Archive for January, 2005

Applying for a Java job - HOWTO

Monday, January 31st, 2005

OK - I’ve just about had it. We have a few jobs (Sydney and New York) open at the moment and as usual the overall standard of applications has been nothing short of appalling.

For anyone out there applying for any Java job, here are a few tips from me (as I sit on the other side of the fence):

1. Your cover letter or email should be in readable English

Poor language in your application letter is the fastest way to get your resume thrown in the bin without even getting read.

Gain experience through a combination of general skills and theoretical knowledge is my motive.

Get someone to proofread it. I don’t care what your grasp of English is: if you want any chance of getting a job you have to at least convince the recipient that you could get through an interview before you will actually get to one.

Insincere flattery and other flowery language in a cover letter look cheesy - forget it.

“With regard to the job opening In your esteemed Organisation”

“To your humble greatness I submit my application…”

In terms of language, poor English is one thing. Typos are completely another. If you can’t send an important cover email without spell checking it, perhaps you shouldn’t waste my, or your, time?

I beleive that I myself am the best suted and am the ‘Perfect’ match as to what you are looking for.

Sentences like this, no matter how much you believe in yourself, will make it very hard for a potential employer to believe in you.

2. Your experience should be relevant

Generally, people in job ads explain what they’re looking for. You should therefore explain why you suit the role.

If the job is for a J2EE architect, don’t tell me why your knowledge of CSS esoterica is important.

If the job is for a technical support person, don’t tell me why your financial knowledge will help with our accounting!

3. Read the bloody job ad

Yes - this sounds simple, but for some reason people see a job ad, get inspired, fire off their resume and then wonder why the hell it takes them months or years to get a job.

Did you think of actually reading the ad first?

When we have jobs in our Sydney office, we explicitly put “You must be available in Sydney for an interview.” - but despite this hundreds of hopeful people from around the world decide they should send in their resumes anyway. “I can telecommute!”, “Relocations are always in willingness to be undertaken from country X” (for the language tips, read point 1!) etc are not going to get you a job.

We used to always ask for resumes in PDF, HTML or text format and delete any that are Word documents. Now we do read the Word documents because there are so many of them, however we still give those people a small cross against their names for not reading the ad.

I’ve always wanted to ask for all resumes to be typed in pink, just to see how many people actually read the ad. My guess is we’d get one or two per hundred who actually cared enough about their application to send a pink PDF.

Save a few poor bits and don’t hit the send button if you haven’t read the ad thoroughly.

4. Do something, anything to stand out

There are a million people who will apply for any given job with potentially relevant experience. Your task in a job application is to stand out from the crowd enough that you will get an interview. (Interviewing tips may come in a future post!)

Every time we have a developer position, we can get a few hundred resumes. We’re not even going to interview 10% of that number. 50% or more will get cut based on the 3 rules above. Beyond that, you have roughly a 1 in 5 chance of standing out.

How do you stand out? There are plenty of ways to do it, my two favourites:

  • start a blog or write an online article - this shows you can communicate and you’re interested enough in your choice of vocation to write about it under your own steam
  • contribute to an Open Source project - hell, fix a bug in any project you use then include the project on your resume as something you’ve “contributed to” (if they don’t have a good bug tracker I can recommend one ;))

Other than that, you can stand out by clearly reading the ad and responding to its requests.

5. So you have experience, explain it!

If you have had previous jobs, explain why or how your previous experience was good and most importantly - what the hell you did there!

“XYZ Corporation - Developer - Jun 2001 - July 2004”

Thanks - very useful. What did you do? Did you make coffee for the architect and senior developers? Did you develop the documentation and help files? Did you design a brilliant three-tiered, event-driven system that blew the previous system’s performance away by 100 fold? Tell me!

Oh, and don’t bullshit me. It’s very easy to see.

“High School - 1997-2000.”

“FooBar Technical College - 2001-2003.”

“Massive Bank X - Senior Architect, Guru Developer and Indispensable Team Leader of 100 developers - 2004-Present.”

Doubtful at best, lies at worst. If the rest of your resume doesn’t reflect god-like status, you’re likely to be thrown into the trash.

Explain your experience, what you did and what you learnt, how you progressed in your career through positions 1, 2, 3, 4, but drop the bullshit.

6. Lose the insanity

“I truly had an experience of that of biting steel!”

I have no idea what this sentence really meant in the context, but it scared me about the person’s previous work experience.

If these tips seem like common sense to you, congratulations you probably have a great job and will continue to have a fulfilling career (if you don’t, tell us). From the perspective of someone who has hired a lot of developers in the last 3 years, sadly they are not.

This post was written by Mike, source: Applying for a Java job - HOWTO

Jailed for using a “nonstandard” browser?

Thursday, January 27th, 2005

Via DME: compare and contrast the following reports, which both apparently relate to the same event:



[news.bbc.co.uk]


Tsunami fund ‘hacking’ is probed


An attempt to hack into the website of the Disasters and Emergency
Committee (DEC) that was set up after the Asian tsunami, is being
investigated.


Officers from the Metropolitan Police’s Computer Crime Unit have
begun an inquiry after BT blocked the attempt on New Year’s Eve.


A 28-year-old man from east London was arrested and released on
bail in connection with alleged offences.


Police are examining computer equipment seized during a search.


The bailed man, who was arrested under the Computer Misuse Act at
an address in London’s Bishopsgate on Thursday, is due to return
to a police station in February.


A spokesman for the Met said the DEC website continued to be secure
and the systems in place meant the attempted breach was identified
and blocked very quickly.


The DEC, which estimates to raise £200m to help tsunami
victims, said it was alerted by BT staff.


Chief executive Brendan Gormley reassured the public that “every
penny” donated over the internet was safe and had reached the DEC.



…and…



[www.boingboing.net]


A Londoner made a tsunami-relief donation using lynx — a text-based
browser used by the blind, Unix-users and others — on Sun’s Solaris
operating system. The site-operator decided that this “unusual” event
in the system log indicated a hack-attempt, and the police broke down
the donor’s door and arrested him. From a mailing list:


For donating to a Tsunami appeal using Lynx on Solaris 10. BT [British
Telecom] who run the donation management system misread an access log
and saw hmm that’s a non standard browser not identifying its type and
it’s doing strange things. Trace that IP. Arrest that hacker.


Armed police, a van, a police cell and national news later the police
have gone in SWAT styley and arrested someone having their lunch.


Out on bail till next week and preparing to make a lot of very bad PR
for BT and the Police….


So just goes to show if you use anything other than Firefox or IE and
you rely on someone else to interrogate access logs or IDS logs you too
could be sitting in a paper suit in a cell :(




If this is true - if the Police truly are undertaking that sort of
behaviour at the merest behest of Sys-Admins who evidently lack any
manner of clue - then both the Admins and the Police deserve to be
held to public account, and further it makes me deeply concerned about
the latest ideas coming out of the Home Office.



“You typed the word “IRA” into Google. You’re under arrest for terrorist offences.”


“That’s my name, “Ira” - Ira Berkowicz…”
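The security-relevant point in the story above is that a User-Agent string on its own (“a non standard browser not identifying its type”) is not evidence of anything: Lynx, wget, screen readers and half the Unix world fail a “looks like IE or Firefox” test, and the people who do want to break in can send any User-Agent they like. What follows is an added example, not part of the original post and not code from BT’s or the DEC’s systems: a small Python triage script that parses constructed Apache-style combined log lines, scores each client IP on what it did (path traversal, SQL metacharacters in a query string, a run of error responses) and records an unusual User-Agent only as context that is never scored. The log format, the sample lines (using RFC 5737 documentation addresses), the signal patterns and the weights are all assumptions chosen for illustration, not a description of what the BT admins actually looked at.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/nginx "combined" log format. Assumption: the real BT/DEC logs are
# not on the page, so the format and every sample line below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# "Not IE or Firefox" is context, never evidence. Lynx, wget, curl and
# screen readers all fail this test and are all perfectly legitimate.
MAINSTREAM_UA = re.compile(r'MSIE|Firefox|Safari|Opera')

# Behavioural signals that do say something about intent (illustrative).
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')
SQL_META = re.compile(r"'\s*(or|and|union)\b", re.IGNORECASE)

# Constructed sample: one Lynx user completing a donation, and one client
# with a mainstream browser string behaving like a vulnerability scanner.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Dec/2004:13:02:11 +0000] "GET /donate HTTP/1.0" 200 4312 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7d"
203.0.113.7 - - [31/Dec/2004:13:02:40 +0000] "POST /donate/submit HTTP/1.0" 302 0 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7d"
203.0.113.7 - - [31/Dec/2004:13:02:41 +0000] "GET /donate/thanks HTTP/1.0" 200 2210 "-" "Lynx/2.8.5rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7d"
198.51.100.23 - - [31/Dec/2004:13:05:01 +0000] "GET /donate HTTP/1.1" 200 4312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [31/Dec/2004:13:05:02 +0000] "GET /../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [31/Dec/2004:13:05:02 +0000] "GET /donate/submit?amount=1'%20OR%20'1'='1 HTTP/1.1" 500 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [31/Dec/2004:13:05:03 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [31/Dec/2004:13:05:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.23 - - [31/Dec/2004:13:05:04 +0000] "GET /cgi-bin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def triage(log_text):
    """Score each client IP on what it did; record the User-Agent only as context."""
    per_ip = defaultdict(lambda: {
        "requests": 0, "errors": 0, "score": 0,
        "reasons": set(), "unusual_ua": False,
    })
    for rec in parse(log_text):
        entry = per_ip[rec["ip"]]
        entry["requests"] += 1
        if not MAINSTREAM_UA.search(rec["ua"]):
            entry["unusual_ua"] = True          # noted for the analyst, not scored
        decoded = unquote(rec["path"])          # scanners URL-encode to dodge naive greps
        if TRAVERSAL.search(decoded):
            entry["score"] += 3
            entry["reasons"].add("path traversal")
        if SQL_META.search(decoded):
            entry["score"] += 3
            entry["reasons"].add("sql metacharacters in query")
        if rec["status"][0] in "45":
            entry["errors"] += 1
    # A burst of 4xx/5xx from one client is the footprint of guessing, not donating.
    for entry in per_ip.values():
        if entry["requests"] >= 5 and entry["errors"] / entry["requests"] >= 0.5:
            entry["score"] += 2
            entry["reasons"].add("high error ratio")
    return dict(per_ip)


def worth_escalating(entry, threshold=3):
    """Only behaviour crosses the line; an odd User-Agent alone never does."""
    return entry["score"] >= threshold


if __name__ == "__main__":
    for ip, entry in sorted(triage(SAMPLE_LOG).items()):
        verdict = "ESCALATE" if worth_escalating(entry) else "ignore"
        print(f"{ip:15} score={entry['score']} unusual_ua={entry['unusual_ua']} "
              f"reasons={sorted(entry['reasons'])} -> {verdict}")
```

Run on the sample, the Lynx donor comes out with `unusual_ua=True` and a score of zero, and the scanner hiding behind an MSIE string is the one that gets escalated. Whatever signals and weights you actually use, the design point is the separation: attributes of the client (browser, OS, time of day) go into the analyst’s context, and only observed behaviour feeds the decision to pick up the phone.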


source: Jailed for using a “nonstandard” browser?

Talk on trusted computing

Tuesday, January 18th, 2005

On March 28, 2005, I will give a talk on the legal and policy implications of trusted computing at the Center for Internet and Society at Stanford Law School. More information can be found here.

source: Talk on trusted computing

DRM book

Monday, January 17th, 2005

For the German readers: my doctoral dissertation on DRM, which was published in 2002, has been out of print for some time. But now the publisher has agreed that I can publish the original PDF file on my homepage. So here it is (544 pages, 3.37 MB, written in German).

source: DRM book

wikizen - double the Mike at twice the price, still free!

Thursday, January 13th, 2005

Rather than pollute this blog with my rantings about wikis and annoy all the good Java folk out there, I’ve started a new blog to discuss that.

Thusly, I announce that wikizen is born as the spawn of rebelutionary (is anyone else seeing a concatenated word pattern here?).

If you like wikis, or are interested in new ways of team communication, check it out.

Enjoy.

(And no - this does not mean we’re starting a bastardised javablogs clone ;))

This post was written by Mike, source: wikizen - double the Mike at twice the price, still free!

Tiger humour?

Tuesday, January 11th, 2005

Sput has a great little JDK 1.5 movie if you didn’t see it. Very well done :)

This post was written by Mike, source: Tiger humour?

Googling unsecured webcams

Wednesday, January 5th, 2005

The phenomenon of “ye-gods-you-mean-you’re-actually-allowed-to-do-that?” strikes once more, when - following the leads of “Company-Confidential”, “Proprietary-Information”, “Internal-Use-Only”, “Top-Secret”, and “UK-Eyes-Only” - someone twigs that you can use Google to search for open-access webcams.


Note the way I phrase that - “open access” does not necessarily equate with “unsecured”, although that may be the case. As ever, security is primarily a matter of policy.


source: Googling unsecured webcams

X-Ray Security Scanners at Heathrow

Monday, January 3rd, 2005

Chris Gerhard cited this article in The Register:


[www.theregister.co.uk]



A Register reader passes us an eye-witness account of progress with
the see through clothes scanner currently being tested at Heathrow
Terminal 4. As one might expect from a country that deploys stuff
without considering health implications, the testing is splendidly
incoherent, and unlikely to produce anything in the way of valid data.


Queuing for the metal detector our informant spotted a machine with a
Secure 1000 nameplate, and this rang a bell: “I noticed women being
pulled out of line and being asked to go through it. Obviously you
couldn’t see them walk through it, but once through they were then
escorted straight to the front of the line for the metal detector.




Wife: what is it?

Staff: it’s a low-dose x-ray machine

Wife: what does it do?

Staff: it’s a security check

Wife: is it mandatory?

Staff: [not actually answering the question] if you don’t go through it, when you set off the metal detector you’d be subject to a pat down.

Wife: that’s fine, I don’t mind a pat down

Staff: but it’s only a low-dose x-ray machine

Wife: I’m a woman of child-bearing age, I’d rather not go through it

Staff: it’s no more dangerous than having an x-ray at the dentist

Wife: and I decline those

Staff: well, you use a cell phone don’t you?

Wife: yes, but they’re radio waves affecting my brain, not x-rays affecting my reproductive organs.”



I am due to go through LHR in a few weeks, and I shall decline to go through it if they try.


This could be interesting; an earlier article in El Reg makes the following point:


You’ll note that the picture in the second link shows Susan
Hallowell baring her all in the name of security, and displaying her
concealed hardware. But rewind - why is she packing? The only metal
detectors currently deployed at airports that aren’t going to find a
rod that size are surely ones that aren’t switched on. And if that’s a
jacket pocket she’s been carrying it in, then the airports we’re
familiar with these days would have that jacket going through the hand
baggage scanner. As indeed would they have the QinetiQ guy’s
handily-placed newspaper.


In short it is one of those things I detest most, a case of selling a
security point-solution to ignorant people who don’t know any better,
on the basis of a Unique Value Proposition that sounds good but does
little or nothing to address the actual problem.


It just makes them look like they are achieving something,
because, well, they’re doing something new, and consuming their
budget. Surely it must be of some additional benefit?


Like the representatives of the Anti-Money-Laundering industry whom I
have met, some of whom really, really want the UK Government to
introduce Citizen ID cards, and for all whose statements to the
contrary I still suspect want the cards chiefly so that they can shift
the burden of money-laundering blame back to the Government.

“What do you mean he’s laundering money for the Mafia? He
presented valid ID, and wasn’t on your denied-parties list!
It’s not our problem, Guvnor…”


source: X-Ray Security Scanners at Heathrow

“Advise for the young”

Monday, January 3rd, 2005

I just received this:



To Alec Muffett,


I’m a 19-year-old Australian male, and interested in taking up a career in
I.T. Security.


What I would like to know from you is whether you have any recommendation
as to where to begin to learn about I.T. security. I have read your
site and it’s one of the better sites I have been to in terms of
knowledge.


I have experience with wireless setups, Linux, Novell, Windows, and
more. I have been working with computers for the past four years. I
started at a computer shop and now work at a High School (Secondary
College), now into my second year fixing computer problems, managing
users with Novell, and I also helped with the deployment and management
of a wireless network.


I would like to know where a good place would be to start for a I.T
security career.


Your help would be much appreciated


Yours Sincerely,

Matthew Fava



So: Hi Matthew, it’s a fair question, and one that I get asked quite a
lot, so I will try to give the best answer that I can, based on my
personal experience.


Regarding security, I sort-of fell into it; the story of the writing of
Crack is documented elsewhere, and the backplot to my getting a job in
the field is essentially one of just being interested in the topic.


No joke.


The way to become a security expert real fast is:



  1. To have an honest interest in the subject.


  2. Read around the topic, lots; books, magazines, web-sites and
    forums. Read voraciously. Focus on specific aspects that may
    interest you.


  3. Experiment at home with security software and setting-up and
    penetrating your own defenses, learn how the tools work and what
    they’re doing; write your own tools, publish them as open-source, and
    refine them.


    and finally and most important…


  4. when friends and students and colleagues and cow-orkers ask a
    question about security, don’t say “i don’t know”, but instead say:


    that’s really interesting, i’ll go find out the answer and get
    back to you.


    …and then go do it; research the problem, dig into Google, find
    half a dozen solutions, try to understand the problem and
    technologies, weigh-up your own conclusion and solution, and
    importantly write it up in a short e-mail and send it to the
    questioner.


    This latter gives you an ASCII copy which you can keep forever and
    recycle next time someone asks you the same/a similar question. If
    you can’t decide/find an answer, don’t bullshit, but get back to the
    person telling them what you’ve tried, that you’ve failed, and that
    you’ll keep trying. Stay open-minded and stick to rational
    discussions without getting emotive. This goes doubly for responding
    to the mail-lists you’ll be reading.



In my glib moments I have been known to shorten this all to: “the way
to become a security expert is just to be one” - which without context
is less than helpful, but it is the essence. There is no secret
ceremony, no one-foot-in-a-bucket-of-porridge swear-on-a-dead-goat
masonic ritual to becoming a security geek; there’s nothing more than
the “being interested in security” aspect, combined with the “being a
helpful, expert type of person” aspect.


Regarding being an “Effective” IT geek, you have gotten one tip
(“write-up your answers and archive them for reuse”) above; to that I
would recommend watching Danny O’Brien’s Lifehacks video, which
provides marvellous hints on how to be as lazy as possible by keeping
things simple and keeping/reusing every script and tool you ever write.


Thirdly, there is the implicit question in your e-mail, along the
lines of “How do I get a job?”


That’s a harder one. I reckon that any IT job can be turned into a
security job, but system administration is a good starting place. The
usual suspects - IT Hardware, Software, Consulting; ISPs and Telcos
are generally the best breeding grounds.
I did five years sysadmin for two employers when starting out, but had
established my security bonafides in the first three years, and
arrived at Sun with a reputation fully-founded. Nowadays the market
is bigger, and you’ll have to try harder.


Putting yourself through a certification like CISSP might help to
fast-track your career, but I advise you to not treat the
certification manual as gospel. Make up your own mind.


If someone says “The maximum number of TCP connections per second you
should permit is 300”, ask “Why not 299? Or 301? Or 600?”; you’ll often
find that they are unthinkingly reciting dogma or even just pulling
figures out of their arse. It goes on. Be aware. The certification
examiner may want a specific figure to show you’ve memorised their
book, but real life doesn’t work like that.


Oh, and I recommend you read this book: [www.amazon.co.uk] - it’s
nothing to do with security, but a good exposition of how to treat life
in the manner of a security person.


source: “Advise for the young”