Caution, CEH's

Well it looks like I'm out of luck with Microsoft.

Two weeks ago I got a call setting up phone interviews for a PM job in hardware security. (Surface, XBox, etc) I passed those two, so they set me up for three days of interviews this week. I got through two days thinking I was fine, until I got the dreaded cancellation. No third day, no job.

To illustrate my mastery of embedded systems I'd brought in to show them my Dish Network box that I use for my home theater. I've installed a video tap that sucks out the pure compressed video stream for recording on my computer. I still need to pay for a Dish account, and I am not bypassing decryption, I am simply bypassing the need to decompress/recompress the video and am recording the stream as compressed on Dish's $50k compressors.

But this was misunderstood by this "XBox security team" as 'hacking'. It is disappointing that they did not understand the meaning of this, and instead worried about me. All the PMs interviewing me had been with Microsoft for more than 15 years, and I guess they are stuck in a certain way of thinking.

Another thing I did wrong was correctly answering the question asked by the 'key master' (in charge of keys), of my experience in penetration testing. He asked how I would go about it, so I explained in depth. Turns out this made him fearful... not impressed. WTF? Aren't they supposed to be hiring me for my security skills?

I really needed this job. I really tried my best. Now they seem to view me as an 'evil hacker'. Well no, I am in fact a Certified ETHICAL Hacker. I am exactly what they need, but they can not see it. I guess I'll take today to grieve and then try and get back to job-hunting.

Find more posts tagged with

Comments

slinuxuzer

That sucks man, unfortunatley so much of interviews are based on perception, and with only a few hours at the most, they usually end of being based off of assumptions that get made on the fly, and I've been on interviews where I know I threatened the interviewer, its sad, but alot of people don't want to hire someone that challenges them, if your a threat your out, in alot of cases. Good luck looking for a job.

Quantumstate

When you say 'threatened the interviewer', I know you mean 'were a threat to the interviewer'. Yeah, I anticipated that and tried very hard to understand that these people are the 'organs of the company' examining me. This way I didn't see it as a personal thing.

Fortunately MS has recruiters, who basically watch the process objectively, and I've been explaining myself to my recruiter and the fears interviewers may have had. I know I may have too new ideas for the established paridigm and so may not fit in. For example I've studied the XBox line extensively and learned how it was compromised, the constituancies, etc, and proposed to one interviewer how to make it unhackable and boot instantly. (Lattice XP2) And I proposed to the keymaster how to prevent the 'overbuilding' problem and how to transmit keys overseas securely. (reverse SSH tunnels, 'dark fiber') And I believe these respective interviewers will be using my ideas.

But I only ask that my character is not impugned as a Black Hat Hacker. So maybe I'll have a shot at other jobs at MS.

This is what I appealed to the recruiter, since I am not well understood by the others.

lsud00d

Too 1337 for your own good, Quantumstate

kj0

Just start hacking Microsoft and fix their holes, and wait for them to call you.

Seriously though, Bad luck, maybe try for google or a rival company. For your set of skills, there must be a huge shortage. Keep looking, It is obvious the job wasn't for you, and the right one will come along and you will never want to leave.

Good Luck for the rest of your Job hunting.

ptilsen

That really seems like a flaw for that department. You're exactly the type of person they should be looking to hire. If they're not interested in the type of people who have the mindset of "how could I break into this?" they're going to make products that can get broken into.

Quantumstate

Thanks ppls. Ya I'll now be looking to G**gle and Facebook. These three are in a knifefight for talent, from what I understand.

ptilsen they have done a good job with security in recent years, and in fact the XBox360 software was never compromised. Hackers had to resort to hardware methods (timing attacks, glitching) to **** the secret ROM. But I now understand that the way things are set up, at least in this department, is that each employee is rated in comparison to the others. In other words somebody's going to end up rated best, and somebody worst, if you know what I mean. This can have a certain effect on interpersonal relations, and I think impacted my evaluation. MS has an independent survey system set up for after these interview cycles complete, I think to catch just such dynamics. No idea how I'll handle this. Probably just give them all good. I don't want to make waves.

slinuxuzer

Quantumstate wrote: »

Thanks ppls. Ya I'll now be looking to G**gle and Facebook. These three are in a knifefight for talent, from what I understand.

ptilsen they have done a good job with security in recent years, and in fact the XBox360 software was never compromised. Hackers had to resort to hardware methods (timing attacks, glitching) to **** the secret ROM. But I now understand that the way things are set up, at least in this department, is that each employee is rated in comparison to the others. In other words somebody's going to end up rated best, and somebody worst, if you know what I mean. This can have a certain effect on interpersonal relations, and I think impacted my evaluation. MS has an independent survey system set up for after these interview cycles complete, I think to catch just such dynamics. No idea how I'll handle this. Probably just give them all good. I don't want to make waves.

Yea, since they didn't select you, might as well move on and forget their bs politics, I sympathize, I've never had interviews for this level of job, but I am finally ready to move beyond a "operations role" and want to move into architecture, I had the best opportunity ever come up and made it all the way down to the offer stage only to be talked down to by the recruiter, he basically pissed all over me because I don't have a degree and wouldn't budge an inch on salary, I turned down 10k$ raise and a chance to work with two or three key technologies (Cisco UCS, EMC storage vs. I only touch netapp now) and an architecture role, because I wouldn't be talked down to.

Hang in there man, you sound way too sharp not to get the kind of job you want.

ChooseLife

I am with others on this one, you have done well, and it's the company's loss, not yours. That just sounds so ridiculous - I would not want to work in a team that has internal rivalry and people feel threatened by their coworkers' mastery of skills... You will find a company that will be able to appreciate your expertise.

ChooseLife

With all the nice things said, I just have to pick on you for this one...

Quantumstate wrote: »

...they seem to view me as an 'evil hacker'. Well no, I am in fact a Certified ETHICAL Hacker.

Didn't know there was a certification process for one's morality

Quantumstate

ChooseLife wrote: »

Didn't know there was a certification process for one's morality

Sure, but part of the reason I applied for the designation is I AM ethical. Someone can't perceive that in a short time, as trust takes time. I might as well advertise myself as such tho...

Quantumstate

Well I got word back from the MS recruiter.

He was told 'I need a deeper understanding of security principles', LOL, and that maybe I should get a CISSP. I thought I'd responded thoroughly, and in fact they all seemed impressed (and there were no corrections or followup questions), but I guess one just wanted to see a CISSP. CEH tests the actual tools and principles that Black Hats use, but I understand it's not widely recognized. I prefer to focus on where the actual damage may come. Glad I didn't bother with the much more challenging OCSP as no one but Black Hats knows what that is. Worthless.

Well I know I gave them a number of new ideas anyway. Maybe that was the actual problem, as they are rated against one another. I may screw up the curve. I may go for my CISO cert. CISSP is not quite rigorous enough to make it worth it to me, so I bypassed it.

Quantumstate

Ya know? I've been looking for a job almost full-time for eight months now, and have had only three interviews. Applying for no less than 100 jobs a week. Astounding.

What could account for my terrible results, even as I have outstanding qualifications, education, and experience? Well today I realized that even when I was interviewing for a job in Microsoft Security, the fact that I am a "Certified Ethical Hacker" bothered them. And when the Key Manager asked me how I would penetrate a system, I explained it to him, and he turned sort of gray. These things strike fear into people. Maybe the fact that I am a Certified Ethical Hacker has been my problem all along.

But I'll be damned if I'm going to throw away that $600 I spent on the cert. So as of today I am instead a "Certified Network Defense Architect", which is the same designation.

We'll see what difference this makes.

Zartanasaurus

Quantumstate wrote: »

Ya know? I've been looking for a job almost full-time for eight months now, and have had only three interviews. Applying for no less than 100 jobs a week. Astounding.

What could account for my terrible results, even as I have outstanding qualifications, education, and experience? Well today I realized that even when I was interviewing for a job in Microsoft Security, the fact that I am a "Certified Ethical Hacker" bothered them. And when the Key Manager asked me how I would penetrate a system, I explained it to him, and he turned sort of gray. These things strike fear into people. Maybe the fact that I am a Certified Ethical Hacker has been my problem all along.

But I'll be damned if I'm going to throw away that $600 I spent on the cert. So as of today I am instead a "Certified Network Defense Architect", which is the same designation.

We'll see what difference this makes.

If you aren't getting interviews, it has to be something on the resume they don't like or aren't seeing that they expect. Or you are applying for things you aren't qualified for on paper.

You've applied for 3,300 jobs?

Quantumstate

More like 3,600.

Yeah I know it's easy and fun to Blame The Victim. But I've revised my resume numerous times in response to recommendations by VA Voc Rehab, my university Careers office, and several HR recruiters. I can't put my resume up here, but trust me it is impressive. I have an MBA from an Ivy, 15 years as a project manager with three F100 companies, I'm a PMP, a CSM, I serve on a County development board, I was a CIO for 6 years, and so on.

I could not fathom what the problem was, but now I believe I've realized evidence that the CEH has been the problem.

ptilsen

A poorly designed resume can overrule even really great credentials. If you haven't, it might be worth posting it for scrutiny. In general, if you have good credentials and aren't getting hits, it's your resume quality. If you were getting lots of interviews but no offers, that's a different problem.

I also disagree with your assertion that CEH has a better reputation than OSCP with any crowd but the misinformed. Even doing some cursory job searches on Indeed, CEH has more hits, but neither has a lot of hits. So either way, I look at either cert as targeted towards people well-versed in certifications. On that note, I think about posts on this site. CEH has a very negative rep here, while OSCP has a very positive one. From a quality standpoint, CEH tests on knowledge of tools. OSCP tests on the ability to actually break into something. From my perspective, OSCP is a better cert that shows a higher skill level. I will admit that CEH is possibly more widely known and definitely more widely asked for (again, not by that much), but the people who are actually knowledgeable about either are going to be more impressed by OSCP.

That being said, in the context of resume hits, CISSP is probably what you're missing. CISSP has very little to do with actual deep technical security, but it is still widely asked for. I'm surprised you don't get more hits with PMP alone, but CISSP but can go a long ways. Just for a comparison, when I search Indeed for jobs in MN, CA, and WA (just to pick some not-so-random states), I get more hits in each state from the search "CISSP penetration" without quotes than I do from CEH, OSCP, or the full names of those certs. My honest analysis based on even that small amount of information is that CISSP is more valuable for a penetration testing job than the two most common penetration-testing-specific certifications. That alone should say a lot about CISSP and any security-related job.

JDMurray

Quantumstate wrote: »

the fact that I am a "Certified Ethical Hacker" bothered them. And when the Key Manager asked me how I would penetrate a system, I explained it to him, and he turned sort of gray. These things strike fear into people. Maybe the fact that I am a Certified Ethical Hacker has been my problem all along.

When you see the interviewer(s) having this reaction, immediately restate that you are "more like a systems and software quality assurance engineer," and that you find issues that the product development team should be made aware of. Explicitly indicate that you understand that the "issues" you find should be considered confidential to the team, and management is in control of what is done--if anything--with these reported issues. That will postilion you in the more conventional world of SQA and give the hiring manager confidence that you are a team player and won't be talking about their product's hidden and embarrassing problems to everyone.

ptilsen

Quantumstate wrote: »

But I've revised my resume numerous times in response to recommendations by VA Voc Rehab, my university Careers office, and several HR recruiters.

But not based on technical professionals who hire other technical professionals, like people on TechExams. Maybe you're resume is great, but if you anonymize it and post it, I don't think it would hurt you. We may well come back and say "wow, I can't believe you're not getting interviews."

Quantumstate wrote: »

I have an MBA from an Ivy, 15 years as a project manager with three F100 companies, I'm a PMP, a CSM, I serve on a County development board, I was a CIO for 6 years, and so on.

It sounds to me like you're probably overqualified for many of the positions for which you're applying. Unless they're all management positions (not to say non-technical positions, but positions in which you're in charge of various resources), I could see an issue. I'm not sure what you're applying for, but it wouldn't make sense IMO for your to apply to any position that doesn't involve managing technical projects or departments, or at least teams.

Quantumstate wrote: »

I could not fathom what the problem was, but now I believe I've realized evidence that the CEH has been the problem.

I think it is. CEH is way, way out of line with everything else on your resume. It's an uncommonly-possessed-and-requested, entry level, 100% technical certification. I wouldn't expect a CIO to have it. Not even a CIO of a security consulting company. Nor a PMP, MBA, or CSM.

Quantumstate

So far only JDMurray has any idea what the Hell I'm talking about. Understand that the job I was interviewing for at Microsoft was a higher-level one in a certain Security function. As such the process is three days of interviews with a series of developers, program managers, the Director of Security, and so on. If any one of them says No, that is the end, all future interviews are cancelled.

I had made it to the end of the second day (including approval by the Dir of Security) when this happened. I was exhausted and couldn't be sure of what I'd seen until having reflected on it. When I got home to the dreaded cancellation email, I immediately wrote the recruiter to assure him that I could not use these techniques against my employer who employs me and pays me money, or else I would soon no longer be employed. I wrote it with more finesse, but that was the gist. Further, I told him I am a Mason and am vowed to integrity, I have a long history of honorable service, and many other things. He let me know he was still gathering info from the team. The next week he let me know that I hadn't done anything wrong, and that this would not affect other jobs I may apply for at Microsoft.

Well I now know what really happened; it was definitely the Key Manager who knocked me out, and he is paid to be very conservative, naturally. He had actually asked me about pen testing as it was on my resume, which ironically is the reason I was invited to interview in the first place.

Y'all can go ahead and try to get a job with CEH on your resume, but it's not going to happen in Seattle I can tell you.

This was only the third interview I've had after thousands of applications. Don't worry about my resume, it is polished to top-notch now. I am pretty sure now of what was wrong, and somebody with actual experience trying to get a job with CEH on their resume knows what I'm talking about, I'll bet. It scares the sh1t out of interviewers, who are paid to be conservative.

Quantumstate

ptilsen you don't know. I've been applying almost exclusively for Senior Program/Project Manager jobs, some in security functions. I am an older guy, so need some way to show that a) I am highly technical, and b) up to date. Certs are the way to go.

I can not believe that this many jobs have been filled in the Seattle area by people better qualified than me. They haven't. I've just been passed over.

ptilsen

Quantumstate wrote: »

I can not believe that this many jobs have been filled in the Seattle area by people better qualified than me.

Me neither. See how the lack of CEH helps. I still think CISSP is the only missing piece, but I acknowledge that you're extremely well qualified despite that and that it shouldn't be a deal-breaker.

N2IT

QS

Atleast we figured out what the root cause was (in theory)

I really do see the C|EH nothing more than risk. Remove it and you'll be in far greater shape, your IVY league MBA alone trumps any certification on this forum.

There is a major lessons learned here. Quality over quantity and less is more.

QS the IVY MBA and PMP/CSM alone is enough to land a great job. Drop the C|EH like a bad smack habit.

Quantumstate

I think so. I hope to God this has been my problem. I'm a CNDA now...

the_Grinch

I wouldn't put CNDA on your resume as that is a designation for those that passed the CEH and work in a government capacity. In order to obtain the CNDA you'd be required to have the following:

1. Completed the CEH
2. Work for a government agency

Meeting those two requirements you'd then need to do the following:

1. Fill out the application
2. Attach your CEH
3. Attach proof of government employment (ID, paystub, etc)
4. Pay the $100 fee

While I feel your pain on not getting the position misrepresenting yourself will not garner you anything. Before I finished my degree I got a part time job as an IT Tech at a school district. The admin looked at my resume and the first words out of his mouth was "try to break into any of my equipment and I will have you arrested." It comes with the territory and you won't be the first nor last to experience it. Also, don't neglect to think that perhaps jobs are finding you overqualified for the positions you are applying for.

lsud00d

the_Grinch wrote: »

Before I finished my degree I got a part time job as an IT Tech at a school district. The admin looked at my resume and the first words out of his mouth was "try to break into any of my equipment and I will have you arrested." It comes with the territory and you won't be the first nor last to experience it.

Dang...was he joking? Kinda cold-blooded to say out the gates.

the_Grinch

Nope, he was 100% serious. He never said another thing about it and we got along really well. I believe it was one of those situations where he didn't know me, but once he did get to know me everything was good. He really liked my "attitude" as it were haha.

Quantumstate

the_Grinch wrote: »

I wouldn't put CNDA on your resume as that is a designation for those that passed the CEH and work in a government capacity.

Oh man. Maybe this is just radioactive. I sure didn't want to just let go the $600 I've spent, and I'm sure ECC wouldn't check if I applied for CNDA as long as I sent in the money (altho I am reluctant to throw good money after bad), but maybe the very association remains.

Out of almost 1,000 applications to Amazon, G**gle, and Expedia, not a single response. And I am shooting for jobs at my level. This has to be the reason.

bigdogz

Quantumstate,

+1 to JD

Sometimes just using the word "hacking" people may think that you are evil when you are not.
I would also think that bringing up the Dish story may not have helped you. In most cases you cannot open the hardware to change/install/remove anything other than the original intent. You may look as though you were smart in accomplishing something, someone may not understand your intent but the fact that you just "hacked it".

Good Luck in your search!!!

the_Grinch

I've interviewed with Google twice in four years of applying. With any big companies like that it is truly hit or miss on when/if they will call you. Start looking at start-ups or local shows. Also, if you're willing to relocate, apply to contracting firms in the DC area. Finally, look at the NSA's job website as I suspect your skillset with embedded systems will probably fit nicely with what they do.

Quantumstate

Thanks ppls. Ya I have a broad net cast, hitting LinkedIn, Indeed, Dice, and numerous companies I have in regular rotation. But at Amazon I have pages and pages of jobs applied for (despite their bad rep as an employer), and just see them knocked off one after another. I do not understand it. No way to get feedback.

Microsoft was my best shot. It was clear though that everyone who interviewed me, feared the others and were fairly miserable. See, they're evaluated in relation to one another, so somebody has to win, and somebody has to lose. The job would have paid $65-$75/hr, but maybe it's for the best altho it's hard to see it now.

I won't be moving, I like it here; don't mind the monsoons. Also wouldn't work for NSA or any defense contractor for political reasons. I'd rather run out of money and kill myself.

Edit: Checking out jobs.colorscareers.com ("The Northwest's Premier Online Diversity Career Site") there are tons of Amazon and Microsoft jobs which I am quite sure are not on the actual Amazon or Microsoft careers sites. I just went through the latter two today, but then hit colorscareers and found at least 40 Program Manager jobs (most Senior or Principal) for which I had not applied! I mean, I am not 'diverse'... but, hiinteresting...

Quantumstate

All of a sudden... two interviews this week.