[HN Gopher] FBI: Stolen PII and deepfakes used to apply for remo...
___________________________________________________________________
FBI: Stolen PII and deepfakes used to apply for remote tech jobs
Author : mikece
Score : 170 points
Date : 2022-06-28 15:21 UTC (7 hours ago)
(HTM) web link (www.bleepingcomputer.com)
(TXT) w3m dump (www.bleepingcomputer.com)
| hijohnnylin wrote:
| MANAGER: "hey uh, my friend at a different company said you
| applied for a job there this week?"
|
| EMPLOYEE: "uhhhhhh.... that was... uhhh... a deepfake who also
| stole my information?"
|
| MANAGER: "oh okay. yeah of course you would never try to
| double/triple your salary by taking multiple remote tech jobs
| with zero oversight. my friend said it seemed so real haha.
| deepfake are so good now. im gonna report this to the FBI, people
| need to know."
|
| EMPLOYEE: "yea haha amazing. anyway i gotta get back to not-my-
| other-job"
| spudlyo wrote:
| I was surprised that this was a real thing when I stumbled upon
| the r/overemployed subreddit. Not sure how many of the folks
| who self-report their success in doing this are LARPers, but
| it's remarkable that anyone gets away with this.
|
| I have a hard enough time attending all the meetings and
| completing my work in my actual job, I couldn't imagine taking
| on another and balancing the two somehow.
| roflyear wrote:
| Lots of people are doing it!
| vsareto wrote:
| MANAGER: "okay, now we need to make sure we never hire a
| deepfake. all technical interviews are now proctored with
| identity verification and random shocks of pain. failing to
| react to a shock appropriately will immediately disqualify
| someone from the 8th round interview"
| mistrial9 wrote:
| from this point of view -- it says more about the "job market"
| and forgery-for-pay than the deepfakes .. it was one year ago I
| saw a video documentary on young men from various places, in the
| keep of handlers who charged them rent and maintenance while they
| applied for remote tech jobs. The handlers were shown to clean up
| or embellish skill sets, claim English skills or write responses
| for the applicants, and other fraudulent activity. Meanwhile, on
| the other side of that, investors have put money into hiring
| companies who want to follow in the Monster dot com path but more
| specialized skills or particular clients. The work of outsourcing
| is just never done it seems, and apparently pays investors and
| handlers well enough to do these things. Deepfakes makes it part
| show-business, which is not new either, really.
| goatcode wrote:
| I was recently approached by a firm that it seems does a
| similar thing to what you've described. As a native English
| speaking tech professional, they wanted me to assist others in
| initial video interviews for tech positions. I don't know how
| any amount of spin or perspective could sell such a thing as
| anything but fraud. I honestly couldn't even put together how
| it would work long term, but I suppose with the nature of some
| remote work, it might be possible by a committed actor or
| agency. It's creepy as heck, and reminds me of that movie
| "Gattaca."
| jstarfish wrote:
| > I don't know how any amount of spin or perspective could
| sell such a thing as anything but fraud.
|
| It might be fraud, it might not. This sounds like SOP for
| literally every "recruitment" outfit I've ever encountered.
| Every single one encouraged candidates to tailor their
| credentials to the job requirements.
| Scoundreller wrote:
| I think that documentary was published in 2009:
|
| https://www.theonion.com/more-american-workers-outsourcing-o...
| mistrial9 wrote:
| not that one -- will look for links; definitely in covid-19
| era, the one I saw
| Reason077 wrote:
| Makes you wonder how many jobs out there are _already_ being done
| by deepfakes.
| landryraccoon wrote:
| I didn't know having multiple remote jobs simultaneously wasn't
| kosher. Why resort to Hollywood? I do it all the time. It's
| called being a contractor.
| WalterBright wrote:
| It isn't kosher if you were hired as a full time employee.
| WalterBright wrote:
| Soon AI bots will be applying for remote jobs.
| tflinton wrote:
| I've had remote candidates in India lip sync an interview, but I
| don't think it was deep fakes, but rather the audio was coming
| from someone off screen while the person on screen was trying to
| mimic them.
|
| My guess is someone was trying to help them get the job, I'm not
| sure to what end though and regardless, we didn't hire the
| person.
| johndhi wrote:
| I'm not sure this is a greater risk than currently exists with in
| person interviews.
| tablespoon wrote:
| > While some of the deepfake recordings used are convincing
| enough, others can be easily detected due to various sync
| mismatches, mainly spoofing the applicants' voices.
|
| > "Complaints report the use of voice spoofing, or potentially
| voice deepfakes, during online interviews of the potential
| applicants," the US federal law enforcement agency added.
|
| Something about this doesn't smell right:
|
| 1) Don't video deepfakes require _lots_ of high-quality input
| video (which is why they were often made of Obama)? Where would
| an attacker get this for some rando?
|
| 2) Why would voice deep-fakes even be necessary, given the
| interviewee is very unlikely to be known by the interviewer? I
| suppose it could be used to fake accents, but I don't think that
| would be an issue for a "remote tech job" -- just steal an
| identity that could plausibly have your accent.
| mirker wrote:
| Regarding 1) and following 2) you only need to make realistic-
| enough video that it passes as a person and is similar enough
| to the target person. For example, you can have a pretrained
| model (e.g., using zero targeted data) and search for some
| configuration that is closest to the target person. You only
| need to match a few variables (e.g., ethnicity, gender, hair
| color, age) before the fake is plausible.
| chrismarlow9 wrote:
| Regarding 1, you set up a fake company and interview the
| candidate in multiple rounds. Record the interviews and then
| use them as input for deep fake.
|
| Edit: you could also approach them as a love interest and get
| the video through chats.
|
| I'd also be curious to see if there's an overlapping former
| employer between the candidates. If you found an archive of
| some employer's Zoom meetings you have all you need.
|
| Okay I'm gonna stop before I get paranoid.
| 13of40 wrote:
| In the second year of COVID I was hiring for a dev position
| and got a really good candidate who came across as a very
| bright, outgoing young woman, who got "hire" decisions from 4
| of 4 interviewers. She worked with us for about 6 months
| remotely, but never turned her camera on after the interview
| loop, and in retrospect she seemed like a totally different
| person than who we interviewed. The conspiracy theorist in me
| says she used a double to do the interviews. No need to deep
| fake anyone.
| datavirtue wrote:
| Winner!
| chrismarlow9 wrote:
| Interviews as a service. Interesting idea and thanks for
| sharing.
| tablespoon wrote:
| One of my previous leads suspects a contractor did
| something like this for an in-person role. We only did one
| or two phone interviews for such roles, and the guy did
| well enough to get brought on for a 3 month contract or
| something. The guy who showed up didn't seem to know as
| much as the interviewee, and was always on the phone. My
| lead suspected he was getting help from "somewhere else."
| In retrospect, he suspects the guy who showed up may have
| had a different foreign-country X regional accent than the
| person who interviewed, but it's impossible to know for
| sure.
|
| He speculated that some unscrupulous but relatively
| knowledgeable guy was sitting in for the interviews, and
| then coaching the incompetent applicants day to day for a
| cut of their pay.
|
| In the end he just let the contract lapse. Not a whole lot
| you can do since it would be really hard to prove any kind
| of malfeasance, and to make the accusation would just make
| you look crazy and paranoid.
| 908B64B197 wrote:
| There was a place that hired a consultant for a project a
| friend worked on, and she was... I don't think she could
| write code at all. Like, had trouble manually inserting
| fragments into an XML file despite fragments with the
| same structure already being in the file.
|
| Her productivity skyrocketed at night however, and she
| generally had working code in the morning, which led to
| rumors that her husband or someone in her home country
| was doing the work (would have been daytime over there).
| Nobody really complained. She wore a hijab and the
| company had just hired its first "diversity officer" so
| maybe that's why. Thankfully they stopped using that
| vendor not long after. It's a story a friend told me a
| long time ago. I didn't and couldn't fact-check it.
|
| The husband's theory came from the fact she apparently
| mentioned her husband was also a software consultant.
| rvnx wrote:
| That's fine if people helped her after work, it means she
| is struggling a bit technically and she has to work
| after-hours to learn. It's ok. It means she is dedicated
| to her job but lacks some skills and is trying to learn.
| The result is also the most important.
| Ancapistani wrote:
| > That's fine if people helped her after work
|
| Depending on the industry, it's definitely _not_ fine.
|
| I work in healthcare. If one of our employees was giving
| a foreign national access to our internal systems, that
| would be a Very Big Deal.
| daniel-cussen wrote:
| I'd rather look crazy and paranoid in that scenario than
| do nothing.
| kache_ wrote:
| datavirtue wrote:
| So, fire every dev immediately?
| kache_ wrote:
| verve_rat wrote:
| dbetteridge wrote:
| What an out of touch take.
|
| There's a million reasons someone may not be comfortable
| having their video on that don't involve fraud.
| kache_ wrote:
| 13of40 wrote:
| Where I work right now, the status quo is to have your
| camera on in meetings with other managers, but have all
| cameras off for meetings with individual contributors. To
| be honest, at this point the idea that we're anything
| more than just voices in the cloud is a nuisance more
| than anything else. I have a new intern who apparently
| keeps coming by my office for meetings expecting me to be
| there, when I'm actually sitting in the park on my 5G
| hotspot on the other side of town. I do wonder if this is
| just the last gasps of a brief moment of freedom, though,
| or if it's going to be the way we do business long term.
| Nextgrid wrote:
| Regularly, yes. But _all_ the time? Come on.
| [deleted]
| tablespoon wrote:
| > Regularly, yes. But _all_ the time? Come on.
|
| I have literally _never_ turned on my video despite 2+
| years of working remote. None of my team has either. The
| only people who ever do are director-level and above.
|
| You are out of touch. Not every workplace is your
| workplace.
| kache_ wrote:
| tablespoon wrote:
| > What has your team shipped?
|
| What kind of question is that? We've shipped our
| deliverables.
|
| It may be surprising to you, but grainy and awkward video
| of coworkers in zoom shirts looking at their other
| monitor is not actually required for people to get things
| done.
| icedchai wrote:
| This is true. Turning on the camera for video calls
| seemed very rare, pre-covid. We basically treated them
| like conference calls, with screen sharing.
| heavyset_go wrote:
| > _1) Don't video deepfakes require lots of high-quality input
| video (which is why they were often made of Obama)? Where would
| an attacker get this for some rando?_
|
| I imagine that at some point, or even now, we can use transfer
| learning for deep fakes and just train existing models on a
| limited data set for "good enough" deep fakes.
| jstarfish wrote:
| > Why would voice deep-fakes even be necessary, given the
| interviewee is very unlikely to be known by the interviewer? I
| suppose it could be used to fake accents,
|
| You have it backwards-- the point is accent _elimination_. You
| don't need to sound like someone else, but you do need to
| _not_ sound like someone of your own locale.
| hgsgm wrote:
| Accents can only be changed, not eliminated.
| Calavar wrote:
| That's a strange dichotomy to make. How is accent
| elimination different from an accent change from a
| nonstandard accent to a standard accent?
| tablespoon wrote:
| > You don't need to sound like someone else, but you do need
| to not sound like someone of your own locale.
|
| That doesn't make any sense though, given how many real tech
| workers are immigrants with accents.
|
| What you say does make sense for someone trying to do certain
| kinds of fraud (e.g. an Indian scammer pretending to be an
| IRS agent demanding iTunes gift cards), but not for applying
| for a tech job.
| jstarfish wrote:
| Immigrants are people you can hold legally accountable for
| fraud. Someone who catfishes their way into a remote-work
| job and is untouchable by domestic law, not so much.
|
| There are some ethnic boundaries across which some
| employers are not willing to entrust remote work, and the
| response by the impacted demographic appears to be to
| double down on the fraud that led to the stereotypes to
| begin with.
| quantified wrote:
| We've been very concerned earlier about what deepfaking a world
| leader might result in. Still a concern on that, but we can have
| endless amounts of additional fun with realistic deepfaking B-
| and C-list celebs and all "influencers" who have left enormous
| trails of audio and video.
|
| Picture an adversary setting up a large deepfake campaign
| involving hundreds or thousands of fakes, esp coordinated with
| their use of the hundreds or thousands of curated social media
| profiles that have been raised on a media farm.
| mmebane wrote:
| With social media influencers, you don't even have to worry
| much about the deepfakes glitching - the usage of filters is
| rampant enough that glitches have been completely normalized.
| treeman79 wrote:
| Had an influencer make me up crap about a her work. Hundreds
| of people calling her out on it. Her fans did not care.
| Comments all got buried or deleted.
|
| The fans would come up with dumbest possible rebuttals.
| Basically they liked her she was pretty therefore she was
| right about everything. And all the easy to verify facts were
| not important.
| tluyben2 wrote:
| There are entire subreddits devoted to how incredibly fake
| instagram and TikTok people make themselves look with filters
| so yes, this is already normal with real people. It would not
| take much.
| sva_ wrote:
| You could probably grow a farm of deep fakes on some social
| media site, talking to each other about peculiar niche things
| using language models, and once that farm is big enough use it
| to shift opinions/attack. It's scary how small groups of
| people, or even an individual could do that.
| ramesh31 wrote:
| >You could probably grow a farm of deep fakes on some social
| media site, talking to each other about peculiar niche things
| using language models, and once that farm is big enough use
| it to shift opinions/attack. It's scary how small groups of
| people, or even an individual could do that.
|
| You've just described half of Twitter's MAUs.
| pempem wrote:
| It also feels very like Ender's Game near the end of the
| book
| corrral wrote:
| I recently read a near-future sci-fi story (linked somewhere
| on here, I think) about an AI breaking out of its contained
| environment and taking over the world before we could figure
| out what happened and stop it (took a couple weeks, IIRC).
|
| The TL;DR is that once it had enough compromised machines to
| run social media botnets, it was all over. It could use those
| to confound efforts to coordinate and compare data, to
| misdirect huge numbers of people and cause all kinds of
| chaos, and to smear opponents before they could get their
| message out (fakes or actual stolen information--it hardly
| mattered, all it needed to do was neutralize certain people
| for a few days). The story contrived to have a secret project
| that was able to try to resist it after that (spoiler: didn't
| help) but otherwise the social media botnets were enough for
| it to buy several days in which no-one was able to
| effectively work against it.
| tablespoon wrote:
| > You could probably grow a farm of deep fakes on some social
| media site, talking to each other about peculiar niche things
| using language models, and once that farm is big enough use
| it to shift opinions/attack. It's scary how small groups of
| people, or even an individual could do that.
|
| Wouldn't that be fairly easy to detect because the accounts
| would belong to an isolated, tightly-connected cluster?
| quantified wrote:
| State actors can design societies with lots of different
| clusters. It's all in the simulator you design. And a large
| actor could easily require that its humans engage with
| members of this society to connect them with humanity.
| [deleted]
| Magi604 wrote:
| I know there is a growing movement of people who are doubling up
| on remote jobs, trying to work two of them (or more!) at the same
| time to hack the income game. Surely some of these people are
| using deepfakes to help avoid detection that they are doing those
| things.
| datavirtue wrote:
| "there is a growing movement of people who are doubling up on
| remote jobs"
|
| Citation needed
| dc-programmer wrote:
| r/overemployed
|
| However I think a substantial number of posts are creative
| writing exercises
| heavyset_go wrote:
| It's WallStreetBets-esque. Not sure if it's reached the
| stage where most of the people on that subreddit are taking
| ironic advice unironically like we saw with WSB.
| paraph1n wrote:
| Actually, a citation is hardly needed here.
|
| 1. People want more money.
|
| 2. Remote jobs are becoming much more common as of late.
|
| 3. It is (much) easier to double up on remote jobs than non-
| remote jobs.
|
| 4. Doubling up on remote jobs results in more money.
|
| 5. Therefore, there is a growing movement of people who are
| doubling up on remote jobs. QED.
|
| I mean, it's pretty unlikely that this argument doesn't hold.
| I feel like you'd need a citation to counter it.
| cj wrote:
| This happened to me, twice, and my company is < 20 people. Of
| those 20, 2 had multiple jobs. We hired a guy who found us on
| HN Who's Hiring who turned out to be working 3 (THREE!!) full
| time jobs, each paying $140k+.
|
| He quit when I started putting deadlines on work when he
| started falling behind. I got suspicious, reached out to his
| prior company's CEO to ask if he was still employed, and turns
| out he was! Then came the discovery of the 3rd company...
|
| For hiring managers out there: make sure candidates have a
| linkedin profile that lists your current company as their
| current place of employment (both employees with 2+ jobs had
| their LinkedIn hidden for obvious reasons), and always run
| background checks that include employment verification screens.
| dontbenebby wrote:
| What industry? Over in infosec, they seem to just do courtesy
| interviews to suss out if I did some ecrime the feds are
| sniffing about, find out they were incorrect, then not even
| have the common courtesy to drop the act and offer to pay me as
| a consultant rather than treat job interviews as fishing
| expeditions.
| mwint wrote:
| I'm having a hard time parsing this comment, can you expand
| on who's doing what?
| dontbenebby wrote:
| Oh, I'd have someone connect me with say, an interview with
| the Software Engineering Institute or RAND. They'd have me
| speak to between six and twenty people about say, how I
| would work to secure CERT's vulnerability stockpile.
|
| Then they'd refuse to hire me, refuse to address the issues
| I discussed, and then sometimes one of the interviewers
| would pass that information to the Russians or Chinese
| leading to a massive break ala OPM or Solarwinds even after
| Senator Wyden sent Chris Soghoian or someone of similar
| skill adjacent to the Omnidynar group to go ask some hard
| questions.
|
| In parallel, folks with non-US passports would obstruct any
| applications I made in private industry in favor of those
| with their same passport.
|
| It was all super frustrating, since my CV had the
| appearance of someone with a deep commitment to nonprofit
| work, when it often more than I made decisions like "Being
| a PhD student pays slightly better than a Papa John's
| employee and I'll eventually find something more permanent
| doing the latter".
|
| Lately, looking back, I wonder if I'd have been better off
| saving up then moving to Thailand like one of my old
| drinking buddies did. (I don't drink alcohol anymore, and
| I'm spending the afternoon reading HN as I work on some
| technical projects I'll probably never put online, since it
| seems no amount of code publication leads me to a fair
| interview -- all it does is give tools for others to use in
| their "work")
|
| Happy to reply again if the above is unclear -- I made sure
| to not use a nym that doesn't include my legal name, for
| privacy -- I could have been _much_ more detailed :-)
| ForHackernews wrote:
| > Happy to reply again if the above is unclear
|
| ...
|
| > Then they'd refuse to hire me, refuse to address the
| issues I discussed, and then sometimes one of the
| interviewers would pass that information to the Russians
| or Chinese leading to a massive break ala OPM or
| Solarwinds even after Senator Wyden sent Chris Soghoian
| or someone of similar skill adjacent to the Omnidynar
| group to go ask some hard questions.
|
| This paragraph is exceedingly unclear and may hint at the
| reasons why you are struggling to get hired. This reads
| as some mix of narcissistic personality disorder /
| conspiratorial thinking. You write like a native (or
| near-native) English speaker, but your composition is all
| over the place.
|
| I don't mean this unkindly, but have you ever spoken with
| a mental health professional? Many technical folks are
| neuroatypical and this can sometimes be a barrier to
| traditional stable employment.
| bsder wrote:
| > This paragraph is exceedingly unclear
|
| That's putting it mildly.
|
| Based on the writing, my best career advice to this
| person would be to take a community college English
| composition class and/or join the local Toastmasters.
|
| Extra time spent working on communication skills almost
| always pays off more than extra time spent on technical
| skills.
| jstarfish wrote:
| I get the impression they are being deliberately obtuse,
| but that's not uncommon in this field (to be fair, so is
| schizophrenia/NPD).
|
| This individual claims to be somehow involved in two
| high-profile national security incidents. It's not beyond
| plausibility that they are being exploited for
| information by companies who don't want to be seen
| associating with them. Snowden would receive the same
| treatment.
| ForHackernews wrote:
| > This individual claims to be somehow involved in two
| high-profile national security incidents. It's not beyond
| plausibility...
|
| Hacker news does attract some singular individuals from
| time to time, but I would suggest the _more_ plausible
| scenario is that this person has untreated mental health
| issues.
| z3t4 wrote:
| Some jobs seem to only want you around for your
| experience/expertise, like baby-sitting and preventing fires.
| You could theoretically make everything so stable that when
| something fails a secondary system kicks in, and all you do is
| to debug when that happens and make it even more stable. Just
| make sure you have an excuse to not work on site or they will
| keep you busy with meetings, admin, and reports. But one day
| there will be the perfect storm and all systems on your 15
| different full time jobs will go down. You could always call in
| sick that day, but then they would hire more ppl like you.
| PragmaticPulp wrote:
| The deepfakes and stolen PII discussed in the article are for
| identity theft: The candidate steals the identity of someone
| with an impressive LinkedIn background and then presumably
| hopes that the company takes their background at face value and
| doesn't ask too many hard questions in the interview. The
| company then completes reference and background checks on the
| victim. They might also use this identity theft to qualify for
| jobs that aren't available in their location due to contractual
| and/or legal restrictions.
|
| The "overemployed" people generally aren't performing identity
| theft like this. Having multiple jobs ranges anywhere from
| legal to fraud depending on contracts they've signed or how
| they've misrepresented themselves (it's not uncommon to see
| suggestions to take multiple hourly jobs and then exaggerate
| the number of hours worked, for example). However, adding
| identity theft on top would elevate what they're doing to a
| major crime, which is not something that would help them.
| foobar2021 wrote:
| It's not legal for some people to hold multiple jobs because
| of visa restrictions. So that could be a motivation for the
| added risk.
| hnlmorg wrote:
| "remote" doesn't have to mean "foreign". It just means your
| daily "physical office" isn't company premises.
| ClumsyPilot wrote:
| that's too small a subset of people - you should be looking at
| it from the angle of 'what are criminal businesses doing at
| scale for profit'
| throw10920 wrote:
| This seems a little bit odd. Working exactly 40 hours a week is
| stressful enough - is it really worth it to double both your
| salary and your hours? I think I'd want at least 4x the salary
| in order to work 80-hour weeks - or is this practice mostly
| done by workaholics that _enjoy_ long hours?
| _trampeltier wrote:
| I wonder if there are cases, where workers just outsource some
| of the work to a guy in a cheaper country.
| hnlmorg wrote:
| There have been documented cases of that happening. One
| story I read, the employee only got found out because there
| was unusual VPN activity. Such as valid logins from
| (possibly?) Chinese IPs.
| cj wrote:
| I employed an Account Exec (sales person) last year who
| paid for virtual assistants (out of pocket) to do 50% of
| their daily work. I didn't find out about it until after we
| let him go due to performance issues. Apparently virtual
| assistants don't make great sales people.
|
| I've also employed an engineer with multiple jobs (3
| total). He's an active HN reader. I (sadly) wish they would
| have at least tried to outsource their work rather than not
| do the work at all and miss all their deadlines.
| roflyear wrote:
| The trick is to not double your hours. Idk if it works.
| strikelaserclaw wrote:
| If you work 3-4+ years in a big company, you would most
| likely have the social credibility and knowledge of the
| systems to get your work done in 15-20 hrs a week. So if you
| get a new job, maybe you work a solid 30 hrs for that
| company, 50 hrs a week is manageable.
| andreilys wrote:
| The trick is not working 40 hours :-)
| jdironman wrote:
| It's probably done by people who snag lower effort remote jobs
| and do the minimum viable to be considered "good enough".
| humanistbot wrote:
| If you want to buy a house in any major city in a G7 country,
| a single SWE salary isn't enough anymore.
| corrral wrote:
| I think the idea is you work two jobs that pay for 40 hours
| but only require 10-15 hours each, not to be noticeably worse
| than average.
| TrackerFF wrote:
| Lots and lots of "average" jobs have FAR less than 40 hours
| of actual work, but are still 100% positions. This obviously
| also depends on the individual doing the work - some work
| very efficiently, while others can be very slow.
|
| People then get the idea that they can juggle two jobs like
| that - but the trouble is usually not the work itself, but
| conflicting meetings and such.
| Kaze404 wrote:
| I used to think this was possible but simply out of what I
| consider acceptable. Some time ago I worked for a week while
| interviewing for a company that required candidates to do
| paid work for them, and it was the most miserable week of my
| life. I wouldn't do this for an extended amount of time for
| any amount of money. It's not worth it.
| PragmaticPulp wrote:
| The people who do this aren't interested in putting in full
| workweeks and delivering good work.
|
| Their goal is to find jobs and managers with low
| expectations, then sandbag as much as possible ("Gee, this
| task is harder than I thought. Going to take a couple weeks
| longer than we estimated!").
|
| Had a team member try this at an old company. We caught on
| quickly when they couldn't keep up with their workload and
| were constantly unavailable during the day. Really sucked for
| the rest of the team who had to pick up the slack this person
| created by pretending to work full time.
| harles wrote:
| I think this highlights one of the most important problems
| with people taking on multiple tech jobs: it's the fellow
| employees that suffer the most. Some lost money is a drop
| in a bucket for most big companies, but other people just
| trying to do well at a single job really pay the price.
| iwork3jobs wrote:
| There are companies where the level of expertise is so
| low, you look like a genius beside them. I did this, I
| worked several jobs in parallel. The pay was... not
| really amazing, about 8k/mo when I had 3 projects at the
| same time. And in most of the cases I was a main player
| in some important parts of the system. I think _some_
| people caught on. But I also think they didn't care that
| much because I solved their problems, unblocked their
| people and was always responsive, if push came to shove,
| I would put in the extra time to make the damn thing work
| and ship it.
| ClumsyPilot wrote:
| well if the work got done, and stuff shipped, then it
| does not look like anyone has the right to be angry.
|
| i personally tried to do two jobs (with full agreement
| from both sides) splitting my week half half. It was a
| real struggle, but it is possible.
| Nextgrid wrote:
| It's actually really hard if you approach this from a
| well-meaning perspective, because typically you'd still
| be selecting the jobs based on your normal (when having a
| single job) criteria.
|
| The key is to turn the thing upside down and seek out the
| jobs you'd normally reject - shifty companies with lower
| pay, bad tooling, tons of bureaucracy, etc - basically a
| place where no sane developer would willingly apply.
| Then, you'll be the smartest person in the room without
| having to do anything special and the extra bureaucracy
| can be either automated away or come in handy as an
| excuse when you fall behind, while the lower pay isn't
| really a problem if you have 4 of them running
| concurrently.
| ClumsyPilot wrote:
| then bureaucrats are a feature protecting you, not a bug
| ishjoh wrote:
| 8k/mo total or per project?
| iwork3jobs wrote:
| Total. Rates were... not great. They sucked, honestly, at
| least compared to what I hear on here on HN. Slightly
| over 45 Eur/h all project rates summed. Somewhere in
| Eastern Europe. That's great for someone who grew up and
| went through college on about 150 USD/month, so of course
| I felt like a king.
| kache_ wrote:
| Maybe don't have such low expectations that someone can
| moonlight your job for shits. Fire non performers fast.
| roflyear wrote:
| Companies take forever to fire people.
| moneywoes wrote:
| Why go through all that hassle of faking another person's ID?
| Another resume etc
| kevin_thibedeau wrote:
| Equifax will narc on you. Bow down before your data broker
| overlords.
| mardifoufs wrote:
| Hireright can also be nasty with the background checks, to
| the point of asking you to correct irrelevant minor typos
| (say, a space) in your credit file before validating your
| identity.
| walrus01 wrote:
| People outside the US/Canada who might not be otherwise
| eligible to be hired as a W2 or T4 equivalent employee.
|
| If you have a US resident's stolen PII and can somehow set up
| a bank account to receive ACH direct deposits, and are a good
| enough social engineer, you can possibly get hired under that
| name.
| lemoncookiechip wrote:
| This is both fascinating and a scary reminder of what the future
| has in store for us in a deepfake world.
| chrisco255 wrote:
| What's scary to me isn't the scammers using deep fakes to get
| jobs, but the mid managers dumb enough to fall for it.
| goatcode wrote:
| >mid managers dumb enough to fall for it
|
| There are a lot of dumb middle managers out there. In some
| cases, the position and the intelligence are co-dependent, I
| suspect. It's truly terrifying, if you think about it.
| FrenchDevRemote wrote:
| add non-optimal lighting and compression and you would fall
| for it too
|
| state of the art deepfakes are pretty much indistinguishable
| from reality
| chrisco255 wrote:
| I don't pay attention to lighting when I interview
| candidates for a technical position.
| FrenchDevRemote wrote:
| well exactly, you wouldn't notice the tricks used to make
| it completely indistinguishable from reality, you
| wouldn't notice the pitch perfect voice, you wouldn't
| notice anything if it's done by a professional
| workingon wrote:
| The point they are making is that if you're hiring a fake
| person for a job who can't do the job, some of the
| screening questions should've let you pick up on that.
| And if you don't you're at best a bad interviewer.
| throwaway2048 wrote:
| Who says they can't do the job? It would be easy for a
| tech-knowledgeable scammer to interview at 100 companies,
| collect 100 pay-cheques and then disappear.
| chrisco255 wrote:
| I think that's a more realistic possibility. That you
| have an actual software engineer with tech knowledge
| doing old fashioned social engineering and doesn't care
| how many times they get fired. But the AI in this case is
| just providing a fake profile pic. It's not that deep, as
| the commenters in this thread are suggesting.
| jstarfish wrote:
| Especially with people who speak broken English, this is
| easy to game though. Multiple people could be sitting
| behind a voice obfuscator and responding to questions as-
| needed. Inconsistencies are explained as nervousness.
| Video and voice desync can be handwaved away by poor
| connection.
|
| You dismiss people who fall for this as bad interviewers
| but I don't think you appreciate how sophisticated fraud
| has become-- with teleconferencing (anything internet-based,
| really), you never _truly_ know you're
| interacting with who you think you are. You may not find
| out until they've collected a few paychecks, made copies
| of all your IP and disappeared into the night.
| chrisco255 wrote:
| They are bad interviewers who should not be interviewing
| technical candidates if they fall for any such scheme,
| which is impractical and unrealistic in practice. I don't
| care about their broken english, I care about their
| technical competency. I'm sorry, but they aren't going to
| dupe me out of my expertise, unless they are actual
| software developers. But even an actual developer with
| the right experience could steal anything you give them
| access to. If you have concern about that, then you hire
| domestic and you require ID verification and you avoid
| contractors, so you know that you can at least prosecute
| them if they do.
|
| Any company who is hiring off the internet,
| internationally, on the basis of a deepfake and a resume
| and is granting them elevated access to client PII on day
| one deserves to be exploited and deserves to be sued by
| their clients.
| notahacker wrote:
| Sure, but we're not talking about professionals spending
| hours perfecting takes, we're talking about people
| supposedly manipulating their own voice - probably to
| represent a completely different accent - in real time
| whilst being interviewed by someone probably paying an
| unusual amount of attention to tone of voice, possible
| hesitation etc. If people have the skills to do that
| near-flawlessly for 30 minutes, they probably don't need
| to bid on random non-deepfake work using someone else's
| ID...
|
| Even if interviewers don't suspect deepfakes, the audio
| artefacts of deepfakes (odd intonation, mispronunciation
| and pauses) are going to sound suspiciously like someone
| who isn't very confident in their answers or is
| bullshitting. Much easier for poor English speakers just
| to draft in a person who speaks better English and maybe
| knows more about the actual work for the interview...
| 2OEH8eoCRo0 wrote:
| Everything you think you know about a person when remote
| hiring can be expressed as a series of bits. You aren't above
| falling for it either. This will become much more difficult
| to detect.
| chrisco255 wrote:
| A series of bits can be enormously complex, so you aren't
| saying much with that statement. You act as if checking the
| right bits off is some trivial thing for a sufficiently
| long chain of bits. Even guessing something as small as 16
| bits in a row correctly is non-trivial, but scale it up to
| 256 bits and you've got yourself state of the art security.
| I don't care how much AI you have. No AI or assembled team
| of scammers short of having an outright social engineer who
| is also a real software engineer is going to pull that off
| against a technical interviewer with critical thinking and
| interpersonal skills.
| Melting_Harps wrote:
| > This is both fascinating and a scary reminder of what the
| future has in store for us in a deepfake world.
|
| Social engineering has always been a thing, check out this
| Darknet Diaries podcast about the Lazarus hacking collective
| group (suspected to be N. Korean digital Army) and how they
| have try/tried to infiltrate their way into cryptocurrency based
| exchanges--and have succeeded in the past--using all kinds of
| methods including hijacking CVs from LinkedIn.
|
| The truth is that while the advent of deepfakes and even text
| to image AI/ML based tech has muddled the waters even more,
| it's always been a challenge to not encounter some level of
| difficulty when dealing with verification. Fraud is and will
| always remain a component in daily operations of any
| organization.
|
| We have a saying in the Bitcoin space that I think applies
| here: Do not trust, verify.
|
| And this is why I think people need to understand that the
| usecases for an immutable ledger can and will go beyond just a
| digital token (it's only the backbone), and these usecases (the
| limbs and appendages to continue with the body metaphor) will
| become more imperative in the 21st Century: you can manipulate
| all you want via social media and many have, but if verified
| sources with proper validation are stored on an immutable ledger
| with a cryptographic proof of work blockchain that is
| impossible to alter then you can essentially have the closest
| thing to verifiable truth Online.
|
| Jacob Appelbaum said it best when he said that to maintain
| security online you'll likely have to adopt 2 or more
| identities separate from each other to continue to have some
| level of assurance that your personas are not traceable to your
| real ID in a World where Doxxing became 'a thing' Online. I
| wonder what he has to say about the OPSEC/INFOSEC space now that
| we have the ability to mimic people Online so closely with very
| little resources.
|
| 0: https://darknetdiaries.com/episode/119/
| samstave wrote:
| Without DeepFakes: I know several people in tech in the bay area
| who locally interviewed for contracts, got the job, then
| outsourced all tasks to eastern-eu folks whom they hired as a sub
| and project managed them.
|
| Basically, hiring a consulting company masked as an individual.
| frereubu wrote:
| An amusing short story related to this problem from This American
| Life, where the employers allow themselves to be fooled for a
| while, even without deepfakes:
| https://www.thisamericanlife.org/770/my-lying-eyes/prologue-...
|
| Edit: and this technique is mentioned in one of the replies:
| https://twitter.com/staringispolite/status/15200939675592499...
| taylorfinley wrote:
| Relevant twitter thread from a hiring manager who had one of
| these interviews:
| https://twitter.com/jonwu_/status/1520072367069876224
| whimsicalism wrote:
| Seems like scant evidence to conclude that you were
| interviewing a North Korea hacker but I guess many on
| blockchain twitter are more credulous than I am.
|
| > The "Okay?" is a DEAD FUCKING GIVEAWAY this guy is Korean.
|
| ....right.
| superfrank wrote:
| I agree. The guy who posted that tweet even admits that he's
| jumping to conclusions.
|
| First tweet:
|
| > No bullshit I think I just interviewed a North Korean
| hacker.
|
| 21st tweet:
|
| > In reality, I have no idea if these even were North Korean
| hackers. Bobby could've been, well, just a really incompetent
| dude.
| notahacker wrote:
| An interviewee speaking quite formal English quite badly,
| punctuating sentences with question words and having an
| accent that _isn't_ Korean-American but sounds a bit like
| it, and interviewing somewhere with a lot of background noise
| because he apparently doesn't have an independent space to
| work in is actually pretty consistent with him being from
| Hong Kong like he said he was...
| mhh__ wrote:
| Well I can tell someone is Dutch based on their accent, it's
| not that far fetched.
| __derek__ wrote:
| The logical turn after "For better or worse, this is where I
| hang up, a little shaken." is really something else.
| deadbunny wrote:
| Doesn't sound like any of the techniques used in the article
| were used in that thread, no deep fake video, no deep faked
| voice. Just some Korean person (possibly) trying to gain access
| via remote working policies, and not very well by the sounds of
| it.
| 99_00 wrote:
| 1. Secure a bunch of low skill remote jobs.
|
| 2. Have low pay foreign workers work the jobs
|
| 3. Keep 50% of the salary, give worker 50% and run health insurance
| scams.
| mellavora wrote:
| 1) Secure a bunch of low skill remote jobs
|
| 2) automate git co-pilot
|
| 3) keep 100% of salary and run health insurance scams
___________________________________________________________________
(page generated 2022-06-28 23:00 UTC)