"I’m currently looking for work in a staff or senior staff engineering or data scientist role. If you’ve got interesting technical analysis or optimization problems, please reach out to me and let’s talk."
That is probably the best CV I've ever read by accident.
You should broaden your job hunt criteria to technical content marketing - seriously!
Very rare to possess the skill to tell a story in an entertaining, approachable and detailed technical fashion.
I saw this post and initially skipped it because I know how crypto threads go on HN. Then saw on LinkedIn it was from you. Can confirm, this gent is a great engineer and is actually a nice guy.
"If you've got" may not be formal "correct" English, but everyone understands it and it's used quite commonly in daily speech (and writing). I would wager that "if you've got" may actually be preferable to "if you have," in order to engage the reader at a more comfortable, personal level.
Germans tend to pronounce A's in English as if they were E's ("cat" is pronounced as "k-eh-t" instead of "k-ah-t" -- which I don't really understand since A in German is pronounced as "ah"), so I'm not sure if everything you learned in English class is correct ;-)
English class in Germany told me to pronounce it the "k-ah-t" way because they were primarily teaching British English, but I think a lot of exposure to US Media brings people to pronounce it "k-eh-t" (and maybe overdoing it in trying to do so).
That's another thing I distinctively remember from English class in Germany, being taught the British pronunciation that, at that young age, was much less familiar to me than American pronunciation, and some slight confusion around that.
I’m a native (non-American) English speaker and the American pronunciation, to me, doesn’t sound like keht at all. (German was technically my first language, although English became my main language at an early age, so I’m quite used to German accents, so it’s definitely not caused by the native accents imho)
I once (when I was ~15 or so) had an argument with a kid who simply would not believe me that the letters C-A-T aren’t pronounced keht
The English books seemed to teach the correct thing, however, using the correct IPA and giving the correct hints. Just like with "I've got [something]".
It's also definitely not the case that the "a" in American English "cat" is pronounced like "a" usually is in German. In that case, the "a" sounds much closer to a German "e" than a German "a". The IPA for AE "cat" is kæt, not kat (where in some parts of Britain it actually is kat).
Perhaps it is the American accent they are taught, Americans would say keht.
I always thought it was strange football was fussball in German, yet they'd call it soccer in English.
Except the American accent doesn’t say keht — maybe there’s a slight hint (cough accent) of it, but it’s very slight, while the German way sounds rather odd, I bet even to Americans.
You're misparsing the sentence: "If you’ve got interesting technical analysis [or optimization] problems". "Technical analysis" is an adjective, not a noun.
I share your sentiment. This seems to be a great engineer, storyteller, and a person able to make a complex technical story accessible to a layperson with only minimal dumbing down (except if I'm too ignorant to perceive the magnitude of the possible dumbing down, in which case, oh well).
In any case, dear author, thanks for the write up, it makes for great reading, and I hope you receive offers for endeavors that give you as much intellectual stimulation as it is useful to society at large, and a large enough paycheck.
> How did that saying about "brightest minds working on ads" go?
The sentiment is a bit older than ads. It goes:
"I saw the best minds of my generation destroyed by madness, starving hysterical naked,
dragging themselves through the negro streets at dawn looking for an angry fix,
angelheaded hipsters burning for the ancient heavenly connection to the starry dynamo in the machinery of night,
who poverty and tatters and hollow-eyed and high sat up smoking in the supernatural darkness of cold-water flats floating across the tops of cities contemplating jazz,
who bared their brains to Heaven under the El and saw Mohammedan angels staggering on tenement roofs illuminated,
who passed through universities with radiant cool eyes hallucinating Arkansas and Blake-light tragedy among the scholars of war,
who were expelled from the academies for crazy & publishing obscene odes on the windows of the skull,"
Some might consider your post to be off-topic or worse a "well, actually" interjection, I found it fascinating to learn the source of the "best minds of my generation" framing. Thanks.
I see no reason to think Ginsberg originated the phrase "best minds of a generation," but it doesn't appear cliche enough of a phrase to even have an etymology I could look up.
First, that's a different, much more specific variation that is clearly from Howl. I have heard the phrase "the best minds of a generation" in old movies and books before, but they would have been around 1950 so maybe Howl came first. Second, your link isn't actually about the Howl quote anyway, which makes me suspicious that you didn't even read the link you posted. The link investigates a quote from 2011 that contains a play on the first line of Howl and investigates that quote, not Howl, nor the phrase which appears in Howl that we're discussing.
We are discussing the quotation from 2011. See the original comment upthread which reads 'How did that saying about "brightest minds working on ads" go?'
The comment by DavidAdams to which you replied was thanking someone for mentioning the Ginsberg connection in relation to the topic under discussion, i.e. the 2011 'framing' which unambiguously draws on Ginsberg.
I didn't say that. I didn't even suggest that he didn't create the term. I just said that there's no reason to assume, just because a phrase exists in a famous work of art, that it is the origin or popularizer of the phrase. The person I was responding to said it was interesting to learn the origin of the phrase, except no one actually posted anything indicating it was the origin. It just contained it. Maybe it's the origin. I'd be interested in a good source for it. But the normal places I go to to get reliable etymologies (there are plenty of terrible sources for etymologies, unfortunately) don't have that phrase in there.
In other words, I was saying "that's a bad assumption, but I can't actually confirm or deny whether the conclusion is true."
I don't know where you or other people responding to me got the idea that I was saying anything other than exactly what I said. I'm not sure where the breakdown in meaning has occurred.
> How did that saying about "brightest minds working on ads" go?
I think it goes something like the Open Source saying "that person doesn't owe anyone their intelligence to work on so-called important problems for free, just because it might be nice if they did".
Want smart people to solve important problems? Find a way to pay more for that, than for ads, or find a way they don't need to earn money to live at the standard they want.
Never going to happen. Look at other important jobs - doctors and nurses can have very low wages, while professional footballers earn millions. We all know which one is more important, but there's no way the medics will ever get paid comparably.
Some top doctors can earn at least nba coach level figures. Frontline workers testing people will never make that amount because the skill level is lower so more people can do the work. If everyone refused and only a handful of people were left they couldn't reproduce the same impact anyhow and the program would close instead of paying them millions. Together they have a big impact and one on one they have a big impact but a single first responder doesn't have the attention or connection of millions. Would you put a poster of Jill, Nurse 56 from Grand Rapids who works in the covid wing cleaning sheets? Probably not, even though the job is extremely important.
Sure everything from plastic surgeons to heart specialists. Not everyone has to be a doctor to the stars or go on Shark Tank to make millions. Does your local walk-in clinic doctor make that? No, but would make 500k before expenses.
> Want smart people to solve important problems? Find a way to pay more for that, than for ads, or find a way they don't need to earn money to live at the standard they want.
This is essentially the Nuremberg Defense, but it's "just following money" rather than "just following orders".
Unless we reach some magical Utopia, we will always have the choice between making money through ethical or unethical means, with the former being beneficial to society, and the latter being more lucrative to the individual.
This is the tragic thing I think. There are some really cool things that I want to work on but very few people paying for it. Awesome doesn't necessarily mean valuable.
"You want doctors and researchers to be paid more than football players? Just find a way to make them more lucrative than ads."
It's a rather reductive and defeatist view. There's nothing more harmful than looking at a specific state of affairs and going "eh, that's just the way the world works", as if our current economic system was an immutable law of nature.
I don't know how you get from "find a way to change things" to reading "the current state is immutable", but I meant exactly the opposite, it's changeable and dynamic and changing.
The brightest minds are working on ad-tech, not as an immutable law of nature, but because that's where the incentives are, and if the parent commenter wants that to change, whining about how the OP isn't more charitable won't solve it, like whining that open source developers don't work on what users want instead of what they want won't change it; If it's all about incentives, we [1] should look towards finding a way to incentivise the more desired outcome.
I'm kind of in this situation now, and it doesn't feel super great to be sort of trapped in a golden handcuffs kind of situation. The effect would be less intense if it weren't an entirely mental exercise.
1) I generally take the higher paying gigs but mostly so I can accelerate retirement
2) Even in the crappiness of high paying jobs (I often think I'm essentially being bribed to put up with all the BS) I can generally maneuver myself into doing interesting work. It takes about 1.5 years of concerted effort, but once I understand how stuff works, I can generally start nudging stuff in the right direction, and can eventually find some form of fulfillment amongst the BS.
I'm only commenting on 1, not on the rest of your comment:
> I generally take the higher paying gigs but mostly so I can accelerate retirement
My problem with this outlook is that sacrificing my current well-being for increased future well-being is risky. I don't know how long I will live or what my health will be like. I have to make the best of the time I have now (without sacrificing too much future well-being, of course!)
Not that I don't do the same, just, it feels risky, on its own. I think the rest of your comment is super important for this reason.
It's a tricky balance to strike. I used to think that you should just work if it's available to you, but now I'm much more inclined to work so you can afford to not work in the near-term rather than only at the hypothetical end. If you can afford to be laid off or quit and just willingly chill and do whatever for a while, that's a good option to take.
Absolutely. I’m painfully aware that I didn’t offer any solution either, because it is a balance that everyone must find for themselves. The main thing I was trying to get across is that sacrificing now for a reward in the possibly distant (relatively speaking) future is too risky for me since I don’t know what the future holds (and given how many people I know who have died young makes me reluctant to take for granted that I would reach retirement age (even early))
Having worked in startups for most of my career, I see a lot of engineers who yo-yo between high paid, boring jobs in FAANG-esque companies and burnout-inducing early stage gigs.
I love working at startups and hated working at a large company. You learn 10x more in a fast paced environment where you get a chance to work on a little bit of everything and talking to partners and investors compared to a large scale company where you’re tweaking a small area of the company. Startups are obviously not for everyone and I know plenty of people that prefer the corporate environment either because they like the stability, hours, or the salary.
Which is a really weird situation when you think about it! This gives credence to the theory I've heard that corporate jobs are "unsustainable" in that they will only hire "smart" people, but actively make their employees dumber.
Whether that's the particular mechanism or not, I think this bears investigation.
That's a part of my point. The compensation is arbitrary past a certain point where your actual needs are met, unless you're driven by the stuff you exchange the money for. For myself, it's evident even in the post necessity phase where I know I still need to bank some cash to be able to assume some future volatility, but am not in the market for anything out of my reach to buy, so the money stops having tangible value.
I couldn’t agree with this sentiment more. My current job isn’t the highest paying job I’ve ever had (or could currently get). But the value in what I’m learning and exposed to keeps increasing over time. I am not the smartest person in the room and super happy about that
But if you are overqualified your effort is lower. Working at a startup I felt I had nothing left in the tank compared to corporate job that I could check out easily at the end of the day go home and write more code.
No doubt, that's how most people do it. But ideally you don't want your life to be one of hating most of what you're doing and then just compensating for it in a way that keeps the feedback loop working.
1. Hire the best of the best, typically PhD level.
2. Assign them to random crap projects that have precious little to do with their specialty and strengths.
3. Assume that if they were smart enough to earn a PhD on topic X, they'll learn quickly how to do work on Y, even if X and Y are completely unrelated.
I've seen some CS and math PhD grads being employed for software engineering roles where all that mattered was knowing framework X by heart, memorizing GoF patterns, TDD, DDD, SOLID, clean code and all that Uncle Bob was preaching in the '90s and early 2000.
I think both CS and software engineering have their own importance but they are not the same. It's better to hire the right person for the job.
Connecting people to goods and services they may want or need in a targeted way that tries to make them more relevant seems positive if anything to me.
Good thing we have search engines. If I want to find a good or service, I'll go look up reviews or the like. Ads only serve to sell me things that I don't need, in the vast majority of cases. I think it's fair to say that making people want more stuff is socially negative.
> making people want more stuff is socially negative
I don't really think so in the general case. Personally I've eaten a lot of food I found out about from ads and wouldn't have known I wanted otherwise, and I'm glad it happened.
If you want to try new foods, that's cool, I do too. Read local food reviews.
But if ads convince you to try 47 different restaurants and that otherwise you would have been perfectly happy to eat at home, then the ads did a disservice to society.
Relatively nobody goes out of their way for local food reviews. If advertising was suddenly banned I feel like people would end up much less likely to try anything new and life would be more stagnant overall. New businesses would struggle to attract customers and everyone would gravitate to McDonald's and Wal Mart even more than they already do.
I disagree. I and a lot of people I know go out of our way for local food reviews, and word of mouth is also incredibly powerful.
And you must remember that for every local food ad there are 300 ads for McDonalds or Walmart, and they are just as effective, although likely for another demographic.
Some people are absolutely OK with that. Some people, it bothers deeply. Same about weapons work, or other engineering tasks of various applicable moralities. We all have to make our choices. I know I've worked on things of minimal value, just because I needed to pay for life. I've switched to other things when able.
I'm starting to consider any company whose revenue primarily comes from ads to be immoral. It's the business of hijacking people's minds. Part of this means stimulating the worst aspects of thinking: addiction, fear, pain, all that ads seek to satisfy.
You open a business. You sell something or offer a service. Day one is "let people know that I exist". Pretty much every form this takes is advertising. No business lives without making its customers aware of it.
It's not immoral in specializing on how to advertise. It's immoral to overstep some boundaries when doing it.
Disclosure: I worked in a company whose primary revenue was selling tools to create ads.
I don't think there is any way to get rid of ads from society, as you say. I don't think ads were that big of a problem historically. The problem is that the recent (20ish years) era where the fast response of internet ads (a click on the ad immediately tells you it worked), compared to a tv ad (you wait a month to infer ad effectiveness from the revenue numbers), has enabled rapid A/B testing of ad design.
What that means is that ad design is rapidly iterated upon to maximize revenue of the company [1]. We also know from first principles that ads can have negative influences on people (making people dissatisfied with their bodies or lives, or making them engage in medically harmful behavior like smoking etc etc.). Now, there is very little legal regulation of what can be in an ad, except that factual statements in the ad are true; and ad creators rarely self-regulate.
So you have one variable A=product revenue. You have another variable B=negative psychological impact on viewers of ads. The ad optimization process only optimizes A, and places almost no constraints on B while doing so. Guess what? A significant percentage of ads end up with both high A and B.
This is the problem. I am not proposing any solutions, but the problem exists.
[1]. Also the techniques learned from internet ads are applied to tv, print and billboard ads.
Discovery is a problem that can be solved in a million other methods. If (hypothetically, somehow) ads were outlawed from existence tomorrow, a thriving industry of independent reviewers would instantly pop up to serve the need of product discovery.
Painting the advertising industry as "humble startup putting up a sign in the downtown square" is also disingenuous. Most advertisements you see are done by big corporations. What's the excuse of Coca-Cola or McDonalds to plaster the streets with psychologically-crafted pictures of their unhealthy products, then?
> If (hypothetically, somehow) ads were outlawed from existence tomorrow, a thriving industry of independent reviewers would instantly pop up to serve the need of product discovery.
Hardly. You buy a domain name, put something on it and then what, wait for an independent reviewer to monitor the registrars? And that review would be discovered how?
> Painting the advertising industry as "humble startup putting up a sign in the downtown square" is also disingenuous. Most advertisements you see are done by big corporations. What's the excuse of Coca-Cola or McDonalds to plaster the streets with psychologically-crafted pictures of their unhealthy products, then?
I have no idea how you reached that conclusion from what I wrote.
"If (hypothetically, somehow) ads were outlawed from existence tomorrow, a thriving industry of independent reviewers would instantly pop up to serve the need of product discovery."
By "independent reviewers", you mean bought YouTube influencers, right? Because that's what's often happening in industries where external reviews play a big role.
I understand and agree with your point but I think this site overvalues CS graduates by a lot. There are bright minds everywhere, doing math, physics, literature, medicine, law and a long etc. That "some" minds, because of greed/need-to-subsistence or whatever the reason choose that path is a shame but hardly a loss in the great scheme of things. Most intellectual pursuits are already fiercely competitive as it is.
“Until a man is twenty-five, he still thinks, every so often, that under the
right circumstances he could be the baddest motherfucker in the world. If I
moved to a martial-arts monastery in China and studied real hard for ten years.
If my family was wiped out by Colombian drug dealers and I swore myself to
revenge. If I got a fatal disease, had one year to live, devoted it to wiping
out street crime. If I just dropped out and devoted my life to being bad.
Hiro used to feel that way, too, but then he ran into Raven. In a way, this is
liberating. He no longer has to worry about trying to be the baddest
motherfucker in the world. The position is taken.”
> Recovering the key was usually instantaneous, but to help people feel like they’d gotten their money’s worth, we’d put on a little animated show like a Hollywood hacking scene with lots of random characters that gradually revealed the right password.
and later ...
> I’m currently looking for work in a staff or senior staff engineering or data scientist role. If you’ve got interesting technical analysis or optimization problems, please reach out to me and let’s talk.
I can't help but wonder if this write-up (which is fascinating) may not be one of those little animated shows to help prospective employers feel like they'll get their money's worth.
Slightly offtopic, but I always laughed at these types of animations in hacker movies. Until one day I made a tool to extract strings (mostly passwords or hashes, purely for academic purposes!) through SQL injections in SQL Server when the error message did not return anything useful. I scanned each character bit by bit and depending on the value, I would either return control immediately or delay the response by a couple of hundred ms. That allowed me to reconstruct the string bit by bit, and as new information was acquired for each character - it would change on the screen. It looked exactly like some of these hacker movie scenes... =)
That little animation was put there by the guy who hired me. We got rid of it in the Password Recovery ToolKit that combined all the modules I'd written into a single tool. In that one, we had a big list of any encrypted files we found and their passwords. With enough modules, it was entertaining enough to watch the list grow. And it was very satisfying when the user reused a password on something trivial to crack that let us open a Word 97 file.
@metaweta: The technical side is interesting, but seems like the admin side would be too; how did the administration and contract side play out?
Someone needed to front an estimated $100k of GPU costs, without being sure it would work - and then pay for your work on top; who risked that? You had no proof the claimed Bitcoins inside were real, or as many as claimed. You're in New Zealand(?) and the customer is in Russia - you need the file to study it and if you crack it then you have the Bitcoins as well - how did they become comfortable that you wouldn't steal them and say you couldn't crack it? Did it worry you that the owner might not be able to convert them to cash, e.g. if the Exchange was shady and there was very little recourse?
How much work did it take to convince your partner to stop what they were doing, and write GPU code for a crack which might not work?
I'm in the USA. He paid us for some work up front and agreed to pay the rest on delivery of the key. He expected to spend most of the $100K he'd budgeted on GPU costs, so we got much less than that for the work; we took the job because it sounded like fun. We didn't need the information in the archived files, just the encryption headers, so he set most of the bytes to zero. I couldn't have spent the coins even if I wanted to.
Thank you, that is interesting; he's wealthy enough and technically capable enough to make that all go a lot easier. (I guessed from going back to check on the process ID on his laptop that you must have had his laptop, and didn't know you could do that with just headers).
Not only are the cryptography skills of Mr. Mike Stay obviously impressive, his presentation of things which happened 20 years ago in a vivid yet subtle manner seems extraordinary to me.
Especially since, I can't remember what I did 2 weeks back to write in my blog.
Can you give us the secret of your documentation/notes workflow Mr. Mike (@metaweta)? Please don't say that you recalled from your memory!
> ZIP supports a simple password-based symmetric encryption system generally known as ZipCrypto. It is documented in the ZIP specification, and known to be seriously flawed. In particular, it is vulnerable to known-plaintext attacks, which are in some cases made worse by poor implementations of random-number generators. https://en.wikipedia.org/wiki/Zip_(file_format)#Encryption
IMO the fact that the author was able to recover the password at all indicates weakness. Something encrypted with AES-GCM would presumably be all but impossible.
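To make the ZipCrypto versus AES distinction in the comment above concrete, here is an added example (not from the thread or the linked article) that audits which encryption scheme each entry of a ZIP archive declares, using only the central directory. The function names and the `SAMPLE` archive are assumptions for illustration; the archive is constructed inline with placeholder payload bytes, not real ciphertext.

```python
import io
import struct
import zipfile

FLAG_ENCRYPTED = 0x0001     # general-purpose bit 0: entry is encrypted
FLAG_STRONG = 0x0040        # general-purpose bit 6: PKWARE strong encryption
METHOD_WINZIP_AES = 99      # WinZip AES replaces the method field with 99
EXTRA_WINZIP_AES = 0x9901   # and records the details in this extra field
AES_BITS = {1: "128", 2: "192", 3: "256"}


def iter_extra(extra):
    """Yield (header_id, data) pairs from a ZIP extra field."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        yield header_id, extra[pos + 4:pos + 4 + size]
        pos += 4 + size


def classify(info):
    """Return the encryption scheme declared by one zipfile.ZipInfo entry."""
    if not info.flag_bits & FLAG_ENCRYPTED:
        return "none"
    if info.compress_type == METHOD_WINZIP_AES:
        for header_id, data in iter_extra(info.extra):
            # data layout: version(2) vendor "AE"(2) strength(1) real method(2)
            if header_id == EXTRA_WINZIP_AES and len(data) >= 7:
                return "winzip-aes-" + AES_BITS.get(data[4], "unknown")
    if info.flag_bits & FLAG_STRONG:
        return "pkware-strong"
    # Encrypted with no stronger marker: the traditional ZipCrypto scheme.
    return "zipcrypto"


def audit(zip_bytes):
    """Map each entry name to its scheme without decrypting anything."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: classify(info) for info in zf.infolist()}


def weak_entries(zip_bytes):
    """Names of entries that should be re-encrypted with a modern scheme."""
    return sorted(n for n, s in audit(zip_bytes).items() if s == "zipcrypto")


def build_sample_zip(entries):
    """Constructed input: assemble a ZIP from (name, flags, method, extra, payload)."""
    body, central = b"", b""
    for name, flags, method, extra, payload in entries:
        raw = name.encode("ascii")
        offset = len(body)
        # flags, method, time, date (1980-01-01), crc, sizes, name/extra lengths
        fields = (flags, method, 0, 0x21, 0, len(payload), len(payload),
                  len(raw), len(extra))
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, *fields)
        body += raw + extra + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20,
                               *fields, 0, 0, 0, 0, offset)
        central += raw + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries),
                       len(entries), len(central), len(body), 0)
    return body + central + eocd


# Constructed sample: one entry per scheme, payloads are placeholder bytes.
AES256_EXTRA = struct.pack("<HHH2sBH", EXTRA_WINZIP_AES, 7, 2, b"AE", 3, 8)
SAMPLE = build_sample_zip([
    ("plain.txt", 0x0000, 0, b"", b"hello"),
    ("legacy.txt", 0x0001, 8, b"", b"\x00" * 24),
    ("aes.bin", 0x0001, METHOD_WINZIP_AES, AES256_EXTRA, b"\x00" * 32),
    ("strong.bin", 0x0041, 8, b"", b"\x00" * 32),
])

if __name__ == "__main__":
    for name, scheme in audit(SAMPLE).items():
        print(f"{name:12} {scheme}")
    print("re-encrypt:", weak_entries(SAMPLE))
```

The check reads only what the archive declares in its headers, so it identifies the scheme in use but says nothing about password strength.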
We won’t really know the true value of bitcoin until options are widely available on retail exchanges like Fidelity or at least TD Ameritrade using people’s normal brokerage and IRA accounts.
It got me with SoftIce. Although I never thought to print them out; I needed to watch all the registers change as I was doing similar work or reverse engineering encryption schemes.
I did not have a printer at that time. Notepad with a lot of addresses and registers' values... Also, did not realize one can print from the SoftIce directly, as I assumed it ran at the lowest level before all the printer drivers. Certainly, it would be super useful!
I've always wondered what the development process looks like for these type of algorithms. If you have to run the program for a year to know if it will work, how can you have any confidence that what you've written is going to do the trick?
Exactly. We created some zip files we knew the password to and then checked that our code found the right one. Each stage would generate a bunch of files with different candidate ranges, so when testing the next stage, we'd choose the one file we knew had the correct key in it.
It brings interesting trade-offs for program design. You can write the code one way which may be 10x faster but harder to reason about, or another way which is more straightforward but takes an extra 5 days to execute. How confident are you in your code or debugging ability? How many iterations will you need? I'm assuming this was written in CUDA based on the block/thread ID mix-up.
Funny this. Back when I had more time on my hands I liked to do project euler problems. I'd start with the dumbest brute force method to find the answer, and let that run. Then I'd see if I could figure out the math and implement it correctly before the brute force finished. I'd say I had about a 95% success rate at beating the dumb brute force (course it really depends on the problem search space).
What was interesting, is that implementing the brute force solution and running it probably saved me time in the long run, because it managed to turn off a part of my brain that worries about wasted time. As long as I knew the brute force was potentially making progress, I didn't care if I ended up with false starts, or took a long time trying to understand the math, so it was easier to focus on the smarter solution.
This is part of the reason why the software industry's decision to use algorithm problems as time-bounded interview questions is so frustrating.
Right away, you have to make a choice between doing it the reliable way (brute force) and taking a gamble on being able to out-smart the problem and doing it the math-y way. This adds a ton of pressure, no matter which path you choose.
If you choose to start with brute-force, you're stressed that you look stupid because you don't know the trick. If you spend precious minutes looking for the trick, you're stressed because there's no guarantee you'll crack it in the given time.
I've just gone through a gamut of software interviews and this is the biggest thing that determines whether I'll enjoy solving a problem or not. If they start with "find an efficient solution" or "the data set is in the millions" or something along those lines, I know I'm doomed if I don't recognize the form of the problem. If they encourage me to get to a working solution first, and _then_ figure out the trick, I'll typically do well regardless of whether the question is familiar or not.
Collected the biggest archive of Bitcoin wallet.dat files with balance and lost passwords.
https://allprivatekeys.com/wallet.dat
The collection consists of 32 files total for 2500+ BTC. The biggest wallet 576 BTC, the most interesting wallet.dat files with pre-mined coins from 2009-2010.
Let's try other wallets for a share?
There's no way that the AccessData job I had would exist today. Most services are online, with data encrypted in transit and stored in the cloud. TLS security has improved dramatically over the last decade in response to attacks like BEAST and BREACH and CRIME and POODLE. Google drops (? is going to drop?) your SEO ranking if you don't have proper certs installed. Nowadays, it's rare to find an attack on the connection from the browser to the server. Instead, it's either malware on the client or hacking into the servers, where the operators have terrible security practices like storing data unencrypted at rest.
The field of cryptography has grown tremendously, and there's still a lot of research being done. There have been many competitions for developing strong cryptographic primitives. There's a lot of work being done on zero knowledge proofs and verifiable computation. Cryptocurrency has encouraged lots of bright young minds to get involved.
One thing we learned from the Snowden revelations is that crypto works where it's applied, so every little bit of crypto helps. Run a Tor node if you can.
The story would be less thrilling, I think: someone bought around 35 BTC, and then later he desperately wanted access to them, because they were worth 35 BTC!
But how do you prove that? It’s trivial to replicate the hardware the file was lifted from if the malware grabbed the standard sys info. File create/modify times could also give you a pretty damn good guess as to when the encryption happened.
If some random Russian dude shows up and offers to pay $100k to crack something with untraceable digital currency inside, don't you worry about getting killed if you fail to do it? Maybe I watch too much TV.