Dailydave mailing list archives
Re: Can Dave be cloned?
From: David Stein <david.r.stein () gmail com>
Date: Wed, 6 Oct 2004 11:56:24 -0400
Thanks for all the input! Some quick responses:
From: Thomas Fischbacher <Thomas.Fischbacher () Physik Uni-Muenchen DE>
My advice is: specifically look for lisp and haskell hackers. These are the most advanced languages around, and if someone evidently has fun using them, your chances are good that he's quite a sophisticated person.
Interesting! I know some lisp but haven't used it for years, and I don't know any haskell at all (never heard of it, in fact). I should have mentioned that I'm looking for people more technically skilled than I am, which is another degree of difficulty. I'd been thinking along the lines of perl and/or python--anyone else think I should stress other languages?
Don't care whether they are below 25, don't write them off as too old/too inflexible/too inexperienced in the real world just because they have a PhD. If you have a python project and they come up with the idea of using stackless python instead, just let them do so (if possible). Pose the problems and the constraints and let them think of their own. What these people hate is being told to go for solutions where they just know they could do better if you let them.
On this I think I do pretty well. I'm trying to find people who are smarter than I am and know more than I do, and once I do I try to stay out of their way as much as possible. Two of our best researchers have PhDs in math, so certainly we're not rejecting anyone as overqualified--quite the contrary.
From: Kevin Ponds <kponds () gmail com>
Personally, though graduation is still a few months away, it looks like I'm going for the MegaCorp. I'd rather get a job where I could do advanced and puzzling work all day, but they're offering a really good amount, in a good city, I already had an internship with them, and I'm almost sick of looking.
And it seems like most people I end up talking to really don't want to do advanced and puzzling work, they want to do something easy that they already know how to do. The willingness to take an intellectual risk and enjoy it is itself a rare and valuable attribute.
My advice, look where the college graduates will look. Post on SecurityFocus jobs, different security forums and mailing lists, etc. Stay relevant, and don't post job advertisements in low traffic lists that like to stay on subject.
I will of course end up posting to the SecurityFocus jobs list, but the jobs that are being advertised there are different enough from what I'm looking for that I'm very pessimistic. (I would say that a CISSP wouldn't be an absolute disqualification, as long as the holder wasn't especially proud of it ;). I wish I could afford to take out a full-page ad in the Washington Post, but I don't have any recruiting budget.
From: Jason Lewis <jlewis () packetnexus com>
The more people I work with, the more I think what you're looking for is very rare. I find that people coming out of school know a lot about software, but have never had to troubleshoot a windows95 box or a network. They just don't understand how everything surrounding their software interacts. That seems to lead to a different thought process and less innovation.
Yes, I often think that geezers like me who grew up writing programs in hex and entering them using the front panel switches have a more useful mental model of a computer. OTOH I'm pretty sure I wouldn't hire myself for the jobs I'm trying to fill ;)
From: Michael Murray <mmurray () episteme ca>
I went through this exact same issue when I opened a new office for our vuln research group, and found only one (somewhat frightening) answer: you have to put in the work. To find a handful of really strong people who could put up with the intensity of our schedule and tasks (requiring pretty much the same set of qualifications you have), we went through around 700 resumes, and over 200 really intense interviews (including more than a few Java and MCSE experts... ;)
Yuk! That is certainly what I don't want to hear. If I had time to interview 200 people, I wouldn't need more employees. Realistically I'm going to have to cut the interviews down to 10-20 at most, with maybe another 20 or so telephone interviews. I can slog through hundreds of resumes well enough if I have to.
From: Matt Hargett <matt () use net>
You also can't teach a "cowboy" (as I call them) to produce quality code consistently, in my experience. I've had decent results in pairing junior cowboys with senior folks, but I learned at previous companies not to hire someone just because they have m4d sk1llz. At least, not in a product development or sysadmin context; maybe in the research/exploit dev context, this makes more sense. (Or I'm just stupid.)
I can put up with quite a bit of "cowboy" because I am doing R&D work. I don't insist or expect heavyweight process, but quality code is a must. In other words, I have no problem with the lone gunslinger as long as they are a dead-eye shot.
From: robert () dyadsecurity com
Sad truth is that our industry is saturated with people who cannot accurately self-assess their own strengths and weaknesses. We have people with no understanding of how computers really work learning how to run automated wizards and passing as security experts.
And you have companies saying that they want "security experts" when they really want people who are the computer equivalents of those rent-a-cops who sit in the lobby watching the TV monitors. And good luck trying to explain to HR what the difference is!
There is a huge difference between an exploit writer and a security researcher. While the exploit writer may have a highly honed knack for finding and exploiting a buffer overflow, a security analyst is able to find additional attack vectors outside of the well known problem set.
Yes, and I would add that while anyone with sufficient intelligence can learn to write a buffer overflow, being a true security analyst is not a skill but a way of looking at the world. When I do interviews I ask some pretty strange questions trying to figure out if the applicant looks at the world in that way or not.
From: Gadi Evron <ge () linuxbox org>
I believe looking for good employees of *this* kind is a difficult thing, however, it *can* be extremely easy.
It's easy when I get a personal recommendation from someone I trust.
There are a few things we have to realize when it comes to *our* kind of people:
1. Most of them are crazy (I know I am).
2. Because of 1 above, HR would flunk them - which is a good sign.
That's why I try to bypass ("help out") our HR department by getting applicants to send me their resumes and then walking them down to HR myself. That way I get to interview them before they are screened out.
3. There are just a few of them in every school (1-3).
4. If you don't know them already, or know somebody who knows them - you are wasting your time looking.
Actually, I have gotten lucky in the past even with postings to SecurityFocus's jobs list, I just had to wade through the pile of wrong choices to find the right one. What I'd like to do this time is to write the announcement in such a way that the right people are encouraged and the wrong people are deterred. And then I'd like to post the announcement in the perfect place(s) where the right people will read it and the wrong people will not.
5. Once you've decided to hire one of them, the only question left, in my opinion, due to their skillz vs. personality question, and our business being security - is their reliability.
Yes, I've had a couple of technically good people who had to be encouraged to seek other employment because they were not responsible about showing up for work and actually doing their jobs. And one was so obnoxious to be around that good technical skills were not enough.
Thing is, it's a process. Resumes mass-sent via email don't usually help. Also, high standards usually deter a lot of candidates. [...] They are rarely in college! Although that happens. Why demand a college degree?
Unfortunately I am quite limited in this respect by my corporate HR department. If they don't have a college degree, I can't pay them very much. If I had my own company I wouldn't care, but I don't. I try to be as flexible as possible in considering experience in lieu of education, and considering what is "relevant" education. One of my best engineers majored in philosophy.
HR hates (most) of them, remember, they *are* crazy.
So true. Since I work for a big company, I need the ones who are just sane enough to function within a corporate environment, at least when necessary.
Thanks to all,
David
--
David Stein david.r.stein () gmail com