Sunday, April 26, 2020

The Toxicity of Interview Programming Tests, Pinché Cabróns

When I was at Cisco, my last project was about what Cisco could do about the email spam problem. Cisco had exactly no presence with email in any form, so this was as greenfield as it could get within the confines of $MEGACORP. We got chartered by Dave Rossetti and got together a bunch of senior engineers where we immediately started tapping our white canes in the email universe. I remember talking to Eliot Lear one day about how maybe we could affix a signature to each piece of email from a stable private key from the sender and let the magic of Bayesian filtering do its job. I don't think that Eliot was overly optimistic about unanchored keys -- although I don't think he laughed out loud either. I floated the idea with the rest of the group after that. I'm struggling to remember whether Jim Fenton (Jim, help me?) had been thinking down similar lines, or not, but the end result is that our white canes were now tapping at a furious rate at what would ultimately be called Internet Identified Mail (IIM). IIM had a shiny new thing we called a key distribution server (KDS) which bound the key to a given domain, and used HTTP to transport the keys to the receiving domain to verify the signature, so I'm sure that Eliot was assuaged.

We wrote an internet draft and started socializing it. In the mean time, I hacked up a sendmail milter (code that sits in the mail flow pipeline that can munge the email) and hashed out a lot of the boring message-on-the-wire syntax, mainly by needing to get down to that level to be able to code it up. Jim and I were much more interested in the semantics, after all. After having a working prototype, along with our socialization outside Cisco we ended up finding out that Mark Delany at Yahoo down the street from us was working on his Domain Keys draft/implementation which looked different, but eerily similar too. We finally got together and made our cases to each other -- we were looking from the vantage point of enterprise, and Mark understandably was thinking service provider. After some soul searching Jim and I decided that the main differences were with the syntax of how the signature parameters were sent, canonicalization, and the use of DNS vs. HTTP for key lookup. Truly yawn-inducing details thinking back about it.

So DKIM was born -- Domain Keys (Mark) Identified Mail (Jim and I). This led to a very large push outside with lots of IETF folks. One of the remarkable things about the experience is that the eventual working group had rough consensus and running code in spades, and well before the actual working group was spun up. I managed to eke out a small victory in being the first one to want to interop code with others, with Murray Kucherawy, then at Sendmail, following like the next day. Murray's code worked a lot better than mine, but he had written the DK milter, so he was at a big advantage.
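The core idea in the story above (sign each message with the sender's key, have the receiving domain fetch the public key by the signing domain and selector from a directory rather than trusting a key carried in the message, and canonicalize the body so that transit-induced whitespace changes don't break the signature) is small enough to show in working code. The following is an added illustration written for this page; it is not IIM, Domain Keys, DKIM, or any milter code from Cisco, Sendmail, or Yahoo, and it does not reproduce the DKIM wire format. Assumptions: Ed25519 stands in for the RSA keys of that era; the `keyDirectory` map stands in for the KDS (HTTP) or DNS lookup; the `aligned` check (signing domain must match the From domain) is a policy layered on top, in the spirit of later DMARC alignment, not part of signature verification itself; the domains `mtcc.com` and `evil.example` and the message contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// keyDirectory stands in for the key distribution server (or DNS): the verifier
// fetches the public key by "selector._domainkey.domain", never from the message.
type keyDirectory map[string]ed25519.PublicKey

func keyID(domain, selector string) string { return selector + "._domainkey." + domain }

// newDomainKey generates a keypair and publishes the public half under the domain.
func newDomainKey(dir keyDirectory, domain, selector string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dir[keyID(domain, selector)] = pub
	return priv
}

// canonicalize makes the body tolerant of the whitespace damage mail relays inflict:
// CRLF -> LF, trailing whitespace stripped per line, trailing empty lines dropped.
func canonicalize(body string) string {
	lines := strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n")
	for i, l := range lines {
		lines[i] = strings.TrimRight(l, " \t")
	}
	for len(lines) > 0 && lines[len(lines)-1] == "" {
		lines = lines[:len(lines)-1]
	}
	return strings.Join(lines, "\n") + "\n"
}

type signedMessage struct {
	From, Subject, Body string
	SigDomain, Selector string // the d= and s= parameters of the signature
	Signature           string // base64 of the Ed25519 signature
}

// signingInput covers the signature parameters, selected headers and the canonical body,
// so none of them can be changed without invalidating the signature.
func signingInput(m *signedMessage) []byte {
	var b strings.Builder
	fmt.Fprintf(&b, "d=%s;s=%s\n", m.SigDomain, m.Selector)
	fmt.Fprintf(&b, "from:%s\nsubject:%s\n", strings.TrimSpace(m.From), strings.TrimSpace(m.Subject))
	b.WriteString(canonicalize(m.Body))
	return []byte(b.String())
}

func sign(m *signedMessage, priv ed25519.PrivateKey, domain, selector string) {
	m.SigDomain, m.Selector = domain, selector
	m.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signingInput(m)))
}

// verify returns the domain that vouches for the message, or an error. The key comes
// from the directory, so a signer who never published a key under the claimed domain fails.
func verify(m *signedMessage, dir keyDirectory) (string, error) {
	pub, ok := dir[keyID(m.SigDomain, m.Selector)]
	if !ok {
		return "", errors.New("no published key for " + keyID(m.SigDomain, m.Selector))
	}
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(pub, signingInput(m), sig) {
		return "", errors.New("signature does not verify")
	}
	return m.SigDomain, nil
}

// aligned is the hypothetical policy check: does the signing domain match the From domain?
func aligned(m *signedMessage) bool {
	at := strings.LastIndex(m.From, "@")
	return at >= 0 && strings.EqualFold(strings.TrimSpace(m.From[at+1:]), m.SigDomain)
}

func main() {
	dir := keyDirectory{}
	priv := newDomainKey(dir, "mtcc.com", "sel1")
	m := &signedMessage{From: "mike@mtcc.com", Subject: "hello", Body: "hi there  \r\n\r\n"}
	sign(m, priv, "mtcc.com", "sel1")
	d, err := verify(m, dir)
	fmt.Println("signed by:", d, "err:", err, "aligned:", aligned(m))
	m.Body = "hi there, please wire money\n"
	_, err = verify(m, dir)
	fmt.Println("after tampering:", err)
}
```

The interesting cases are the negative ones: a body edit fails verification while trailing-whitespace damage survives canonicalization; a signer with a self-generated key who claims `d=mtcc.com` fails because no such key is published; and a signer who does publish a key under their own domain verifies but is not aligned with the From domain, which is exactly the distinction between "who signed this" and "is the sender who they say they are".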

During the journey, we started talking to a company called IronPort who were also participating and knew what Murray and I had done. Jim and I were part of the due diligence team that vetted IronPort, which Cisco went on to buy. In the mean time, internally we had started our own effort, and my DKIM code was put into Cisco's mail pipeline with a racked-up box (Cisco is a hardware company... it's what you do). So not only did I write the code for DKIM, it was running in a Fortune 500 company's mail infrastructure, and for a company that lived and died by email, that was no small thing. It never had a hiccup.

So what does this have to do with Toxic Programming Tests, you quite reasonably ask? All of the above should show to any idiot that I'm quite capable of writing solid code in short order. Once IronPort was part of Cisco, it was obvious that our project was done, so I decided to try to jump over to the IronPort acquisition. When I finally interviewed, they gave me a programming test -- strstr as I recall. I wrote a shitty version of it but said that in real life I'd get out Knuth and lean on his genius. I mean, I had been out of school for 25 years by then... these algorithms are not on the tip of my tongue. Afterward, I was told that the universal reaction was that I couldn't write code. I'm like what in the fucking fuck? They reduced all of the evidence to the contrary to a single coding test that I wasn't even expecting! In another interview later I was vetoed by a shitty junior engineer because I couldn't recall off the top of my head what the Java keyword for a constant was (final). I know lots of languages and it takes a little bit of time to swap them in and out. FWIW, I knew the answer but just couldn't remember it in the interview.

That is toxic. Coding tests have always been pretty close to useless because different people like to code in different ways. I like to be holed away and absolutely loathe people staring over my shoulder. But guess what, that's what coding tests force you to do! So by all means, ignore your lying eyes and base everything on 25-year-old memories of algorithms which in real life you'd be fired for rolling your own. Rinse, repeat. Over and over. Interviewers are completely convinced that if you don't know whatever obscure algorithm they are throwing at you, you can't code. Research by Google of all people -- because they are the absolute best at this toxicity -- showed that coding tests and a lot of the other toxic interviewing they did were not only useless but actively harmful. I interviewed once at Google before this revelation and got the same idiotic treatment and rejection. For years they would call back asking me to interview again, and every time I said no and the reason why. I finally started telling recruiters that if it involved programming tests, I wasn't interested.

The thing that's most stunning about all of this is that they never want to talk about what you've done in the past. The excuse that I've been given is that it could all be a lie. But memorizing algorithms is its own sort of lie. In my opinion, your past is an excellent place to quiz the interviewee because they had better be able to speak to the architecture, design and implementation with authority. One thing I would look for is the subconscious "we"s, which can mean that they are embellishing their part in the project. But that's a different rant.

After doing some research on this admitted hobby horse of mine, my conclusion is that a Fizzbuzz-like test might be ok, but treating even mid-career engineers the same as fresh college grads is lunacy. As I've written before, a lot of these interviewers are really just looking to have their penis extended, so they are doing these kinds of interviews in bad faith in the first place. Yet way too many companies seem to rely on these kinds of tests as if they were delivered wisdom. Sorry, no I'm not going to re-read Knuth to get a job at your shitty-ass company that I don't know a damn thing about, let alone what I might be doing.

Tests, to god-damned hell with tests! We have no tests. In fact, we don't need tests. I don't have to show you any stinking tests, you god-damned cabrón and chinga tu madre!

Weaponizing PC Aspirations from Poorly Trained AI's [frank language]

I was banned from Reddit after a short stint of posting to r/askgaybros recently. The person to whom I was responding (1234ideclareworldwar) had just got done telling me that I either had AIDS-related dementia or was mentally retarded because I somehow had a chip on my shoulder. I have no clue how those even relate to each other. He had previously said that he wouldn't date somebody who was HIV positive because they were in effect reckless barebackers, including all of the people who died at the beginning of the pandemic. My crime was to point out that there was no such concept of "barebacking" back then -- it was just gay men having sex with each other -- and that he'd either be the type of person who abandoned his friends as social pariahs to die a painful death alone, or he could be one of those who died a painful death alone himself.

Poof! That was it. Presumably enough of the people of his persuasion (and there are lots of hateful young gay incels just like him) reported me and that was that. The content, while somewhat graphic, was certainly not harassment -- it was the literal truth. I was only trying to explain in a pointed way what the situation actually was to somebody who was clearly Monday morning quarterbacking, and full of the yummy privilege of hindsight.

The coup de grâce, however, came when I retold this story on Facebook as a comment on a friend's posting: I was put in Facebook jail as well. I had just described what happened and my experience with the legions of gay incels that seem to populate that subreddit and their clueless hatefulness. Apparently as a gay man I am not allowed to use the F word (and I probably can't even say it here because Google's AI's are probably no better) in any context, even though as a gay man I have been actively trying to reclaim that word as our word. It's not as easy to tell with Facebook, but I doubt that any of the original poster's friends reported me to Facebook. This was most likely Facebook acting as net.nanny on its own. When I appealed, it said that it might not get reviewed because of the Covid-19 pandemic, but in fact it "reviewed" it a few minutes later with the same results. That says that it was not, in fact, a human but some poorly trained bot (read: egrep) making the decision.

Ok, enough of the pity party, it's just a concrete example of something that is happening on a widespread basis without doubt. The larger problem is that these poorly trained bots (I hesitate to even call them AI's because they seem to be at the level of egrep) allow people with bad intentions to game the system. These poorly trained bots in fact are punishing the people they are intending to protect. Since they do not have the capability of understanding context -- and even human moderators generally just do peephole scanning -- they are enabling people to use that lack of context to retaliate against speech they do not like.

I should point out that this is fine for moderated groups/subreddits who have their own rules. Moderators can be a pissy bunch, but in the end it is their group to be pissy about. You are always free to create your own group with its own rules. The problem is with platform-wide moderation, where it is painfully obvious that it is not up to the task of providing a fair and even moderation service. In the Reddit example, the user whom I supposedly harassed is still posting away with complete impunity. I was dished up more vile and harassing -ist (fill in the blank) in those 4 months by young gay men than I ever was by homophobes on Usenet's unmoderated soc.motss in the many years I participated. While Reddit does not disclose its moderation algorithms (security by obscurity!), it's pretty obvious that it is heavily influenced by the number of reports. While that may seem reasonable since homophobes coming into a gay group is not very desirable, it can have the perverse effect that the young gay men in my example who reflexively dislike older gay men -- this is common as dirt -- can game the system to get rid of them. The platform-wide bots that enforce this are clearly not up to the task. Yet enforce it they do anyway -- poorly and unevenly.

In the case of Facebook in particular, it is even more egregious. When a marginalized group cannot talk about their marginalization in frank terms, the platform is reinforcing that marginalization. As far as I can tell, anybody can report a comment if they can see it. While that is good against actual bad actors, it can be weaponized by bad actors to report content to retaliate against people they dislike, often for reasons of the victim's marginalization. Facebook is in particular awful because you can't even try to give context while appealing the punishment. I suspect that is because either the bots cannot do anything useful with it, or it makes human moderation too costly. Reddit has pretty much admitted the latter. So basically this moderation is nothing more than a glorified egrep for the most widely used social media platforms on the planet.

Topically, I can almost guarantee that people have already been put into Facebook jail for making fun of Trump's dangerous and insane suggestion that people ingest cleaning products to protect or cure themselves from Covid-19. Since they can be trivially reported by Trump supporters as incitement to harm or fake news, it is up to the bots to detect irony. Irony is extremely context sensitive, and on Facebook, writing on your own or a friend's wall, it often comes down to actually knowing the parties of the conversation and whether it's irony or not: "of course he doesn't mean it literally, it's $FRIEND". Bots or even human moderators surely have no clue. Since the jail message to me mentioned Covid-19 as being a reason for a possible delay for review, I'll bet a buck that it is because their bots cannot distinguish people rightfully lampooning a dangerous charlatan president from the morons who actually take his idiocy at face value and pass it along in all seriousness. Putting even one person in Facebook jail for spreading the word about yet another dangerous and incompetent thing that Trump is touting that should be avoided is bad. Very bad. Forbidding this kind of speech is an existential threat to our democracy as it gives the bad actors a trivial way to game the system by silencing the very people the platform claims to protect. Just as I am not allowed to call out ageism in the gay community on Reddit, people who fear that our democracy is coming apart in real time are silenced on Facebook by the people who cheer that on.

And that gets to the biggest problem of all. Platform-wide moderation is a cost center. There is little incentive to do anything to it other than reduce its cost. Being accurate and fair is almost certainly way down the list of priorities. Good moderation is extremely expensive because you have to hire and train people who are then given an endless supply of judgement calls -- a huge amount of which they are absolutely unqualified to judge. Do you think that people at moderation centers in Morocco have any clue about the subtleties of gay male culture in the US? Of course they don't, and that is putting aside the cultural biases of the moderators. Since even bad human moderation is expensive, social media has been deploying even more clueless "AI's" to keep costs down. The "AI's" deployed are even less equipped to deal with the subtleties of human speech and interaction. For all the hype, AI's are dumber than shit.

This sets up a huge dilemma: cyber-security -- and maybe security in general -- is asymmetric, where the bad guys have a huge upper hand. Bruce Schneier wrote a great blog post about exactly that asymmetry. It is trivial for attackers to slice and dice up Facebook's population -- that's the service for which they make their ad money after all -- and target them for reporting. Even assuming that there isn't an API to automate the reporting task, there is a huge effort difference between, say, a human given a list of general things to report the target for, and the moderation task itself. Perversely, the more virtue the social media platforms try to project, the easier it is for attackers to subvert their moderation since the bar is much lower, sweeping more and more people into the false positive pile.

The long and short of this is that while punishment for harassment might be a good idea in theory, as with Potter Stewart's famous quip about pornography and "I know it when I see it", "seeing it" does not scale to internet scales. It's also clear that we have no clue how to solve that any time soon. Given that it is trivial to subvert on a small scale, it should cause people to shudder at the thought of censoring weapons being used at a nation-state scale, either on its own population, rivals' populations, or more likely both. It would be ironic in a horrible way if the go-to way to stifle dissent is to use the tools of virtue as a weapon by those who have none.

The silver lining of all of this for me is that I have been cut off from the horrible people I have been dealing with, and it's feeling pretty good thus far. Fuck you Facebook. Fuck you Reddit. I am not your product anymore. I have no need for you. I have no use for your enabling hateful Trumpanzees who are the poster children for Dunning-Kruger Syndrome. Nor do I have any use for hateful young ageist incel gay boys who think that it's a good thing we died of AIDS as they bask in the moral superiority of hindsight. The joke is on them: you'll end up being old, gay, and hated and wonder what happened. And best of all, the Trumpanzees will all be dead from Evolution in Action as they infect each other with the Covids, and munch on Clorox Chewables as a cure. Life is good.

Friday, April 24, 2020

On Second Thought... SIP Security

I have argued here that SIP's STIR/SHAKEN is misguided and is probably solving the wrong problem, and that the "right" problem is in fact the sip:mike@mtcc.com problem. But what if we are both wrong? The most obvious question is whether there is going to be anything resembling the PSTN at all in the future. Phones are increasingly not phones at all, but instead devices to access internet services. While email is probably bumping along at the same clip or growing, actually talking on a telephone is distinctly in decline, especially among the youngins. They certainly use SMS texting, but there are any number of wholesale replacements for SMS-like texting. Given the lack of end-to-end privacy of SMS, apps like Whatsapp fill that void and are very popular from everything I've heard. Given the heavily regulated PSTN and the tension with law enforcement, it seems highly unlikely that SMS will ever provide that sort of privacy.

So the obvious question here is whether in, oh say, 10 years legacy telephony (regardless of how it's transported) will be very important. My bet is that as a means of communication the answer is "no". Sure, old geezers like moi will continue to use the old-fangled things, but for younger generations the decline will surely accelerate. Lest anybody think that I'm saying that in 10 years' time the PSTN will evaporate, I'm definitely not saying that. But my suspicion is that its raison d'être will largely be overtaken by new technologies. Given that telephony is almost 150 years old there are definitely a lot of legacy things baked into everyday life that will still be needed for decades to come. But those needs are increasingly around the edges, and they are slowly but surely getting internet-enabled analogs.

What that implies to me is that more and more people are going to just turn the telephony functionality off, or at least find ways to not have it annoy them. Even in my geezerhood, I am sorely tempted to do exactly that given the spam problem. All of this puts the telephants into an interesting situation: having to provide an expensive and heavily regulated service that is in free fall. Long gone are the days when telephony was a profit center. Mobile providers haven't charged for telephony in ages, and landlines are becoming jokes to outwit clueless teenagers. One thing we can be sure of though: if something ain't a profit center but you can't get rid of it, you put exactly as little investment into it as possible.

The other thing that has been happening since I wrote the original post is the Covid-19 pandemic. They say these kinds of things have a way of really reshaping society. It was certainly true of the previous pandemic, especially for gay people. HIV and the corrupt and incompetent response to it shaped a generation of activists who had no other choice but to take things into their own hands to affect change. It also forced several generations worth of tireless work on anti-retrovirals and pushed the envelope of biology in general. We are surely reaping the rewards of all of that work, including the possibility that HIV drugs like Lopinavir may be helpful for Covid-19 too.

Since Covid-19 affects everybody, it is likely that the change is going to be enormous. Working at home as well as using things like Zoom for social interaction has become a major change in daily life. It is highly likely that this petri dish we've been thrown into is going to force us to especially look at why we need to go into the office every day of every week. I could be wrong, but telephony is probably not the go-to answer for either telework or social interaction. This further contributes to its downward spiral and relevance.

While it seems to be a pretty safe bet to say that telephony qua telephony is in decline, it's still an open question in my mind whether that also applies to SIP qua SIP. The work on E.164 identities seems to me to be a lot of work for little long-term gain. But I really don't know whether SIP is used much outside of telephony. Most of the new communication services don't seem to have any inter-provider needs, so SIP isn't a requirement. And if you take the inter-provider problem off the table, the spam problem is reduced to the more tractable intra-provider problem.

So is there actually a DKIM-like analog problem in SIP beyond telephony? I think that it's an open question. Centralization has become the watchword for the last several decades. On the other hand, centralization is starting to create backlash as nations and governments watch it warily. A Bell-like breakup of, say, Facebook could happen. Or nations might take back messaging and video services and we'll need inter-provider connectivity after all. Who knows? I sure don't.

As always, one engineer, three opinions.