Want a Security Pro? Get Politically Incorrect and Learn Geek Culture
coondoggie writes "While complaints can be heard far and wide that it's hard to find the right IT security experts to defend the nation's cyberspace, the real problem in hiring security professionals is the roadblocks put up by lawyers and human resources personnel and a complete lack of understanding of geek culture, says security consultant Winn Schwartau. Take Janet Napolitano, U.S. secretary of the Department of Homeland Security, who has said the country can't find the right people for network defense. The real problem is a misunderstanding of computer geeks, their personalities, habits and their backgrounds, said Schwartau today during his talk at the Hacker Halted information security conference."
My mother's basement is well defended !!!!!!!
People who accept an 80k for 40k for the govt.
And the Catholic Church could prop up its declining clergy membership by recruiting straight from the local sex offender registry.
Seriously, what the fuck? "Legal niceties" is another term for these rules are in place because we don't want to get fucked over again by someone we trusted. They're there for a reason, and actively circumventing them to search for applicants is inviting yourself to get burned. Maybe some of them could be relaxed, sure, like the one-time drug offense bit for security clearances. But just saying "they're narrowing our pool of applicants!"...Shit, Sherlock, that's why they exist!
Everything is better with chainsaws.
think they deserve special treatment and don't have to be clean, social, pleasant, accountable workers.
newsflash: they do.
Corps and Gov are right to want to make more geeks, so they don't have to make do with the half-defective ones.
The Cloud - because you don't care if your apps and data are up in the air.
Your assumption is that the government hires people capable to actually solve the problem. It does, but only in war times. In war times you lose ground when you follow the wrong path. When you sent the horses against the machine guns. Governments are not interested to actually solve the problem but rather to be in charge of the problem. We know that many security issues could be solved. Simply spend a few millions on security reviews of commonly executed code, and order the companies to provide bug fixes or apply punitive damages, make them partly liable for not fixing security issues.
This isn't even specific to the IT field. This is a problem with every organization that hires people. Unless the organization is too small to have lawyers or human resources.
I haven't met too many good hackers who haven't, at least at one time, engaged in some drug use -- whether it be smoking weed (usually), tripping on mushrooms/acid, or cocaine, etc. It seems to permeate the culture quite a bit.
A couple three-letter agencies once tried to recruit me, but I didn't want to stop going to festivals/parties, smoking pot, etc. It felt like I would have to become a square and this job would be my life, and I'd have to disown much of the culture I was associated with previously. Plus, I thought if I went forward, I'd never get past the polygraph where they ask you tons of questions about drug use, and it would just be a waste of time.
For context, I am an IT professional with a specialization in security and about 20-40% of my workload is security related.
Maybe if drug testing wasn't required, these agencies would get more applicants. But no one wants to piss in a cup on a monthly basis to work at a rate of pay less than they could get at companies that don't drug test.
While not terribly talented and hardly the sort of person likely to hold down a decent paying job (let alone know how to write out a resume or pass an interview) these are the sort of people who find the gaps. Recruiting them to work for you may be iffy. Once they have a paycheck, can afford a sports car, some decent clothes and can afford to go out they slowly cease to be the people you wanted.
Best to just hire them on a per item contract and toss them a burrito now and then.
A feeling of having made the same mistake before: Deja Foobar
This is nothing new to the IT industry in general and has been going on for years. It's only moved to "Security" now because the wave of nerds that 10 years ago were hired for "basic IT" are now sufficiently advanced where connecting a network together is trivial and their knowledge has moved on.
Of the type of non-conformist individual with considerable hacking skills who should be a hiring target.
I think there is a wider skill range when it comes to hiring someone with security expertise than just programming alone. And everyone knows HR can't figure out how to hire a skillful programmer over a random Joe who talks himself up. So what hope does HR have in finding a security expert, when there's a lot of bullshitters who claim to be good at security but don't know anything?
I know about encryption, and I've found security flaws in applications such as Adobe's P2P networking, but I wouldn't consider myself a security expert or apply to one of those jobs. Yet, I know a lot more than a great deal of people selling themselves as security experts.
God spoke to me
They need to hire a Relationship Manager.
"Ich bin ein nerd"
Required reading for internet skeptics
Sounds like a way to get some Black Hats working directly for the DOD and Homeland Security. Hiring Black Hats is good only when you know they are a Black Hat, and that usually requires they get arrested first. If they are a sketchy unscrupulous looking person then stay away. They already have to be on the lookout for the Normal Looking Black Hat Anon that's slipped into the organization; they shouldn't be putting people that are clearly a risk in.
It's not that they're the wrong IT Security Experts to defend the nation's cyberspace, it's that they're the wrong people to work for the Bureau or the Agency or DHS or SS. So the problem isn't a lack of people who know their stuff, it's a lack of people who fit the typical "agent" pigeonhole.
I know I'll never work for the Government because I have family in Mexico and I'd rather not have Federal noses up my ass whenever one of my many (many) cousins has a wedding or baptism that I'd like to attend.
Unless the organization is too small to have lawyers or human resources.
And this is why I gave up working for big organisations - I want to spend my time doing a useful job rather than constantly battling against other departments (such as HR) who seem intent on making sure there's as little productivity as possible.
http://blog.nexusuk.org
There are two big barriers for government IT hiring:
Pay scale
The GS payscale doesn't map well to high-end IT skills. So often you end up with the marginally qualified, or those rare individuals who are not only not in it for the money, but somehow find a way to turn down offers every quarter from another round of head-hunters.
Extra scrutiny
The government security and screening process is a lot tougher than many commercial enterprises. It leads to ironic debtor-prison type situations where an otherwise qualified guy about to have his house foreclosed can't get the job because he is a security risk because he needs the money. The government just doesn't want to take the risk he will try to pay off his bills by selling access to the highest bidder.
If you've ever worked for the government, you'll know that they ensure it's hard for them to hire anyone.
Really? Congress could have fooled me to think otherwise.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
One has to wonder why it's so difficult for them to find people vs. other engineering disciplines. I'd suspect that the sort of people that excel at poking and prodding security vulnerabilities take a similar attitude to social rules; i.e. challenging assumptions and testing limits.
First of all, tfa misses its point completely, but hits on a bigger one. How to tell a crap sec pro from a good one, and at least I believe the answer isn't on paper. HR does background checks on anybody in any dept., so saying this is discriminant is to generalize the entire work force, same with drug testing. Culturally... well you gotta have somebody that fits in with the team, otherwise you got bigger problems than network security. Most hacker / security types I know of you can't really tell apart from mainstream culture, the same intelligence that lets a sec pro do their work can also be applied to society's norms and standards. The guy who stays up nights and then forgets to shave and shower in the morning isn't an ideal candidate because just like they can't apply themselves to the real world, they probably won't be able to apply business logic to say creating group policy in active directory.
Now here's where it gets really overcast grey, I put DNS on my resume and you put DNS on yours, I understand DNS cache poisoning, you don't, to HR, to even technical non-sec managers, this looks the same, but guess what, you want the guy who understands how DNS applies to security, not networking. How to tell them apart? Very very hard & resource intensive, a test, interview questions, a real-world scenario. HR wouldn't know where to begin. And it's scary to hire a sec pro who doesn't know what they're doing. Security+ is basically networking + some common sense (ex. don't allow anonymous relay on your exchange server), but a dedicated attack hacker will come equipped with knowledge far greater than this, so unless the sec pro actually knows what they're doing, they're useless. Thoughts? Solutions? Ideas?
Private sector pays IT sec folks 6 figures+, last time I googled the salaries of the alphabet boys I wasn't very impressed.
Example: http://www.glassdoor.com/Salary/FBI-Salaries-E24637.htm
Example: http://www.criminaljusticeschoolinfo.com/fbi-agent-salary.html
KERNEL PANIC -SIGFAULT AT ADDRESS #51A54D07
I've had to turn on firewalls and set security policies at several places I worked at. The admins there just didn't seem to care. One guy even turned off all the firewalls and set dictionary passwords on root. After I took over and when I asked him why he disabled them, he said it wasn't necessary. On one system that apparently kept getting hacked, he had to disable direct ssh logins to root. He never completely removed the vestiges of the attack and I saw numerous brute force attempts in the logs. I turned on the firewall and installed fail2ban. I was also able to track down the attack vector to a user who logged in remotely from his laptop during a visit to Europe. Once I had the guy reinstall his laptop and change all his passwords, the attacks diminished.
Especially in small companies, a lot of people became sysadmins because they happened to be the guy that knew some basic tech. They weren't trained as sysadmins, nor were they really technically savvy. They just knew more than their coworkers. There isn't really a sysadmin degree out there. I started out as a programmer porting code between Unix, Windows and PreOSX Macs, but I understood security, even during the dotcom boom.
If you've ever worked for the government, you'll know that they ensure it's hard for them to hire anyone.
Really? Congress could have fooled me to think otherwise.
Congress doesn't get hired, they get elected. The process for the latter is even more f'd up than the process for the former.
Network security is a position of trust. There is basically no way around this: implicit in running a network is that you have the tools to see what's on it. Encryption only goes so far in such situations, particularly at agencies tasked, in part, with getting at encrypted data.
This adds up to some employers requiring a greater degree of trust in their employees than is currently the norm. Some geeks, it seems, are unwilling to come to terms with the fact that their life choices may have made them poor security risks in that context. The cases where the risk isn't because of a life choice are sadder, but the risk is just as real, and to ask agencies with bona fide requirements for absolute trust to simply ignore those risks is insane.
This year's Defcon had a HUGE push by Homeland security and the CIA attempting to recruit. It was funny going to watch Bruce Schneier talk and someone told him that and he basically said "I hope you didn't believe anything they said". The guy from Homeland security seemed like a good guy and was trying to actually hire good people, but my only question to everything he said was "You do realize you work for Janet N.?"
The Federal government has become a joke. If you go out on a limb for them and it becomes slightly inconvenient for them they hang you out to dry. You find them doing something wrong and think about whistleblowing, you will be fired and probably sued (see ATF guy who told about Fast and Furious). You interrogate terrorists and you will be threatened with jail (See CIA agents at Gitmo). They have a history of stomping on people who might make them look bad.
No thanks. The Federal government is corrupt beyond fixing. Anyone who goes in to do the right thing will end up being a casualty.
The author obviously doesn't know very much about government security practice, even though their handbook is available online for anybody who can Google.
The assumption that there are no qualified, committed, and skilled professionals in the industry who are not geeks (quasi social outcasts) is totally false. There are a lot of us out there that don't look, smell or act like such employees who are willing and able to do this job. If you show up looking like this stereotype and fail the drug test what do you think HR is going to do? Don't let the door hit you on the way out.
I think the real story *should* be that if you really want a job and you don't like to show up during office hours, dressed for work, with combed hair, demonstrating basic social graces and you refuse to give up illegal drug use, your membership in Anonymous and all the other nasty things "Geek Culture" brings to the table, Just go look someplace else for a job. Somehow, I don't think there are very many private companies who will put up with you as a security professional.
An important point: Except in some relatively minor respects such as slang vocabulary, hackers don't get to be the way they are by imitating each other. Rather, it seems to be the case that the combination of personality traits that makes a hacker so conditions one's outlook on life that one tends to end up being like other hackers whether one wants to or not (much as bizarrely detailed similarities in behavior and preferences are found in genetic twins raised separately).
General Appearance
Intelligent. Scruffy. Intense. Abstracted. Surprisingly for a sedentary profession, more hackers run to skinny than fat; both extremes are more common than elsewhere. Tans are rare.
Dress
Hackers dress for comfort, function, and minimal maintenance hassles rather than for appearance (some, perhaps unfortunately, take this to extremes and neglect personal hygiene). They have a very low tolerance of suits and other ‘business’ attire; in fact, it is not uncommon for hackers to quit a job rather than conform to a dress code. When they are somehow backed into conforming to a dress code, they will find ways to subvert it, for example by wearing absurd novelty ties.
Female hackers almost never wear visible makeup, and many use none at all.
Physical Activity and Sports
Many (perhaps even most) hackers don't follow or do sports at all and are determinedly anti-physical. Among those who do, interest in spectator sports is low to non-existent; sports are something one does, not something one watches on TV.
Further, hackers avoid most team sports like the plague. Video games being a notable exception, both in terms of team play and consideration as a sport... Hacker sports are almost always primarily self-competitive ones involving concentration, stamina, and micromotor skills: martial arts, bicycling, auto racing, kite flying, hiking, rock climbing, aviation, target-shooting, sailing, caving, juggling, skiing, skating, skydiving, scuba diving. Hackers' delight in techno-toys also tends to draw them towards hobbies with nifty complicated equipment that they can tinker with.
The popularity of martial arts in the hacker culture deserves special mention. Many observers have noted it, and the connection has grown noticeably stronger over time. In the 1970s, many hackers admired martial arts disciplines from a distance, sensing a compatible ideal in their exaltation of skill through rigorous self-discipline and concentration.
Today, martial arts seems to have become firmly established as the hacker exercise form of choice, and the martial-arts culture combining skill-centered elitism with a willingness to let anybody join seems a stronger parallel to hacker behavior than ever. Common usages in hacker slang un-ironically analogize programming to kung fu (thus, one hears talk of “code-fu” or in reference to specific skills like “HTML-fu”).
Education
Nearly all hackers past their teens are either college-degreed or self-educated to an equivalent level. The self-taught hacker is often considered (at least by other hackers) to be better-motivated, and may be more respected, than his school-shaped counterpart. Academic areas from which people often gravitate into hackerdom include (besides the obvious computer science and electrical engineering) physics, mathematics, linguistics, and philosophy.
Food
Ethnic. Spicy. Oriental, esp. Chinese and most esp. Szechuan, Hunan, and Mandarin (hackers consider Cantonese vaguely déclassé). Hackers prefer the exotic; for example, the Japanese-food fans among them will eat with gusto such delicacies as fugu (poisonous pufferfish) and whale. Thai food has experienced flurries of popularity. Where available, high-quality Jewish delicatessen food is much esteemed. A visible minority of Southwestern and Pacific Coast hackers prefers Mexican.
For those all-night hacks, pizza and microwaved burritos are big. Interestingly, though the mainst
So you've worked for the Government?
From my experience at the federal level, it's only hard to FIRE a government employee.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
was confirmation of my opinion that "political correctness" now means "any kind of attitude or phenomenon that I don't like, but I can't be bothered to articulate a proper argument against". A bit like "inappropriate", really.
Security operations on a production network is so different from, say, vulnerability research that it's wrong to use the same term to refer to both.
Then you have to specify what kind of trust you're after. There's an sf story where a character muses about a thug "I would trust him with the crown jewels, but not with my daughter".
...had a Top Secret / SCI (secure, compartmentalized information) clearance.
They crawled up his ass with the Hubble telescope, looked for people he knows, then went and crawled up the ass of *those* people to find out who *they* know that might know Manning. They hooked him up to a polygraph. They checked, re-checked, cross-checked and followed every single link, social media page, every parking ticket, every word on his school records.
It takes months to do an SSBI.
And yet, when Manning encountered something that he knew for a confirmed fact that what he was seeing/hearing/reading was against the law, he tried to do the right thing, but got shot down by his chain of command. Feeling as though he had no other choice, he allegedly turned the info over to Wikileaks.
What the heck do you suppose a "geek", someone who by their very nature has issues with authority, probably has personal issues around justice, and has tendencies towards just about every "ism" that your average government puts people on watchlists for, is going to do when they see/hear/read something that they think is wrong????
Nabbing geeks off the street to "hack the planet" is fine and dandy for movies about the end of the world, but it doesn't work so well in real life.
[End Of Line]
The author mentions things like one-time/minor drug use offenses and an unwillingness to kiss ass (btw, the latter isn't something HR can really screen for, and there are plenty of other talented professionals in other sectors who've been unfairly burned for this -- it isn't unique to "geek culture"), but falters when it comes to discussing just what he means by "personality." If what he's speaking to is more tolerance for people who see the world in a different way, he's absolutely got a point, and it's one that applies to far more industries than just security. Lots of good, smart folks suffer career setbacks for *actual* outside-the-box thinking (which needs to be distinguished from in-the-rarely-explored-corner-of-the-box thinking, which is what most employers actually want when they ask for people to think "outside the box"). Lots of industries and jobs require a four-year degree when the value of such a degree is attenuated, at best. Lots of people in all kinds of fields get overlooked just because they don't have that magical four-year degree even when their real-world experience and ability and willingness to learn more than make up for it. IMNSHO, that's a loss to society no matter which sector it affects.
But I worry that his mention of "lawyers" may be code for things like anti-harassment workplace rules. I can get behind saying we should tolerate oddness and even occasional brusqueness in service of higher-quality job performance. But I worry, based on the word choice employed, that it's being implicitly suggested that entire swaths of the population are worth counting out for a marginal increase in security. "Geek culture" broadly has been criticized, and in my view often rightly so, for an apparent tendency towards unpalatable points of view vis-a-vis the GLBTQ community, women, racial minorities, religious minorities, etc. In my experience, this is less a case of anonymity revealing what we don't want to see (that explains trolling and maybe a little bit more, but not everything) and more a case of arrested adolescence. As someone who was a bit of an ostracized nerd as a kid, I sincerely do empathize with the tendency to want to crawl into a hole and say "fuck you, world" as a response to unkindness. But there comes a time when no amount of talent makes up for a willful refusal to function in a diverse society. It's one thing to ask coworkers to shrug their shoulders that some of the security guys don't do small talk; it's entirely another to ask them to look the other way when their company's security system is run by a literal neo-Nazi.
It may very well be that the author didn't mean that all boundaries should be done away with. But the article is far from clear on that point.
I have worked for the Federal Government for some time now (6-7 years). Below is a brief detail of my hiring/firing history.
1 - Apply for intern job (summer 2004), a month (month!) later, go on an interview, be told that I "got the job". Two months (!) later, I start. The first 50 hours are entirely paperwork. I work 20 hours/week for a year after this.
2 - Due to the conditions on my hire, I was only allowed to be employed for 12 months. The plan is to fire me on a Friday, and hire me on Monday (more paperwork). Somebody gets sick, or lazy, or something (never found out). I end up unemployed for a month. My supervisor gives me a bonus (equal to a week's pay... $240), as an apology.
3 - I get my degree, and get hired on as a full time employee. I start the process early, but it takes three months (during which I work full time at less than half of the full time rate).
4 - I take a temporary assignment. This takes 9 months to set up. It is a two month assignment.
5 - I take another temporary assignment. We don't fill out the paperwork, as it is a lateral for the same pay on the other side of the building.
6 - I find new employment (June 2010). A position is opened up with my name on it. I start mid-January 2011.
Among my group, one of them took over a year to hire (and had to jump through a "temporary hire" hoop in order to wait out a hiring freeze), one of them took 9 months to hire (full time federal), one of them took nine months to hire (full time post-doc contractor), and one of them took 4 months to hire (contractor). I don't know what it looks like in the private sector, but this is INSANE. In a previous federal job, we had two applicants find other employment while we were in the process of hiring them (restarting the 6-9 month process!).
Want to talk waste/fraud/abuse? Have an engineer work 70 hour weeks for 6 months while you try to promote the person who will do the job. This has happened twice in my observation (the first person got promoted out). Fucking disaster.
While you are correct that it is difficult to fire someone (I've seen it done twice), it is also very hard to hire them. It is double-hard to hire people when you tell them that it will be 6 months before they start. You tell that to graduating seniors, and they walk away from the recruiting station.
...of security clearances and credit checks and background checks and peeing in cups, although that's a big part of it (official DoD policy is that any marijuana use is a "serious mental disorder.")
The other aspect is that they don't really want their security fixed. They don't want to be told that "TBD" on a security plan isn't acceptable.
To be fair, this sounds exactly like working for any large corporation. =)
We should probably hire them. That way we'd get to choose between more than 2 applicants. Hey, one might even be able to do the job for a change!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
For the House of Representatives we should probably draft them, like the Army used to. Walk out to the mail box, open the letter from the gov't, ... damn I have to report to Congress for two years. That way we get a broader sampling of perspectives and experiences. The type of people we want probably would not apply for the job (volunteer). :-)
The first Boy Scout who develops "elite hacker skills" and is willing to spell it that way gets the job.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
This isn't just government. People who run businesses and make hiring decisions have all kinds of weird ideas and hangups about what makes a good employee. You are considered not good employee material if you've been out of work for more than 6 months, or your age, appearance, or dress doesn't conform to their startlingly narrow standards, or your attitude isn't just so, or your credit rating is too low or perhaps too high which means you might be able to walk out on them without losing your car and house, and more. The experience and currently employed catch-22 seems especially unfair. Can't get experience without a job, and can't get a job without experience. They also want to know if you have children and how old they are, so they can discriminate against women with young children, and for men with young children as long as the men are married not divorced. They want the very hardest driven workers they can find, the sort of persons who can be persuaded or bullied into working extreme hours, figuring that counts for more than ability. A candidate who seems a little desperate may have better chances. There's still racism, sexism, and anti-intellectualism. It always amazes me the way educational accomplishments are often dismissed out of hand or even held up as a negative. There's a great amount of subjectivity injected into these decisions.
As if applying bad criteria to hiring decisions isn't enough, there's also favoritism and gaming of employment. Too often they don't even try to hire whoever is best according to the pseudo rational criteria they love so. Or there isn't even an opening, they're just going through the motions to cover something or harvest resumes.
Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
The paranoid nutcases that determine whether, or not, someone is a "security risk" have no clue how to determine that (how many spies have been publicly exposed within the CIA, etc. ?). They fall back on "I'm a good security risk, if I do say so myself, so people like me must also be potentially good security risks.", and, therefore, everyone "not like me" is a bad security risk.
The primary "like me" criterion is the willingness to have your entire life exposed to your bosses and other, less visible, auditors. While the TSA perverts have been getting a lot of people used to being in public scrutiny, right down to detailed images of their genitals, the number of people who can think "sneaky" (in order to foil those who really are sneaks) AND are willing to "bare it all" is, apparently, not that high.
Was using the government as a benchmark for anything. Government IT contracts are obscenely bloated with regulatory compliance requirements and perilously thin on security. There's a difference between the two.
Government contracts stress first and foremost adherence to standards like COBIT and NIST because....well just because. Then the regulatory monkeys fly in and tell you about the 40 different regs you have to be audited to. And all of a sudden you've torn out your whole storage farm and replaced it with devices that encrypt at the disk level because that's what they demand even though their view of the reg is complete horseshit. So you got them to plunk down another $20 million in 'secure hardware' which is great for the vendor but pointless. Because they don't have a requirement in their bible of standards to implement URL filtering, NIDS or zoned off VPN crossbars. So 'security' is bullshit. But you passed the audits. Which is all they care about.
Here's a more straight forward route to a software engineering job in the fed:
Get your degree in CS.
Enlist in the airforce, officer or no.
Spend your 4 years there doing whatever, banging out code in your spare time so skillz don't actually, you know get rusty.
Apply for cushy GS 12 position & get it.
And so are you, and oh -- by the way -- your keyboard-'R' is unreliable.
Well, yes and no...
The bureaucratic bullshit (BBS) is roughly proportional to the size and the age of the organization. There's nothing special about govt work that makes it more susceptible to BBS... except that the govt is much bigger and older than most companies.
Shit, imagine working for the Vatican. They're a worldwide operation, and they've been at it for 2000 years. When St. Peter was doing all the hiring personally, it was a lot easier to get your foot in the door.
IT needs trades / tech schools like learning not college that come with big skills gaps.
The real problem is that security-related government jobs require security clearances and lie detector tests that exclude a large portion of geeks, in my opinion. They want to make sure you haven't done a bunch of drugs in the past 7 years, but for most smart geeks, that's the time they usually did their drugs. They need to relax the rules on some drugs if they want more talent.
... is dog-whistle for "I really wish I could get away with being open about my racism/sexism/homophobia/whatever." You should really avoid hiring those people, if that's what you really mean. If you just mean "Yo, we shouldn't knock qualified applicants off the list for a pot bust ten years ago," then maybe you're on to something.
It's the polar opposite of my experience. From what I've seen in the corporate world, it is the employees who ask to take some time off before they start. The employers, given a chance, would rather have you start a week after the interview. If it takes more than a couple of weeks to get a call from HR to discuss salary, that usually means they didn't like you, and they're looking for other candidates.
Now to be fair, screw-ups with contractors happen, but I've never seen anything remotely that messy when a contractor transitions to a full employee. And I've never seen it take anywhere near nine months to bring in anyone, contractor or otherwise, unless perhaps some of the summer interns get provisional job offers that many months before they graduate, but that isn't really a similar situation.
At my current job, I went from interview to orientation in... I believe five days, give or take a day. This is not unusual. Nine months is unusual. It means either that the company is a bureaucratic hellhole that will make you want to run away in terror after a week or that the position is not something they urgently want to fill, in which case it will be the first job that they cut in six months when the layoffs come....
So in the end you only get the people that really can't find a job elsewhere, as those are the ones that are still waiting after 6-9 months. Oh well, it's a way to narrow down your pool of prospective employees.
Are you working for Google or something? I work in a large corp, and the hiring procedures are insane, especially on the IT side. There is one process for getting budget to pay people (which is fair enough), then you have to get permission at damn near board level to actually start looking for an actual person to hire, and once all the people in that would-be hire's command chain have signed off on hiring them, it can still take HR weeks to months to get an actual written offer out. And then there are yearly hiring freezes that strike about every September, last till next year, and supersede any approvals you might have achieved by then. These, again, can be bypassed by pushing hard enough - overall, none of this makes hiring impossible, but an incredible time sink, not to mention causing us to lose candidates because the competitors were faster on the draw.
Once you're in the system, it's actually a pretty good place to work (and getting a bit better every year IMO, as the number of bright people around me grows), but the hiring procedures are just damn crazy.
And working for an institution that fuels itself on groupthink and blind patriotism is a last resort for smart people with personal ethics.
"Demands for college degrees and IT certifications and the ability to get IT security clearances should not be a priority in hiring... Forget education..." - Schwartau
While we are at it, why don't we remove the same criteria from becoming a doctor, lawyer, or engineer? Not a good idea? I didn't think so either.
I've worked for the federal government for over seven years. For me it took two months between the job offer and my start date due to the HR office being slow sending me paperwork and then slowly processing the paperwork. I also had to wait on a security clearance.
Now that I've been around for a while I am more involved in the hiring process. Last year we tried to fill two positions. One of those the employee started within a month because she already had a clearance and was moving from a contract position within the same building. The other position has been in the works for OVER A YEAR NOW. Mind you we picked a candidate and completed salary negotiation and everything in the summer of 2010! I'm surprised that person is still going along with the process!
The latest issue is we are trying to hire a couple "Computer Scientist" (GS-1550) developmental positions (GS 7/9/11). We are trying to get the advertisements up as soon as possible so we can start processing their clearances so they can start as soon as they graduate in the spring. We had job descriptions written up and the HR people gave the go ahead, but just before they posted the advertisements on usajobs.gov they came back and said we are not authorized to hire in the Computer Scientist job series, they must be the IT Specialist (GS-2210) job series. This goes into the differing requirements the Office of Personnel Management places on different job series, but to keep it simple the difference is a Computer Scientist has an education requirement (basically must have a BS in Computer Science) whereas anybody who knows what a computer looks like can be an IT Specialist (most of my coworkers are IT Specialists and at best they just make Powerpoint slides and non-technical whitepapers).
Frankly I'm tired of just picking up people with security clearances who aren't geeks (don't have a passion for this area) and only want the job because it pays well (and is stable because, yes, it is hard to fire people). I'd much rather hire a college student who at least has some *interest* in this area (proactively chose computer science to study). After HR applies their scoring criteria all the candidates that are left are former Intel Specialists that took an "Intro to HTML" at some point in their lives. Just the perfect type of people I need to help build applications, design database schemas, and manage servers!
It doesn't help that, at least in the DoD, there is this mindset that people are just "bodies" that can be trained. (Is it like that elsewhere? Seriously I've been cooped up in this Defense Wonderland for so long I don't know what the real world is like anymore.)
Actually to be more fair, I don't care if the individual has a degree or not. I just want someone who is passionate about computers/IT/programming/whatever. Someone who, if they don't know, has a desire to learn. In the 7+ years I've worked in the DoD I can count the number of people on one hand I've met like that.
Let me get off this soapbox before I start complaining about how all these people in the government are crying about cyber-threat-this and cyber-weapon-that, while at the same time don't understand anything about technology and have watched one too many cyber-movies.
If you're going to get a Fed security clearance of any kind, you're going to *start* the process by filling out this form (127 pages, although large parts are skipped for most people):
http://www.opm.gov/forms/pdf_fill/sf86.pdf
Just so you know the kinds of questions they start with. It gets more invasive from there. They generally only care about the last 7 years of your life, however.
Oh, and skip to page 96 if you want to get to the "what drugs have you done?" part.
With the first link, the chain is forged.
If it takes your HR department weeks or months to get a written offer, you seriously need to fire your HR department ASAP. Companies that are slow to hire people tend to lose the vast majority of the most qualified candidates that they're trying to hire, and the people they don't lose are frequently people who couldn't get jobs anywhere else. Such practices significantly hurt the quality of a company's workforce.
As you said, highly successful companies like Google, Apple, Facebook, etc. don't have those sorts of problems. More to the point, that's a big reason for their success. Companies whose hiring processes are more agile have a decided competitive advantage over companies whose hiring processes impede hiring the best and brightest. That means not only offering a competitive salary and competitive benefits, but also a competitive start date.
Between 1st, 2nd, and sometimes 3rd interviews it usually seems to take about 2 months to get an offer. Once you have the offer there are usually some sort of stipulations about how often orientation can be held. You may need to give notice to your current employer. I would estimate 3 months is average for getting a new job.
Exactly, hackers don't have much respect for authority and rules (otherwise they wouldn't be hacking), yet you have a selection process that makes it compulsory. It's like saying I need a car that can drive practically anywhere, fit 8 men inside, and still be fast, but it's not allowed to be 4wd, bigger than a mini, or use much fuel.
Hackers do have respect for authority and rules. Logic from which computer systems are based on, rules define the language the source code is written in and so on. Also there are rules and order in every community including the hacker community. Not every hacker is an outlaw, a criminal, or a thug. Some hackers follow rules, aren't thugs, and can respect authority. The problem is the average hacker doesn't respect ALL authority. It depends on who is in charge.
And the Catholic Church could prop up its declining clergy membership by recruiting straight from the local sex offender registry.
Seriously, what the fuck? "Legal niceties" is another term for these rules are in place because we don't want to get fucked over again by someone we trusted.
Who fucked them over? Bradley Manning? The Bradley Manning situation happened because they weren't paying attention to him, it's almost like they allowed it to happen. They weren't following their own security protocol, and skipped their own rules and measures in that situation. They let it happen.
That doesn't change the fact that Bradley Manning did what he did, it's simply a matter of making it impossible for anyone to do what he did again and then you don't have to worry about that.
They're there for a reason, and actively circumventing them to search for applicants is inviting yourself to get burned. Maybe some of them could be relaxed, sure, like the one-time drug offense bit for security clearances. But just saying "they're narrowing our pool of applicants!"...Shit, Sherlock, that's why they exist!
They are narrowing the pool of applicants to the point where they are complaining. They don't know what they want or need, they don't seem to know what they are doing, they don't seem to hire people who know what they are doing, and it keeps going into this circle of needing to hire experts but refusing to hire experts who don't fit.
It's not about politics. People will bring up politics, but politics aren't what it's about. If it's about personality traits then they should go for the people who have the traits they want, if they know what those traits are. I don't know much about security clearance but on the drugs, if someone is addicted to drugs (or anything for that matter) it's a lot easier for them to be coerced or bribed.
I have worked for the Federal Government for some time now (6-7 years). Below is a brief detail of my hiring/firing history.
1 - Apply for intern job (summer 2004), a month (month!) later, go on an interview, be told that I "got the job". Two months (!) later, I start. The first 50 hours are entirely paperwork. I work 20 hours/week for a year after this.
2 - Due to the conditions on my hire, I was only allowed to be employed for 12 months. The plan is to fire me on a Friday, and hire me on Monday (more paperwork). Somebody gets sick, or lazy, or something (never found out). I end up unemployed for a month. My supervisor gives me a bonus (equal to a week's pay... $240), as an apology.
3 - I get my degree, and get hired on as a full time employee. I start the process early, but it takes three months (during which I work full time at less than half of the full time rate).
4 - I take a temporary assignment. This takes 9 months to set up. It is a two month assignment.
5 - I take another temporary assignment. We don't fill out the paperwork, as it is a lateral for the same pay on the other side of the building.
6 - I find new employment (June 2010). A position is opened up with my name on it. I start mid-January 2011.
Among my group, one of them took over a year to hire (and had to jump through a "temporary hire" hoop in order to wait out a hiring freeze), one of them took 9 months to hire (full time federal), one of them took nine months to hire (full time post-doc contractor), and one of them took 4 months to hire (contractor). I don't know what it looks like in the private sector, but this is INSANE. In a previous federal job, we had two applicants find other employment while we were in the process of hiring them (restarting the 6-9 month process!).
Want to talk waste/fraud/abuse? Have an engineer work 70 hour weeks for 6 months while you try to promote the person who will do the job. This has happened twice in my observation (the first person got promoted out). Fucking disaster.
While you are correct that it is difficult to fire someone (I've seen it done twice), it is also very hard to hire them. It is double-hard to hire people when you tell them that it will be 6 months before they start. You tell that to graduating seniors, and they walk away from the recruiting station.
Your situation doesn't sound so bad.
I think you got it a bit wrong. To be a good hacker you learn to bend the rules without breaking them. You learn to work the legal system and laws to your advantage. You learn that while computers and operating systems do have rules, those rules can be bent.
That is not the same as breaking the rules. A rule breaker is an outlaw and won't last very long before they break one rule too many. A rule bender is someone who knows how to get things done by knowing how things work so well that they figure out the cheat codes.
If you can't see that the current elite is screwing up big time,
Not sure what in my comment remotely indicated that I think the "elites" are getting everything right. In fact, I'm pretty sure I explicitly noted my agreement with several points the author raised.
if you can't see how the financial "elite" screws up your country,
Didn't realize I'd wandered into a political discussion here, but simmer down, little fella. Don't worry, I'm a liberal too. Really, I'd have thought the whole "don't hate on women and gays" thing would've given me away here. But just to be clear, yeah, I'm definitely on the same wavelength: the aristocracy are robbing us blind, and with our blessing. It's fucking disgusting.
if you can't see that the Jews want America to make war for them, then you are a retard.
Woah Nellie.
I can't tell if this is a very subtly clever post where you're trying to make my point for me, or if you're so horrifically tone-deaf that you don't see that you've actually just made my point for me. Anyway, just in case you don't get it, Israel =/= "Jews," and believe it or not, you can disagree with America's massive amounts of foreign aid to Israel without needing to be anti-Semitic. I'm married to a Jew and have a brother-in-law who lives in Tel Aviv, and I don't like how much we pander to Israel. Guess what? You can make a political point every bit as effectively without conflating (1) all Israelis with the Israeli government or (2) Israeli hawks with "Jews" generally. As to "retard," it's unfortunate that this kind of immature derisive insult is so common it's NOT the type of thing to put off polite company.
Oh, but clearly, if you go around spouting anti-Semitic nonsense and find yourself out of work one of these days, well that must be just a great big Jewish conspiracy, yeah? Again, thanks for illustrating my point so very clearly.
Real security guys see through the bullshit and they will be labelled all of that by the Sheeple. Those who believed all the WMD lies and those who believe "Iran is evil". I will be happy when they blow up jews, because they steal land and kill the landowners just because they can. Now call me a Nazi, ass-kisser.
What you just wrote here makes so little sense that I'm actually worried for your mental health. Seriously, dude, go take a walk in the sun and talk to an actual human being, face-to-face. Just try to remember not to brandish a knife while doing it. Pro tip, that kind of thing tends to freak people the fuck out.
I wasn't addressing how long it takes to hire somebody. I sure agree that the process of hiring somebody can be lengthy and frustrating, but if your goal is to fill the space, you can eventually get that done in the federal government. Try to fire somebody for substandard performance though, almost takes an act of congress and can consume more than a year and a half of your time assuming you know and follow the process.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101