How to ensure that you won’t get hired, quickly
I’m currently reviewing CVs, seemingly by the hundreds*. And I ran into a guy who has a GitHub profile link in the CV. Such links are always followed, because seeing someone’s actual work is so much better than just reading some document about it.
But then I saw this:
And looking into the actual repository we have:
While this isn’t quite enough to give you a Darwin Award in the job hunting department (sadly, I saw worse), how could anyone think that having a publicly visible repository that says “I do illegal things to software” is a good idea? Leaving aside that you link that from your CV.
* It isn’t that many, it is just annoying.
Comments
You saw worse? Tell us, we want to know... (- grabs popcorn -)
Lol, a few weeks ago we received a bunch of CVs from a recruitment agency. So, one of the first things we check are social media accounts. We do a basic search with name of applicant and a few of the companies he worked for. Picture our surprise when we saw that one of the applicants was bad-mouthing each and every company he was working for. Many of the posts were even posted while he was still working for those companies.
We're looking mostly for developers. In general people with higher education. Why do people forget that once you post something on the internet it stays there forever and is for everyone to see? I actually wanted to write 'some people', but it wasn't an isolated incident.
We also often check with the HR department to hear their story why they terminated/not renewed the contract.
I do have to say that I understand why someone would like that repository in his CV. While it is illegal, it does show that the applicant is resourceful and is able to resolve 'problems'. It's a bit like a hacker that is hired by the company he formerly hacked. On the other hand, if you are doing some illegal activities, how smart is it to do that in a public repository? If you're not willing to pay for a private repository at GitHub, create an account with bitbucket or visualstudioonline.
For security-related positions it can be a plus. Many security experts have some kind of light hacking background from simpler times (by "light" I mean not commercially-motivated). Obviously, I understand that if you sell commercial software, somebody that has recently created a keygen might not be the best fit.
@spongebob - his github repo was something called elsewhere "ravendb" :)
@Diego Mijelshon, LOL! :)
The repository is called "JetBrains-IntelliJ-IDEA-Key-Generator", the description for it is "Generates keygen for IntelliJ IDEA 13", last updated on 2014-01-02 20:25:46 UTC
Oren, if you'd done a little bit of research, you'd understand that this is just a fork of many...
People just mindlessly fork repos on GitHub, because this is SO easy.
When GitHub takes down the root repository its forks become normal-like repos and do not show that this was a fork at some point of time.
But the Google remembers everything and says that the root repo is from "grasimu" account.
It's pretty tacky for an employer to talk trash about somebody's resume or their github profile.
There have been times where "additional" knowledge was highly appreciated. If this is true, you can even see that this guy takes care about programming also in his spare time. So I agree to additional security knowledge and I also agree that it is pretty tacky for an employer to post it like Bruce mentioned. Actually I consider bad-mouthing to be more problematic. Do you think he will not be an honest guy just because he did some KeyGens? Come on.
Bruce, I was very careful to remove all identifying information from the post. This isn't about pointing to a specific person.
Would you discard a guy who's learning IT security and forks ex 0-days code? I mean what's the difference? I know, curiosity is first step to hell, as we say in Poland, but since when has it become a sin in engineering? For me, DMCA rules in this case are just BS (obviously I'm totally against pirating software).
Lukasz, Key generators aren't exactly what I would call security work. And there is a big difference between working on one to see that you can vs. making it public.
Security work is all about proving security systems wrong. And again, as Hazzik has shown, this guy only forked some public github repo, so he did not make a keygen public (which could be considered as irresponsible / full disclosure) but only copied it to his public github. I guess that's the generation difference, I'm 34 and people of my age (I hope) tend to be more careful what they share on the internet (forking is sharing!). Myself, I'd rather just anonymously clone it, had I wanted to see how it works. Don't be too hard on the guy ;)
As others have said, it's not immediately obvious that this person did anything illegal, forking a project does not reveal motivation. Many of the hacking/cracking tools are very useful for educating oneself about system weaknesses. In fact, it could even be asserted that a strong working knowledge of these tools is necessary for building defenses. It may or may not be the case here, but without hearing the candidate's side, assuming their motivations isn't going to get to the truth.
Regardless, this nevertheless highlights one of the harsh realities of modern employment: Employers and HR departments are feeling ever more entitled to judge candidates not only by their professional work, but also by what we do in our personal life. They can't help it, it's human nature to judge and to offer opportunities to people who align with their own personalities. I get it and I'd probably do it too, but the implication is that for the purposes of employment and career advancement, honesty and openness about personal life are a liability, which is a shame.
Mkrin, Have you ever been on the side of the person doing the hiring? I got literally hundreds of CVs, out of which we had less than 20 for an interview. And I'm not really seeing the "not related to professional work" when you have a github link in your CV and you are applying to a developer position.
Yes, I have selected candidates. We discard 90% of candidates even before the interview, but that's not the same as saying we know with any certainty they wouldn't have been good in the position. We really can't know if they would have been any good especially when we could not interview them. But when you have a stack of hundreds of CVs, you do what you have to do to funnel them down into a manageable set. If there were only five candidates, employers would be forced to take them all more seriously and focus more on their hard skills, however the volume of resumes enables employers to get more arbitrary & personal with the screening process. This will exclude candidates who'd otherwise have been good for the job, but such is life, you move on.
Mkrin, Your description of what is going on is accurate, but the motivation that you ascribe for it is (usually) false.
I don't like soccer, personally. And I find talk about soccer games boring. That doesn't mean that if someone writes in their CV that they are an avid soccer player, or that they are a fan of a certain group (both of which I have actually seen), that would have any impact on the decision.
But when faced with a large number of CVs, and limited resources to do a full process on each (which will waste a LOT of time and effort), we prune the pile in many ways. We try to narrow it down to the set of candidates that are promising as soon as possible. And yes, finding such a gem in someone's CV will cause us to reject the CV and move on. I'm sure that we could go forward, and maybe the candidate has a good reason for it. In fact, they very probably do.
But that doesn't matter. I already have another 100 CVs to go through. So given that there was nothing special in this CV, and given that there is a red flag because of this issue, why go forward?
Anyone who is a professional and doesn't consider everything they post, social media, comments on blogs, etc. as future PR (or future negative PR), is being extremely short-sighted. Do you have to live your life that way? No. Can you survive professionally and be extremely politically outspoken, for example? Sure. But at least realize that everything that you post publicly, including repos, can and will be used against (or for) you. I think Oren is doing everyone a service here by helping drive that point home.