Saturday, January 31, 2015

Suggestion for Interviewing Technical Hires

Thanks to a Tweet by Peter Singer, I read an article at Forbes titled Maldrone: Watch Malware That Wants To Spread Its Wings Kill A Drone Mid-Flight. This article is interesting in its own right, but it linked to a late 2013 project by Samy Kamkar called SkyJack.

Samy's project links to a video where he describes software that enables a Parrot drone to "autonomously seek out, hack, and wirelessly take full control over any other Parrot drones within wireless or flying distance, creating an army of zombie drones under your control."

That is all really cool by itself. However, when watching the video, I realized that it incorporates many different elements of IT and security. Samy put many different tools, tactics, and hardware to work in order to accomplish his drone hijack goal. I began to wonder what it would take for someone to follow along and understand each step of the process.

I remembered the sorts of questions my leadership team and I used to ask of new hires. If you are confronted by similar challenges, keep this video in mind. I suggest that during a technical interview, ask the participant to watch Samy's video. After the video finishes, ask the candidate to explain how Samy's system works. The ability to "digest" the entire system, and teach it back to you, is a marker for their technical and explanatory abilities.

If the candidate can explain the attack and its components, I would ask:

  • How could you prevent the attack?
  • How could you detect the attack?
  • How could you respond to the attack?
Depending on the candidate and your interests, you might even have the proposed hire examine the code and work with that aspect of the system.

Have you seen other videos which could serve similar functions?


Anonymous said...

I have found that getting well trained security staff, is difficult. Often you have to get newly educated people and train them yourself.

So when interviewing, I look more for personal interests and drive, than up to date knowledge on security issues. And often the simplest questions can differ those taking the education "for well payed work" from those who took it because of personal interests.

Anonymous said...

Just for my own curiosity...
Please keep in mind I don't own a drone and have very limited knowledge of how they work.

- Prevent, disabling WiFi or by not using WEP, and using a strong WPA-PSK "passphrase"
- Detect, unless you have some kind of pocket WIPS or configure one on your drone, I could only surmise continuous de-auths.
- Respond, This is the real interesting one. Do you find and confront the drone operator? Hope he isn't unstable or packing a gun. Do you just move to a different area? Shoot the other drone out of the sky?