Security Newsletter – November 2012

* Passwords are dead? I don’t think so. The main cause for the Wired author hack is the lack of clear security policies for the customer support personnel. Obviously, there is a tradeoff between customer experience and security. Support teams are rewarded for providing better customer experience. Thus, security is an after-thought at best:

http://bit.ly/ZPrw25

* And another usability vs. security tradeoff problem – a big issue with the password reset page at Skype that allowed hackers to take control of any account. Very good response from the company: take down the page first, then investigate.

http://tnw.co/TEGXqH

* I would have thought that NASA had taken care of encrypting sensitive information on employees’ laptops a long time ago. Apparently it didn’t until now.

http://bbc.in/TLkTu7

* And another “I would have thought” one. Adobe got hacked through an SQL injection, and the passwords were hashed with MD5 (no random per-user salt either, I guess). It is the second hack in less than a month; time to fire someone?

http://bit.ly/ZvHVtq

* If you don’t want to get a pat-down from the TSA, then you can simply change a number, generate a new bar code, and print a new boarding pass:

http://bit.ly/UgLKBT

* The core PS3 encryption key finally leaked. It was just a matter of time, and I am surprised it lasted that long:

http://bit.ly/R0Lh0G

* Oops… Don’t post passwords on the wall. Really.

http://bit.ly/Saj2AT

* Oops… Don’t dump sensitive documents on the street (even after you shred them):

http://bit.ly/YhGdwO

* Oops… Apple lost an iPhone 4S in an SF bar. Google lost a Nexus 4 in an SF bar. I think I see the pattern here. I can predict the future news story title: “Microsoft lost Windows phone in an SF bar”, but I doubt anyone would care:

http://bit.ly/RSZPRS

P.S. Thanks to everyone for sending the news stories!

Security Newsletter – October 2012

* How does the NSA secure the President’s iPad? It reminds me of the old joke that the only way to secure a computer is to remove the network card, USB jacks, keyboard and monitor, then lock it in a safe and destroy the keys to the safe:

http://bit.ly/Ood1en

* A fascinating story about a CIA agent who broke into foreign embassies to steal codes:

http://bit.ly/SCdP0q

* If you have your phone number on your Facebook profile, then it is public and anyone can grab it:

http://tnw.co/VQRDpQ

* The best way to force people to think about security is to get them to pay for not having it. Manchester Police were fined for storing unencrypted private data:

http://bit.ly/RxrNlp

* Sounds like there is a potential large-scale attack on US online banking in the works. Time to set up 2-factor authentication on your online bank account:

http://bit.ly/R31ymm

* NIST selected a new hashing algorithm, SHA-3. It is not clear why they rushed it, since there are no known attacks or weaknesses in SHA-2. The new algorithm is *very* different from the old ones, though:

http://bit.ly/RxrNlp

* NY master keys are available for sale on eBay:

http://huff.to/V78y7c

* You might have heard about quantum cryptography. A good article on the subject if you want to learn what is actually behind the buzzword:

http://bit.ly/QwU5w3

* Next time you go to a hospital, you should ask your doctor if she has antivirus on that fancy piece of medical equipment she plans to use on you:

http://bit.ly/Wl7D3E

* And another frightening piece of news about medicine – an attack on a pacemaker using a “secret” function:

http://bit.ly/Tu6Mra

How To Fail My Interview

It is very easy to fail my technical interview. Still, if you need some tips on how to do it fast and easily, please read on.

1) “I was responsible for …”

This is a phrase I often see in technical resumes. And it means a lot to me, because I value ownership and responsibility in the team. However, if you put this phrase in your resume, then please be prepared to answer not only “what?” questions about the project but also “why?”. And please don’t answer with “I don’t know why we did it this way, I was not making this decision, the architect/team lead/some other random guy did”. It is perfectly normal to have someone else make some decisions on your project: either because the decision was made before your time, or because the level or scope of the decision is above or below your pay grade, or because of the way things are set up inside your company. However, I strongly believe that a true owner of a project/product/system/subsystem should very clearly understand and agree with every decision made in his/her area of responsibility. If you don’t understand why things are done the way they are done and just follow the directions, then you are probably not qualified to make other decisions in this area at all. And you are definitely not responsible for your project; the other guy who makes and understands the decisions is. Worse, it also shows me that the candidate doesn’t know his/her limits or doesn’t understand the limits at all. Thanks, I’ll pass.

2) “I rate my experience in X 10 out of 10”

During the interview, I try to ask questions that match the candidate’s overall experience as well as his/her experience in a particular technology. I want to ask you a question that will challenge you. Thus, a candidate with 10/10 knowledge of PHP will get a question I would ask Rasmus, and a candidate with a 10/10 rating for MySQL will get a question I saved for Monty. The bar will be set high, and very few candidates are able to meet it. The more important part is that I actually do not expect every web developer I hire to be 10/10 in PHP, MySQL, and every other technology we use. There are always things to learn. And there is always Google to find details and more information when needed. The 10/10 candidate who failed the question is just a sign of an “inflated” resume. Thanks, I’ll pass.

3) “I have experience with A, B, C, D, E, F, …, X, Y, Z. And many other related things.”

For any technology I define a “minimum equipment list” that anyone with even a basic exposure to this technology should know and understand. This is indeed a “minimum” list: for Java you need to know about garbage collection; for SQL databases, about joins and transactions; you get the idea. If you have a technology listed on your resume, then I feel it is fair game to ask questions about these basic things. And if a candidate has no clue what I am asking about, then the only logical conclusion for me is that the resume has been “inflated”. Thanks, I’ll pass.

4) “I know you use technology X but I think you should actually use technology Y”

As an engineer you should understand that there is no silver bullet technology that works everywhere and all the time. Each technology choice is a tradeoff. One solution gives you one set of pluses and minuses, and another solution gives you another set. To make a decision, you have to compare the pluses and minuses of each solution against your priorities and objectives, and then find the one that works best for you. It is great to be passionate about technology, but I don’t believe that after minutes or even hours of interview, a candidate knows and understands the tradeoffs behind the technology choices made by myself, my team and my company over the years. Thus, such a candidate just shows his or her lack of ability to make rational technology decisions based on facts. Thanks, I’ll pass.

BTW, I am hiring :)