Ask Slashdot: What Portion of Developers Are Bad At What They Do? 809
ramoneThePoolGuy writes: We are looking to fill a senior developer/architect position in our firm. I am disappointed with the applicants thus far, and quite frankly it has me worried about the quality of developers/engineers available to us. For instance, today I asked an engineer with 20+ years of experience to describe to me the basic process of public/private key encryption. This engineer had no clue. I asked another applicant a similar question: "Suppose you wanted to send me a file with very sensitive information, how would you encrypt it in such a way that I would decrypt it?" The person started off by asking me if it was an excel file, a PDF, etc. In general, I'm finding that an overwhelming number of developers I've interviewed have poor understanding of key concepts, especially when it comes to securing data. Are other firms experiencing this same dilemma in finding qualified applicants? (Quite frankly it scares me that some of these developers are building sites that need to be secure)"
It's a vast field.... (Score:5, Informative)
So, should any developer know this? That is debatable. I've had very competent developers who had next to no clue about how DNS works. They could do their job just fine with that. Me? Personally, I'm not up to snuff with the finer points of SQL queries and all the joins that exists and when it makes sense to create an index, etc. Could I find out? Most likely, but I haven't had the need to recently.
The problem is, that you are mapping your knowlegde to "what people must know". I used to do that too, and I probably still do often enough. The DNS example above didn't come from nowhere: I had the case, and I was really thinking "how could such a competent person not know this", but then this person could probably enlighten me about dozens of things I don't know well enough.
It all comes down to what you define as "general knowgledge" for a developer should be and that is highly subjective.
TL;DR Hiring people is hard. Especially, technical people.
Re:It's a vast field.... (Score:5, Insightful)
Re:It's a vast field.... (Score:5, Interesting)
This. As someone who has 16 years under my belt I'm finding it more and more difficult to branch into areas which I've had little experience because to justify my salary I'm expected to already be an expert. Which is a shame because I have at least another 20 years of new technologies to learn before I retire.
Re:It's a vast field.... (Score:4, Interesting)
I've found this to be much easier as a contractor. I have different rates for different skills that I have, versus my less-skilled areas, and my less skilled employees. One major problem with W2 style employment is that it is inflexible. People can become rapidly more, or less, valuable based on their skills (attitudes, or whatever), and their compensation doesn't quickly change. Quite often, what happens with me is that a client hires me for something I am very skilled at, that I can sell them well, and then after that is finished and good, they realize they need other things too that I'm not quite as skilled at. I can have a conversation with them about giving them a discount on the rate no problem, and because of the relationship we've built up, they normally have no issue subsidizing (at a discount) my learning. Typically, I try and charge them about what an employee would make for things I'm not (yet) good at, and around 2-3x what an employee would make for things I am good at. Plus, all of this is legal. Depending on your state, there are all sorts of laws about cutting employee's salaries and/or firing them.
The downside of this flexibility is that the income is also quite flexible. If you are expecting a consistent, senior level salary, then I think you'll be consistently doing things you're already senior level at.
Or become part of a fully funded startup. That is a crazy roller coaster ride one of my buddies is getting on, and it sounds like a psychedelic combination of contracting, W2 employment, and doing everything that needs to be done, now. I've been a part of an unfunded startup, and I learned a TON quickly, but I also never got paid and (now) never expect to.
Re: (Score:3)
Don't undersell yourself. If you work really hard I'm sure you can get poor a lot more quickly
It's a vast field.... (Score:4, Interesting)
We have had to get away from getting into looking for too specific skill-sets and instead look for overall qualities, such as how they learn over the course over an interview loop, as well as team fit, if we can find someone that shows up, demonstrates the ability to learn, and gets along well with others, if they demonstrate some level of intelligence then they should be able to pickup the specific skills in a short amount of time, that's what those 20+ years of experience should have taught those people. Don't get me wrong we do dig into the technical understanding but it's usually around design patterns, and overall good coding qualities.
Comment removed (Score:5, Interesting)
Re:It's a vast field.... (Score:5, Informative)
No, you (Alice) encrypt with your private key, then encrypt with 'Bobs' public key, then Bob decrypts with his private key and again with Alice's public key.
Thus Both Alice and Bob are authenticated, and no one besides Alice and Bob can intercept.
Pug
Re:It's a vast field.... (Score:5, Insightful)
The beauty of this post is that in 2 sentences you have just educated any readers lacking this knowledge to the point that the OP's interview question could be answered.
This is the danger of specific knowledge questions. Knowing the answer of the top of your head is largely immaterial. Google is just a finger stroke away. And thanks to JITC (Just in time Comprehension) specific knowledge is less critical than general knowledge and thought process.
I have a couple of things I like to look for in an interview. I like to know what a person is passionate about. A person who really enjoys coding, who works on open source projects on the side, does game mods, toys with the latest new technologies, etc... is likely someone who is always going to be pushing for a better solution.
I also have a white board exercise I like to do because it has an easy answer but can be thrown a curve ball based on inputs. Most folks miss the curve ball, so when we point it out, we can see how they debug code.
Those two general points helped to form one of the greatest development teams I've ever worked with. There were days where it took a lot of cat herding to keep some of them on task, but most of the time, you put a problem in front of them, and they will attack it with vigor and get you a solid product at the end of the day.
-Rick
Re:It's a vast field.... (Score:5, Insightful)
It all comes down to what you define as "general knowgledge" for a developer should be and that is highly subjective.
Can I be snarky for a moment and just enjoy the irony of a sentence that wonders what should be considered to be "general knowledge", and it has the word "knowledge" misspelled? :) Continuing with the theme, I'm sure I just made a run-on or something in the midst of my pedantry.
OK, back to business. This is a hard question to answer for a senior developer, what should be considered to be "general knowledge". I think that to be a successful developer at the senior level, you really need to know a little bit about a lot of things, and be able to look up what you don't know.
By way of example, as a developer, if I were to see something like "192.168.0.0/24", I recognize that immediately as an IP address range in CIDR notation. Mind you, I have no earthly clue how to compute that range--I'm not a network guy--but I know what it is in the general sense. Enough to google for "CIDR calculator" in order to compute the range in a format that I understand.
Part of being a developer is having a decent working knowledge of security concepts. Like "Oh, I'm sending a file across the public Internet. Someone could intercept that. I'd better protect it somehow with encryption." Maybe the developer doesn't quite know what type of encryption to use yet. Should the connection be encrypted, or the file? Or both? Is it required to verify the authenticity of the file? Should it be signed? Or is it good enough to verify the remote host? Or some type of login?
Incidentally, I disagree with OP that the answer of "The person started off by asking me if it was an excel file, a PDF, etc." was totally unacceptable. Excel and the PDF standards both have encryption support, so if the "sensitive data" were an Excel file, the path of least resistance would be to pointy-clicky through the menu and click "Encrypt this here spreadsheet" (or whatever the command is). Likewise with the PDF, but with Acrobat instead. Of course this does not solve the general problem of "how do I protect sensitive data?", but maybe he doesn't want to bother looking up and verifying your public key, installing GPG or setting up S/MIME or whatever if a simple solution exists. If I were to send you a spreadsheet of salary data for the company, you can bet I'd just encrypt the fucker within excel and tell you the password via some other channel like the telephone.
Re: (Score:3)
Re: (Score:3)
good point. I've been hit, countless times, with very specific questions that the interviewer 'knew' everyone should know, but it was clearly his pet area of study. "I know this, how come you don't? sorry, not qualified. next!"
I could turn it around, but I don't. there are a lot of things I know in my decades of being in tech that I'm quite sure the interview guy won't know. "hey, is a 2n2222 a diode, an npn transistor or a metal film resistor?". seems quite simple to me, even as a software guy. rea
Re:It's a vast field.... (Score:5, Insightful)
FWIW, I think that's a mistake. Why trust the opaque "encryption" feature of the application like Excel or acrobat when you can use something well-proven?
Unless you only want to dissuade casual observation, in which case any number of simple methods may work that involve no encryption.
Re: (Score:3)
FWIW, I think that's a mistake. Why trust the opaque "encryption" feature of the application like Excel or acrobat when you can use something well-proven?
I don't necessarily disagree with this point, but I will happily answer the question.
As I'm sure you are well-aware, security is not a binary value (secure vs. insecure). Because any security measure can be defeated given enough time and money, it's more of an economics problem (perceived value of defeating the security measure vs. cost to defeat security measure). There's also a convenience factor in there, because if the security measure makes life too difficult, then no one will use it properly (passphra
Re:It's a vast field.... (Score:4, Interesting)
Re: (Score:3)
if the guy is in your building, then just walk the files over on a thumb drive. that way it never goes through the network at all. or, just print it out and give it to him? seems like a number of options are more secure than email.
Re:It's a vast field.... (Score:5, Informative)
if the guy is in your building, then just walk the files over on a thumb drive. that way it never goes through the network at all. or, just print it out and give it to him? seems like a number of options are more secure than email.
Printing is probably the worst option for confidential data unless you have a private printer or it supports secure printing. The HR director at a former company had to get his own printer after he printed salary information several times before he realizing that the printer was out of paper. After he went to lunch someone replaced the paper and the salary docs ended up spread out on the printer table for everyone to view. Oops. He could have used the secure-print option, but apparently didn't know about it.
Plus there's the fact that the print server is likely not very secure so the document could be intercepted there, many office copier/printers these days have on-board storage and might hold a copy of the document for who knows how long, and, printers are rarely patched in most offices and are often riddled with vulnerabilities. Plus, cloud-print from mobile devices goes through unknown servers so you may as well just email it in plain text than cloud print it.
Re: (Score:3)
Re:It's a vast field.... (Score:5, Insightful)
I'm not saying a developer shouldn't likely know at least something generally about public key cryptography, but the skillset of building a secure website is VERY different from that of using GPG to send a secure email to this guy doing the interview. Does the job posting specify a need for cryptography expertise specifically? There is a vast array of technical knowledge out there and you can jack-of-all-trades-master-of-none types or specialists in one or a few areas, but not all. To therefore say that these developers are "bad at what they do" smells strongly of a frustrated, non-tech-savvy interviewer/manager who doesn't understand why he can't hire someone today to build him a perfect website that will be ready next week.
Re:It's a vast field.... (Score:5, Informative)
The question of what kind of file it was, isn't even that dumb. I'm not familiar with PDF, but I could -for example- imagine there is a standard for encryption within PDF. Someone from with a document management background would most likely think of such solutions.
Re:It's a vast field.... (Score:4, Insightful)
Exactly the submitter's problem. He doesn't realize that PDF and Excel both have built in file encryption as part of their formats. Even Zip does as well!
If he phrased his question differently, he'd get a different answer. "How would I securely encrypt an arbitrary file" - that's a very different problem then most business users who simply need to send a PDF or XLS with private details to a client or someone else in the office.
Re: (Score:3, Insightful)
No doubt he's looking for an excuse to get some H-1B guys in there.
Re:It's a vast field.... (Score:5, Insightful)
How many are bad? I'd say 15-20%. Same as every field. But you aren't looking for "not bad" you are looking for "does it the way I'd do". That's different. Why is file-level or transfer level encryption "wrong" for your question, and message-level encryption the only acceptable answer? I know plenty of people that would find your clumsy "email it" answer to be incompetent, and they'd look for SCP as the only correct answer.
The fact that the candidate recognized that and tried to gather more information to give the right answer shouldn't be counted against him, as you did, but indicate that he's good at clarifying unclear requests (which is just about all of them).
Re:It's a vast field.... (Score:5, Funny)
You aren't evaluating candidates. You are making a common interviewing mistake and fishing for specific answers. You (wrongly) assume that a matching answer is a good answer.
To put it another way, "what do I have in my pocket?" is not a legitimate riddle!
Re:It's a vast field.... (Score:5, Insightful)
You're asking "developers" questions about "information security" by using vaguely worded questions that even "information security" experts would need to clarify, and when you don't get the results you're looking for, you take to the internet and declare that you are "worried about the quality of developers/engineers". I am quite sure that many of your interviewees have left your facility worried about the leadership qualities at your firm as well.
Try asking very broad open-ended questions such as, "Tell me about your general understanding of different types of encryption processes, and elaborate on any experiences you have using them." You might find that interviewees dump so much information on you about encryption that you can't get them to shut up.
Re:It's a vast field.... (Score:4, Funny)
A: (a long string of incomprehensible sounds, something like you might hear coming out of a pentacostal church when they "speak in tongues")
Q: Are you okay?
A: Sure, I answered your question. My answer is encrypted. The encryption is unbreakable.
(try proving otherwise.
Re:It's a vast field.... (Score:5, Interesting)
For what it's worth, the best interview I've ever had was mostly nonspecific questions. In the interest of making the world a better place, here's a few of the questions:
In retrospect, all of those questions, though sometimes posed as casual banter, were either nonspecific or relating to my own knowledge domain, rather than directly relating to the job itself. The first question gave the interviewers insight into how well I organized my thoughts and could explain a complex system on the fly. The second question is an inquiry into my work/life balance and whether I would actually enjoy my job, and the last is a chance to demonstrate problem-solving and meeting requirements.
The job in question was mostly server administration. There were a few questions about Active Directory, Linux permissions, and network design. I botched a few of those (mostly all of networking), but I still got the job because my answers showed that I was the sort of person who could recognize my own shortcomings, and learn what I need to know when it was needed.
Re: (Score:3)
For what it's worth, the best interview I've ever had was mostly nonspecific questions. In the interest of making the world a better place, here's a few of the questions:
On that blank whiteboard, go draw a system you worked on and explain it.
The best interview question I was ever asked (for a senion dev position) was:
"On that blank whiteboard, go draw this system I worked on and explain it."
Obviously, he wasn't expecting me to answer in an hour what had take a team a months to do, but they had had lengthy discussions about the pros and cons of a variety of designs, and so he could tell beyond just his opinion whether my idea was one of the smarter or dumber ones from that design process.
For the curious, the system was VMware's vmotion - moving
Re: (Score:3)
Re: (Score:3)
So I assume you forgot about the SONY hack that cost them billions. Let alone various other security incidents in countless firms.
Hopefully the applicants had a relevent backround (Score:5, Insightful)
Because PKI is more of a specialization, not a fundamental.
Re:Hopefully the applicants had a relevent backrou (Score:5, Insightful)
This is a problem I see in the entire STEM field. You work on technology X for a while, you learn it inside and out, and you expect everyone else who is "qualified" knows what you know. You want to hire someone with no ramp, who is going to drop in on day 1 and start doing great stuff, just as soon as he sets a password to his laptop.
In practice the fields are so huge, that it's fairly unlikely anyone has the domain knowledge you've acquired in your niche, unless you hire direct from a competitor (in which case you better pay well, or be offering something huge). A more reasonable approach is to weed people out based on their general skillset (i.e. what they should have learned in school), based on resume lies, and general attitude and disposition: excessive use of the passive voice, reluctance to commit to anything, points in their discussion where they failed to pursue issues to the next level, excessive number of employers, etc. Then expect it's 6 months before they start producing something that doesn't require you to hit them for. If you're afraid they will leave in 6 months, you're not paying enough or else you hired an incompetent and he's doing you a favor.
Re: (Score:3)
Sortof, I find that the situation is:
You work on technology X for a while, you learn it inside and out, and you expect everyone else who is "qualified" knows what you know. but they moved on from that technology a couple of years ago and now only want to develop in Java/Erlang/Ruby/Node/Scala (* delete as applicable as depending on which year this decade you were hiring).
even more mature technologies like .NET are stuffed full of so much churn that no-one really has time to become a master of any of it. Lik
Re:Hopefully the applicants had a relevent backrou (Score:4, Insightful)
Honestly, why would you need to reverse a linked list in a real application?
Hell, if you knew you were going to have to traverse it in reverse at some point, why didn't you just make it a doubly linked list in the first place?
Re: (Score:3)
I've never needed to do any such thing, and it's been 20-mumble years since college, but I can damn well answer such a trivial question, as fast as I can write. If you can't, then IMO you can't solve very basic coding problems. I don't like or use this question, because it's one people memorize, but I'd be quite comfortable rejecting anyone who couldn't figure it out (making allowances if they don't remember C pointer syntax, but still got the approach right).
Re: (Score:3)
I would not write home grown code. I would definitely select mature, well tested libraries. But I understand what to use and how to use it.
I've been working since the days of the Apple II. It seems pretty basic to understand the basics of
Yes... (Score:2, Insightful)
Having been interviewing people recently, it's almost impossible to find people who are half decent. Slashdot likes to make out like there's a huge glut of good engineers without jobs in the US. If it's true, then I haven't found them. What there is is a huge number of people who don't understand how anything at all works.
Re: (Score:3)
Slashdot likes to make out like there's a huge glut of good engineers without jobs in the US.
There's a huge glut of engineers who think they're good. Draw your own conclusions.
Re: (Score:2)
And quite a few of them migrated into positions in charge of hiring others.
Re:Yes... (Score:4, Funny)
Re:Yes... (Score:5, Insightful)
I must, sadly, second that. There's a lot of engineers who have vastly overinflated opinions of themselves. In my hiring, I try to be modest, since I know I'm not good at most things, and always look for people better than myself in some way - mostly to learn from them. They are very, very hard to find. But then I spend about 15% of my time reading "random" technical writings about all sorts of subjects, just so that I won't look like a total idiot when faced with fields I normally don't deal with. It helps to gain perspective and understanding of the limitations of one's knowledge.
Re: (Score:2)
Re: (Score:3)
Why would you have done a whole bunch of free work where only Netflix benefits?
Re:Yes... (Score:4, Insightful)
Depending on what need I'm trying to fill, I hire 90% for culture fit and 10% for technical ability. Most often, people can learn to improve their technical ability, especially b/c there is very rarely any single individual who can fill an open req 100%. That said, what I have found cannot be learned as well, is how to fit into an organization's culture.
Re: (Score:3)
So what are saying is that you that at your company, or the positions that you are filling, you just need warm bodies.
What you are saying, bluntly, is that you are just building a social club where people are paid to sit around and be nice.
What is funny is that when someone asks me if Bob is good candidate and my response is that Bob's a nice guy what I mean is
that Bob is a moron but he tells funny stories. Sure I like to work with Bob, but I sure a hell am not going to give Bob anything
to do that in anyway
Yes... (Score:4, Interesting)
There is a huge pool of EMPLOYED engineers. Even when they switch jobs they don't generally go through the typical application process circus. The problem is that the people who have been unemployed for months are the most likely to get an interview strictly because of motivation and availability.
It IS very hard to find good people, because they all already have jobs and aren't willing to switch to come work for you.
One good way is to chase shop layoffs (the kind where they close the whole shop, not just trim a few people), and headhunt there. Laid off people tend to be much better than fired people or people who can't get hired by anyone.
Re: (Score:2)
Most probably aren't making it through the HR filter because you've put so many fucking key words in your requirements. When I was out, that was what killed me. That and stupid requirements for experience...5 years experience in this or that...no, 4 years 6 months doesn't count.
Re:Yes... (Score:5, Informative)
I keep hearing how hard it is to find good people but then the recruiters tell me that the potential employer can't meet my price point and that is the end of the discussion.
Re:Yes... (Score:4, Insightful)
What I see with IT is that people demand the top 5% and somehow think that's "average". If 99% of your applicants are incompetent, your standards are the error, not the applicants.
Re:Yes... (Score:5, Insightful)
I would agree.
It's not just "we want the top 5%," but "we want the top 5% that will take the median salary for the job title in our particular locale"
Re: (Score:3)
Yes, they're everywhere that isn't northern California.
I, for one, would be perfectly happy to work for some stereotypical silicon valley tech company... but I'm not about to trade my $100k 3-bedroom house in Atlanta for a million-dollar shoebox-sized shithole to do it. You want my skills? You come to
Re: (Score:3)
FTFY.
FYI, Atlanta and other urban parts of the South (which are where the programming jobs are) are just as liberal as Silly Valley, and I'm sure rural/small town California (e.g. Redding) is just as conservative as the rural South. The only real difference that makes California "blue" and Georgia "red" is that California has a larger proportion of urban population.
Your company is probably shit (Score:2, Interesting)
Are you going through a staffing agency? Expecting them to find you a "senior" developer who will work for 50k a year? Do you only look for resumes with decades of experience, which usually amounts to sitting in an office chair jacking off?
Why would you expect every developer to be an expert in cryptography?
Re: (Score:3, Insightful)
Re:Your company is probably shit (Score:5, Insightful)
that really should be common knowledge in software engineering.
For what reason exactly? Cryptography doesn't apply to many fields of software.
Re: (Score:3)
How many deployment avenues don't use cryptographic signatures?
Plenty of them.
Usually you're either producing downloadable code, in which case the packages or tarballs are generally signed, or deploying to an HTTP or similar server, in which case you should at least understand what the purpose of TLS is.
Plenty of people make installers that aren't signed and there are tons of sites that don't use TLS.
Re: (Score:3)
Front-end web development, database programming, audio/video/DSP, compiler/dev tools, computer graphics, game programming are just a few things you can do without ever needing to use cryptography or needing to know anything about it to do your job.
Re: (Score:3, Insightful)
Re:Your company is probably shit (Score:5, Insightful)
I'm pretty sure knowing about algorithms, data structures, and being able to quickly pick up new languages/frameworks/etc. is far more relevant to the quality of a software developer than knowing some single specialty of software.
This is stupid (Score:5, Insightful)
For instance, today I asked an engineer with 20+ years of experience to describe to me the basic process of public/private key encryption. This engineer had no clue.
Yeah, and? Not everyone is going to know the ins-and-outs of every single field of software.
I am disappointed with the applicants thus far, and quite frankly it has me worried about the quality of developers/engineers available to us.
Unless you claim that you know everything about everything, I'm sure I could find areas that you had no clue about as in these engineers you refer to in the previous sentence. Does that make you a bad developer?
Re:This is stupid (Score:5, Insightful)
It's like the medical field (Score:5, Insightful)
There is far more that can be known than a single person can know, so you should never, ever assume that a developer is skilled (or even knowledgeable) in a particular specialty based only on the number of years experience they have. I think you're doing a disservice in your process for finding qualified applicants: if you want them to know about PKI, for example, then you need to specify that in the job listing.
Did they ask if they could look it up? (Score:5, Insightful)
TL;DR: Stop looking for purple unicorns, and start looking for fast learners.
Re: (Score:3, Interesting)
Physical encryption. (Score:5, Funny)
"Suppose you wanted to send me a file with very sensitive information, how would you encrypt it in such a way that I would decrypt it?"
I'd use a cross-cut shredder, then send it to you in a paper bag along with some Scotch tape. (You didn't specify how easy it needs to be to decrypt, especially if I include some random shredded pages in the mix.)
Works for most types of files: Excel, PDF, etc...
Re: (Score:3)
I'd zip them into a password-protected archive. Why the hell is this idiot expecting PKI for everything?
Too much functional fixedness. Pass.
-
Re:Physical encryption. (Score:5, Funny)
Ah...so you padded the files and salted the encryption algorithm. Very good!
Now, all you need is a gaggle of quantum monkeys to decrypt it.
When took LISP way back in college, the instructor asked a student what he wanted out of the class. The kid said, "an A". The instructor said, "no problem" and wrote "A" on the blackboard. Then he asked the kid his name and wrote it on the blackboard - "Steve's A". The instructor said, "I imagine you'll want to take that home with you," erased the writing and smacked the eraser down on the kid's notebook. The instructor then remarked, "notice how your grade has been encrypted and stored as a nice little bit pattern for you."
Ah, college...
Common Problem (Score:5, Insightful)
This is a common problem... interviewers asking questions that have no relevance to any of my work experience or interests.
Re: (Score:2)
Yeah, these questions would only be relevant if it was vital to the job being interviewed for. Otherwise, these are just stupid questions. Unless knowing the ins-and-outs of PKI is relevant to the job, this is about as dumb as me asking a Web developer about how to optimize multimedia codecs using ARM Neon.
But where/when does one explicitly learn security? (Score:2)
.
Re:But where/when does one explicitly learn securi (Score:5, Funny)
You learn it on your own time at your own expense. Duh. You aren't one of those "freeloaders" that expect their employer to invest any of their time or money in the growth and career development of their employees do you?
Re: (Score:2)
You should put in the sarcasm tag because many here will believe you are serious and agree with you.
About half are below average.... (Score:5, Funny)
Re: (Score:2)
I see what you did there.
Seems as if you want broad experience (Score:2)
Broad experience is great and I wholly support companies which are looking to add resources who possess such knowledge; however, broad experience can come with the price of not having enough targeted knowledge to bring deep-dive specifics to the mix.
The real question you should be asking is whether they can figure it out on their own if tasked with finding a solution to the problem. I guarantee you that most of those you have cast aside due to their lack of public-key cryptography knowledge would be able to
Relevant questions.. (Score:5, Insightful)
Are you a hot magnet company? (well known pre-IPO) Are you paying above market value?
My guess is that the best devs have already been scooped up, and the ones interviewing are comfortable enough where they are
Going along with the trend of the discussion (Score:2)
About 1 in 20 ? (Score:3)
I did have to interview quite a few people in a year, when we were re-building our team.
We interviewed about 40 people before getting 2 of them who actually knew the stuff they advertised on their CVs.
One extreme case, was a candidate who put on his CV that he wrote a compiler for C++.
I expected him to know quite a bit about the language itself, but the discussion did not get past the point where I asked about the number of operations needed to find an element in a sorted array of length N.
As for the people that were already working in the place, one could spot who was trying to maximize the pain for the ones left behind, in case he was let go.
A relevant example is a developer who made sure that his code made calls to a library for which he was the only one with a valid license. Had he been let go, the whole system would stop working.
Humans are bad at software (Score:5, Interesting)
In my career, out of the ~50 I've worked directly with, I've worked with maybe three developers that I'd class as excellent. A few that were "good" for various definitions of that word. The rest were marginal at best, but they still got things done after a fashion.
Title Encapsulates Bad Premise (Score:5, Insightful)
Title asks "Ask Slashdot: What Portion of Developers Are Bad At What They Do?"
Title actually means "Ask Slashdot: What Portion of Developers Are Bad At What I Do?"
If a functional understanding of a fairly specialized technological area is what you have in mind, don't assume it's widespread.
That's like getting bent out of shape if the local mechanic (fully trained and certified, even) doesn't know the detailed intricacies of ECM programming.
If you want a broadly expert Renaissance Engineer, I hope you're prepared to pay more than the usual one-trick-monkey pay. You're not talking about an engineer, there. Something more like Chief Engineer or Chief Scientist.
Developer, not email security expert (Score:2)
"Suppose you wanted to send me a file with very sensitive information, how would you encrypt it in such a way that I would decrypt it?"
Sounds like something you should be dictating to them not asking them for thier opinion. Unless the developer has actually needed to use use things like PGP etc, he probably has never thought of it.
I think a better question is, We will be transmitting confidential/sensitive information, which means you will use PGP(whatever) are you ok with that? etc.
It's partially a symptom of management (Score:2)
They're not doing as much as you think (Score:2)
Unless you have a genuine interest outside your actual scope of work you can be very proficient in a narrow way like how to write SQL or write a GUI app or a back-end web service without having a clue about much of anything else. These are the people who just want to collect a paycheck and go home, nothing wrong with that really until they need to find new employment and it turns out it's pretty hard to find another position where the glove fits.
All that really matters is if you're capable of the job you're
College requirements are why.... (Score:4, Interesting)
I'll be frank and post anon to avoid harming my image.
I was smart enough to see that College was a huge waste of time. I dropped out of high school senior year to go move and live on my own. Wasn't about to sign up for a whole new school just to finish part of a year so I never even got a high school diploma.
However I self taught myself programming before I turned 10 years old and have been coding on a unix machine of some sorts with C/C++ for nearly 18 years now. I'm only 27.
I go to the conferences and attend every single event that I can find because I have *passion* for programming and technology. Through meeting people at conferences I was given a rather high paying developer job despite my lack of credentials. (I earn over $100K in a place where rent for a decent sized house and garage is less than $1000/month).
I decided to move awhile back and I can't seem to find anyone in a Red state that will even give me the time of day. I have 8 years of professional senior-architect level experience and tax documents proving I earned the big bucks with no degree. I had to go back to a Blue state where suddenly I got called back for interviews immediately and was visiting 2-3 in person interviews a week. 2 weeks later I was employed again.
Turns out your HR drones are likely keeping guys like me from even getting a second look. Stop taking the guys who can't see a shortcut and wasted a lot of time and money on college. Those people are the fools. I skipped doing all their hard work, skipped their debt, yet I have better skills due to my passion and I absolutely embarrass them when you get us side-by-side. I grew up coding and literally was an expert before the other guy even tried getting into college.
I now work in a Venture Capital capacity with lots of big clients who almost wouldn't believe me if I told them I had no credentials. They think I'm an MBA because I act geeky and seem to know something about almost every computer science topic.
So my advice to you is stop filtering. I only work for places that will give me the time of day when I hand in a resume with not one educational resource. That proves to me that what I can do is what matters, not how rich my parents were or what I *did*.
So focus on what people can do. Not what they did. Seriously. You'll find some crazy smart guys who this whole time weren't even being called back.
Re:College requirements are why.... (Score:4, Insightful)
If a company gets more applications for a position than it can deal with, it's going to filter them down. The hiring manager's job is to get somebody good with reasonable effort, not to get the best regardless of cost, and high school dropouts are generally unlikely to be all that good.
Nor do I know that you're any good. You are certainly confident, which is in my experience more likely Dunning-Kruger than genuine expertise. The best people I've worked with have been at least somewhat modest, because they have had a clue as to a whole lot of things they didn't know. Your confidence and possible social skills may be getting you jobs that you really can't do well, and don't realize you aren't doing well. Convincing people that you're an MBA is not something a typical developer does, those being different skills.
Re:College requirements are why.... (Score:4, Insightful)
Meh. I wouldn't hire you because you come across as an arrogant prick who thinks he knows better than everyone else. That's a team dynamic issue, which is every bit as important as what you can or can't do technically.
That aside, your general point is sound - what matters is the person not what certifications they have. However, as others have mentioned there is a value to a (good) formal CS education, at least for the work I do. Self taught people tend to learn the minimum needed to solve the problem they face. There's a whole bucket of academic stuff (logic, complexity, stats) that don't often fall into that category but which are really useful as background knowledge. Someone teaching themselves python or ruby is unlikely to spend much time learning about CPU cache design, but that can be surprisingly useful when it comes to optimizing stuff. Just examples, there are always exceptions :)
Avoid Q&A style interviews (Score:4, Informative)
I've had a lot more success hiring great people when I stopped interviewing in a Q&A format and instead spend the time learning how the candidate solves problems. I typically spend 5-10 minutes asking some specific questions about technologies on their resume. Then I define a fictitious project and spend the remaining time ( typically an hour ) learning about how they might solve it, dive deep into a few areas, do some white boarding, a little bit of impromptu code examples and discuss the potential long term problems and solutions. You get a better feel for the breadth of someone's knowledge and their ability to think soundly on their feet. It lets you know that they have the knowledge and ability to apply it to a problem.
PDF encryption (Score:5, Informative)
You should've answered the person, because then they might've told you that there's an encyption standard for PDF. I use it with my tax-preparer, so that we don't need to deal with other programs that would decrypt the file (and then potentially leave an unencrypted copy lying about).
Excel offers password protection to restrict modifications, it wouldn't surprise me if they offered encryption, too.
So in this case, it might not be that the person sucks at his job ... it might be that you are, because you had a pre-conceived notion of what the answer should be, rather than finding out how that person would handle the problem. It's entirely possible that they could come up with a better solution than yours.
And as for the the question of what proportion are bad ... you have to remember that you're hiring people. The people who really know what they're doing are likely either going to be paid well, or have an established network that they can tap when they need a job. (Rather than answer some random job posting where they don't know if it'll be worse than their past job, and/or have to jump through hoops answering poorly thought up interview questions).
If you mention to your current developers that you're hiring, and they can't manage to find people to refer, that's possibly a sign that none of them would be willing to subject their friends to come work for you. And if that's the case, you might have problems when one of their friends' companies are hiring.
Re: (Score:3)
"The person started off by asking me if it was an excel file, a PDF, etc"
He may have also been trying to determine the size of the file. You may attack the problem differently if it is a 200k pdf vs a 40GB log file.
Asking the wrong questions, using the wrong metric (Score:5, Informative)
I'm a web developer and I also haven an interest in understand public-private key crypto, PGP, steganography, physical security etc. The thing is, You don't need *any* of that to build good, secure websites. You should be asking about things from the OWASP Top 10 List if you want to gauge their ability to write secure code.
https://www.owasp.org/index.ph... [owasp.org]
Otherwise you're judging them for not having the same "other" unrelated-to-your-job security interests as you.
They should understand that they aren't trained enough to build their own authentication encryption systems correctly. They should use generally accepted procedures like BCrypting passwords with a unique per-user SALT that also uses a site-specific key. And that other sensitive fields should be blocked from being recorded in logs, data should be encrypted at rest, etc. But if they have poor OWASP skills, the sensitive data is still readable because it is accessed through the application which is decrypting it for an attacker.
You're asking the wrong things and judging on unrelated skills.
I'll let you in on a secret... (Score:5, Insightful)
Almost everybody is extremely bad at their jobs. Especially in IT, but in general too. I would say a solid 85% of people working in IT today should not be in the field.
I work in Security and so my job is basically to know, at a high level, how other people should do their jobs. Of course there are compromises that have to be made for functionality and cost, but in reality most IT systems are developed and architected in a way that no one should architect anything for any reason. The amount of money that's wasted because of poor infrastructure is astonishing. Companies could have an architecture that's twice as secure and probably half the cost to maintain if they were willing to make a one time investment in doing it properly.
Developers are a weird animal too. I know I'm playing with fire saying this on Slashdot. :) In my experience developers have a deep understanding of how systems work and are designed (obviously), but their understanding is *extremely* narrow. This is by no means true of all developers, but it's true of a lot. They can write brilliant code, but they can't tell you how to go about FTP-ing a file, how to encrypt an email, or how a domain works. It's a specialized skill set.
At a previous company I had to call support because my computer didn't grok with the domain and wasn't getting group policy. The tech, with her domain admin access, comes over and is obviously floundering trying to fix the problem. I suggest running a DOS command I know...she googles it and pulls it up...she gets to the command prompt and starts typing, "command\optionfoobar-x7", etc. How can you possibly be in that field and not know the *most basic structure* of a DOS command? I don't care if you know the command and options, everyone googles that crap, but you don't know how to type it in properly? A backslash and no spaces? Really? Even when you're looking at a webpage which has it verbatim?
Its no wonder things are in the state they're in.
Dunning Kreuger effect (Score:5, Insightful)
I don't think having some lack of understanding of encryption is a non-starter.
But I do want to see that someone has a good breadth of experience, and can talk about a good number of things at some base understanding:
How a file system works,
how a network works,
how memory works,
how a repository works,
how a software build works,
how to use editor functions far beyond what can be done by microsoft notepad,
how to use a regex,
how to make a presentation from data,
how to make a lamp webpage,
how to merge tables from multiple databases,
how to do statistical tests on data,
how to set up proper controls for experiments,
how to write. The other part is that bad applicants pervade the pool. Good hires get hired, and held onto -- Bad hires don't get hired, or get released back in the pool. If you want a good hire, there is a bunch of crap applicants to wade through, or you pay the cash to lure talent away from a lucrative job.
Oh the subject.. Eventually gave up on hiring a senior, and posted for a junior position, and got far better applicants than we ever saw for the senior position.
Re:Dunning Kreuger effect (Score:5, Insightful)
So you are a bad interviewer, too.
'How file systems work' would span one book, minimum.
So what is your question?
What do you mean with 'Repository'? Certainly not what a hard core information manager means. You likely mean either a source code control/version control system or an artifact repository like maven/ivy. So you see: I likely had given the wrong answer, because I had said: a Repository is a version of a database that contains metadata (true meta data, not table descriptions) about its data, usually it is a graph database that uses 3 primitives, entity, link and attribute, to define the metamodel which is used to instantiate the model. Wow, that is a Repository, and is very likely not what you meant.
The rest of your questions are kinda bollocks, too. I certainly never memorized all dialects of regular expressions.
I google them when I need them ...
'How to make a lamp' web page, what a stupid question is that anyway? Is P python or Perl or PHP? Why the L? What is wrong with a Mac? Why Apache? Can't it be an tomcat? Is the M MySQL? Why not Postgres? Ah, the P was given.
The correct question would perhaps be: what would you consider/think about if you had to serve dynamic web pages?
What actually is a 'bad hire' and a 'good hire'? Candidates? Is that new 1337 speak for people applying forma job?
If I'm a 'hire' for you, then I certainly don't want to work for you, thanx.
Stop being an obnoxious tech snob (Score:3)
You post two examples of questions you asked your applicants.
Exactly zero of them applied directly to the actual work they would be doing.
I am fucking sick and tired of being asked moronic questions during interviews - and horrified when people I work with ask them. Why do you feel the need to show people how much they don't know, and pretend you are smarter than them?
If you want to pretend to want to find out how smart your applicant is, by all means continue. Otherwise just administer an IQ test and have them write some code related to the product they will be working on. Then, for gods sake, ask them about themselves.
The interview is not about you -- it's about the applicant. When you find a decent one you do want *them* to actually want to work with *you* right?
What Portion of Companies Are Bad At What They Do? (Score:5, Insightful)
I would like it flip it around and ask you why do you think your companies are actually worth working for? Are you going to employ us when we are 40, 50, 60+? Are you going to ask me a bunch of stupid questions even though I have 20 years of work in my portfolio? I just don't understand why its so acceptable for employers to be so arrogant in the IT world compared to other professions.
If companies really wanted good people they would:
I have found that software development might be a decent job, but a horrible career. I'm going to go raise goats and make cheese (sorry ranting)
What the hell was wrong with the answer? (Score:3)
I asked another applicant a similar question: "Suppose you wanted to send me a file with very sensitive information, how would you encrypt it in such a way that I would decrypt it?" The person started off by asking me if it was an excel file, a PDF, etc.
Why are you holding this up as an answer to be ridiculed? This is a perfectly fine way to approach the problem.
Many sensitive documents are in Excel format and Excel has an encryption function (same with the PDF standard). If I were to send a sensitive Excel file to someone, I would most likely just encrypt it within Excel, send it on its merry way, and then just deliver the password to you out of band (like via the telephone). That is secure enough for most corporate purposes. It's not like I'm sending you nuclear launch codes or anything.
Obviously that doesn't work in the general sense because not all document types have specs that support encryption, but what's wrong with taking the easy route? I can pointy-clicky encrypt an Excel file much more quickly than you can organize a key exchange, verify each other's keys' authenticity, etc. Your way would be more secure, true, but sometimes, you just need to email a fucking Excel file and get on with your life.
Web Developer/Public-Private Key? (Score:5, Informative)
I'm not sure if this was a web developer position you were interviewing for, but your statement of "these developers are building sites that need to be secure" makes me think it is. Let me speak as a web developer who's been at this for over twenty years.
I've never once in my position needed to know public/private key encryption to secure files for my job. If you asked me right now how to do this, I'd have no clue. If my manager were to walk over to me now and tell me to do this, I'd need some time to familiarize myself with the process. This would mean using Google to find articles on the subject. Possibly with an addition of purchasing books on the topic or going for training, but mostly Google. I pride myself on my Google-Fu. It can be an invaluable skill to a developer.
How do I secure my websites without knowledge of public/private key encryption then? I know how to set up SSL certificates and send traffic via HTTPS. (Yes, this is a form of public/private key encryption, but I don't know the intricacies of it. I just know how to set it up.) I also know to sanitize my inputs so a user entering "LastName=Jones' 1=1; Delete From Users" in the URL won't delete all of our records. I know not to take user input and just spit it out on my webpage. I know to look for the edge cases where security could fail and protect against them. When I'm building websites/apps, I think "how would I break this if I were malicious" and then I protect against these attacks. Is my security 100% effective? I'm sure not. Nobody's is, but I take pride in securing my sites as much as I possibly can.
All without being able to recite Public/Private Key Encryption details on command. Unless the job directly requires this knowledge, I'd inquire as to why this was such a deal-breaking question and why you've come to the conclusion that so many developers are bad at what they do because they can't immediately recite the details of every technology you toss their way.
You can't necessarily tell someone is incompetent. (Score:3)
Some people just choke in interviews. Worse, other people sound *great* in interviews. What I find is the best guide is references, especially if you can *interview* the references. Just be aware that you have to scale the response you get. If the reference sounds very positive and enthusiastic, the candidate is just OK.
Anyhow, I wouldn't necessarily expect a senior developer to automatically have much experience with public key encryption. Most developers in "hot" fields like mobile apps will have some familiarity with it because of app signing, but you can easily spend twenty years as a developer in certain kinds of contexts without ever having to give much thought to it.
You interview developers with 20+ years of experience? Good for you! I found it so hard to land an interview with 25 years of experience as a lead developer that I decided to leave the field. People just assumed because I was over 50 I wasn't up to date with the latest technologies.
Re: (Score:2)
Plus no one does software development purely off of what they have memorized. Everyone has reference manuals, web sites, stackoverflow, etc. easily accesible while working. Now, if you don't even know the basics that is one thing, but there is no way any software developer knows everything about everything.
Re:Excel file (Score:4, Informative)
Furthermore, it is a legitimate question to consider whether you should trust Excel's security. (And I'm not picking on Microsoft. At least not this time.) You don't have access to Excel's source code. You can't know it is secure. You could sleep a lot better if you simply assume the Excel is just like any file, and like any other file, you encrypt it and sign it with PKI so that the person on the other end can decrypt it and verify it is from you. (Actually encrypt and sign a small key to a more efficient symmetric algorithm.)