http://bit.ly/ZPrw25

* And another usability vs security tradeoff problem – big issue with password reset page at Skype that allowed hackers to take control over any account. Very good response from the company to take down the page and then investigate.

http://tnw.co/TEGXqH

* I would have thought that NASA took care of encrypting sensitive information on employees’ laptops a long time ago. Apparently it didn’t until now.

http://bbc.in/TLkTu7

* And another “I would have thought” one. Adobe got hacked through an SQL injection and passwords have been hashed with MD5 (no random per-user salt either I guess). It is a second hack in less than a month, time to fire someone?

http://bit.ly/ZvHVtq

* If you don’t want to get a pat-down from TSA, then you can simply change a number, generate a new bar code, and
print a new boarding pass:

http://bit.ly/UgLKBT

* Core PS3 encryption key finally leaked. It was just a matter of time and I am surprised it lasted that long:

http://bit.ly/R0Lh0G

* Ops… Don’t post passwords on the wall. Really.

http://bit.ly/Saj2AT

* Ops… Don’t dump sensitive documents on the street (even after you shred them):

http://bit.ly/YhGdwO

* Ops… Apple lost iPhone4s in an SF bar. Google lost Nexus 4 in an SF bar. I think I see the pattern here. I can predict the future news story title: “Microsoft lost Windows phone in an SF bar” but I doubt anyone would care:

http://bit.ly/RSZPRS

P.S. Thanks to everyone for sending the news stories!

http://bit.ly/Ood1en

* A fascinating story about CIA agent who broke into foreign embassies to steal codes:

http://bit.ly/SCdP0q

* If you have your phone number on Facebook profile then it is public and anyone can grab it:

http://tnw.co/VQRDpQ

* The best way to force people to think about security is to get them to pay for not having it. Manchester Police was fined for saving un-encrypted private data:

http://bit.ly/RxrNlp

* Sounds like there is a potential large scale attack on the online US banking in the works. Time to get the 2-factor authentication setup on your online bank account:

http://bit.ly/R31ymm

* NIST selected a new hashing algorithm SHA-3. It is not clear why they rushed it since there are no known attacks or weaknesses in SHA-2. The new algorithm is *very* different from the old ones though:

http://bit.ly/RxrNlp

* NY master keys are available for sell on eBay:

http://huff.to/V78y7c

* You might have heard about quantum cryptography. A good article on the subject if you want to learn what is actually behind the buzz-word:

http://bit.ly/QwU5w3

* Next time you go to a hospital, you should ask your doctor if she has an antivirus on this fancy piece of medical equipment she plans to use on you:

http://bit.ly/Wl7D3E

* And another frightening news about medicine – an attack on a pacemaker using a “secret” function:

http://bit.ly/Tu6Mra

1) “I was responsible for …”

This is the phrase I often see in technical resumes. And it has a big meaning for me because I value ownership and responsibility in the team. However, if you put this phrase in your resume, then please be prepared to answer not only “what?” questions about the project but also “why?”. And please don’t answer that “I don’t know why we did it this way, I was not making this decision, the architect/team lead/some other random guy did”. It is perfectly normal to have someone else make some decisions on your project. Either because the decision was made before your time, or because the level or scope of the decision is above or below your pay grade, or because the way things are setup inside your company. However, I strongly believe that a true owner of a project/product/system/subsystem should very clearly understand and agree with every decision made in his/her area of responsibility. If you don’t understand why things are done the way they are done and just follow the directions, then you are not probably qualified to make other decisions in this area at all. And you are definitely not responsible for your project. The other guy who makes and understands the decisions is. Worse, it also shows me that the candidate doesn’t know his/her limits or doesn’t understand the limits at all. Thanks, I’ll pass.

2) “I rate my experience in X 10 out of 10″

During the interview, I try to ask questions that match the candidates overall experience as well as his/her experience in a particular technology. I want to ask you a question that will challenge you. Thus, a candidate with 10/10 knowledge of PHP will get a question I would ask Rasmus and a candidate with 10/10 rating for MySQL will get a question I saved for Monty. The bar will be set high and a very few candidates are able to meet it. The more important part is that I actually do not expect every web developer I hire to be 10/10 in PHP, MySQL, and every other technology we use. There are always things to learn. And there is always Google to find details and more information when needed. The 10/10 candidate who failed the question is just a sign of an “inflated” the resume. Thanks, I’ll pass.

3) “I have experience with A, B, C, D, E, F, …, X, Y, Z. And many other related things.”

For any technology I define a “minimum equipment list” that anyone with even a basic exposure to this technology should know and understand. This is indeed a “minimum” list: for Java you need to know about garbage collection; for SQL databases – about joins and transactions; – you got the idea. If you have a technology listed on your resume, then I feel it is a fair game to ask questions about these basic things. And if a candidate has no clue what I am asking about then the only logical conclusion for me is that the resume have been “inflated”. Thanks, I’ll pass.

4) “I know you use technology X but I think you should actually use technology Y”

As an engineer you should understand that there is no silver bullet technology that works everywhere and all the times. Each technology choice is a tradeoff. One solution gives you one set of pluses and minuses. And another solution gives you another set. To make a decision, you have to compare the pluses and minuses of each solution against your priorities and objectives. And then find the one that works best for you. It is great to be passionate about technology, but I don’t believe that after minutes or even hours of the interview, a candidate knows and understands the tradeoffs behind the technology choices made by myself, my team and my company over the years. Thus, a candidate just shows his or her lack of ability to make rational technology decisions based on facts. Thanks, I’ll pass.

BTW, I am hiring

The first and only option that comes to mind is the copyright law. As any art work, Apple’s designs are protected by the copyright law. And it seems natural that Apple should go after Samsung using the copyright law. However, the copyright law includes two key provisions that make it impossible: idea/expression differentiation and fair-use doctrine. Thus, Samsung doesn’t violate the copyright law unless it copies Apple’s icons pixel by pixel, or builds its phone with the exact iPhone dimensions and buttons.

The patents and the copyright law in the current form are outdated and don’t match the reality of the fast moving and fast copying 21st century. However, if as a society we want to reward inventors and original artists, then we need to find a way to fix patent and copyright laws. The other proposed options (e.g. government grants/prizes) are even worse solutions to the problem. And it is not too hard to fix them. First, we should drastically reduce the protection period to 1 year or may be even less. The long protection period provided by both the patents and the copyright law actually shifts the risk/reward tradeoff in the wrong direction and makes it easier for companies or pirates to decide to infringe on patents or copy the digital content. Nobody in 21st century is going to wait years until patent expires or the art work goes into public domain. Second, we should build into the patent law an automatic way to license the patent and pay reasonable licensing fees w/o the need to negotiate with the patent holder. Third, we should include “fair use”-type clause into the patent law to ensure that university and other research organizations can freely use patents. And the last but not the least, we should drastically speed up the approval of patents. Patents should be granted automatically and review on patents should be performed only if someone wants to challenge them. The patents database will be the place to go to find out how to solve a problem to avoid duplication of efforts, not a sacred place you (as engineer) should never look at because of the fear to be sued for knowingly infringing on a patent.

“How should we implement Scrum?” was first question they asked. If you haven’t heard about Scrum, then you only need to know that it’s a modern project management technique based on iterative approach. Some call it the ultimate solution for all problems. Some think it is a complete BS. The truth is probably somewhere in the middle.

“Why do you need Scrum?” immediately I knew that this will be a fun conversation.

“All startups use Scrum,” they replied.

“But what is your goal? Use Scrum? Or build the product and the company?”

The two founders made a common mistake – they mistakenly thought that the “tool” is their “goal”. There are many ways to slice the pie. There are some requirements for slicing it (e.g. the number of slices) but the end goal is not to slice the pie but to eat it. If you spend your time designing the best way to slice the pie, then you probably will go home hungry. Focus on the “tool” and you will miss the “goal”. The tool is just a tool at the end.

Another common question I often get asked is about choosing the best programming language, framework or database to build a new project or a product. My answer is typically “it’s irrelevant”. Unless you make a big and obvious mistake choosing C++ for building a CMS-like website, you will do fine with any tool. You should look not at the “best” tool but at other factors, for example, what kind of experience and knowledge your team has. This is way more important than 10% performance gain of language X vs. language Y.

It turned out that the two founders didn’t need Scrum just yet. Their engineering team had some issues but they were delivering mostly on time with acceptable quality. Their Director of Engineering was using an Excel spreadsheet for project management and it was completely enough for the size of the team and the current project complexity. Instead of discussing Scrum implementation, we discussed how the project management system in their company should evolve over time as the startup grows; what metrics they should watch for to make sure things are under control; and how to minimize the project management costs because it is also just a tool.

Good luck, John and Tim! I’ll see you for coffee in 6 months or so.