Monday, March 26, 2007

Physical Security at Microsoft

I signed and sent off my summer internship contract today, so I can now happily announce that I'll be working at DoCoMo's Euro Research Lab in Munich, Germany this summer.

Since that is now safely sorted out, I think it's OK to describe the interview process for another potential internship opportunity: Microsoft.

A little while back, I flew out to Seattle for 3 days. MS pulled out all the stops - a last minute $800 airplane ticket, a rental car, a decent hotel, and $75 per day in food. It's probably chump change for a consultant, but for a grad student, it was really nice to be able to take a taxi to the airport instead of slumming it on a bus.

I had three 1 hour+ interviews, with three different people in the team that I'd potentially be working with.

I have to say that 2 of the interviews were absolutely fantastic. Really enjoyable interview questions. Thought-provoking, and I can honestly say that they were probably the best interviews I've ever had.

Some of the questions included:

* You are standing in front of a vending machine. Tell me everything that you'd do to hack/reverse engineer it.

* What do you think of the DMCA? When is it ethical to violate it, and likewise, when is it ethical to use it to go after someone?

* Given a web based security application X, describe all the potential attack vectors, and describe how you would protect them.

* What do you think of Mike Lynn, and what he did with Cisco/ISS? Do you agree with his actions, or not?

This last question was particularly enjoyable. I strongly believe that he did the right thing - but the fun little trivia tidbit that I was able to throw out there, is that Mike and I were/are represented by the same fantastic lawyer: Jennifer Granick.

The most ironic part of the interview process was the last, and least fun, of the three.

I had to go through a less than enjoyable code review (find the bug in these 3 pages of C++). The person interviewing me spent quite some time telling me how a good chunk of his workload was due to the general laziness and poor coding skills of a large number of programmers at Microsoft. Essentially, he said, the programmers are too lazy to write their code properly and to do the little bit of extra work to actually check the values/inputs that their programs take in.

Bear in mind that after each of the previous interviews, the person conducting it would escort me back to the sealed interview area, where I would wait for the next person to appear and escort me past the locked doors to my next session.

However, after my last interview, Mr "programmers are lazy" took me to the main hallway near his office, pointed me to the reception down the stairs, and asked me to see myself out...

The very same engineer who had complained that his colleagues created most of the company's security woes due to laziness then let a complete stranger - no, worse: someone he had just quizzed on their ability to think deviously - walk around a restricted-access office building...

And so I took the opportunity to walk down a few hallways, smile at the random engineers that I passed and then helped myself to some of Microsoft's pretty rough coffee in one of their break rooms. I didn't linger more than 4-5 minutes...

Oh yes - Microsoft doesn't have open wireless access on their campus. WTF? Google provides it to the entire city of Mountain View, and MSFT can't even have it in their reception areas for guests?

1 comment:

Anonymous said...

Re: the lax security after the third interview: They probably followed you on camera the entire time after they let you go to see what you'd do. Question: are they looking for someone who is "honest" or someone who is interested in pushing the envelope looking for vulnerabilities?

Color me paranoid.