Jun 22, 2014

Perhaps this should be subtitled Why I’ll Never Work at Microsoft.

I don’t know, I don’t know, I don’t know where to begin, as the song goes.

I started writing here on a whim. I don’t look at the traffic it may or may not get, and I haven’t accepted any comments or feedback to date; it’s simply a place for some thoughts, observations, and a tip or two, and I’ve found from time to time I enjoy putting something down.

But I’ve been around the block a time or two, as the saying goes. I’ve been the top security architect for four Fortune 500 companies (including the largest security company in the world), started my own lil company (worked to get over $20 million in venture funding from tippy-top tier investors, got up to 50 employees, and then suddenly ended when the CEO left for a larger company a couple of weeks before a funding round), wrote a book, wrote some software and did some research that other folks seemed to like, testified to Congress, got a gold album from the recording industry, and generally went on with life.

The last decade or so has been pretty odd, tho, with respect to finding work.

Interviews can be stressful on both sides; I’ve interviewed countless people over the years, and mostly try to get a sense of who they are, what they care about, and where their passions are; beyond surface technical matter how much can you really find out in an hour? (Not to mention by the time I talk to them they’ve already run through some lower folks.) In my experience good people make good employees, and unless I need something really, really specific, I’d rather have a good person learn on the job than a jerk who knows how to do it but will always be a jerk.

Big companies are the strangest; they really need experienced people to help them out, but they don’t seem to know how to effectively go about it.

Take Amazon, which I’ve talked to a few times. I remember a phone interview some time ago where someone was asking me about The Coroner’s Toolkit (forensics software I’d written back in the day with Wietse), and about my contribution to the same; they had looked at the software and were convinced I did very little coding. I was a bit puzzled, but they insisted they had looked and I’d apparently done almost none of the work. It wasn’t until some time later that I realized that they had probably done a count of the lines of code and not realized that the source code for the file command, which we had included a port of, was about 2/3 of the total package source (it’s a pretty bloated pig dog), and wasn’t written by either of us (plus Wietse wrote all the C code, which is substantially larger in line count than the Perl I wrote in).

Another Amazon phone interview featured forensics as well (not sure why, but people like talking about it, I guess); they asked me about what I’d do to gather evidence in a break-in. I don’t think they knew who the hell I was, and why I was talking to him was unclear, but it was clear from their tone that he thought he knew forensics and was out to test me. It was also clear from the conversation that he… well, perhaps didn’t know forensics quite as well as he thought he did. But I answered him in detail, talking about freezing memory (this was long before capturing memory was in vogue) and so forth. I prefaced it all by saying that this wasn’t what most people did… but he was nonplussed nonetheless.

I’ll end the Amazon saga by recounting one last interview anecdote. I freely tell people that I’m not a programmer; I’m not that great at coding (why Wietse, one of the world’s best, if not best, security programmers, puts up with me is anyone’s guess), I’m slow, make mistakes, but in the end things seem to work for the most part. I’d actually never had an interview where someone asked me to code prior to this; after all, if you wanted to see my code, it’s out there, and everyone has … acquired it in various products, so who cares. But they had a problem they wanted me to solve by using recursion. Now me and recursion go way back; to me it’s a parlor trick for the most part, and it personally takes me a long time to work it out and put something down in the few times I’ve actually needed to use it. But he was determined, and we proceeded to waste 45 mins on this little program, after which he said “well, I hope you know security better than you know how to program.”

Programmers are an interesting lot. Perhaps he personally wrote Amazon’s backend, and the world uses his code daily. But (a) I’d bet that more people have learned from and used my code than his, (b) I know I’m not a programmer, and (c) what the fuck did this have to do with working at Amazon? And, for the record, yes, I’d like to think I know security better than programming, but I’d already said that in the interview.

Microsoft takes the cake, however. The first time I talked to them was at the research arm; they do really interesting stuff there (although very different than the sort of work I do) and are a high-octane organization. After various interviews and giving me a rather nice case of wine it was clear that they wanted to hire me. But when they got down to the details… they said, well, we’ll hire you, but you can’t do any further work with Wietse (my long-time pal and coconspirator), because he works at IBM’s Watson labs, who they viewed as a competitor.

I wish I was making this up, although I hear they’ve changed this mindset.

A couple of years ago I had another interview (yes, I know, glutton for punishment, but I actually like Amazon and Microsoft) with MS. They pointed at the next person who was interviewing me, but they didn’t introduce us. Nor did he say his name, he just started talking about programming. I’ve mentioned I’m not a programmer, and told him as such, but he was determined to really test me nonetheless. He asked me to do a rather academically interesting programming exercise involving a spinning wheel (his humor or music knowledge wasn’t up to snuff when he didn’t get a Blood Sweat and Tears reference, but I digress.)

Some people like to make sure you know how much they know; he was certainly one of those, what a boorish fellow. He insisted, ad nauseam, in driving home this fact and that I didn’t know how to solve this problem that I could really care less about; that was the entire interview, although at the end I asked him what he did – graphic drivers for virtual systems, as I recall. Now that would have been an interesting conversation, but… alas.

In the end I played along with his game, and thanked him for a very interesting time. That last part was true – it was, to me, fascinating that someone could be so clueless and socially inept to not only not introduce themselves and what they did in an interview, but that a company would allow these sorts of people to be gatekeepers to their inner sanctums.

I must say that I simply don’t understand why these and other big companies feel that it’s important – as a matter of policy – to do programming interviews in not only non-programming positions, but titles that are fairly high up on the food chain. And that their interviewing practices are so… ineffective. It’s not that I think I’m so great that they need me or anything… but they’re hiring me for security, presumably, so why do they never talk about that?

It could be that they have essentially no innovative or strategic security thinkers who could actually have a conversation about security – or that they think I couldn’t have that conversation. It could be that they have no one who has read or used anything I’ve done in the last quarter century (although, if that’s the case, why are they talking to me?) that might have some critique or awareness. Or it could be that I’m missing the point.

In any case that’s probably why I’m not working for one of them now. C’est la vie.

 Posted by at 4:50 pm on June 22, 2014
