Thursday, July 12, 2007

Should we hire him?

Some people make it an uphill battle to hire them, even if they may in fact be competent. Note the names have been changed to protect the idiotic.

I got an email from Shannon asking for help:

Can one of you guys open this dude's resume please? He sent it in some
Linux format and refuses to send me a format I can open.
-----Original Message-----
From: John Smith [mailto:jsmith@uic.edu]
Sent: Tuesday, July 10, 2007 9:41 AM
To: techjobs
Subject: Antony's resume

Hi

I have attached my resume & cover letter for your review.

Thanks
With regards
John

I'm certainly willing to help if the file is in some unknown format that is Linux centric (LaTeX perhaps? troff?). I'm admittedly a bit surprised when she said "refuses to send a format she can open".

So I ask for the file and the thread of conversation she had with him. It goes something like this (reformatted for clarity):


Hi

I have attached my resume & cover letter for your review.

Thanks
With regards
John

So far so good.

John,

The link in the attached document does not appear to lead to a resume. Please send resume as an attachment.

thanks

Hmmm... I've done that before.

Hi Shannon

Thanks for responding to my application. My resume is attached to the PDF cover letter. In the acrobat reader, you can see an attachment tab.

If you click on the attachment tab, you can see the enc- resume.

With regards
John

He embedded his resume inside the PDF as an attachment? Why would he do that? Why not just make a separate PDF? I didn't even know you could embed attachments in PDFs.

John,
I do see the resume in the attachment tab, but I am unable to open it.

thanks

Some unrecognized file format? Perhaps he embedded a Word 2007 document and Shannon doesn't have the plugin?

Hi Shannon

Thanks for the reply.

That is a new format AES used in Linux. If you have Linux machine or a friend who uses Linux, you will be able to open it.

Thanks in advance
with regards
John

Uh, ok. He can certainly generate PDFs since he managed to embed his resume in one. Why not just send it as PDF? Well naturally Shannon wondered this too:

John,

I am the first person in the line who reviews resumes, and in order to do so I really need to have your resume in a format that I can open. So, if you would please send it in Word or PDF or even copy and paste into the email that would be helpful. Otherwise it's likely that it will not get reviewed.

Thanks

To which he replied (and this is where it gets good):

Hi Shannon

Thanks for the reply.

I am very very good Linux developer as it is shown in my certifications. I am just trying to see whether you are ready to allot 5 minutes of a Linux person in your company to read my resume.

TIA

He's a "very very good Linux developer?" Note the double use of the word "very". It's a shame we're only looking for very very very good Linux developers.

So this is where I come in. By this point Shannon is ready to just throw the thing in the garbage. She sends me the file, and so I run the UNIX tool "file" against it to check the format:

$ file resume.aes
resume.aes: data
$

Well that isn't very helpful. So I open it in emacs, and it's a binary file. So I hexdump it, and I see the leading bytes are "Salted__". Uh oh. As I should have guessed from the file extension, it's encrypted. Fortunately I know a little something about encryption.

So we know three things at this point:

  • He embedded the file in a PDF attachment - almost nobody would notice the resume was even there
  • He gave no indication the file was encrypted
  • He gave no indication as to what encryption tool he used on the file (GPG? Gcrypt? OpenSSL? Loopback-aes? some other obscure file encryptor I've never heard of?)
  • He gave no indication of what cipher strength or chaining was used other than suggesting it was AES (the Advanced Encryption Standard)
  • There is no mention of the encryption key necessary to decrypt the file

Always liking a puzzle, I did a quick Google and found out that files with the leading bytes "Salted__" are in a format used by OpenSSL enc (not surprising). So with no knowledge of the cipher format (and the file format itself does not specify), I run it against all the available ciphers.

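#!/bin/sh
# Try every AES variant that "openssl enc" offers, using an empty passphrase.
# The "Salted__" header does not record the cipher, so each one is attempted.

for x in -aes-128-cbc -aes-128-cfb -aes-128-ecb -aes-128-ofb -aes-192-cbc -aes-192-cfb -aes-192-ecb -aes-192-ofb -aes-256-cbc -aes-256-cfb -aes-256-ecb -aes-256-ofb -aes128 -aes192 -aes256; do
    echo "trying $x"
    # -d decrypts; -k "" supplies the blank passphrase
    openssl enc "$x" -d -salt -in resume.aes -out foo -k ""
    file foo
done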

No joy. At this point I feel the guy has made me jump through way too many hoops. Let us not forget that this is just to view his resume. I have no idea whatsoever whether he is competent.
Of course I don't know the password, but I figure maybe he just used a blank password to make someone go through the work of decoding the file.
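
As an added illustration (not code from the original post), here is what the "Salted__" container gives an analyst without any key: the 8-byte salt and the ciphertext length, which can narrow the mode list the script above loops over. The names `triage` and `evp_bytes_to_key` and the sample bytes are constructed for this example; the key derivation shown is the legacy one `openssl enc` uses when `-pbkdf2` is not given.

```python
import hashlib

MAGIC = b"Salted__"   # 8-byte magic that `openssl enc` writes before the salt
AES_BLOCK = 16

# Modes from the script above, grouped by their effect on ciphertext length.
PADDED_MODES = ["cbc", "ecb"]   # padded: length is always a multiple of 16
STREAM_MODES = ["cfb", "ofb"]   # unpadded: length equals the plaintext length


def triage(blob: bytes) -> dict:
    """Report what an `openssl enc` file reveals without the passphrase."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        return {"format": "unknown"}
    body = blob[16:]
    aligned = len(body) > 0 and len(body) % AES_BLOCK == 0
    return {
        "format": "openssl-enc-salted",
        "salt": blob[8:16].hex(),
        "ciphertext_len": len(body),
        # An unaligned length rules out CBC/ECB; an aligned one rules out nothing.
        "candidate_modes": PADDED_MODES + STREAM_MODES if aligned else STREAM_MODES,
    }


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     digest: str = "md5") -> tuple:
    """Legacy one-iteration KDF: D_i = H(D_{i-1} + password + salt).

    The digest is not stored in the file either. The `openssl enc` default
    was MD5 before OpenSSL 1.1.0 and SHA-256 afterwards, so even the right
    cipher and passphrase fail if the digest guess is wrong.
    """
    derived, block = b"", b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


# Constructed sample: magic + 8-byte salt + 32 bytes of placeholder ciphertext.
SAMPLE = MAGIC + bytes(range(1, 9)) + bytes(32)

if __name__ == "__main__":
    print(triage(SAMPLE))
    key, iv = evp_bytes_to_key(b"", SAMPLE[8:16], 32, 16)  # blank passphrase
    print(key.hex(), iv.hex())
```
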

So I send this reply to Shannon, and accidentally happen to put the candidate on the CC:

From: Devin Heitmueller
Sent: Tuesday, July 10, 2007 12:23 PM
To: Shannon Barnett
Cc: john@uic.edu
Subject: RE: John's resume

Hello Shannon,

I took a look at the file you forwarded. The candidate does not give any indication as to what tool he used to do the encryption (openssl, gcrypt, loopback-aes, etc.), but the "Salted__" header suggests he used a derivative of "openssl enc". He gave indication as to what cipher suite he used (the cipher is AES but there is no indication as to the key strength or block type [cbc,ecb, etc]), so I ran it through all the AES ciphers available (see script below). As far as I can see from your email thread he didn't provide a passphrase to decrypt the file, so I just tried a blank password. I don't have time to run it through John the Ripper.

I've got better ways to waste my time than attempting to brute-force a file just to look at a resume that very well may suck. If he's too stupid to know that the whole point behind HR is to filter resumes so I don't have to then just tell him to fuck off.

Thanks,

==
Devin Heitmueller
Senior Developer

I can't imagine why Matt doesn't take me to meet customers.

This prompts a reply from the candidate. I think he can sense I'm a bit irritated.

Hi Devin

Please do not be so angry about this. There are so many consulting companies putting up website just to collect your resume and your whereabouts. My point is that most of the HR is not able to find the right candidate. I think that it is a good way to find out the people you have to work with in case you are selected.

I have attached my resume if you are still interested.

encryption is 256-cbc-aes.

With regards
John

Uh, ok. You think it might have been easier to just type the name of the company into Google after the fifth or sixth correspondence with HR? We have won awards for our products after all and are quite prominent in the Google rankings when you search on our company name.

Also note, he states what encryption format was used, but as of this point he still hasn't given me the decryption key. He follows his previous email a couple of minutes later with the following.

Hi Devin

This is the whole point of getting attention from HR because HR receives lot of resumes. Anyway the encryption is aes-256-cbc and the password is "hyundaiVeracruz". Anyway I have attached the resume.

With regards
John

Yeah, so it was all a test. Naturally when HR receives a lot of resumes, the prudent course would be to make your own as hard to read as possible. And I guess we passed. Except now we're so pissed off that we don't want anything to do with the guy.

The irony is that when I finally decrypted his resume, he doesn't seem half bad. I probably would have brought him in for an interview. Except now we know he's an asshole.

One final email:

Hi Shannon

I am really sorry about this if you feel that I misbehaved. I was trying to avoid a situation that happened in my employment where I had to work with people who can even differentiate the less than & greater than symbol. It looks like you have a good team and you are real not a fake website. If you are considering me as a candidate, please let me know.

Thanks in advance
With regards
John

Awww how cute. He's apologizing. And he acknowledges that we're not a fake website. That's so nice.

Well there kids, I hope you have enjoyed my little digression into the fun of hiring, and I apologize for the very long post. I just couldn't do it justice without giving you the opportunity to see the whole thread.

Time for a vote! How should we reply? Should we still consider him as a candidate? Text 1-800-555-1212 and:

  • Enter GOFORIT if we should bring him in for an interview and possibly hire him
  • Enter NOTHANKS if Shannon should politely email informing him we are no longer interested
  • Enter ENTERTAIN if we should bring him in for an interview with no intention of hiring him just so we can mock him.
  • Enter FUCKOFF if I should email him and tell him we are no longer interested, perhaps less politely
  • Enter JOBOFFER if I should email him a job offer, but encrypt it with his own password, but reversed

Or you can just cast your vote in the comments section of this post.