrated with what seemed to be an argument against actually taking this course of action; hope replying here is better than arguing directly downthread esp. in case I misunderstood something
Why shouldn't they go to the FBI?
I strongly recommend going to official authorities if you believe you're being duped by a foreign nation spy or conspirator.
If they ignore you, it's more likely that you're not that important, like I said previously.
> Why shouldn't they go to the FBI?
I'm not saying "shouldn't". It's more likely "don't bother".
Interacting with the law enforcement takes time executives' time, it might bring in complications (legal liability for personal data leaks, etc.), and even in the best case the company is not going to get their money back.
So, it's a big problem that everyone should know about but do nothing except post shit on news?
No, you should bother. You should bother a lot. Get in contact with the FBI, make a huge deal about it. You think one company can handle a spy agency? That's bad advice.
Sure, feel free to tell that to every mid-size company.
You are mixing hypothetical scenarios with reality.
My argument was to inform high value targets first, since they are more at risk and capable of developing a fix.
I also argued for slowing down the development of technology that can help infiltrators.
Go back, read the discussion, see how far you are from the simple truth. Someone is making IT companies paranoid, either on purpose or by mistake. Probably, by greed or as a consequence to it.
Why try to hide it? It’s like public disclosures of security vulnerabilities. You directly contact the few people who have actionable data and means to address the problem, then you tell the world that they’re impacted and should be aware that such a problem exists so we don’t repeat it.
Private disclosures for more sensitive vulnerabilities are a recommended practice. In your analogy, that's why I aluded to.
In such cases, you only share the sensitive vulnerability publicly once there is a fix. For this case, there seems to be no fix.
One could think of it as a way to promote more scrutinized hiring processes, but it actually encourages widespread paranoia and fear.
It seems your analogy is valid, but the conclusion is that it supports what I said.
> Why this is being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.
One key component for this scheme to work is to have local US persons act as intermediaries. While some may already know something shady is going on, and be complicit, some might not understand the entire scope of what they're being part of. Publicly discussing it might encourage some people to come forward / avoid being involved in the future.
Living up to your screen name I see, but in all seriousness, I fully agree. The average person running the laptops in a spare bedroom may have no idea the scope of what they're involved with. Especially if they're being duped as well.
Imagine a non technical person being told they're helping run an "edge data center, close to the users. Running our laptops helps Netflix/facebook/etc (insert big tech name of your choice) run faster for you and your neighbors and well pay you to do it."
Easy to imagine a non technical person buying that lie.
I'm having a hard time understanding your imagined scenario.
Can you please explain it better?
NK "fake employee" finds a non technical American to run their laptop farm by lying to them that running these laptops is helping make their access to some service faster.
Sounds very convoluted.
I'm sure many, many countries have botnets. I have a bunch of those countries which I consider irresponsible and wreckless in my radar, not only north korea.
These aren't botnets in the traditional sense. These operations need a US-based laptop (they receive it by mail, from the "target" corporation upon employment) and they also need the mini-kvm device to be plugged in. Then the remote agents connect via that kvm, to make detection harder. To an enterprise IDS/IPS the laptop seems connected from a residential, US IP address (expected).
They've already arrested some people involved in this, they have devices as evidence. It's pretty well documented at this point.
Please, share the well documented evidence (media articles won't do).
My imagination is very expansive, I can come up with grand scopes that movies and conspiracy theorists would never dream of.
Reality is much simpler though. Greed, I already said it. Typical human defects.
It seems that you are not comprehending who needs to come forward. Entire industries, entire parties. They simply won't, they would rather see the world burn than admit such mistakes. It has happened before.
I’m not sure it’s good for anyone to keep SMB’s in the dark, as they have the most surface area and least expertise and budget to respond. It seems like a net benefit to publicize the issue and get every IT hiring manager thinking about it.
Can you elaborate more? It seems that you disagree but I'm missing the rationale behind it.
Keeping it quiet and only disclosing to larger firms means that lots of small firms will hire these people, with the economic and IP harms they entails.
As you said, small businessess have less expertise and budget to deal with the problem.
Telling your gramma she has a virus only makes her become afraid, she won't magically gain the ability to identify it. That's my whole reasoning here. It makes things worse.
I suspect it could be worse than that. It feels like certain countries' tech sectors are being partly taken over by IT workers from foreign intelligence agencies or from foreign entities with ulterior motives. Especially when you consider countries with small populations and few natives in the tech sector.
For example, in Australia, it seems like at least 8/10 software engineers are foreign-born. Most of those are probably genuine (not from intelligence agencies) but Australia has such a tiny native population of engineers compared to that of most foreign countries in its vicinity that it wouldn't be difficult for a country like China or India to overwhelm our tech industry with a few highly-placed workers in order to gain political leverage. I was thinking that there might be more software engineers working for Indian and Chinese intelligence agencies in the world than there are native-born software engineers in Australia (of all kinds). It's a numbers' game.
North Korea seems like the tip of the iceberg there though it is an easy example to talk about because everyone understands how the North Korean government operates and everyone agrees about the threat they pose compared to more subtle threats from other countries which aren't seen as opponents (at least not to the same extent).
But also, consider a company like Facebook which hires maybe 20K or so software devs. A country like India which has a large number of software developers, if it wanted, could easily put together a task force to infiltrate and take over Facebook in a focused decade-long effort if that was its intent. They almost certainly do have some people inside every major tech company right now.
If a group can have a few highly placed people inside a target company, they could then recruit more of their group into the company and start promoting their own until they have full control over the critical systems. It's a weakness of our current highly centralized tech sector.
Something else that could happen is a foreign intelligence agency could wait for people to get promoted naturally and then reach out to dual-nationals which they have leverage over (e.g. because of family members or assets owned in the foreign country) and then use that to demand favors. Then they could help coordinate the engineers to recruit more of their own to achieve even more control. Different groups would form factions within the target company and every normal employee would be unwittingly pushed out because anyone trying to 'improve or simplify things' would be seen as a threat to various nefarious agendas which rely on complexity to hide backdoors or algorithm exploits.
Imagine how valuable it would be if you could hijack's Google's search algorithm or Facebook's recommendation engines to prioritize your group's businesses and/or agendas.
>If a group can have a few highly placed people inside a target company, they could then recruit more of their group into the company and start promoting their own until they have full control over the critical systems. It's a weakness of our current highly centralized tech sector.
Isnt the critique of Indian managers that they favor indian ppl?
That critique is by the same section of our society that also believes that it's the "jews" that are behind this so ...
It’s likely that some variant of what you’re describing is actively taking place right now.
An required in-person verification due diligence step would stop this, no?
Feel like at least one coworker might be better if they were this.
The LinkedIn thing is very weird, what about all the guys that worked for another company for a long time and didn't bother with LinkedIn? I don't buy that, but the trend of these guys not showing up in-person at all is very suspicious, though not impossible. There are all kinds of reasons people want to do remote work, and some of those reasons might preclude an in-person meeting (like you might find out about a disability).
Still, I agree that's pretty suspicious. However, they didn't offer any proof whatsoever these guys are from North Korea or any motivation for why they would be doing this from North Korea. So, that sounds like potential U.S. propaganda.
They said they worked with the FBI, which honestly is a red flag for that kind of thing. Rather, if a company states without proof they're from NK, it's very likely BS. If the feds say it's North Korea without proof, it's definitely BS (they have resources to prove it!). If the Feds say it and provide proof, then we can talk about the proof.
What's clear is that this isn't just a security problem
Maybe this, with mandatory senior executive and board accountability, will be the wakeup call to stop the outsourcing problem of the last 50 years.
This has nothing to do with outsourcing. These guys are getting hired as permanent employees as often as they’re being engaged as contractors.
My mistake. I meant “off-shoring”.
This is only possible in the scale we see today, because of the infrastructure built to support off-shore and remote work.
What does this have to do with outsourcing?
It’s about incentives.
Direct impact: Outsourcing breeds a culture of unverified and verified-just-once remote work.
Indirect impact: Outsourcing is a cost-driven effort where after a certain level of competence, the bottom-line is the only measurable metric that matters so it’s a race to the bottom with patchwork efforts to “fix” issues like OP.
Making domestic options cost-equivalent with punitive outcomes for hiring NK workers.
This is about in-house employees. Not outsourcing.
My mistake in term. I meant “off-shoring”.
Otherwise, I stand by my argument. The support infrastructure we built to support remote work and offshore teams have made this an easy attack channel.
How is it off-shoring if they are hiring "US citizens living in the US"?
Oh, so they’re interviewing in-person?
Or perhaps, off-shoring support and infrastructure is what enabled and made-normal this sort of remote interviewing and work in the first place.
[flagged]
the funneling of money from the us to other countries for workers
the companies located here should only hire here
[flagged]
That’s bad faith quip. The US is a competitive market with ground rules.
Maybe this is a real problem, IDK. But this article is so scant on actual details, and is mostly just weasel-wording it's way to "it's a problem, trust us."
> Chief among these disconnects were "shallow" LinkedIn profiles paired with "beefy resumes," she explained, citing job-seeker claims of working at Meta, attending Ivy League schools, developing major tech companies' flagship products … but then only having 25 LinkedIn connections.
LinkedIn is not the end-all be-all of résumés, and my coworkers have wildly varying numbers of connections.
> "We've certainly seen applicants that fit into this category with various IOCs [indicators of compromise] that we've shared with partners and peers," Snowflake CISO Brad Jones told The Register.
This is an abuse of the technical term IoC to try and dress up what amounts to "my gut hunch".
> Once the recruitment team began meeting via video conferences with some of the applicants, they noted extremely Western-sounding names, like James Anderson, paired with East Asian appearances and accented English, in much higher numbers than they expected.
That's just discriminatory.
> "You can't profile people, […] *But*
sigh
> The fraudster's answers weren't word-for-word ChatGPT, Little noted. "These people are smart, they're not unskilled, they're sophisticated," she said.
… no, that's because that's not how LLMs work.
> routing everything through a VPN
I'm not even sure how you would know this about a candidate.
> These IOCs, or indicators of compromise, include email addresses, physical addresses, and phone numbers that have been flagged as associated with non-legitimate candidates.
This is begging the question: the candidate is suss because they're suss. What makes the email address et al. "flagged"?
> The final step is always an in-person interview.
I mean … if you're not doing that, then … okay, I see how the scammers got to you.
> "We require people to come to the office to pick up their computer," Robinson said as an example.
I mean, if you pay for the plane tickets, the hotels, the taxis, the meals, and the time, sure, I guess.
If this is truly a problem — and maybe it is — the Register's reporting is so unspecific that it leaves us with no details of how we might tell, what to look out for (in ways that doesn't run afoul of racial discrimination, or seen elsewhere in the comments, political discrimination). It leaves me thinking this is an ad designed to leave me going "I'd have to hire a company that specializes in this to know if I'm being affected by it."
So, again, the answering to this and most every other hiring ill in software over the past 15-20 years is… licensing.
So, let’s think about this logically. There is no baseline of candidate identification or competence in software and the jobs pay very well in physically comfortable conditions. It makes sense that unqualified liars would apply for these positions. Why shouldn’t they? I am honestly curious how far the fraud and incompetence can go and devalue the industry before someone cares enough to tackle the problem l.
The answer to this is for companies to do even a modicum of personnel vetting.
At the very least, make your remote candidate show up in person for their onboarding. A plane ticket and a few days of accomodation and meals is cheap in the grand scheme of things, and giving the opportunity to meet their team is good relationship building.
Sight their ID before you issue them with an account, give them a laptop etc.
> The answer to this is for companies to do even a modicum of personnel vetting.
They do. That is clearly not enough.
They generally make no enquiries at all into the applicant’s bona fides.
The candidate sends in fake or stolen documents where the picture on the drivers license doesn’t even vaguely resemble the person who appeared on Zoom.
When you have an applicant who says they were born in Tennessee and that they’ve apparently lived in the U.S. for their whole life, you would normally expect them to speak English with native proficiency and at least have an American-sounding accent.
If they say they live in, say, Seattle, you’d expect they could carry on at least a basic conversation about their local area.
Even this basic level of attention to detail nonetheless escapes many HR departments and hiring managers.
> If they say they live in, say, Seattle, you’d expect they could carry on at least a basic conversation about their local area.
When I was working at $LargeCompany, we were encouraged to NOT engage in small talk with applicants beyond the regular politeness. It's too easy to ask questions that would open the company to discrimination lawsuits.
I have known many people born in the US who learn English as a second language with a think accent. Employers have to use legally qualified means to discriminate applicants to avoid violations of various laws.
Irrelevant to the OP unless you explain why North Koreans would be prevented from obtaining these licenses: it's not like there aren't competent developers in North Korea.
If your explanation is that the license grantor will verify that the applicant is a resident of a Western country, than the employer can just do the same verification of job applicants, dispensing with the need for the occupational license.
The way these people are being caught are things like dodgy LinkedIn profiles or refusing in person meetings so I would think a licensing process designed around things which would be expensive to fake: in person government ID checks, periodic exams, peer evaluations, etc. The trick would be actually doing that in person, which could be a useful thing for conferences - treat an afternoon at PyCon or re:Invent as the cost of renewing your professional credentials if you don’t live near a major city or university.
Even an in person ID check would suffice.
For most of the West, this is an extremely difficult bar to clear for a North Korean national working out of China.
Yeah, I was thinking that if you were looking for an industry license it would probably be more useful if it also covered skills or work experience in some way since that helps multiple weak points of the common hiring processes but you’re quite right that it would raise the bad considerably if they had to basically run everyone like actual spies with robust fake identities.
I recommend researching what comprises professional licensing. If you have absolutely no frame of reference I can understand why you would be so confused.
OK, so you cannot answer my question.
Why would I? I don’t think you would understand the answer.
If there is an US person providing the identity, what's stopping them from also providing the license.
I guess the main problem is, if you are a company with bad management structure, and you see your new coworker has really weird patterns, inconsistencies in their talking, why would you tell the manager about it? You can just mind your own business. It was them who hired them after all.
I don’t understand your question about licensing. A professional license isn’t a physical artifact.
Edit: If you don’t know what licensing is why are you replying to a comment about it? Most of the comments here read like this and it’s really weird.
FWIW, it the "insult Kim Jong-Un" meme that's been going around doesn't work
Did you try it? What did the person say?
How do you know?
[flagged]
How is it racist?
It is trying to avoid hiring an ethnicity by saying things that a specific ethnicity would find offensive, but not others so you can filter them out of the hiring process.
That is not what that's about. It is trying to avoid hiring people who work for a foreign government by asking them to say things that would be illegal in their country. It has nothing to do with ethnicity and everything to do with nationality.
Nobody is trying to avoid hiring an ethnicity. There are plenty of Koreans that would still be hired, those from South Korea and everywhere other than North Korea.
I dont think KJU is held in high esteem by the defector community.
[dead]
[flagged]
[flagged]
company finally swipes right only to get catfished by a DPRK agent
nice
I hate how this is acceptable to make such claims about another country without providing any evidence. Same goes for Chinese or Russian hackers. It’s just whoever the US government is unhappy about.
The article itself is evidence. There are many more links in it to other stories that report on basically the same or similar incidents. There are also several names in the article itself that you can research or probe on your own to tell if it's coming from a trustworthy source.
Consider also the author: it's written by an actual journalist/editor with a large body of pre-existing work in the field, and many of the claims written are backed up by quotes from a named source. It's not like they're writing all this and hiding it behind the weasel phrase 'according to a source close to the matter'.
The register too is actually UK founded, so it's not even American.
Your reaction is just so typical of people nowadays - just assume it's all 'made up' without any effort in debunking or picking apart any specific claims.
I've interviewed these people. They really exist! I did not know they were North Korean, but it would not surprise me.
There's evidence, large investigations, and arrests aplenty already.
Justice Department Announces Coordinated, Nationwide Actions to Combat North Korean Remote Information Technology Workers’ Illicit Revenue Generation Schemes (justice.gov)
https://www.justice.gov/opa/pr/justice-department-announces-...
(12 days ago) https://news.ycombinator.com/item?id=44431853
..What evidence is lacking here?
This is a problem the USA caused, and could easily solve, by dissolving the armistice and declaring an end to the Korean war.
only seven countries are currently participating in the embargo and sanction of North Korea, (at the behest of the united states.)
North Korea would never, in a million billion years, either accept peace, or actually honour it. NK is a hideously oppressive, violent, dictatorship, which would invade SK in a microsecond if it thought it could get away with it.
I think it astounding - staggering - to point the finger here at USA.
If you were not a long term, serious poster, I would think you were a fake account.
No, one side declaring the end to a war does not end that war, this is one of the worst foreign policy takes I've ever heard. The NK regime is secure because of the war, they will poison pill any negotiation by demanding South Korea become part of the north.
They convinced Ukraine to give up their nukes, promising that they'd be safe. I don't think there's any chance of convincing North Korea to follow the same path.
You don't have to be an evil North Korean to do that. Outsources have been doing it since time immemorial because they can't achieve sales in any other way (or, through direct corruption - often offshore outsourcing shops are owned by managers of their clients, who effectively use them as tools for siphoning money away).
Hopefully the fear of foreign actors will put an end to this too.
I have to hand it to North Korea on the inventive revenue streams. This is a country under sanctions for decades that has developed some of the most clever IT scams for siphoning money from the west. Between this and the Lazarus group the country has brought in Fortune 500 company kinds of money to keep itself afloat.
This is entirely US's companies fault for not favorizing people from 1st world countries. At this point it's not a question of $ but not really giving a shit.
If you have 2 candidates and one is from lets say Czech Republic and the other one from 3rd world then it's fully on you for getting screwed over.
Could have read the article. All involved companies hired US-based workers who received company-provided laptops and set up remote access on them for North Koreans.
It's been over 75 years. It could not be clearer that this attempt to punish the ordinary people who live in North Korea for having a government that the US finds disagreeable will not succeed in somehow fomenting revolution. What it has succeeded in doing, apparently, is sustaining a level of poverty and isolation that motivates even crazy schemes like this.
Here's how to actually stop it: stop weaponizing poverty to beat a Cold War-era dead horse, and end the damn sanctions.
Russia was an important trading partner for many European countries. Especially important for Germany. Basically no sanctions. Freedom of movement with fairly good visa policies. No great internet firewall. How much did all this help to prevent another huge war between two European countries?
Different behaviors have different motivations, contexts, and causes. It's extremely clear that these, like other criminal moneymaking schemes in the DPRK, are directly and closely related to the high degree of isolation of the DPRK and the difficulty of getting capital into it.
Of course lifting the sanctions won't also end all spycraft, or ensure an end to geopolitical conflict. Those aren't things I have claimed or would claim.
And the primary reason to end such sanctions is not any benefit to imperialist nations but because of the fact that they inflict misery on ordinary people indefinitely and (not essential, but adding insult to injury) uselessly.
> they inflict misery on ordinary people indefinitely
Pyongyang was making its people miserable before there were sanctions. America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
> Pyongyang was making its people miserable before there were sanctions.
Whether or not we approve of Pyongyang is completely irrelevant to every point I've made. The questions are (a) whether the sanctions have had a material negative effect on the North Korean people, and (b) what they have accomplished. The answers are "yes" and "nothing of any use", neither of which is controversial. And our fixation with North Korea and the evil we wrought there obviously doesn't begin with sanctions but with millions of tons of bombs, tens of thousands of tons of napalm on arable land, or the destruction of the People's Republic of Korea (not the DPRK), a functioning government that existed in both the North and South before the US invaded (literally reinstating colonial Japanese governors as officials).
> America isn’t at the centre of the universe—we didn’t cause every geopolitical ripple that ever was.
The US was directly involved in the division of Korea even before all that. Frankly, your entire comment has been not only extremely handwave-y but deeply dishonest.
https://www.npr.org/2022/09/07/1121427407/survivors-of-a-mas...
Ergh, something did get lost in a rewrite of my comment between tons of bombs and pounds of bombs: it's "only" over half a million tons of bombs. Many hundreds of millions of pounds, "only" over 650,000 tons. The range given for napalm was accurate; it's over 30,000 tons.
Exactly. Trade ties only go so far.
But this pov isn’t always rooted in pragmatism. Free market ideologues also think that free markets will bring world peace.
Ah yes, bec that’s worked out so well with china.
Anyone with internet access in NK is working at the behest of the government.