Back in 1999, DefCon attendees were viewed with great suspicion by employers. When a manager from the NSA or a big company became known at the conference, he was overrun by attendees trying to give him their resumes, but they were mostly turned away. Whenever I described any knowledge of hacking methods, the response was always fear. So I stopped going into detail, even when the job was computer security. These days, though, people (without a record) who know how hacking is done and how to defend against it are actively recruited.
A couple of years ago I had the two technical phone interviews with Microsoft, and was invited to the three-day on-campus interview process. The way it works is that you interview with one manager after another: directors, line managers, project managers, senior devs, and so on — and if any one of them says no, all the rest of your interviews are canceled.
So I made it through the first and second days, including a technical interview with the Director of Security for the Interactive Entertainment Business (where I was interviewing to be a Senior Security Program Manager). Then on my third day, the very last interview was with the Key Manager, who was responsible for all IEB encryption keys. He asked, “How would you protect the transmission of private encryption keys, worldwide?” I suggested ‘dark fiber’, which is unused fiber-optic cable, excess capacity that exists going almost everywhere and can be leased. On their own fiber, keys would be physically isolated from all other traffic. And even when keys are transmitted on a fiber with other traffic, if they used a different ‘color’ (since channels are defined by ‘color’, i.e. frequency), the keys would still be protected by the laws of physics. He really liked that idea. Next he said, “I see here on your resume that you are a ‘Certified Ethical Hacker’. Take me through the compromise of a Windows machine.” Well, by this time I was completely exhausted, and I did not recognize that this was a very conservative guy who is paid to be paranoid and that I should be careful… so I just laid it all out. I took him through reconnaissance, port knocking, directory characterization, SQL injection, buffer overflow, Metasploit functions, compromise, privilege escalation to the user more powerful than Admin, rootkit, backdoor, acquiring the SAM (password) file and cracking all the passwords in it. When I finished, I noticed he was staring at me with his mouth open, and he’d turned a little gray. He went to his computer and began typing fast. I got home to the dreaded email that I was not selected. He must have thought, “This guy is an evil hacker. How else could he have come by this information? It could only be because he has actually illegally hacked.”
But he never recognized that my background is intel, as it says on my resume, and that I’ve been interested in electronic security since the Air Force, where it was my job. It’s in my blood.
Six months later I was invited again to the Microsoft three-day on-campus interviews, in the Storage division, again for security. This time I was careful and circumspect at every stage, but on the second day I was rejected for ‘not being technical enough’, lol. I grieved for a month. Was I too careful this time, or are these people amateurs?
Microsoft isn’t my be-all and end-all, and I’ve applied with other companies. But the notes in Microsoft’s systems on me will last forever, and who knows what they say, so I lost hope with them. If they don’t recognize me, that's their loss. But this May I got a call from the recruiter for Microsoft Research and Development. He asked why I hadn’t applied lately, and I told him straight-up what had happened. He said firmly that “the past is the past” and that I should definitely keep applying. He said there’s a new manager in charge of R&D and that I should apply for jobs there and in other departments as well. He actually recognized what I know and was reassuring me. That was nice.