The Entrepreneur Forum | Startups | Entrepreneurship | Starting a Business | Motivation | Success

Watch for this fraud on Upwork

Rabby

I wanted to document something we discovered recently. You probably already know that if you post a job on Upwork for software developers, you'll get plenty of bozo applications. However, there are also some honest-to-goodness frauds, and they tend to follow two patterns.

Here's what they do.

1. They link to their GitHub, where you'll find that they've been working on some project for years. You read the code and, maybe, you think, wow, this is really sophisticated. You look at the commit history, and see that they are the lead developer. Maybe they're the only developer. Wow! "A" player! What a catch! But wait. Unfortunately what you are looking at is someone else's work, and they are attempting to take credit for it by rewriting the commit history (so that you see <bozo> as the author of each iteration of code, rather than the real author). I don't know what they do if you hire them... probably thrash around and make excuses while billing you, until you fire them. And maybe steal your code if you give them access to your project.

2. They run a script that creates thousands of fake files, one for almost every day of the year, for a period of years. The script checks these into git, back-dating them... the whole thing happens in seconds. The project is then uploaded to GitHub, which honors the fake dates, and it looks like the person has been regularly contributing code for years.

I know people have different levels of sophistication regarding software development. If you're an experienced programmer, this probably would not fool you... at least not if you spent 10 minutes or so looking through the repositories and evaluating code (eg: you would wonder why there was such a large project, yet it had not been starred or forked). Someone who knows "just enough" could easily be fooled. I think these people are preying on small business owners who don't know any better, and probably also corporate outsourcing recruiters who have been told what to look for (such as regular commits, lines of code, etc). I just thought it was worth mentioning here, and I hope it will help someone avoid being defrauded.
 


Einfamilienhaus

I would like to understand how I can separate the fake ones from the good ones.

Are there any tools I can use? Or on what should I pay attention exactly?
 

ApparentHorizon

Great catch!

I've been hiring developers there for the past 3 years. Few bad apples, but got it down to a process now.

Most important of which, is creating my own test questions, related to the project at hand.

One of my lowest requirements is a resume/portfolio. Which is only factored in between the remaining applicants.
 

dkostadinov01

> I would like to understand how I can separate the fake ones from the good ones.
>
> Are there any tools I can use? Or on what should I pay attention exactly?

They would have been a student at a Computer Science college and have a history of geek stuff... It's typically the self-taught who have missed logic development exercises (which are not easy at all, it took me 2 years) and have to rely on this stuff.
 
Rabby

> I would like to understand how I can separate the fake ones from the good ones.
>
> Are there any tools I can use? Or on what should I pay attention exactly?

There are a few things that will help. Sometimes, the readme or some other part of a plagiarized repo will have a reference to the original project, which you can then look up. Often, the original has been starred and forked a lot, while the fake never has (although, I think the fakers will adapt this eventually... they'll just create fake GitHub accounts to star and fork their plagiarized repos).

The starring and forking, for now, is a hint. If someone appears to have been working on a project for years, and it is quite large and sophisticated, it's a little mysterious for them to be the only one working on it. Not that it's impossible, but you might look into why.

If they are just faking git commits, they'll have lots of small changes to files - like changing one number in a file. Often, at the end of all the changes, the changed files will be deleted, leaving a relatively small, clean repo. In actual practice, nobody would do this... would you add a few numbers to a file in your code every day and then delete it after doing that for a few years? Of course not. They're counting on you just looking at the amount of activity, and maybe reading some of the code, but not noticing that the activity was faked.

For code that has been packaged via Ruby Gems, NPM packages, Lua rocks, etc., you can probably find the real package, which will correctly attribute the real author. If you then go look at the real project's GitHub, you'll see all the same git commits, but made by other people (the real authors). Look back at the plagiarizer's account, and you'll see those commits all rewritten to make it look like they did the work.

I think Mr. G is going to start a white paper on the topic, and we'll work on it together to show the frauds that are being perpetrated, how they do it, some ways to detect it, etc. I'll post here when that's done (assuming we do it... let me know if you would want to read it). Mr. G was quite peeved... being a long time developer and open source contributor, he would like to see the plagiarizers go down in flames.
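
The hints from the post above, turned into a check you can run over a clone of a candidate's repository. This is an added example, not part of the original thread; the sample log is constructed, and the committer-date comparison is an assumption that only helps when the back-dating script set the author date alone.

```python
import re
from collections import Counter

# Constructed sample, in the shape printed inside a repo by (blank lines omitted):
#   git log --reverse --numstat --summary --format='@%H|%at|%ct|%an'
SAMPLE_LOG = """\
@a1|1483272000|1700000000|Candidate X
1\t0\tnotes/counter.txt
 create mode 100644 notes/counter.txt
@a2|1514808000|1700000001|Candidate X
1\t1\tnotes/counter.txt
@a3|1546344000|1700000002|Candidate X
1\t1\tnotes/counter.txt
@a4|1577880000|1700000003|Candidate X
40\t0\tREADME.md
0\t1\tnotes/counter.txt
 delete mode 100644 notes/counter.txt
"""

def parse_log(text):
    """Return one dict per commit: dates, (path, lines changed) rows, deleted paths."""
    commits = []
    for line in text.splitlines():
        if line.startswith("@"):
            sha, at, ct, _author = line[1:].split("|", 3)
            commits.append({"sha": sha, "at": int(at), "ct": int(ct), "stat": [], "deleted": []})
        elif m := re.match(r"(\d+|-)\t(\d+|-)\t(.+)", line):
            add, rem, path = m.groups()
            # "-" marks a binary file; treat it as a large change
            size = 10**6 if "-" in (add, rem) else int(add) + int(rem)
            commits[-1]["stat"].append((path, size))
        elif m := re.match(r" delete mode \d+ (.+)", line):
            commits[-1]["deleted"].append(m.group(1))
    return commits

def assess(commits, tiny=2):
    """Summarise the hints; they are prompts for a manual look, not proof."""
    hits, deleted = Counter(), set()   # hits: path -> commits that only nudged it
    for c in commits:
        if len(c["stat"]) == 1 and c["stat"][0][1] <= tiny:
            hits[c["stat"][0][0]] += 1
        deleted.update(c["deleted"])
    at, ct = [c["at"] for c in commits], [c["ct"] for c in commits]
    return {
        "tiny_ratio": sum(hits.values()) / len(commits),
        "churned_then_deleted": sorted(p for p, n in hits.items() if n >= 2 and p in deleted),
        "author_span_days": (max(at) - min(at)) // 86400,
        "committer_span_seconds": max(ct) - min(ct),
    }
```

A high `tiny_ratio`, files that were nudged repeatedly and then deleted, and years of author dates squeezed into a few seconds of committer dates are each a reason to read the history by hand. Rebased or imported histories can also show a gap between the two dates.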
 

Einfamilienhaus

> I think Mr. G is going to start a white paper on the topic, and we'll work on it together to show the frauds that are being perpetrated, how they do it, some ways to detect it, etc. I'll post here when that's done (assuming we do it... let me know if you would want to read it). Mr. G was quite peeved... being a long time developer and open source contributor, he would like to see the plagiarizers go down in flames.

Please share it! Would be great! Since I had a bad experience with one of the "Developers", I'm more careful about who I'm working with. And I need to learn how I can identify the fake ones.
 
