Feuerfest

Photo by Sora Shimazaki: https://www.pexels.com/photo/professional-man-interviewing-an-applicant-5668863/

I recently read a comment on the /r/linuxadmin subreddit from someone who has developed and commercially runs a tool that helps job applicants in real-time, parallel to their interview. This tool doesn't just transcribe spoken words, which is fine by me. It can also solve coding problems and actively suggest what a candidate should say next to "ace the interview". It can even analyse the video feed to solve coding problems written down on a whiteboard.

This is precisely why I value meeting an applicant in person. Inviting them for a trial day of typical problems and conversations with potential future colleagues. It gives them a clear idea of what it's like to work for the company.

I understand that people can be in dire situations where they really need a job. Still, I do tend to have more sympathy for a person who is open and honest about their knowledge gaps.
However, I also disagree with seeing them as negative per se. Instead, it's a huge bonus when someone is able to say, "I don't know." Especially in such a delicate situation like a job interview.

If a candidate says, "I don't know." I will reply, "Perfect! Then let's iterate together on how you would proceed. Like you've just encountered a new problem at work without further knowledge."
I gain a great deal of insight into a person from their answers to such questions.

At a previous employer, I was interviewing a candidate. This applicant regularly said, "I don't know." This was to be expected. My colleague and I intentionally asked follow-up questions on the answered questions, constantly diving deeper into technical details. We didn't just want to check on the basics. We wanted to know if he understood the concepts and how he plans his work. Company-specific and technical knowledge is something we can teach. Changing how an adult person thinks and approaches problems? This is something we cannot do.

After working in our team for two years, he told us the following: "Right after the interview, I'd called my wife. I told her, "Well, it looks I'm not going to get the job. It feels like I couldn't answer anything." can you imagine how surprised I was when I was invited for a trial day?"

We then explained to him why we interview the way we do, and he added, "In most companies, I was only asked basic questions. And more often than not, there was not one person from the technical department. Not even from the team they were hiring for."

The upshot is that companies need to get their recruitment processes right and not just tick boxes.
If you do the latter, you'll get solutions like those described above.

And I don't think that's a good development for anybody.

I have also learnt to redesign my interviews. I don't want candidates to leave the interview feeling devastated or like they're not good enough. They may not be a good fit for the company and we may have to turn them down for various reasons, but that doesn't mean they're bad at what they do. There are just too many variables that need to come together in order to hire someone.

Photo by cottonbro studio: https://www.pexels.com/photo/man-kissing-a-gypsum-head-3693078/

Durch Zufall heute auf den Youtube-Channel von David Tielke aufmerksam geworden.
Und nach 2 Videos auf seinem Kanal schlug mir Youtube seine Keynote von der DWX23 vor. Titel: "Der Faktor Mensch in der Softwareentwicklung"

Ist eine Stunde, die aber wirklich unterhaltsam und lehrreich ist.
Und seine Aussagen mehr auf seine Kollegen zu achten bzgl. Work-Life-Balance, Burnout, Depression und im Leben (privat wie beruflich) nicht nur die IT zu haben. Die kann ich voll und ganz unterschreiben.

Ich war 2x für mehrere Monate aufgrund von Depressionen in der Tagesklinik, zwar wegen bis dato nicht diagnostiziertem Aufmerksamkeits-Defizit-Syndrom (da ist Depression das häufigste Symptom bei Erwachsenen) und nicht wegen Überarbeitung etc.
Dennoch habe ich aufgrund dessen Dinge in meinem Leben geändert. Mir Hobbies und Freunde abseits der IT gesucht.

Und gerade weil ich damit so gute Erfahrungen gemacht habe, bin ich damit so offen & auch offensiv. Depression, Burnout, etc. sind keine lebenslangen Stigmata. Mit der richtigen Hilfe und etwas Umstellung lässt sich das meistens sehr gut in den Griff bekommen. (Klar, jeder Fall ist anders & individuell.) Aber ich sehe eine psychische Erkrankung nicht als K.O.-Kriterium für eine Karriere oder gar als Charakterschwäche. Menschen die so denken wünsche ich, wirklich(!), von ganzem Herzen das sie niemals selbst in so eine Situation geraten. Denn die Kraft die man aufbringen muss, während man selbst am Boden liegt, es sich anfühlt als ob die Welt auf einen einprügelt und man dann noch Zirkuskunststückchen vollführen darf... Nur um mal irgendwann nach etlichen Wochen oder Monaten einen Termin bei einem/-r Psychologen/-therapeuten zu bekommen..
Diese Kraft traue ich auch manchem gesunden Menschen nicht zu.

Also: Passt auf euch auf. Kein Job ist wichtiger als euer Leben. Egal wie geil euer Arbeitgeber ist.

Das Video ist unten eingebettet. Oder hier direkt als Link: https://www.youtube.com/watch?v=Eh-UaaxBYDk

Photo by Yan Krukau: https://www.pexels.com/photo/close-up-of-a-person-holding-uno-cards-9068976/

I just read it again on the Internet. Someone is asking: "Hey, as we do only business in the United States, can't we simply block all other countries and be safer? All our customers and suppliers are located in the US."

This inspired me to write a short post about why this is a dangerous and - let's call it politely - sub-clever idea.

You know what "Internet" means, do you?

The term Internet is short for "interconnected networks". The Internet isn't one big network. It's thousands and thousands of small and bigger networks linked together via so called routing protocols. They transport the information on which routers decide how to route your packet so it arrives at its destination. Routers are, to use an analogy, the traffic signs along the highway. Giving each packet directions on which lane it needs to take to reach its destination. In protocol terms, we speak about iBGP, eBGP, OSPF, RIP v1/v2, IGRP, EIGRP, and so on. The only real distinction is whether these protocols are Intra-AS (routing inside one AS - for example iBGP) or Inter-AS (routing between several AS - for example eBGP) routing protocols.

What is an AS, you ask? AS is short for autonomous system (Wikipedia). That's the technical term for a network under the control of a single entity, like a company. Each AS is identified by its unique number, the ASN. This number is used in routing protocols like BGP to exactly identify to which AS a rule belongs.

And as you must have already guessed by now: None of this respects real-world borders. Packets don't stop at borders. Here in Europe, even we people don't stop at borders. You just have to love Schengen (Wikipedia).

Therefore, the task of only allowing customers from the US is a little bit complicated to set up. Technically spoken. Data packets don't contain information from which country they originated. Just the source IP address.

But.. My firewall-/router-/hosting-/DDoS-/CDN-/whatever-provider provides such an option in the control panel of my/our account? So it must be possible!

I didn't say it couldn't be done under any circumstances. I just said, It's complicated and will constantly cause you pain and money loss.

Even BGP in itself isn't 100% safe and attack vectors like BGP hijacking (Wikipedia) do exist, but due to how BGP works, they are always pretty quickly noticed, and the culprit is easily and clearly identified.

So, when it is possible, how do they do it?

They are taking many and many educated guesses.

...

Yeah, ok. Sprinkled and garnished with some bureaucratic facts as their starting point for their educated guesses.

...

Ok, sometimes they outright pay internet service providers or other companies to give them those data. This might or might not be legal under your countries data privacy laws..

...

Not the answer you expected to read? Yeah, life is disappointing sometimes.

How the bureaucratic layer of the Internet works

Tackle the problem from another angle: Do you know how IP addresses are managed on the bureaucratic layer?

Do terms like IANA, RIR, Ripe and ARIN ring a bell? No? Ok, let me explain.

IANA is the Internet Assigned Numbers Authority. In their words, they "Perform the global coordination of the DNS Root, IP addressing, and other Internet protocol resources" Relevant for us in the article is the "IP addressing" part.

The IANA assigns chunks of IP addresses to the so-called RIRs. That's Regional Internet registry (Wikipedia). Those RIRs are (with their founding dates and current area of operations):

• 1992 RIPE NCC - Europe, Russia, Middle East, Greenland
• 1993 APNIC - Asian/Pacific region, Australia, China, India, etc.
• 1997 ARIN - United States of America, Canada
• 1999 LACNIC - Mexico, South American Continent
• 2004 AFRINIC - African continent

These RIRs then provide companies in their assigned areas with IP addresses they can manage themselves. And to make this picture easier I left the ICANN & NRO, two other governing bodies, out of the picture.

As you can see some RIRs were founded later than others. This also means: Even if you filter based on which RIR manages the IP addresses, this isn't set in stone forever. Even if a RIR is responsible for a whole continent this can change.

What these companies, which offer geo-blocking, do is: They look where an IP address is located on the bureaucratic layer. Which RIR is responsible for the IP block? Which companies "own" the IPs? Where are they routed to/announced from. But these are all bureaucratic and technical information. These information can't be mapped 1 to 1 to a country. And these bits of information are extremely volatile.

Side note: And there is no RIR for each single country. The term LIR or Local Internet registry (Wikipedia) does exist. But it commonly refers to your Internet Service Provider (ISP) who assigns your Internet Modem/Router an IP address so you can browse the Internet. This has nothing to do with countries. The Internet itself isn't technically designed with the concept of "countries" or "borders" in mind. Never was and most likely (hopefully!!) never will.

Another problem are the systems who provide these information: Some provide real time information. Others don't. Additionally you don't know which metrics your vendor uses and how the vendor obtains them. And usually they don't make the process how they obtain and classify the information publicly available.

I had customer support agents who, instead of resolving a domain name via the ping or host command typed it into Google and used that information. Sometimes obtaining wrong information which was months old and therefore led to other errors...

And what about multi national businesses?

A company from Germany can have assigned IPs from the ARIN for their US business. Maybe they have a subsidiary company for their US business, but this still makes it a German company. How do you filter that?

Keep in mind: Maybe their US subsidiary was only established for jurisdictional problems and all people working with you are sitting in Germany. Hence mails, phone calls, letters, etc. will all come from Germany.

Additionally this company is free to use the IPs as they like. They can announce their BGP routes as they like. Nothing is preventing them from using IPs assigned by the RIPE NCC in the United States. This is done on a regular level. As especially IPv4 addresses are rare and sometimes IPs need to be moved around to satisfy the ever growing demand.

Side note: The NRO publishes the data of all delegated IP blocks under https://ftp.ripe.net/pub/stats/ripencc/nro-stats/latest/. And the file nro-delegated-stats contains the information which IP blocks were assigned by any RIR. You will find lines that the ARIN (Only responsible for the US & Canada) assigned IPs to an entity in Singapore.

Jan Schaumann used that file to present some cool statistics about IP allocations: https://labs.ripe.net/author/jschauma/whose-cidr-is-it-anyway/

To make the picture more complex: IPs issued by a RIR can be used in any country. Their is no rule nor enforcement that IPs issued by a RIR are only to be used in their sphere of influence. Therefore even that first starting piece of information can differ completely from reality.

Hence my statement that all this geolocation business is based on educated guesses. Yes, many positions will be precise. But the question is "For how long?" and do you really want to make your communication depending on that?

The technical reality

BGP routes themselves can change at any time. There is no "You can change them only once every 30 days." You can change them every 5 minutes if you like. They can even change completely automatically. Heck, they have to change automatically if we want a working Internet. There are always equipment malfunctions..

When I worked at a major German telecommunications provider, we utilized BGP to build an automatic fail-over in case an entire datacenter went offline. Both datacenters announced their routes (how traffic can reach them) via BGP towards the route reflector of our network team. Datacenter A announced with a local-preference of 200, datacenter B with a local-preference of 100. In iBGP the highest local-preference value takes priority. This means: If datacenter A should ever cease to function (the iBGP announcements from that datacenter stop reaching the route reflector) the traffic will immediately go towards datacenter B.

In our case, both datacenters A and B were located in Germany. But that was pure chance. My employer also had datacenters in France, the UK, Spain, etc. and of course also in the US. It just happened that the datacenter where my team was allocated the necessary rack space for our servers were both located in Germany.

So the endpoint can literally change every millisecond. And with it the country where traffic is sent to or originates from.

Of course we did regular fail-over tests. Now think about the following scenario: We are doing a live fail-over test. Datacenter A switched to B and datacenter B happens to be located in France. The traffic will be arriving in France for 5 minutes (the duration of our test). In exactly these 5 minutes a scan from a vendor notices that traffic for all IPs affected by our test will be located in France. The software will write this into its database and happily move along.

How long will that false, inaccurate and outdated information be kept in their database? What trouble will that cause your business?

Looking at it from the other side

Ok, so we clarified why geo-blocking is taking educated guesses with a bit of Voodoo. It is time to look at it from the other side, right? As this is a viewpoint which is regularly forgotten completely.

Let's go with the example above: "Hey, as we do only business in the United States, can't we simply block all other countries and be safer? All our customers and suppliers are located in the US.."

Is this really the reality? Are your suppliers and customers located in the US?

I bet 100% that you haven't even understood why you are making that claim. Most people will look at: "Where do we have stores? Where do we ship? What are our target customers?"

This usually leads to an opinion based on bureaucratic metrics. Or in other words: Delivery and invoice addresses.

But what about the customer in Idaho who just recently moved there from Spain and still uses his/her mail account from a Spanish mail provider?

Have you checked which IPs their email server uses? Are they hosted by a big cloud provider like Google, Azure or AWS? Do you have complete and absolute knowledge on how these biggest three tech companies manage their IPs and hundreds of networks today? Tomorrow? Next week?

Even they don't.

Which measures and workarounds they undertake should a datacenter be down? Or just be in a planned maintenance state?

It's fairly normal that in times of need workarounds are done to ensure customers can use the services, for which they are paying, again as quickly as possible.

Businesses change too

How about your biggest client suddenly stopping buying from you? Are you getting no calls for bids any more?

Could it be that the company you did business with was recently acquired by another company? And now they send all their mail from an entirely different mail server hosted in an entirely different country? Could that be the reason the RFQs (requests for quotations) stopped coming?

How much money will you lose before you notice this error?

Last words

I tried to explain in easy words for non-techie people why geo-blocking is usually bad. Yes, it's used by Netflix and many others. Yes, many products offer some kind of feature to achieve some form of geo-blocking.

But keep in mind: They have to do this for jurisdictional reasons. They bought rights to movies to show in certain countries. The owners of these rights want Netflix to ensure only those customers can watch these movies. Because they themselves sold the exact same rights to at least 25 other companies in other countries. And each of their customers will sue them once they notice that a competitor has the same movie in the same country. Hence, Netflix is trapped in a never-ending cat-and-mouse game with VPN companies that constantly change their endpoints.

I haven't even talked about VPNs. I haven't talked about DNS. I haven't talked about mail. All these require IPs to function. All these add several other layers of complexity. But all these are needed for your business to work in the 21st century.

You won't be more secure by blocking China, Russia, or North Korea from your firewall.

You will be more secure by applying patches on time. Using maintained software products. Separating your production environments from your development/test networks and the networks where the PCs/Laptops of your employees are located. By running regular security audits. By following NIST recommendations regarding password security. By defining a good manageable firewall rule framework. By having a ticket system that makes changes traceable AND reproducible. By introducing ITIL or some ISO stuff if you want to go that route.

Be advised: The bad guys are not just sitting in those countries that you are afraid of. China isn't solely attacking out of China in the cyberspace. No. Probably they utilize a nice hacked internet account from John Doe just around the corner of your shop.

Some links

If you want to read further I can recommend the site https://networklessons.com/. If you want to learn more about BGP you can visit https://networklessons.com/bgp and start from there.

Photo by Pixabay: https://www.pexels.com/photo/flare-of-fire-on-wood-with-black-smokes-57461/

This topic comes up far to often, therefore I decided to make a blogpost out of it. After all copy & pasting a link is easier than repeatedly writing the same bullet points.

Also: This is my private opinion and this article should rather be treated as a rant.

• Mail templates are separate files? And the workflow to create them is seriously that antique?
  
  • Under Create an email message template (microsoft.com) Microsoft details how to create an email template. But you notice something? They use the term "[...] that include information that infrequently changes [...]" means only static text is allowed.
  • Yep, you can't draft mail templates where certain values get auto-filled and the like. I mean, how many employees, consultants, etc. have to sent their weekly/monthly time-sheet to someone? Is it so hard to automatically fill in the week number, month and automatically attach the latest file with a certain file name in a specified folder?
    • Yes! Automating this with software is surely the best way. But we all know how the reality in many companies looks like, right?
  • Additionally the mail templates are stored as files on your filesystem under: C:\users\username\appdata\roaming\microsoft\templates.
    • This means: Mail templates are not treated as mails in draft mode or the like. No, you have to load an external file via a separate dialogue into Outlook. That's user experience from the 1980s?
  • Workaround: Create a folder templates, create a sub-folder templates-for-templates. Store mail drafts (with recipients, subject, text, etc.) in templates-for-templates. When needed copy to templates. Attach file. Edit text manually. Hit send.
  • Never send directly out of templates-for-templates as else your template is gone.
  • But seriously? Why is this process so old and convoluted? I suspect the feature is kept this way because Microsoft is afraid of people utilizing it to send spam. But.. Sending spam manually? I think this stopped to be a thing at May 5th, 2000 (Wikipedia) at the latest.. Every worm/virus out there has it's own build-in logic to generate different subjects/texts/etc. Why deliberately keep a feature in such a broken state and punish your legitimate users?
• No regular expressions in filter keywords
  • This annoys me probably the most. When you specify a filter "Sort all mails, where the subject begins with Newsletter PC news into a folder", Outlook will only sort mail with the exact subject of "Newsletter PC news"
  • Which is stupid when there is a static & changing part in the subject. I mean it's 2024. Support some kind of wildcard string matching via asterisks is not really new, isn't it? Like: "Sort all mail where the subject starts with "Newsletter PC news*" and then "Newsletter PC news April 2024" will also get sorted.. No. Not in Outlook.
• Constant nuisance: Ctrl+F doesn't bring up the search bar - Instead it opens the new mail window..
  • I mean really? Ctrl+F is the shortcut for search everywhere. Why change that!?
  • Info: Ctrl+E activates the search field on top
• Only one organizer for events
  • Ok, technically this isn't outlook but rather CalDAV and hence Google calendar, etc. suffer the from the same problems. But I still list it as a fault.
  • Why? Microsoft has repeatedly shown the middle finger to organizations like the ISO and the like. When it suits Microsoft's market share, they basically are willing to ignore a lot of common standards (like Google, Facebook, etc..). With their Active Directory infrastructure and Office Suite they have everything in-house and 100% under their own control to make this feature work in Windows environments - which most companies do run. But they don't care.
  • I mean.. On the other hand I'm glad that they follow the standard. It just turns out so often to be a feature we are in need of that I stopped counting.
  • And you already need proprietary connectors to properly integrate your Exchange calendar into other mail programs like Mozilla Thunderbird. So this shouldn't be really a big deal-breaker either..
• Only one reminder for events
  • Due to my Attention deficit disorder I tend to have what is called "Altered time perception" or "time blindness". This means I won't experience 15 minutes as 15 minutes or grossly under-/overestimate how much time I really have left. Best description for non-ADDers I can give is: This means I will think of 15 minutes as "Ah, I still have 1 hour left." That this can lead to situations where I am late or wasn't able to fully prepare something for a meeting should be clear.
  • Therefore it really helps me to be able to set multiple reminders for an event.
  • Usually I do the following: 1 hour before, 30min, 15min. This helps me to break out of the time blindness and synchronize my altered time perception with reality. Enabling me to finish tasks before the meeting/event happens.
  • For events like a business trip which take more time to prepare I often set a reminder 1 or 2 weeks in advance. This way I have time to do my laundry in time and so on.
  • Outlook however only supports the setting of ONE reminder.. Yeah..
  • My workaround is to have events also in my private calendar. (Of course without any details and often just a generic title/description as to not store client information on my private device.)
• Remember Xobni? / The search is horrible
  • Outlook search is a single input field and then it searches over everything. You can't specify if the search term you used is a name, part of the name of a file or part of an email address.
  • In the early 2000s there was Xobni. Slogan: "It reverts your Inbox." - Hence the name Xobni. It was a an add-on which added another sidebar to Outlook. There it displayed all people you've mailed with. And when you clicked on a person you saw all mails, all mail threads and, most importantly, all attachments this person had sent to you (or you to them). You could even add links to the persons social media profiles, etc. It was brilliant. And made work so easy. As often I remembered only the person who sent a file to me or the thread in which it was attached - but not the actual mail or even the subject of the mail, etc. Xobni made it pretty easy to work around that. Making it possible to search Outlook in a way in which our brain works.
  • Well, sadly Yahoo bought Xobni in July 2013 and shut it down in July 2014.
  • But it's 2024 and Microsoft hasn't come up with a similar functionality yet? Really?

Photo by Pixabay: https://www.pexels.com/photo/clear-glass-with-red-sand-grainer-39396/

It's far too often that I encounter blogs, "What's new?"-sections or other content which doesn't have any form of date or timestamp indicating when the content was first published, last modified, etc. And, to a certain degree, I find it annoying. As these information provide a crucial context. It allows me to make certain assumptions and sort it in correctly.

It's like when you read a Changelog for a piece of software and the added/changed/removed features are not attributed to the version of the software where they did change. Not helpful at all.

A political piece, written at the height of a scandal might not include crucial information. Which only was discovered months after. During the lengthy and boring police investigation. About which - of course - nobody writes in detail. With a date next to that text I can sort the piece into it's correct position in the timeline and explain to myself why certain arguments weren't done or are plain wrong - but maybe were the current knowledge at the time it was written.

Today I got curious about what happened to the german PC handbook publishing company Data Becker. And I found this blogpost (in german) by Thomas Vehmeier: Data Becker – eine Ära geht zu Ende (vehmeier.com). Apparently he worked at Data Becker in the middle of the 1990's. And in his text he writes about his experience and how & why Data Becker failed when the Internet, and therefore the market, began to change.

But.. There is no date. Nowhere. He also doesn't mention the year when Data Becker got out of business. Classical archaeological problem. We can only definitely say "It happened after the 1990's". But apart from that? Well he links to the WirtschaftsWoche. A german business magazine. They do a have date on their article. 9th October 2013. And they wrote that Data Becker will go out of business in 2014.

Does this clarify when his text was written? No, but it answers it somewhat sufficiently.

Albeit it illustrates my problem. Yes, it is not an unsolvable one, but still annoying - for me. And, I guess, I'm again in the minority here.

Photo by Tim Gouw: https://www.pexels.com/photo/man-in-white-shirt-using-macbook-pro-52608/

I'm just so fucking happy right now I have never been a customer of GoDaddy. As I learned via Reddit yesterday GoDaddy closed the access to their DNS API for many customers.

No prior information.

No change of the documentation regarding API access.

Nothing.

For many customers this meant that their revenue stream was affected as, for example, the SSL-Certificates for web services couldn't be automatically renewed. Which is the case when you are using Let's Encrypt.

Therefore I can't say it in any other words: GoDaddy deliberately sabotaged it's customers in order to maximize it's income.

Yeah, fuck you GoDaddy. You are on my personal blacklist now. Never going to do business with you. Not that I planned, but sometimes decisions like this must be called out and sanctioned.

When customers asked why their API calls returned an HTTP 403 error (Forbidden) GoDaddy provided the following answer (accentuation done by myself):

Hi, We have recently updated the account requirements to access parts of our production Domains API. As part of this update, access to these APIs are now limited: If you have lost access to these APIs, but feel you meet these requirements, please reply back with your account number and we will review your account and whitelist you if we have denied you access in error. Please note that this does not affect your access to any of our OTE APIs. If you have any further questions or need assistance with other API questions, please reach out. Regards, API Support TeamAvailability API: Limited to accounts with 50 or more domains Management and DNS APIs: Limited to accounts with 10 or more domains and/or an active Discount Domain Club plan.

Wow. The mentioned OTE API meanwhile is no workaround. It's GoDaddy's test API. Used to verify that your API-Calls work, prior to sending them to the productive API. You can't do anything there which would help GoDaddy's customers to find a solution without having to pay.

Sources

Am I the only one who can't use the API? (Reddit)

Warning: Godaddy silently cut access to their DNS API unless you pay them more money. If you're using Godaddy domain with letsencrypt or acme, be aware because your autorenewal will fail. (Reddit)