Dailydave mailing list archives

Re: Can Dave be cloned?


From: David Stein <david.r.stein () gmail com>
Date: Wed, 6 Oct 2004 11:56:24 -0400

Thanks for all the input!  Some quick responses:

From: Thomas Fischbacher <Thomas.Fischbacher () Physik Uni-Muenchen DE>
My advice is: specifically look for lisp and haskell hackers. These are 
the most advanced languages around, and if someone evidently has fun using 
them, your chances are good that he's quite a sophisticated person.

Interesting!  I know some lisp but haven't used it for years, and I
don't know any haskell at all (never heard of it, in fact).  I should
have mentioned that I'm looking for people more technically skilled
than I am, which is another degree of difficulty.  I'd been thinking
along the lines of perl and/or python--anyone else think I should
stress other languages?

Don't care whether they are below 25, don't write them off as too old/too 
inflexible/too inexperienced in the real world just because they have a 
PhD. If you have a python project and they come up with the idea of using 
stackless python instead, just let them do so (if possible). Pose the 
problems and the constraints and let them think of their own. What these 
people hate is being told to go for solutions where they just know they 
could do better if you let them.

On this I think I do pretty well.  I'm trying to find people who are
smarter than I am and know more than I do, and once I do I try to stay
out of their way as much as possible.  Two of our best researchers
have PhDs in math, so certainly we're not rejecting anyone as
overqualified--quite the contrary.

From: Kevin Ponds <kponds () gmail com>
Personally, though graduation is still a few months away, it looks
like I'm going for the MegaCorp.  I'd rather get a job where I could
do advanced and puzzling work all day, but they're offering a really
good amount, in a good city, I already had an internship with them,
and I'm almost sick of looking.

And it seems like most people I end up talking to really don't want to
do advanced and puzzling work, they want to do something easy that
they already know how to do.  The willingness to take an intellectual
risk and enjoy it is itself a rare and valuable attribute.

My advice, look where the college graduates will look.  Post on
SecurityFocus jobs, different security forums and mailing lists, etc. 
Stay relevant, and don't post job advertisements in low traffic lists
that like to stay on subject.

I will of course end up posting to the SecurityFocus jobs list, but
the jobs that are being advertised there are different enough from
what I'm looking for that I'm very pessimistic.  (I would say that a
CISSP wouldn't be an absolute disqualification, as long as the holder
wasn't especially proud of it ;).  I wish I could afford to take out a
full-page ad in the Washington Post, but I don't have any recruiting
budget.

From: Jason Lewis <jlewis () packetnexus com>
The more people I work with, the more I think what you're looking for is 
very rare.  I find that people coming out of school know a lot about 
software, but have never had to troubleshoot a windows95 box or a 
network.  They just don't understand how everything surrounding their 
software interacts.  That seems to lead to a different thought process 
and less innovation.

Yes, I often think that geezers like me who grew up writing programs
in hex and entering them using the front panel switches have a more
useful mental model of a computer.  OTOH I'm pretty sure I wouldn't
hire myself for the jobs I'm trying to fill ;)

From: Michael Murray <mmurray () episteme ca>
I went through this exact same issue when I opened a new office for our vuln
research group, and found only one (somewhat frightening) answer: you have
to put in the work.  To find a handful of really strong people who could put
up with the intensity of our schedule and tasks (requiring pretty much the
same set of qualifications you have), we went through around 700 resumes,
and over 200 really intense interviews (including more than a few Java and
MCSE experts... ;)

Yuk!  That is certainly what I don't want to hear.  If I had time to
interview 200 people, I wouldn't need more employees.  Realistically
I'm going to have to cut the interviews down to 10-20 at most, with
maybe another 20 or so telephone interviews.  I can slog through
hundreds of resumes well enough if I have to.

From: Matt Hargett <matt () use net>
You also can't teach a "cowboy" (as I call them) to produce quality code 
consistently, in my experience. I've had decent results in pairing 
junior cowboys with senior folks, but I learned at previous companies 
not to hire someone just because they have m4d sk1llz. At least, not in 
a product development or sysadmin context; maybe in the research/exploit 
dev context, this makes more sense. (Or I'm just stupid.)

I can put up with quite a bit of "cowboy" because I am doing R&D work.
I don't insist on or expect heavyweight process, but quality code is a
must.  In other words, I have no problem with the lone gunslinger as
long as they are a dead-eye shot.

From: robert () dyadsecurity com
Sad truth is that our industry is saturated with people who cannot
accurately self assess their own strengths and weaknesses.  We have
people with no understanding of how computers really work learning how
to run automated wizards and passing as security experts.

And you have companies saying that they want "security experts" when
they really want people who are the computer equivalents of those
rent-a-cops who sit in the lobby watching the TV monitors.  And good
luck trying to explain to HR what the difference is!

There is a huge difference between an exploit writer and a security
researcher.  While the exploit writer may have a highly honed knack for
finding and exploiting a buffer overflow, a security analyst is able to
find additional attack vectors outside of the well known problem set.

Yes, and I would add that while anyone with sufficient intelligence
can learn to write a buffer overflow, being a true security analyst is
not a skill but a way of looking at the world.  When I do interviews I
ask some pretty strange questions trying to figure out if the
applicant looks at the world in that way or not.

From: Gadi Evron <ge () linuxbox org>
I believe looking for good employees of *this* kind is a difficult 
thing, however, it *can* be extremely easy.

It's easy when I get a personal recommendation from someone I trust.

There are a few things we have to realize when it comes to *our* kind of 
people:
1. Most of them are crazy (I know I am).
2. Because of 1 above, HR would flunk them - which is a good sign.

That's why I try to bypass ("help out" ) our HR department by getting
applicants to send me their resumes and then walking them down to HR
myself.  That way I get to interview them before they are screened
out.

3. There are just a few of them in every school (1-3).
4. If you don't know them already, or know somebody who knows them - you 
are wasting your time looking.

Actually, I have gotten lucky in the past even with postings to
SecurityFocus's jobs list, I just had to wade through the pile of
wrong choices to find the right one.  What I'd like to do this time is
to write the announcement in such a way that the right people are
encouraged and the wrong people are deterred.  And then I'd like to
post the announcement in the perfect place(s) where the right people
will read it and the wrong people will not.

5. Once you've decided to hire one of them, the only question left, in my 
opinion, given their skillz vs. personality question and our business 
being security, is their reliability.

Yes, I've had a couple of technically good people who had to be
encouraged to seek other employment because they were not responsible
about showing up for work and actually doing their jobs.  And one was
so obnoxious to be around that good technical skills were not enough.

Thing is, it's a process. Resumes mass-sent via email don't usually 
help. Also, high standards usually deter a lot of candidates.
[...] They are rarely in college! Although that happens. Why demand a college 
degree?

Unfortunately I am quite limited in this respect by my corporate HR
department.  If they don't have a college degree, I can't pay them
very much.  If I had my own company I wouldn't care, but I don't.  I
try to be as flexible as possible in considering experience in lieu of
education, and considering what is "relevant" education.  One of my
best engineers majored in philosophy.

HR hates (most of) them, remember, they *are* crazy.

So true.  Since I work for a big company, I need the ones who are just
sane enough to function within a corporate environment, at least when
necessary.

Thanks to all,

David
--
David Stein
david.r.stein () gmail com
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave