Oh, I have an even better one for all of you along similar lines. Dug it out of Wayback Machine. Company thought it was one of those "advanced persistent threat" malware from super-hackers in China. Nope. The enterprise just hired someone who was as enterprising as them. :) https://web.archive.org/web/20130320154454/http://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/ Led me to create a security scheme for pulling off the same thing without detection. Depends on circumstances, of course. Posted it on Schneier blog with the rest of my essays. I still wonder if I was first to do a security scheme or protocol for self-outsourcing. Fun thought experiment if nothing else. http://www.schneier.com/blog/archives/2013/01/friday_squid_bl_360.html#c1102977
...and that's why it's a bad idea to separate QA from your dev team. In the long run, everyone would've been happier if his role on the dev team had been to automate the tests and then continue to work on more interesting things. If he and his company had taken that route, he'd be a very well-qualified and well-paid senior engineer right now.