Hi, I wouldn't even ask them the specific questions but ask them what they thought of the government plan. That way they would have to find the questions too, which is what hacking is really about - asking the right questions!
I have always done tests on simple coding problems during interviews. I used to ask them to fill the white board with a class that performs some service function and then go for a coffee. It's cruel but they are a big investment as an employee.

Derek
____________________________
Derek Browne, CISSP [EMAIL PROTECTED]
Senior Security Consultant, CISO
BCE Emergis
905-707-4001 x4787

-----Original Message-----
From: Mads Rasmussen [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 15, 2004 8:09 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Questions when interviewing new people

In their book, "Writing Secure Code, 2nd ed", Michael Howard & David LeBlanc talk about an exercise when interviewing new people. The purpose is not to test the person's security skills but to ascertain how the person thinks about security issues.

They give an example:

----
The government lowers the cost of gasoline, however they place a tracking device on every car in the country and track mileage so that they can bill you based on distance traveled.

Ask the candidate being interviewed to assume that the device uses a GPS (global positioning system) and to discuss some of these issues:

- What are the privacy implications of the device?
- How can an attacker defeat this device?
- How can the government mitigate the attacks?
- What are the threats to the device, assuming that each device has embedded secret data?
- Who puts the secrets on the device? Are they to be trusted? How do you mitigate these issues?
-----

Does anyone use similar skills to interview new staff?

I find this idea really nice. You force the person to think as a hacker in order to answer the questions, will his/her answers satisfy your expectations?

Another interesting idea would be to draw up some code on a white board and ask the candidate to identify the buffer overflow.

Have you guys any experience that resembles this?

Greetings,
Mads