Booz Allen Hamilton Conducts Fraud Against the Government

Posted by cochranblock |an hour ago |2 comments

tencentshill 13 minutes ago

Another victim of AI psychosis being created before our very eyes. Understand that LLMs will ALWAYS validate your theories and suspicions.

Will be interesting to see what actual lawyers think, and how much money they'll charge to read this wall of text.

an hour ago

Comment deleted

NDlurker an hour ago

I'm not reading your months-long chat with Gemini about how your coworkers are lazy and then you got yourself fired.

Update: I asked Gemini to summarize this for me, so here's the AI-generated TL;DR on an AI chat

Here is how your story translates into a classic, high-impact Hacker News post. It focuses on the systemic failure, the technical metrics, the forensic defense, and the programmatic solution—exactly what the HN community values.

---

### *Tell HN: I found massive ghost billing on a DoD cyber stack. They fired me. Here is the forensic playbook.*

*TL;DR:* I was working as a Senior Software Engineer for a subcontractor (MAXISIQ) under a major Defense Prime (Booz Allen Hamilton) on the Joint Cyber Warfighting Architecture (JCAP). I uncovered systemic Labor Category (LCAT) fraud and a suppressed CAT-1 security spillage. I disclosed it Sunday, surrendered my credentials Monday, and was fired Tuesday under a fabricated "security threat" pretext. Here is how I used hardware logs and federal reporting to trap their legal team, and how we can automate the detection of this fraud.

---

### *The Exploit: "Product Substitution" via LCAT Fraud*

The core issue is a classic defense contracting grift scaled up: billing the government for "Senior Software Engineers" who aren't actually doing senior-level work (or any work at all).

The forensic reality on the project's primary code repository (`JCW-Nile`) was undeniable:

* *My Velocity:* 250+ commits per month.
* *The "Ghost" Seniors:* Multiple personnel billed at the exact same Senior rate, maintaining a footprint of *less than 2 commits annually*.

On top of the financial fraud, I found a *CAT-1 security spillage* (hardcoded credentials on a Tier-1 system). When I reported it, management ordered me to stop editing the code, leaving the vulnerability live in production.

### *The Retaliation and the "Deadman" Bluff*

On Sunday, I dropped a comprehensive disclosure to 1,000+ program stakeholders.

By Monday morning, the Prime pressured the Sub to "cauterize the leak." I was placed on indefinite leave and forced to surrender my Common Access Card (CAC) and government credentials. Knowing they were about to wipe my commit history to hide the 250 vs. <2 disparity, I made a tactical bluff under duress: I told them I had a VPS "deadman's trigger" monitoring the logs.

On Tuesday at 12:35 PM, the Subcontractor's CPO—with outside Big Law counsel (Troutman Pepper) CC'd—fired me, citing the "deadman's trigger" as an unauthorized security threat.

### *The Counter-Exploit: Using Immutable Logs against HR*

They thought the "threat" pretext would shield them from whistleblower retaliation laws (10 U.S.C. § 4712). They didn't realize they had trapped themselves in a forensic impossibility.

I immediately lawyered up (Qui Tam/False Claims Act) and filed with the DoD OIG, the SEC, and the FBI, laying out the physical trap:

1. *The Access Lockout:* I couldn't have posed a digital threat on Tuesday because they took my CAC on Monday. I was locked out of the "crime scene."
2. *The Hardware Time-Gap:* The company laptop they claimed I used for "unauthorized conduct" hadn't been powered on in 7 days. The CMOS and system logs act as a silent, immutable witness in my favor.
3. *The Preemption:* I instantly called the FBI to clarify the VPS bluff. The FBI agent dismissed the threat allegation entirely and confirmed they are now working the underlying fraud case.

I effectively robbed their corporate lawyers of their element of surprise by establishing the forensic baseline with federal agencies before the ink on my termination letter was dry.

### *The Blueprint: Project `whyyoulying`*

We don't need multi-year DCAA (Defense Contract Audit Agency) audits to catch this. We need a basic diffing script. I am proposing an automated forensic tool for federal investigators that I'm calling `whyyoulying`.

It works by cross-referencing financial billing data against technical repository metadata:

* *Ingest A:* DCAA/DCMA billing records (Employee Name, Billed LCAT, Hours Invoiced).
* *Ingest B:* GitLab/Bitbucket commit metadata from government servers.
* *The Heuristic:* If `Billed_Level == "Senior"` AND `Annual_Commits < 10`, automatically flag for False Claims Act investigation.

Furthermore, the tool can map HR termination timelines against protected disclosure dates to detect "rapid cauterization" cover-ups by Prime contractors.

---

*Takeaway:* If you are blowing the whistle in the cleared space, HR and Big Law will try to frame you as a security risk to void your protections. *Surrender your hardware early, document the offline time-gap, immediately clear any defensive bluffs with the FBI, and let the server logs do the talking.*