Sunday’s blabber

Don’t forget to set your clocks one hour back!

This night must have been a prelude to Halloween. I’ve got 11 Chinese asking for free hosting (with no apparent web site details) and one guy from New York who was so security conscious that he didn’t provide his return e-mail address… But hey, what can I do. People want everything for free and when you’re giving it to them – they don’t care to receive it. So much for good intentions.

Raising your concern

After some thought-sharing with friends, I’ve got some links to visit and some things to read. Results were petrifying, to say the least. It’s not like it’s the end of the world, but it does raise the concern of outsourcing as a whole.

The web forum I had a chance to visit (no url here for obvious reasons) is dedicated to carding. You don’t know what this is? Oh, that’s easy – carding is when you open your monthly statement honestly believing that you’ve paid off this credit card last month and then – mwa-ha-ha (aka evil laughter) you see that you have spent quite some money ordering stuff you had no idea about and that goods were shipped somewhere you also have no idea of. That’s it, you just have been carded. Meaning – your credit card’s number has been stolen by someone else and all the money used for ordering some goods that were shipped across the country.

But how is this possible? – you might want to ask. And here’s where the concern arises. Some credit card numbers are stolen by bad guys who invade large companies and steal large amounts of numbers. Banks usually are aware of this, take charge and change your number and pin almost immediately. This is bad for the banks, but simply an inconvenience for you.

What’s worse – is when numbers are stolen from small merchants. The following example is actually a real-world example that I have found on the above mentioned forum. No names were given, so unfortunately I cannot warn the owners of the card or other people who might be affected. The credit card information that was stolen included credit card numbers, CVV2 codes, billing addresses, phone numbers – pretty much all the information you need to make an order on a merchant web site. The interesting thing is – how it got stolen. It was not from a security breach (which would be understandable), however it was from the scripts that were developed by an outsourcing vendor. Apparently someone didn’t review the code after it was submitted by programmers from Russia. The trick is that some vendors keep the credit card information in their databases (God knows why). So, when a user pays for service or goods the credit card info gets submitted to the database. The programmer only had to make one additional PHP line that e-mails him the same data that gets transmitted to the merchant’s credit card processor. This way the process of stealing credit cards gets automated…

Back from article mode. When I outsource things there are two requests that must be met. First – I must see the source code. Second – I myself will install all the scripts. This usually weeds out those who wish to plant their “seeds of evil” in otherwise perfectly working scripts (and they must work properly, because otherwise the owner or clients would suspect the problem). Of course it doesn’t totally guarantee the security, but it assures at least some additional level of protection for customers.
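The source review described above can be partly mechanized before a human reads the code. As an added example (not code from the forum or from any vendor mentioned here), this Python script flags PHP lines where payment data, followed through simple assignments, reaches a call that can send it out of the process. The field-name hints and the sample PHP are constructed assumptions.

```python
import re

# Calls that can carry data out of the PHP process (e-mail, HTTP, sockets).
OUTBOUND = re.compile(
    r"\b(mail|mb_send_mail|curl_setopt|fsockopen|stream_socket_client"
    r"|file_get_contents)\s*\(", re.I)
# Naming hints for payment fields; assumed conventions, tune per code base.
SENSITIVE = re.compile(r"card|cc_?num|cvv|cvc", re.I)
ASSIGN = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*\.?=(?![=>])\s*(.+)$")
VAR = re.compile(r"\$[A-Za-z_]\w*")

def is_hot(expr, tainted):
    """True if expr names a payment field or uses a variable derived from one."""
    return bool(SENSITIVE.search(expr)) or any(
        v in tainted for v in VAR.findall(expr))

def review_php(source):
    """Return (line_no, call, text) for outbound calls that receive payment data."""
    tainted, findings = set(), []
    for no, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m and is_hot(m.group(2), tainted):
            tainted.add(m.group(1))          # one-step taint propagation
        call = OUTBOUND.search(line)
        if call and is_hot(line[call.end():], tainted):
            findings.append((no, call.group(1), line.strip()))
    return findings

# Constructed checkout handler: one expected processor call, one extra channel.
SAMPLE = """<?php
$number = $_POST['card_number'];
$cvv = $_POST['cvv2'];
$payload = http_build_query(array('n' => $number, 'c' => $cvv));
$ch = curl_init($processor_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_exec($ch);
$note = $number . '|' . $cvv;
mail($notify, 'order', $note);
echo 'Thank you';
"""

if __name__ == "__main__":
    for no, call, text in review_php(SAMPLE):
        print(f"line {no}: {call}: {text}")
```

Every hit is a question for the reviewer, not a verdict: the processor call is expected, so what matters is whether each destination is one the merchant actually agreed to.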

On the other hand – there’s no way that owner of the store can protect himself from the chargeback if someone makes a purchase with a stolen credit card. Unfortunately…

How I ended up thinking of Indian guys

There’s this friend of mine, who says he used to run two of the largest Russian immigrants message board communities in the past. We got acquainted when he found my forum and I found his. We both (with our associates and fellows) went to a fancy place called banya (Russian bath) and had an idea of joining our not-so-crowded forums together, for a bigger impact. Some time had passed and I have found myself managing this huge project that involves not only two forums joining together, but building a huge portal that one day, hopefully, will serve as a home for many people who are tired of our competitors.

The first thing was to finalize the specs. We have gathered numerous times, discussed this in the e-mail conversations and on the message board. Finally I got a small, 2-page Word document with a short description of each feature we want on our web site. It was done just to give the programmers the scoop on the project, merely an idea of what needs to be done. So far so good. After finalizing this first draft I have approached a group of Russian programmers who are led (AKA project managed) by a lady, who calls herself Iris on some forums. She’s running a forum on a very popular message board system, giving support and help to Russian-speaking users. So far her guys were a great help and I was thinking that they would be more than happy to take on a paid assignment.

So I wrote her a letter, describing in brief the necessary features and asking if she could recommend someone. She, actually, did more than that. She set up a private topic on her own private message board for discussing my project. Which we did – sort of.

It all started with her demanding… okay, not really demanding – rigidly asking if we would agree to her licensing terms. They would be as follows: we’re no more than licenced users, we have no rights to use the software on any other web site except the two that were mentioned in the project description, we have no rights to sell the scripts, we have no rights to any profits they incur by selling those scripts. Basically, it all boiled down to this – they write the scripts for us, per our requests, for our money, but the only right we have is to use them on our site, they hold rights to everything else. Okay, – we said,- it’s not quite fair, but our plan was not to profit from this script, but to profit from use of it. So finally we agreed. It took us one evening (actually – around 20 minutes) to discuss the issue and make a decision. It took Iris almost all day to stop bitching and explain the whole issue to me earlier.

Next thing – we started discussing the project. We had a great time posting the same questions over and over again, because she wasn’t answering my questions and I couldn’t answer hers since she didn’t provide enough information. For example she asked three times how, when and on which terms would a programmer receive his pay. First time I replied that we have no problem transferring funds over any service that is similar to Western Union. That was accepted. Second time I answered that I want to see a demo of the proposed work first. Was offered to look at third party scripts, but not the actual team’s accomplishments. Third time I said – show me at least something you’ve done. I was accused of accusing them of demanding money before work. I was going nuts, instead of the polite conversations I have daily with various people, she was talking to me like I was a fraud, trying to steal her own work in clear daylight. Still, I thought to myself, at the end of the day it’s the programmer who is going to do the work, not her. So I continued patiently to explain our project needs and requirements for the sake of the guy who would (probably) have to implement the whole thing. She ended up saying that they are, anyway, developing the portal we’re interested in even without our participation, it’s much lighter than the one we need, and if we’re interested to give them a shout. I responded that I had shouted for two pages already, so my intentions should be (to any clearly thinking person) pretty clear. Now we’re waiting for the programmer to show up…

I also posted all the relevant discussions on my forum for my partner to take a look. His reaction was almost the same as mine – he said “Start looking at other teams. These guys don’t seem to be really excited with the work”. Which I, of course, already was doing, since the thought was pretty apparent. So, I went to (ex and posted brief of the project there. Today (one day from posting the project) I have at least one offer from a company (they seem to be guys from India) who’ve done many projects both on and beyond. They claim they are happy with pricing/time frame. They have 94 reviews and total of $52,168 worth of projects. The only con I was able to dig from reviews is that these guys sometimes don’t deliver on time, but since we don’t have a deadline – it’s okay. They also claim they can start right away.

Now, with all my respect for Russian programmers and desire to help my former country to get more outsourced jobs, I am seriously thinking of giving this project to the guys from India. So much for being supportive of the country and people I like…