alganet 18 hours ago

33 replies

I think the paranoia and fear this kind of idea promotes is perhaps the point of all of it.

Why is this being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.

Also, we need steps towards reducing the possible tools that fake workers could leverage. These steps would put a strain on some recent technological developments. A strange and wild paradox.

nucleardog 17 hours ago

Inform what companies directly? If it's this pervasive, that's not going to be effective.

I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.

And in the process of confirming that this was fishy, I contacted one of the past employers he claimed after doing my best to confirm _they_ weren't in any way part of the scam. They confirmed he had never worked there. I sent them his LinkedIn and portfolio site in case they wanted to chase down getting their name removed.

They told me that this was super concerning because the screenshots in his portfolio of the app he worked on for them were real screenshots... for an unreleased app that was only available internally and had never even been demoed for clients.

They'd already been breached and had god knows what exfiltrated. They found out because we caught an attempt to get hired at _our_ company and let them know.

Nobody outside of a couple of technical staff at our company had even _heard_ of this. Nobody at the other company had. The fix, to me, seems to be making people involved in hiring more aware of this. If anything, it seems we should be talking about this _more_ and _more publicly_.

  • alganet 17 hours ago

    Is your company involved in infrastructural or emerging tech in any way?

    Forgive my frankness, but these worries about infiltrators have priority in important, large companies. I am very sure agencies responsible for this can contact these handful of important companies directly.

    So, you're right. In the current age we live in, no one cares about your small SaaS company, and you're being used to spread unnecessary paranoia and fear.

    • nucleardog 12 hours ago

      Other company was, indeed, AI Startup #528532.

      We're in a niche, extremely boring industry. We have an extremely small client base. We do line-of-business/sales management applications for something akin to like... light switches and light fixtures. The most exclusive thing we have access to is wholesale pricing from manufacturers. We don't handle payments. The extent of PII we handle is "name and email" from when someone emails out a quote.

      We are the epitome of uninteresting to a foreign actor. Being "uninteresting" apparently does not disqualify you.

      We also do not hire overseas (the applicant claimed to be from California) and offer a good US wage. We weren't targeted or vulnerable because we were being "greedy".

      • alganet 4 hours ago

        You do hire remote workers, don't you?

        If you had to hire workers in office, would you have space and infrastructure for all of them?

        From my perspective, this would solve the issue. Unless you're worried about in-person North Korea spies.

        I don't know man, seems like you're living in some cold war mind trap or something.

      • xarope 6 hours ago

        Isn't this the best way to start an infiltration, though? Like hiring a janitor or cleaner, who is able to access the office during off hours, and can start planting false information, which is then used by a more relevant company years later?

        • alganet 4 hours ago

          If you start thinking like this, then no one will ever feel safe.

          I think this kind of idea is stupid.

      • bn-l 11 hours ago

        30 people. Damn. I suppose they must be casting a massive net. Pretty concerning.

    • jjmarr 16 hours ago

      North Korea has a shortage of foreign currency.

      It's not just espionage. They need US dollars to pay for smugglers.

      • alganet 16 hours ago

        Greed meets greed. Companies hiring cheap labor, being exploited in several fronts.

        It was a decision for several companies to spread thin their offshore hiring. They practically invited infiltrators in.

        Keep focused. Small companies never mattered for nations, they are irrelevant. Spreading paranoia will not solve their over-reliance on this exploited offshore problem. It will likely lead them to bankruptcy.

        Ultimately, it doesn't invalidate what I said. It actually makes my comment more relevant.

  • cyberax 11 hours ago

    > I work at a small (~30 person) SaaS company. We interviewed what I took to be a case of this the other day (all the classic signs). Nobody would be keeping an eye on our hires or letting us know about this.

    I'm in a similar situation. The HR leads company is trying to filter out the fakes, but they can't catch everyone.

    Apparently, the infiltrators specifically target the companies in the 10-50 people range. In smaller companies everybody knows what everybody else is doing, so infiltrators will be swiftly uncovered. And larger companies typically have a well-established HR department that will catch obvious fakes without good cover.

    But these mid-range companies provide the best chance for the fakes to get at least a couple of paychecks before being uncovered. And they likely won't bother with going to the FBI to chase down the payments.

    • Barbing 3 hours ago

      [Background: We both know companies should (must?) inform the feds if they accidentally (illegally?) hire someone as a part of fraud perpetrated against them.]

      >And they likely won't bother

      Thank you for your insight. Unfortunate! The rationale makes sense—the temptation to sweep under the rug—but doesn’t make it right, which as established we both know.

      …you can perhaps tell I was frustrated with what seemed to be an argument against actually taking this course of action; hope replying here is better than arguing directly downthread esp. in case I misunderstood something

    • alganet 10 hours ago

      Why shouldn't they go to the FBI?

      I strongly recommend going to official authorities if you believe you're being duped by a foreign nation spy or conspirator.

      If they ignore you, it's more likely that you're not that important, like I said previously.

      • cyberax 10 hours ago

        > Why shouldn't they go to the FBI?

        I'm not saying "shouldn't". It's more likely "don't bother".

        Interacting with law enforcement takes executives' time, it might bring in complications (legal liability for personal data leaks, etc.), and even in the best case the company is not going to get their money back.

markerz 17 hours ago

Why try to hide it? It’s like public disclosures of security vulnerabilities. You directly contact the few people who have actionable data and means to address the problem, then you tell the world that they’re impacted and should be aware that such a problem exists so we don’t repeat it.

  • alganet 17 hours ago

    Private disclosures for more sensitive vulnerabilities are a recommended practice. In your analogy, that's what I alluded to.

    In such cases, you only share the sensitive vulnerability publicly once there is a fix. For this case, there seems to be no fix.

    One could think of it as a way to promote more scrutinized hiring processes, but it actually encourages widespread paranoia and fear.

    It seems your analogy is valid, but the conclusion is that it supports what I said.

NitpickLawyer 16 hours ago

> Why is this being discussed publicly? It seems way more reasonable to inform IT companies directly, or investigate it outside media attention.

One key component for this scheme to work is to have local US persons act as intermediaries. While some may already know something shady is going on, and be complicit, some might not understand the entire scope of what they're being part of. Publicly discussing it might encourage some people to come forward / avoid being involved in the future.

  • fuzzzerd 12 hours ago

    Living up to your screen name I see, but in all seriousness, I fully agree. The average person running the laptops in a spare bedroom may have no idea the scope of what they're involved with. Especially if they're being duped as well.

    Imagine a non-technical person being told they're helping run an "edge data center, close to the users. Running our laptops helps Netflix/facebook/etc (insert big tech name of your choice) run faster for you and your neighbors and we'll pay you to do it."

    Easy to imagine a non-technical person buying that lie.

    • alganet 10 hours ago

      I'm having a hard time understanding your imagined scenario.

      Can you please explain it better?

      • fuzzzerd 7 hours ago

        NK "fake employee" finds a non-technical American to run their laptop farm by lying to them that running these laptops is helping make their access to some service faster.

  • alganet 10 hours ago

    My imagination is very expansive, I can come up with grand scopes that movies and conspiracy theorists would never dream of.

    Reality is much simpler though. Greed, I already said it. Typical human defects.

    It seems that you are not comprehending who needs to come forward. Entire industries, entire parties. They simply won't, they would rather see the world burn than admit such mistakes. It has happened before.

brookst 17 hours ago

I’m not sure it’s good for anyone to keep SMB’s in the dark, as they have the most surface area and least expertise and budget to respond. It seems like a net benefit to publicize the issue and get every IT hiring manager thinking about it.

  • alganet 17 hours ago

    Can you elaborate more? It seems that you disagree but I'm missing the rationale behind it.

    • brookst 16 hours ago

      Keeping it quiet and only disclosing to larger firms means that lots of small firms will hire these people, with the economic and IP harms that entails.

      • alganet 16 hours ago

        As you said, small businesses have less expertise and budget to deal with the problem.

        Telling your gramma she has a virus only makes her become afraid, she won't magically gain the ability to identify it. That's my whole reasoning here. It makes things worse.