Slashdot Mirror
Want a Security Pro? Get Politically Incorrect and Learn Geek Culture
coondoggie writes "While complaints can be heard far and wide that it's hard to find the right IT security experts to defend the nation's cyberspace, the real problem in hiring security professionals is the roadblocks put up by lawyers and human resources personnel and a complete lack of understanding of geek culture, says security consultant Winn Schwartau. Take Janet Napolitano, U.S. secretary of the Department of Homeland Security, who has said the country can't find the right people for network defense. The real problem is a misunderstanding of computer geeks, their personalities, habits and their backgrounds, said Schwartau today during his talk at the Hacker Halted information security conference."
My mother's basement is well defended !!!!!!!
And the Catholic Church could prop up its declining clergy membership by recruiting straight from the local sex offender registry.
Seriously, what the fuck? "Legal niceties" is another term for these rules are in place because we don't want to get fucked over again by someone we trusted. They're there for a reason, and actively circumventing them to search for applicants is inviting yourself to get burned. Maybe some of them could be relaxed, sure, like the one-time drug offense bit for security clearances. But just saying "they're narrowing our pool of applicants!"...Shit, Sherlock, that's why they exist!
Everything is better with chainsaws.
think they deserve special treatment and don't have to be clean, social, pleasant, accountable workers.
newsflash: they do.
Corps and Gov are right to want to make more geeks, so they don't have to make do with the half-defective ones.
The Cloud - because you don't care if your apps and data are up in the air.
Your assumption is that the government hires people capable to actually solve the problem. It does, but only in war times. In war times you lose ground when you follow the wrong path. When yo sent the horses against the machine guns. Governments are not interested to actually solve the problem but rather to be in charge of the problem. We know that many security issues could be solved. Simply spent a few millions on security reviews of commonly executed code. and order the companies to provide bug fixes or apply punitive damages, make them partly liable for not fixing security issues.
This isn't even specific to the IT field. This is a problem with every organization that hires people. Unless the organization is too small to have lawyers or human resources.
I haven't met a too many good hackers who haven't, at least at one time, engaged in some drug use -- whether it be smoking weed (usually), tripping on mushrooms/acid, or cocaine etc..it seems to permeate the culture quite a bit.
A couple three-letter agencies once tried to recruit me, but I didn't want to stop going to festivals/parties, smoking pot, etc. It felt like I would have to become a square and this job would be my life, and I'd have to disown much of the culture I was associated with previously. Plus, I thought if I went forward, I'd never get past the polygraph where they ask you tons of questions about drug use, and it would just be a waste of time.
For context, I am an IT professional with a specialization in security and about 20-40% of my workload is security related.
Maybe if drug testing wasn't required, these agencies would get more applicants. But no one wants to piss in a cup on a monthly basis to work at a rate of pay less than they could get at companies that don't drug test.
While not terribly talented and hardly the sort of person likely to hold down a decent paying job (let alone know how to write out a resume or pass an interview) these are the sort of people who find the gaps. Recruiting them to work for you may be iffy. Once they have a paycheck, can afford a sports car, some decent clothes and can afford to go out they slowly cease to be the people you wanted.
Best to just hire them on a per item contract and toss them a burrito now and then.
A feeling of having made the same mistake before: Deja Foobar
This is nothing new to the IT industry in general and has been going on for years. It's only moved to "Security" now because the wave of nerds that 10 years ago were hired for "basic IT" are now sufficiently advanced where connecting a network together is trivial and their knowledge has moved on.
Unless the organization is too small to have lawyers or human resources.
And this is why I gave up working for big organisations - I want to spend my time doing a useful job rather than constantly battling against other departments (such as HR) who seem intent on making sure there's as little productivity as possible.
http://blog.nexusuk.org
There are two big barriers for government IT hiring:
Pay scale
The GS payscale doesn't map well to high-end IT skills. So often you end up with the marginally qualified, or those rare individuals who are not only not in it for the money, but somehow find a way to turn down offers every quarter from another round of head-hunters.
Extra scrutiny
The government security and screening process is a lot tougher than many commercial enterprises. It leads to ironic debtor-prison type situations where an otherwise qualified guy about to have his house foreclosed can't get the job because he is a security risk because he needs the money. The government just doesn't want to take the risk he will be try to pay off his bills by selling access to the highest bidder.
If you've ever worked for the government, you'll know that they ensure it's hard for them to hire anyone.
Don't forget the background checks where they spend six months or more interviewing your family and past employers. And the random drug tests. And polygraph tests. And the credit check. And...
If you've ever worked for the government, you'll know that they ensure it's hard for them to hire anyone.
Really? Congress could have fooled me to think otherwise.
Congress doesn't get hired, the get elected. The process for the later is even more f'd up than the process for the former.
Network security is a position of trust. There is basically no way around this: implicit in running a network is that you have the tools to see what's on it. Encryption only goes so far in such situations, particularly at agencies tasked, in part, with getting at encrypted data.
This adds up to some employers requiring a greater degree of trust in their employees than is currently the norm. Some geeks, it seems, are unwilling to come to terms with the fact that their life choices may have made them poor security risks in that context. The cases where the risk isn't because of a life choice are sadder, but the risk is just as real, and to ask agencies with bona fide requirements for absolute trust to simply ignore those risks is insane.
This year's Defcon had a HUGE push by Homeland security and the CIA attempting to recruit. It was funny going to watch Bruce Schneier talk and someone told him that and he bascially said "I hope you didn't believe anything they said". They guy from Homeland security seemed like a good guy and was tring to actually hire good people, but my only question to everything he said was "You do realize you work for Janet N.?"
The Federal government has become a joke. If you go out on a limb for them and it becomes slightly inconvient for them they hang you out to dry. You find them doing something wrong and think about whistleblowing, you will be fired and probably sued (see ATF guy who told about Fast and Furious). You interrogate terrorits and you will be threatened with jail (See CIA agents at Gitmo). They have a history of stomping on people who might make them look bad.
No thanks. The Federal government is corrupt beyond fixing. Anyone who goes in to do the right thing will end up being a casuality.
An important point: Except in some relatively minor respects such as slang vocabulary, hackers don't get to be the way they are by imitating each other. Rather, it seems to be the case that the combination of personality traits that makes a hacker so conditions one's outlook on life that one tends to end up being like other hackers whether one wants to or not (much as bizarrely detailed similarities in behavior and preferences are found in genetic twins raised separately).
General Appearance
Intelligent. Scruffy. Intense. Abstracted. Surprisingly for a sedentary profession, more hackers run to skinny than fat; both extremes are more common than elsewhere. Tans are rare.
Dress
Hackers dress for comfort, function, and minimal maintenance hassles rather than for appearance (some, perhaps unfortunately, take this to extremes and neglect personal hygiene). They have a very low tolerance of suits and other ‘business’ attire; in fact, it is not uncommon for hackers to quit a job rather than conform to a dress code. When they are somehow backed into conforming to a dress code, they will find ways to subvert it, for example by wearing absurd novelty ties.
Female hackers almost never wear visible makeup, and many use none at all.
Physical Activity and Sports
Many (perhaps even most) hackers don't follow or do sports at all and are determinedly anti-physical. Among those who do, interest in spectator sports is low to non-existent; sports are something one does, not something one watches on TV.
Further, hackers avoid most team sports like the plague. Video games being a notable exception, both in terms of team play and consideration as a sport... Hacker sports are almost always primarily self-competitive ones involving concentration, stamina, and micromotor skills: martial arts, bicycling, auto racing, kite flying, hiking, rock climbing, aviation, target-shooting, sailing, caving, juggling, skiing, skating, skydiving, scuba diving. Hackers' delight in techno-toys also tends to draw them towards hobbies with nifty complicated equipment that they can tinker with.
The popularity of martial arts in the hacker culture deserves special mention. Many observers have noted it, and the connection has grown noticeably stronger over time. In the 1970s, many hackers admired martial arts disciplines from a distance, sensing a compatible ideal in their exaltation of skill through rigorous self-discipline and concentration.
Today, martial arts seems to have become firmly established as the hacker exercise form of choice, and the martial-arts culture combining skill-centered elitism with a willingness to let anybody join seems a stronger parallel to hacker behavior than ever. Common usages in hacker slang un-ironically analogize programming to kung fu (thus, one hears talk of “code-fu” or in reference to specific skills like “HTML-fu”).
Education
Nearly all hackers past their teens are either college-degreed or self-educated to an equivalent level. The self-taught hacker is often considered (at least by other hackers) to be better-motivated, and may be more respected, than his school-shaped counterpart. Academic areas from which people often gravitate into hackerdom include (besides the obvious computer science and electrical engineering) physics, mathematics, linguistics, and philosophy.
Food
Ethnic. Spicy. Oriental, esp. Chinese and most esp. Szechuan, Hunan, and Mandarin (hackers consider Cantonese vaguely déclassé). Hackers prefer the exotic; for example, the Japanese-food fans among them will eat with gusto such delicacies as fugu (poisonous pufferfish) and whale. Thai food has experienced flurries of popularity. Where available, high-quality Jewish delicatessen food is much esteemed. A visible minority of Southwestern and Pacific Coast hackers prefers Mexican.
For those all-night hacks, pizza and microwaved burritos are big. Interestingly, though the mainst
was confirmation of my opinion that "political correctness" now means "any kind of attitude or phenomenon that I don't like, but I can't be bothered to articulate a proper argument against". A bit like "inappropriate", really.
...had a Top Secret / SCI (secure, compartmentalized information) clearance.
They crawled up his ass with the Hubble telescope, looked for people he knows, then went and crawled up the ass of *those* people to find out who *they* know that might know Manning. They hooked him up to a polygraph. They checked, re-checked, cross-checked and followed every single link, social media page, every parking ticket, every word on his school records.
It takes months to do a SSBI.
And yet, when Manning encountered something that he knew for a confirmed fact that what he was seeing/hearing/reading was against the law, he tried to do the right thing, but got shot down by his chain of command. Feeling as though he had no other choice, he allegedly turned the info over to Wikileaks.
What the heck do you suppose a "geek", someone who by their very nature has issues with authority, probably has personal issues around justice, and has tendencies towards just about every "ism" that your average government puts people on watchlists for, is going to do when they see/hear/read something that they think is wrong????
Nabbing geeks off the street to "hack the planet" is fine and dandy for movies about the end of the world, but it doesn't work so well in real life.
[End Of Line]
I have worked for the Federal Government for some time now (6-7 years). Below is a brief detail of my hiring/firing history.
1 - Apply for intern job (summer 2004), a month (month!) later, go on an interview, be told that I "got the job". Two months (!) later, I start. The first 50 hours are entirely paperwork. I work 20 hours/week for a year after this.
2 - Due to the conditions on my hire, I was only allowed to be employed for 12 months. The plan is to fire me on a Friday, and hire me on Monday (more paperwork). Somebody gets sick, or lazy, or something (never found out). I end up unemployed for a month. My supervisor gives me a bonus (equal to a weeks pay... $240), as an apology.
3 - I get my degree, and get hired on as a full time employee. I start the process early, but it takes three months (during which I work full time at less than half of the full time rate).
4 - I take a temporary assignment. This takes 9 months to set up. It is a two month assignment.
5 - I take another temporary assignment. We don't fill out the paperwork, as it is a lateral for the same pay on the other side of the building.
6 - I find new employment (June 2010). A position is opened up with my name on it. I start mid-January 2011.
Among my group, one of them took over a year to hire (and had to jump through a "temporary hire" hoop in order to wait out a hiring freeze), one of them took 9 months to hire (full time federal), one of them took nine months to hire (full time post-doc contractor), and one of them took 4 months to hire (contractor). I don't know what it looks like in the private sector, but this is INSANE. In a previous federal job, we had two applicants find other employment while we were in the process of hiring them (restarting the 6-9 month process!).
Want to talk waste/fraud/abuse? Have an engineer work 70 hour weeks for 6 months while you try to promote the person who will do the job. This has happened twice in my observation (the first person got promoted out). Fucking disaster.
While you are correct that it is difficult to fire someone (I've seen it done twice), it is also very hard to hire them. It is double-hard to hire people when you tell them that it will be 6 months before they start. You tell that to graduating seniors, and they walk away from the recruiting station.
...of security clearances and credit checks and background checks and peeing in cups, although that's a big part of it (official DoD policy is that any marijuana use is a "serious mental disorder.")
The other aspect is that they don't really want their security fixed. They don't want to be told that "TBD" on a security plan isn't acceptable.
To be fair, this sounds exactly like working for any large corporation. =)
No, they think you are a person. And therefore, a potential terrorist.
For the House of Representatives we should probably draft them, like the Army used to. Walk out to the mail box, open the letter from the gov't, ... damn I have to report to Congress for two years. That way we get a broader sampling of perspectives and experiences. The type of people we want probably would not apply for the job (volunteer). :-)
And so are you, and oh -- by the way -- your keyboard-'R' is unreliable.
Well, yes and no...
The bureaucratic bullshit (BBS) is roughly proportional to the size and the age of the organization. There's nothing special about govt work that makes it more susceptible to BBS... except that the govt is much bigger and older than most companies.
Shit, imagine working for the Vatican. They're a worldwide operation, and they've been at it for 2000 years. When St. Peter was doing all the hiring personally, it was a lot easier to get your foot in the door.
IT needs trades / tech schools like learning not college that come with big skills gaps.
The real problem is that security-related government jobs require security clearances and lie detector tests that exclude a large portion of geeks, in my opinion. They want to make sure you haven't done a bunch of drugs in the past 7 years, but for most smart geeks, that's the time they usually did their drugs. They need to relax the rules on some drugs if they want more talent.
... is dog-whistle for "I really wish I could get away with being open about my racism/sexism/homophobia/whatever." You should really avoid hiring those people, if that's what you really mean. If you just mean "Yo, we shouldn't knock qualified applicants off the list for a pot bust ten years ago," then maybe you're on to something.
Are you working for Google or something? I work in a large corp, and the hiring procedures are insane, especially on the IT side. There is one process for getting budget to pay people (which is fair enough), then you have to get permission at damn near board level to actually start looking for an actual person to hire, and once all the people in that would-be hire's command chain have signed off on hiring them, it can still take HR weeks to months to get an actual written offer out. And then there are yearly hiring freezes that strike about every September, last till next year, and supersede any approvals you might have achieved by then. These, again, can be bypassed by pushing hard enough - overall, none of this makes hiring impossible, but an incredible time sink, not to mention causing us to lose candidates because the competitors were faster on the draw.
Once you're in the system, it's actually a pretty good place to work (and getting a bit better every year IMO, as the number of bright people around me grows), but the hiring procedures are just damn crazy.
You can tell the difference by subjecting the applicants to creative tests. If they manage to break in, they're more likely to be able to switch hats and guard the other side of the fence.
cpghost at Cordula's Web.
I've worked for the federal government for over seven years. For me it took two months between the job offer and my start date due to the HR office being slow sending me paperwork and then slowly processing the paperwork. I also had to wait on a security clearance.
Now that I've been around for a while I am more involved in the hiring process. Last year we tried to fill two positions. One of those the employee started within a month because she already had a clearance and was moving from a contract position within the same building. The other position has been in the works for OVER A YEAR NOW. Mind you we picked a candidate and completed salary negotiation and everything in the summer of 2010! I'm surprised that person is still going along with the process!
The latest issue is we are trying to hire a couple "Computer Scientist" (GS-1550) developmental positions (GS 7/9/11). We are trying to get the advertisements up as soon as possible so we can start processing their clearances so they can start as soon as they graduate in the spring. We had job descriptions written up and the HR people gave the go ahead, but just before they posted the advertisements on usajobs.gov they came back and said we are not authorized to hire in the Computer Scientist job series, they must be the IT Specialist (GS-2210) job series. This goes into the differing requirements the Office of Personnel Management places on different job series, but to keep it simple the difference is a Computer Scientist has an education requirement (basically must have a BS in Computer Science) whereas anybody who knows what a computer looks like can be an IT Specialist (most of my coworkers are IT Specialists and at best they just make Powerpoint slides and non-technical whitepapers).
Frankly I'm tired of just picking up people with security clearances who aren't geeks (don't have a passion for this area) and only want the job because it pays well (and is stable because, yes, it is hard to fire people). I'd much rather hire a college student who at least has some *interest* in this area (proactively chose computer science to study). After HR applies their scoring criteria all the candidates that are left are former Intel Specialists that took an "Intro to HTML" at some point in their lives. Just the perfect type of people I need to help build applications, design database schemas, and manage servers!
It doesn't help that, at least in the DoD, there is this mindset that people are just "bodies" that can be trained. (Is it like that elsewhere? Seriously I've been cooped up in this Defense Wonderland for so long I don't know what the real world is like anymore.)
Actually to be more fair, I don't care if the individual has a degree or not. I just want someone who is passionate about computers/IT/programming/whatever. Someone who, if they don't know, has a desire to learn. In the 7+ years I've worked in the DoD I can count the number of people on one hand I've met like that.
Let me get off this soapbox before I start complaining about how all these people in the government are crying about cyber-threat-this and cyber-weapon-that, while at the same time don't understand anything about technology and have watched one too many cyber-movies.
If you're going to get a Fed security clearance of any kind, you're going to *start* the process by filling out this form (127 pages, although large parts are skipped for most people):
http://www.opm.gov/forms/pdf_fill/sf86.pdf
Just so you know the kinds of questions they start with. It gets more invasive from there. They generally only care about the last 7 years of your life, however.
Oh, and skip to page 96 if you want to get to the "what drugs have you done?" part.
With the first link, the chain is forged.
Invest in some wifi to ethernet bridges, it's all about the letter of the law, not the spirit.
Cheap storage VM.