
so good morning everyone I guess some of you in the room might have to do a tech interview anytime in the next you know two months three months six months or maybe have done one and couldn't quite figure out why it didn't go right well we asked Adam Brand who is one of our sponsors here from Protiviti he's given this presentation before great response I really want to thank him for coming back and really getting into sort of an in-depth issue of why tech interviews are so important in the process and how even though you may be really great technically you may be blowing the interview and what you really need to look with that so let's
give it up for Adam Brand from Protiviti all right thank you very much appreciate it so uh as you can see here and with Protiviti I've done about this is a little dated this number's probably about 130 tech interviews in the past 18 months so do a lot of these types of things on a regular basis so go through the flow with each candidate record my findings and I actually keep a record of all the tech interviews that I do just you know what were the questions and what were the answers I mean I have a standard set of questions but how did somebody answer that and you know throughout the tech interviews I
typically ask people to kind of give give their rating where they see themselves in a particular area and then I put my own assessment of that after they answer the questions so in coming up with this talk I went back and reviewed a lot of that data and tried to condense you know what are some of the key lessons that I could pull out of that what are the the things that people are doing in tech interviews that you know in a lot of cases they could be a great candidate they just didn't come off well by the way that they handled the tech interview so hopefully you know you go through this you'll pick up some
tips many of these you already you know may be doing and that's great but hopefully there's some new stuff in there in terms of questions you know feel free to poke in with a question at any time we need to wait all the way to the end to do that and you know I'm happy to you know to take questions at the end as well if you want to hold them so why should you hack a Tech interview so it's called hacking Tech interviews and you know where hackers we like to know what the system is and I think it's you know kind of obligatory where if you're a hacker you should try to hack
all the things so why not hack a tech interview and by hacking what I mean is understanding how the system works and not necessarily trying to game it you don't want to try to get a job that you're completely unqualified for but at least understanding some of the fundamental rules will allow you to maximize your chances so that's what I'm talking about from from a hacking perspective so these are the main areas that we'll go through today one thing that's interesting about tech interviews is there's stuff that happens before the interview or or should happen before the interview and after the interview that actually makes a huge difference in what your overall success rate will be for
the interview so I divided the talk up into these you know three areas pre during and post so you get a sense of and what can you do to maximize your chances of success so pre interview so pre interview is resume time for the tech interviewer I always review the resumes of people that I'm interviewing before I interview them so I know to ask them right I'm not gonna ask somebody a bunch of Linux questions if they have no Linux background or knowledge so here's an example skills section how many people have a skills section on the resume most of you yeah so does anyone see anything off potentially about this skills listing anything strike you as
unusual odd questionable
yep
yeah duplication syntax issue so lack of attention to detail lack of detail and in many cases what jumped out at me from this one is if you look here like the platforms for example they're listing anything from Windows to K through VPN I'm not sure what they're referring to there which VPN right so listing all of those I have no idea as a tech interview what that means does that mean you're aware that's an operating system that exists in the world does that mean that you have like seen the source code for Windows as part of a private program and you know developed exploits what does that mean right and so this is a common
mistake that I see in these is people will just list out everything without any additional information about you know how do they what do they know about those things there's another example that's a little bit different anyone see anything wrong with this this resume ok HTTP not maybe not networking anything else think about this this listing as a whole sorry yeah anyone else anything overall strike you about this skills listing doesn't detail their experience like we talked about anything else well yeah ok so yeah there could be why did you separate routing and switching from networking right so what what strikes me on this one as an example is these skills are just all over the board
right what what do you know I mean they have things on here like Notepad++ I mean come on like right really that's a skill you can click an icon it's not really right I mean if you contributed to Notepad++ like in an open source fashion fine you should say that but don't list that I mean there's stuff like that they have you know from anywhere from Python to C++ right all this stuff in here Perl and bash pretty much every single operating system known to man listed right like what are the likelihoods that you actually know all these things super well probably pretty low right and so as a tech interviewer I'm
like I don't know what to do with this guy is he a networking guy systems guy database guy I'll look at the rest of the stuff but from a tech interview questions this is all over the board so kinda a conclusion there is the resume your resume is a roadmap for the tech interviewer so have it lead somewhere good for you right customize it to what's relevant so you know maybe you had you know in a previous life ten years ago done a lot of software development work and you touched a lot of different things if the job that you're applying to now has nothing to do with software development like it's a SOC analyst level two or
something don't list all that stuff you can maybe summarize it briefly but don't go through the whole laundry list always add context to the skills so don't just say Windows you know NT through Windows you know twenty twelve or whatever on the listing actually put some color around that right and I guess in terms of outdated stuff it's not super relevant that you know Windows 2000 for most places right unless you're like I don't know going into healthcare or something they have those things right you should you know stick with the more modern stuff yes yep so a question on listening let's say a history of a longevity of operating system versions is that something that's
not interesting to show a track record or is that confusing to a tech interviewer I would say keep it to what's relevant in their head right meaning they have a mental model for what they're looking for and certainly they can see a resume in other areas to see that you know in 2001 you were a systems administrator and you used Windows 2000 and Active Directory and things like that but from a technical skills perspective I'm looking for what does this person know today that I care about and Windows 2000 probably not on that list of operating system so you know I would certainly customize it know your audience what they're looking for and also don't put down what you don't
know I think this is a pretty important one that we'll get into the interviews but you know I've had people I had a candidate a few months ago put down like oh yeah on the resume a list of skills you know Kali Linux you know expert or something like that and I asked in the interview okay well how do you get a listing of files at a shell prompt in Kali anyone know how to do that ls right didn't know I'm like are you kidding me like what's going on here just like don't put down stuff that you don't know just because you like used Kali once in a SANS class doesn't mean that you know it and can answer questions
and certainly you know that that did not fare well for that guy so here's an example of a better skills listing so does anyone see anything different about this that what might make this a better skills listing as a interview roadmap yeah well what does expert mean is another question but just in terms of better than what we saw before
right experts yeah you can see the progression here of things that they feel like they have greater expertise in all the way through things like okay I played with it a little bit I generally get it right so I'm gonna put it on so they have certainly better here's another one that's even cleaner than that and these are resume excerpts like real excerpts so you can see here they said something like clear understanding of intrusion prevention in all attacks associated it maybe not all attacks that's a little much but in general I get what they're saying here this is a lot better than just saying IPS right what does that mean does that mean you
implemented a next-gen firewall they had an IPS function or you actually set something up from scratch so certainly you know a lot better here years of configuring and experiencing and figuring and maintaining endpoint protection products a lot of context which is great so here's another one so in this case it was broken up by technology domain which I thought was kind of nice easy to read so here they talked about you know their experience with Microsoft technologies how did they how were they involved with Windows XP through Windows 8 one in this case they were involved because they had desktop support experience right so that's easy for me to understand and then frequent experiences with exchange 20-17 right so
I know that they weren't the Exchange admin maybe they had at some point to you know touch it maybe for adding users or something like that but it gives me a good better roadmap and then similarly at the bottom here you know familiar with web input sanitization techniques right it's a lot better than listing like OWASP Top 10 as a skill so another thing is that you should keep in mind for these tech interviews and a lot of people don't do this but they don't really study for a Tech interview and I know that sounds kind of weird because you're supposed to be yourself in the interview but I do feel it if you're
going into a Tech interview there's a lot of areas a tech that you know pretty well but you haven't touched in a little while and so that area of your brain isn't active right those synapses aren't aren't firing and connected as much so if you can go back and look at okay if you put on your resume you're great at windows you know Active Directory just go back and review the fundamentals ahead of time start preparing your brain for those types of questions and also learn about what's new and changed so you know for folks that maybe did have a lot of experience with NT 2000 2003 but that was a while ago and they haven't really gotten back and
don't know what's new and eight and twelve kind of brush-up you like yeah I think that's perfectly valid you know you didn't put on your resume that you had experience there but if they start asking questions about Windows you can say you know hey most of my experience stopped it oh three but I know that twelve has you know much better you know privilege separation or whatever it is right so be familiar with some of the improvements in these technologies the other part is knowing your interviewer so is anyone stalked or late their interviewer and Linkedin at all okay a good portion of you for those that haven't I highly recommend it uh-huh I mean essentially you can look at you
look up your interviewer and figure out what's their background right if they're a huge software dev background chances are they're gonna focus on the software dev areas on your resume and ask you questions about that probably because they don't feel as comfortable asking questions in other areas so if you can get that context it can help you prepare a little bit better so during the interview so one of the things that I think is important is you know a lot of these interviews they're gonna start off it's not going to start off cold just with questions like you know hi John you know what's the GPO right it's not typically doesn't start like that there's gonna be some warm-up so as part
of that warm-up take the opportunity to set some level set weight with the interviewer so before we get into questions they'll probably say oh you know how are you doing today etc etc you know great I'm looking forward to talking with you you know just so you know you know these are the areas of my resume I know this is a Tech interview I'm generally the strongest in these areas because I had hands-on experience with them you know I know something about these areas you know because I was exposed to them for a short period of time so if you help set the stage then you're positioning the questions already to give yourself the best chance of
success right because if you're going in cold maybe they haven't reviewed your resume in detail they didn't have time and they just start you know throwing a bunch of networking questions at you and you didn't have a huge networking background if you can set that stage initially you know you're you're much better because then they're gonna feel you know obligated to ask you more questions in areas you say you know and fewer and the ones that you say you don't so the other is proactively mentioning areas that you're working on I think it's good so if there's an area that you know based on the job description that they wanted experience with but you don't have it I
think that's perfectly valid you can just say hey you know I know you know I noticed that you'd put on the job listing that you were looking for X I'm not super deep in that but you know it's something that I'm interested in I hope to learn more in this position I've just done some independent study on it and I think it's a really interesting area you know whatever it is just be upfront about those areas that you want to improve on and then also be sure either at the start or at some point in the interview to mention those extra activities that you've been doing like coming to BSides or if you have a home
lab like a VM lab or cloud lab set up and you play with different operating systems and you know try different things mention that in the interview like make sure that you get that in before the end that carries a lot of weight with a lot of people that are in the community because it shows that you're an independent learner you care about advancing your career you're not going to be the kind of person that's gonna be you know clinging to everything that they've learned and not trying to learn new things so also during interviews here's some bad answers to interview questions so I'd Google it this is you know you guys laughed this is unfortunately a
very common answer so for anyone that's cyber stalking me don't say I'd google it I know you can google it anyone can google anything I think that's pretty self-evident so when you get to a question that you don't know I'll talk about some better ways to answer this certainly don't point out that you'd be able to look something up because I think that's you know that's evident here's another of yep so for I run across a lot of questions like this that are simplistic and referential tend to be okay so how do you handle that let's say it in an interview situation where might my blanket answer would be like I'll just go look that up so what do you mean by
simplistic so they're gonna ask you reference questions right when you can easily just go look that up when it's right right versus having that memorized yeah so it's like a professor in college saying you need to memorize every formula instead of teaching you theories and saying just go look up the formula it's a it's a reference item ya need to understand the theories behind it yeah absolutely yeah I'll get into some ways to answer these better in a minute but you certainly expect to have those kinds of questions as a technical interviewer there's a good reason why we ask those questions I asked some of those questions as well and that is if you say
that you are you know close to an expert level in an area or very familiar with it some of those basics I expect you to know right off the top of your head right like if you're a Linux system administrator that set up iptables you should know how to flush iptables or list the rules by if you have to go and look that up how you do your job every day right you're agreeing constantly in Google so there's a certain set as part of these that I'm like okay if you do this stuff every day you shouldn't need to look this up it should just be like this now if you say that you have some
free you know infrequent exposure to that then I'll be fine if you say you don't know the answer or or answer to another way so this is the second one I am googling it as the answer that to be fair many candidates don't actually say I'm googling it but I can hear their keyboards right you can tell if it's like oh you know like I don't know what's the what are the FSMO roles on Active Directory and you hear click click click click click click click click click and you know long pauses and then it's like okay RID master schema master I'm like hmm okay yeah yeah I know what you just did there and I
haven't actually called anyone out and it's kind of an embarrassing thing but we noticed right even if you're on your phone and you don't have a clickety clack keyboard I can usually tell if you're googling it because you'll be answering a lot of other questions and kind of I try to keep the pace right and then they'll just be a pause you know like I'm pretty sure what you're not doing now is like racking your brain I'm pretty sure you're typing on your phone so yeah is that ever wise to indicate to the interviewer that these are very poor questions if they're just trivia stuff like it should be they should be asking you about concepts really I find like
that I feel like trivia is not a very good test of someone's like expertise so it's not pop quiz right like this that's the thing well I mean it depends right yeah I mean certainly there's an the importance of concepts and there will be question you would think there'd be questions on concepts if you feel the entire interview is trivia you know it's up to you how you'd want to handle that situation personally I don't think it's a good approach to call them out on that because that's creating a confrontational situation that you're not gonna win so I mean if you don't want to work for that company I would say call them out on that if you hunt it
if you want to work for them then I would you know I would talk more about what you do know in those areas it just seems that they've made no effort if that's the case like I've been in interviews before where they have this certain like development interviews yeah and they'll just flick to there's like this book that they use for all these like top end interviews and they'll just flick to the hard section they'll say give me n log n implementation of this sorting algorithm yeah and you just like tip away is memorizing that so important be more important to compare and contrast the different ones yeah now I I think you're absolutely right I mean
people that are relying solely on those types of questions probably you know aren't in the they're potentially not even in the role that understands the answers and they may just be looking up the answers themselves you know and they don't have the knowledge maybe to end even ask those conceptual questions so how to handle it as I said I probably wouldn't call them out on it I would try and put your best foot forward and explain what you do know about those related concepts another thing that sucks like to answer that kind of from a point of view of somebody that interviews all the time and it's part of my job we have to sometimes we have to
well not sometimes depending on what company you work for you have to ask the same questions to everybody so it's almost like I know this sucks but let's get through it yeah absolutely so the other one anyone know who this is very confident Vanilla Ice yeah so the other way not to answer interview questions is completely guessing but guessing really confidently right it's like you know I know that we have experience with social engineering and stuff like this but yeah don't try this at home on an interviewer Tech interviewer and they're gonna be able to tell right if they know their stuff so but this happens all the time where I'll go with you know be interviewing a
candidate and they're confidently giving me completely wrong obtuse answers to everything just boom after boom and you're like what are you even doing right now and it's I was interviewing a guy for a variety position but he'd been a PCI QSA right so there's a certain body of knowledge you need to know and I was asking him relevant questions you know like what port does telnet use right because that's a big insecure protocol call them you know just like constantly oh that's port 10 no sort of thing like you know how do you you know like how do you get what's a GPO and he's like oh I don't yeah it's just a way to group
users together I'm like no pretty sure that's not it yeah look weirdest thing is yeah you guys are making me run there and out-of-shape what port is ping no I'm just kidding tell me more about this I see him doing weighted to palm the game haha so trick questions uh I mean I don't know if it's on the side maybe but maybe it is but like I can't stand trick questions and I mean I get it but I feel like it's sort of like they the whole like lure and a type thing and you know I I think that's those question I've gotten those from like big big companies I think it's a trick well yeah and I'm not talking about that
but I actually have gotten that specific question but I mean that's that's easy yeah when they do that same methodology on a harder question you're just kind of like hon they're like well there really is no right answer because it's I made it although you know whatever yeah ouch I have a question about the googling thing and I totally got this like few questions for this one I know the technology so something like you're asking me how do you log into Facebook now I have never seen Facebook but I used Twitter so I'll say okay I have not used Facebook but I have used Twitter and I'm assuming both the technologies will be same so it might be using
username and password I'm guessing it but I'm telling you yeah no I mean I think that's valid right if you're not just spitting out the answer saying you know it if you're providing you know an alternative question I think that's that's valid you know I'll take it it shows some critical thinking you know obviously that was a simplistic example but in other cases yeah certainly I'm up for that yeah and one wouldn't we'll get about the googling again yeah so sometimes when they ask complex complex questions it requires some thinking I'm not googling but I'm recollecting my thoughts and putting it in in an order Vance you're jumping right at the sign-in button I'm jumping okay username
password and then sign in yeah require some thinking yeah that's valid I mean I should I think it depends on the complexity of the question right I'm asking you you know like you know example port question and you think for a really long time about what port SSH is on and you're like a Linux administrator like yeah so yeah certainly there are cases I would expect if I'm asking somebody more of a complex conceptual question that there would be some pauses and those are the questions you can't really Google an answer to anyway so perfectly fine with you know people taking time to answer those so I'm gonna move on we'll take some more questions at the end I know we're
running a little short on time so so some of the things you know I don't just google it don't make something up so to your point explain what you know about the topic and or your best guess so if you don't know what port ping runs on if you don't know a particular answer I think it's best for you to say this is what I know about that area right like you know if I ask you what logging facility I don't know authentication happens on on a Red Hat box you could say well you know I'm not super in the weeds on that part of it however I understand that there's this idea of logging facilities and different
levels and you know they could go to different locations based on what you can you know specify and syslog conf file and stuff like that so if you explain what you do know about that even if you don't have the answer a ton much ton better than saying you know you don't know or trying to Google it or something like that so the other part in the interview is try to make a connection with you know with this I know a lot of these can be rapid-fire interviews try to make time before or after the interview to establish some type of rapport I know this is kind of like a tech interview but tech
interviewers are people too you know like we have a soul so you can you can mention something from their LinkedIn profile like hey I saw you know on your profile you spoke at DEF CON you know that's really cool I'd like to do that someday you know tell me more about that or I saw that you used to do you know network engineering I used to do that too you know what type of stuff were you routing and switching firewalls so try to strike up some find some commonalities or ask some questions or you know not a personal nature but more personal than just you would otherwise have in a conversation and the key here is also
ask questions at the end this is kind of like interviewing 101 but have questions and ask them so after the interview one of the things I find interesting is I said I've done you know maybe 130 tech interviews at this point I have probably received three follow-up emails thank you emails after the interviews how many of you send thank-you emails oh wow a lot of you okay that's that's pretty awesome maybe it's just me maybe people I got that guy's an so yeah I think this is a key part and a lot of people forget about this you know just went through this intense interview you're not sure where you where you ended up extremely important you know
this is a way that you can help recover from potentially missed answers right so I'll show an example here so here's an example simple thank you this takes two seconds to write thank you for taking the time thanks for your consideration it's an exciting opportunity for me right very easy and what this tells me is that this person is actually maybe interested in this position which is important right I know security is kind of a hot area and a lot of people are vying for a small pool of qualified candidates but nobody likes to feel on the interviewers side that you know they're just one of many choices and they should be lucky to have you
the people that you want to select you want to select someone that's actually interested in working for your company and this is a way of showing that was like hey this is cool I'm excited to work with you guys very simple easy to do here's a more in-depth one I thought this was really cool and this kind of upped the the grade for this guy after the tech interview and he did okay anyway but essentially after the tech interview where he had missed some questions he sent me an email but thank you email but he's like you know I was really curious about some of the things that you asked me about and I went and
looked them up and this is what I found right that was pretty awesome I'm like this guy's pretty curious you know he went through the tech interview and he remembered oh man I didn't know that I felt like I should have known that and he had the curiosity the intellectual curiosity to go out and find the answer and take the time to explain it which I thought was really nice so certainly take the time to do these emails even a simple one will make a big difference so I think we do have any more time for questions or a then we do have time for one or two questions yep I'm gonna do ladies first and then you okay this is a
resume link what do you think coz is two pages too long cuz all I ever hear is one page one page one page but then when you start listing out all your experience and like more specifically not just kind of listing now the operating systems and stuff how can you like keep all that is it horrible with it's more than one page I mean this is kind of a hot-button topic I know it's kind of a lot of people have different opinions so you may get you know many other opinions in this room my opinion is that this is based on your experience right if you have less than five years experience I'd probably expect a one-page interview as it goes
more than that one page resume or one page resume sorry as it goes longer than that I'd expect to see you know more information two pages is probably fine I think two pages is typically the max that I like seeing if somebody has a really long career in something and they've done a lot of cool stuff and it goes over to three pages I'm probably fine with that but if the reason it's three pages and this is more of like a US versus international like CV thing but for the u.s. at least if it's three pages because they have like their entire university curriculum on it like that's not important to me as a tech interviewer please leave that stuff
off you know I'm not gonna read 20 different bullets yeah I'm sorry am i available to review resumes oh okay I could probably do one or two I wasn't planning on it but I think I'm free so I can hop over yeah okay hi as a security professional I'm really conflicted about this and I'd like to hear your opinion and everyone's gonna have theirs their own but LinkedIn okay I mean I just abhorred the idea of them harvesting my data you know and knowing who I know and who I work with you know if they paid me something I'd be glad to get on it but I just I'm not on it and I noticed that everyone that's
looking for a job is on it and you just mentioned you know I was just curious if I'm not on LinkedIn is that a plus or is that a minus for a job search I'd say it's a minus you know I'll also go look up candidates on LinkedIn it's kind of interesting to see if we know people in common right and I sometimes look at those little reviews and stuff just to get a better sense of that person so maybe the rest of the year you disable your profile or remove the information but if you're interviewing I would be you know I'd and having went up there I think it adds a certain level of you know credibility
to show the number of connections that you might have that are mutual and just all the other information on there and remember that you can go into the privacy settings and shut down your network so it's only you one last question yeah so on the tech questions do you ever let the candidates know they've got something wrong and see how they recover and if you ever cut an interview short so do I let the candidates know I'd say usually not because there's a lot of questions to go on in a shorter period of time if they ask me specifically I will tell them whether or not they got something right but typically I did the
there's lots to do in the interview so I'll just go through them and carry on will I cut it short yes so if we're going through Windows questions I'll typically ask questions until they start to get some wrong depending on what their knowledge level is like if they said they were just basically knows I'm not going to ask them super advanced questions but I typically progress and then go to the next thing and if somebody is really not knowledgeable at all in or or answering things really incorrectly and competently I will shut down the interview and you know early I'm not going to go through the rest of this we're gonna save both ourselves time so let's thank Adam for his time
and expertise this morning [Applause]