What types of fraud I have encountered in freelancing and outsourcing

I know that people love stories in which the author was deceived, or stories about what happened along the way as the author was starting out. So I hope you will find this interesting.

I came across the first type of fraud in 2000, when I received an order to fix a printer error. Having learned that the customer had Windows 95 installed, I took a standard set of floppy disks for system repair and restoration and drove out to the middle of nowhere, since it was a factory outside the city.
On arrival, I quickly completed the quest of the checkpoint, the janitor and the pass, and finally got into the director's office. He turned on an antediluvian-looking computer for me, on which proudly ran ... Windows 3.11!

I was completely dumbfounded, since we had been talking about Windows 95. And the set of floppy disks I had brought (which, by the way, did not even fit the form factor) was for Windows 95. I told the director so.

He replied that he did not understand anything about versions and might have confused something, and he handed me a box of eight distribution disks. I found the printer drivers there and reinstalled them, which of course did not help, so I suggested trying to install Windows 95, where this problem had probably been solved.

To which the director said that this was impossible: the machine was a 286, while Windows 95 requires a 386.

Hmm, is it not strange that a person who confuses versions knows so well about system requirements?

In the end, I left in the evening on the company bus, hungry: no shamanism had helped, they did not pay me anything, the canteen served only factory employees, and I had not taken any money with me, reasoning that there was no need since I was going to be paid anyway. (Yes, I was young and stupid then.)

There were many variations of this fraud, the most epic of which was the search for a system administrator who would install ISP Manager on a server. The highlight was that the server was a virtual machine on an IBM System S390. Moreover, all of this was carefully hidden: the output of /proc/cpuinfo was faked with a file mounted over it, and some utilities were replaced or simply deleted. Of course, an executable built for the i386 architecture will not run on an s390 system. Dude, if you are reading this now, write to me: why did you start all this?

The moral is simple: before you start work, spend some time auditing the environment to make sure that it matches the requirements stated by the customer.
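A sketch of such an audit for the faked-architecture case above, as an added example that is not part of the original post: it compares the ELF header of the software to be installed with that of a binary the host already runs, and checks whether /proc/cpuinfo has been mounted over. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names): check which CPU architecture a host really has.

# Print the architecture recorded in an ELF header (e_machine, 2 bytes at offset 18).
elf_machine() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = 7f454c46 ] || { echo not-elf; return 1; }
    endian=$(od -An -tu1 -j5 -N1 "$1" | tr -d ' \n')   # EI_DATA: 1 = little, 2 = big
    set -- $(od -An -tu1 -j18 -N2 "$1")
    [ $# -eq 2 ] || { echo truncated; return 1; }
    if [ "$endian" = 2 ]; then em=$(( $1 * 256 + $2 )); else em=$(( $2 * 256 + $1 )); fi
    case $em in
        3) echo i386 ;; 62) echo x86_64 ;; 22) echo s390 ;;
        40) echo arm ;; 183) echo aarch64 ;; *) echo "e_machine=$em" ;;
    esac
}

# Succeed if something is mounted over the given path.
# $2 is a file in /proc/self/mountinfo format, where field 5 is the mount point.
# Container tooling such as lxcfs also mounts over /proc/cpuinfo, so treat a hit
# as a reason to distrust the file, not as proof of bad faith.
is_overmounted() {
    awk -v p="$1" '$5 == p { hit = 1 } END { exit hit ? 0 : 1 }' "${2:-/proc/self/mountinfo}"
}

# Can the binary you were asked to install ($1) run natively where a binary the
# host already executes ($2) runs? The host binary must match the real CPU
# (or an emulator), so its header is harder to fake than /proc/cpuinfo.
arch_matches() {
    want=$(elf_machine "$1") || return 2
    have=$(elf_machine "$2") || return 2
    [ "$want" = "$have" ] || { [ "$want" = i386 ] && [ "$have" = x86_64 ]; }
}

audit_host() {   # $1 = a binary from the software the customer wants installed
    echo "uname -m reports:  $(uname -m)"
    echo "/bin/sh built for: $(elf_machine /bin/sh)"
    if is_overmounted /proc/cpuinfo; then
        echo "WARNING: /proc/cpuinfo is a mount, not the kernel's own file"
    fi
    arch_matches "$1" /bin/sh || echo "MISMATCH: $1 cannot run natively on this host"
}

if [ $# -gt 0 ]; then audit_host "$1"; fi
```

Run it on the customer's server with the path to one executable from the package as the only argument.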

The second type of fraud was until recently very popular on the Upwork freelance service. How things are there now, I don't know: these nerds blocked me, demanding a state-standard DevOps Engineer diploma (lol, what?).

Usually it is a small project with a small one-time payment, which can be done in a couple of hours at most. At the same time, the customer very persistently asks about your experience and the projects you have completed, which are completely irrelevant to this order, explaining that there are many contractors and he wants to choose the best one for himself.

Okay, the contractor is selected. The task itself is to update PHP, because yum does not work and throws an error (the rpm database broke, no big deal). So you log in over ssh and suddenly feel that something is wrong. Everything is somehow slow and lagging. You look at the system load, and it is 80% wa. And in the logs there are messages about problems with the disk. And you are like this:
- , , ! - . , rpm, yum php.
- ! . yum, php? .
- ? , , .
- ? , ( , , ?) . php.
- . - php, …
- , php , .

You update the PHP version simply by downloading the rpm packages and unpacking their contents onto the system, open the phpinfo page of his website in the browser and take a screenshot. And an hour later:
- , php !
- , ! !
- .
- ???
- . . . . php , - "". .
- ! !
- … .
- , !
- php .
- ! !!! !!!

However, the next day he returned and apologized for yesterday, saying that he had been so shocked by the news that his disk was dying. And he offered to pay extra for cloning the system. I insisted that first we settle up for the work already done, since his project was in fact completed. After half a day of reproaches and excuses, he finally closed the project as completed and sent the money.
- , , ?
- , . .
- , ? ! paypal ( , paypal).
- paypal ( ).
- ! , Western Union.
- - , .
- , , .
- IP-KVM .
- ! !
- ???
- - , $200/. !
- . , , IP-KVM?
- . .
- ?
- , ?
- . IP-KVM, .
- , !
- $200 , .
- !!!
- Uh, no. This is the amount the hoster will charge you for connecting IP-KVM, so you will lose this money in any case if you make an order to someone else. And in my case, this will be an additional incentive to do everything efficiently and quickly.
- That sounds logical. Ok, do it.

You put a recovery system into the former swap partition, reboot, mount the disks and run rsync, skipping all the corrupted files (there were a lot of them, but most turned out not to be critical).
- Everything is ready, the system works from a new disk, you can check.
- You are just a diamond!

Then he gives you a one-star review and writes nasty things. The exchange's administration does not care about you or your arguments.

The moral: if you meet a customer who, under the guise of one task, tries to slip in another (or others), explaining that ordering it directly would be more expensive, drop him. Otherwise it will turn out more expensive for you (I lost a bunch of potential orders because of that review, which was eventually removed, but too late).

The next variety of fraud was somewhat similar to the previous one, but with its own domestic nuances, so to speak. It thrived on one dump that claims to be a freelance exchange with safe deals.

It all started quite banally: the PHP version needed updating, because one of the sites required a major update without which some plugin would not work. I asked for confirmation in the chat that a global PHP update would affect all the sites, and that any site without support for the latest version would stop working.

I received confirmation, as well as payment via the safe deal (in fact, I received nothing; the money was held by the exchange).
- , .
- -, !
- , .
- , ! -!
- , - .
- -, - , !
- ?
- , . !
- - , - .
- ! - php, !
- ???
- php, ! !
- ???!!!
- , . , .
- , , ?
- , ! !!!

You give up on this insolent lunatic, write to support, realize that such inadequacy is the norm for the domestic freelance market, and close this horror forever.

The moral: do not go to garbage dumps; there is nothing interesting there anyway. While on foreign exchanges the fraudsters are people with acting talent, ours are sad, inadequate louts.

The next fraud is something worthy of respect. The customer has a very complex cloud project in AWS, for which there is effectively no documentation except a README.md in the root of the repository.

The file itself is incredibly long. Fragments of action sequences are laid out in it Tarantino-style, in lengthy sentences, and in such a way that you have to keep the whole huge file in your head:

To deploy the infrastructure, you first need to run a special script that generates a CloudFormation template, which is split into parts and uploaded to S3, after which the necessary infrastructure is created from it. Moreover, the script itself contains exactly one error in a very non-obvious place (people don't make mistakes like that, damn it!), the template it generates also contains an error, and that is far from all.

Because to deploy the application, you need to take another repository, create a million CI variables with values from the CloudFormation run, and start CI on that second repository.
It will create a CodeDeploy script that will not work, because there is an error, and you need to tear down the infrastructure and edit the CloudFormation template again.

And then, in yet another repository, you look at the CI script, which calls a Python script, which in fact contains only a shell command, which builds a Docker image that should contain the configs for the Puppet deployment, which you forgot to put there because this step is not mentioned anywhere. And it all ends with awsfabric, which is called somewhere in the middle of this chaos and takes its credentials not from the CI environment and not from the Docker image, but from a separate config that was created by the first script and is not mentioned anywhere at all.

Do you know what the best part is? The customer had 2 projects on this miracle platform, and the number of errors was the same in both, but they were in different places. Roughly speaking, in one template there was an incorrect RDS version that broke the entire flow, and in the other, CloudFront was attached to the wrong S3 bucket.

Of course, the customer claimed that there was hardly any work to do there, and that those who built it all do a deployment in literally two hours. And I readily believe it:

The very style of the errors and the documentation, as well as the anal-oral deployment, suggests that the developers built a whole complex system that generates an obfuscated version of the project, designed to make things as difficult as possible for an outsider. The documentation sections are shuffled, yet together they form a logically correct document with a million notes like "see section 2 above". The deployment is also divided into several parts; in two of them the mistakes are not fatal for the deployment itself but lead to an unworkable final result, and the last part is obfuscated by deep nesting and yet another split.

After that, if you do not know where the errors were planted and do not have the master script that automatically ties all three parts together, passing them tons of parameters, those two hours of work easily turn into two weeks, during which you can feel like a real IT goldsmith, and after which the customer will be thoroughly disappointed in your work.

The moral: if someone really wants to tie a customer to himself, then with a sufficient level of skill he will do it very easily. You just need to recognize it in time and say a firm no. Three days were enough for me.

And the last, most impudent and interesting type of fraud is IT-gaslighting.
Suppose you have deciphered the obfuscated scheme described above and managed to configure the deployment.

However, nothing happens after the pipeline. Everything went without errors, the result was successful - but nothing has changed. How is that?

Here's how: the runner itself, on which the CI/CD depends, is hosted by the developer of this entire project, which the customer never knew about.

And on this runner, at the very beginning of the job, there is a message that the container for the pipeline cannot be created because a container with the same name already exists, and that the existing one will be used. After that, everything runs without errors.

Of course, the problem is in the runner, yet the developer agrees to everything the customer passes on to him (kill the container, recreate the runner ...) but in fact does nothing.

If the customer is more or less reasonable, you can show him this by changing the deployment file so that it runs some extra command, for example an echo with the current date, and demonstrating that the modified script is not executed, since the script that actually runs lives in the container and only variables are passed into it.
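The demonstration described above can be made repeatable. The following is an added example, not part of the original post, with hypothetical function names: it generates a one-off canary line for the deployment script and then judges a saved job log. The wording matched for the container-reuse message is an assumption, since the runner's exact text is not quoted here.

```shell
#!/bin/sh
# Added example (hypothetical helper names): prove whether an edited deployment script really ran.

# One-off token, so output from an older run cannot be mistaken for this one.
new_token() { printf 'canary-%s-%s\n' "$(date -u +%Y%m%dT%H%M%SZ)" "$$"; }

# The line to append to the deployment script in the repository before pushing.
canary_line() { printf 'echo "%s ran at $(date -u +%%FT%%TZ)"\n' "$1"; }

# $1 = job log saved from the CI web interface, $2 = token.
# Only an expanded date counts: a log line that merely echoes the command text
# still contains the literal "$(date", which shows nothing was executed.
judge_job_log() {
    if grep -qE -- "$2 ran at [0-9]{4}-[0-9]{2}-[0-9]{2}T" "$1"; then
        echo "FRESH: the edited script was executed"; return 0
    fi
    # Assumed wording: the runner's exact message is not quoted in the text above.
    if grep -qiE 'container .*already (exists|in use)' "$1"; then
        echo "STALE: token missing and the runner reused an existing container"; return 2
    fi
    echo "STALE: token missing, some other script was executed"; return 1
}
```

A job that finishes successfully while `judge_job_log` reports STALE is the evidence to show the customer: the pipeline succeeded without running the script that is in the repository.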

However, even then you will not be able to do much. If you create your own runner, then ... that's right, it will not run the deployments of all the customer's old projects. The developer will naturally not give access to his runner, but will simply toss over some documentation that is completely different from what is actually installed on the runner: for example, in the documentation the base image may be an AWS AMI, while in reality some custom Alpine Linux is used and the script calls apk instead of yum, and so on.

And even if the customer agrees that the developer is to blame for everything, he will not be able to drop him. There is no access to the runner, and what is actually used there is unknown, since you cannot even execute commands on it. Building your own by trial and error takes a lot of time, and the customer, as usual, needed it yesterday.

And if the customer is the most ordinary kind, then you will be the one to blame, and he will not believe any arguments.

The moral: if you think everything should work but it doesn't, it may be that you are not the one to blame, and that this is exactly what the creator of the system intended.

Perhaps you have also encountered similar scammers, or fallen victim to a fundamentally new approach from a customer-scammer that differs from the banal "promised, did not pay"? Write in the comments! I read them with pleasure and often answer them.

Source: https://habr.com/ru/post/undefined/

