Etsy shows established companies the way..

Fred Wilson over at wrote a piece on the Etsy offices (in 2010) titled: "The office matters"
In it he explained how "They are getting the best talent in NYC to come to their company" and commented on the importance of paying "attention to the office and the culture" of a company.

Around the same time I had written a piece titled "Cargo Cult Startups" in which i posited that too many companies were faking startup culture, keeping draconian productivity-killing rules in place while plastering their offices with beanbags and nerf guns.

I still maintain that copying Etsy's office style is not sufficient to inject Etsy-style-startup-magic into a company. But.. I recently came across a job-ad from Etsy which strikes me as completely awesome, start-uppy and yet completely stealable by established companies. ie. I think if a company was going to copy something that could actually help their business, it should be related to the Etsy job (and not the Etsy office-space)

The ad calls for an "Office Hacker" reporting initially to the VP of Engineering.

It reads:
"Our office has tons of data lying around, but our systems to use and understand that data are freakin' horrible. ... usually, though, we never even get around to using our development skills to make our working environment better.

We want you to hack our space. Make the office more fun and interesting and useful for everyone at Etsy, using development as your primary weapon. If you come up with something good, open source it and help save the world. Move between projects easily, but have the discipline to actually get useful stuff done and deployed, and move onto the next thing only after that. Manage your own time and projects, and talk to people here about what they need and how they might build it. Learn from us and teach us."

They go on to give example hacks they can already think of (like sprinkling the office with iPads showing useful meaningful Etsy data or doing something useful with the data from their physical entry door-passes)

I think the idea is an awesome one, and i think Etsy have managed to articulate something profound here. Lots of big companies attempt to copy portions of startups that are merely symptoms of startup life, but Etsy has thrown them a line.. Having smart developers/hackers running around the workplace "picking up loose balls" is a recipe for winning that startups inherit automatically (and established companies almost never do.)

You often walk into corporate offices and see little annoyances of office life, that could be trivially automated away by a determined hacker and a few lines of code. You see a number of broken processes or disconnected loops and you want to shout out "You can write an app for that." It's even more interesting when the workplace is non-generic and requires domain specific knowledge (a Newsroom/Manufacturing floor vs. a regular office gig) because the domain specific knowledge makes it even less likely for generic solutions to exist. Sadly, such apps fall somewhere between the serious in-house dev teams and the internal IT staff and most often most regular staff will never know how easily those problems can be hacked. Startups automatically bypass this, since most startups will probably have the developers, sysadmins and secretarial staff as the same people (for some periods of time).

In his post on great hackers, Paul Graham writes: "At our startup we had Robert Morris working as a system administrator. That's like having the Rolling Stones play at a bar mitzvah. You can't hire that kind of talent." In startup cases like that, you have a great amount of brainpower that you can bring to bear on essentially solving problems in the office. While tweeting coffee machines are good for morale, you will just as often manage to uncover hidden gems that give birth to new products or revenue streams via the classic "scratch your own itch" creedo. It's worked really well for some pretty famous companies.

I think finding the right hacker will be tough, but recruiting A-players always is. In this case though, i think the payout can be huge. If you are a big company, i can think of many worse ways to spend a headcount than by getting in an Etsy-style "office hacker".

The lamest hacks

A little while back, a colleague of a colleague approached me with a favour request that was hard to refuse (no, not that kind...) They had one of these external harddrives that supports on-drive encryption and, as you will have guessed, had forgotten the password. No more saved business docs, but also no more saved baby pics. "Could we have a look?", they asked. A brief search online revealed companies who claim to be able to recover passwords for these very drives, but required shipping the drive from South Africa to Europe, and the cost was not instantly dismissible. Surely there was another way?

Automating password entry was easy enough; when powered on, the drive's password entry dialog popped up and it was simple to drive the GUI and enter passwords. However, the slight hiccup was that, after five password guesses, the drive needed to be powercycled to reset the guess counter. One of my many failings is a distinct lack of basic electronic experience, and even being able to switch a relay from a computer borders on magic in my eyes. Enter a good friend, Alex Schutz, resident mechatronic engineer at eDart Slurry Valves and go to electronics guy. He quickly whipped up a rig that used a USB extension cable with one of the power lines spliced through a relay controlled by a programmable board, that was driven through a serial interface. From the controlling laptop, enabling HDD power was as simple as "echo b > COM3" and cutting the power was "echo a > COM3".

With this test rig built, the project then went dormant for a bunch of reasons. Last week we were asked for the drive back, but Alex was determined to give it one more go. Cue final polishing and the production of passwords based on the user's common password combinations, and the brute-force was ready to run. If you've run a brute-force before, you'll know the success case isn't always immediately obvious. We know what a failed password attempt looks like, but detecting a successful password attempt without ever seeing one is trickier. Instead, we took the simpler approach of grabbing a screenshot after each attempt, for subsequent analysis.

The rig looked like this:

The comforting sound of the relay firing followed by the visual feedback of the password dialog being attacked was the source of much happiness.

In the end, the password was guessed correctly on about the 500th attempt, which made up for the effort that went into the test rig. Cue happy colleague of colleague, and the satisfaction that comes from a dirty dirty hack.

In 2009 I wrote a post on recruiting and mentioned "the T-shirt Test".

It read:
The T-Shirt test is simply to ask yourself: "how will i feel standing at a conference, with this guy next to me wearing my company T-Shirt". If you don't like the thought, you shouldn't make the hire.
I still feel strongly about the T-Shirt test, and feel really strongly about the importance of company culture which makes it crazily cool to officially welcome Marco Slaviero as the newest member of Thinkst.
I worked with Marco for several years at SensePost, and we have had some ├╝ber fruitful collaboration during (and after) that period.

I could wax lyrical for a while, but we believe the results will be self evident. Watch this space!

Penetration Testing considered harmful today

Early last year we presented at 44con with a talk titled: "Penetration Testing considered harmful today".

44con have just released the video so we figured it was worth a quick recap (for anyone not willing to tolerate the whiny voice!)

The original slides (in PDF) are available (here)

The central thesis of the talk is that penetration testing has established itself as a necessary activity for securing a network and is now pushed forward by a multi million dollar industry despite the clear signs that it is not helping all that much. (Read the annotated slides here)

Watch the video here: