michele spagnuolo.

Posted by bassolino at 2020-03-20

My experience with the Google hiring process began in February 2011, when Marion, working in the staffing department at Google Sydney, sent me an email explaining she found my LinkedIn profile interesting and asking if I was interested in an internship in one of Google's global offices. At the time I was not interested in an internship, and was about to leave for Chicago for my double degree program, so I declined the offer, adding the recruiter on LinkedIn.

Fast-forward to December 2012. I get a mail from Sunil about a Site Reliability Engineering role, but, after a brief phone call, we decided to postpone the thing to the summer. In the summer, however, not a word from him. I try to send him an email, but it bounces. His email address was disabled. He left Google. So I wait some months and contact Marion, who was really kind and helped me in getting in touch with a proper technical recruiter in Zurich, Terry.

Terry is an awesome recruiter. Supportive, clear, helpful and insightful. We had several informal phone calls, and he even suggested I apply for a different position that he believed would be a better match for my skillset. So, after a review of my profile by the engineers, they asked to set up the first technical telephone interview.

Telephone interviews

The calls should last 45 minutes, but mine have actually been 50 to 55 minutes long. In the first one, the interviewer was calling from Zurich, and was a Security Engineer. The interview was completely technical and straight to the point. He asked me several technical questions about security from the beginning, and I really appreciated that, because it made me feel confident and motivated. The questions were logically linked and I could tell that the interviewer was actually enjoying the discussion that arose about different techniques to, for example, overcome the Same Origin Policy (such as CORS and postMessage() in the HTML5 Web API). No stupid brain teasers, no Fermi questions.
I was actually expecting some kind of Fermi questions in the first screening interview (questions along the lines of "How many gas stations are there in Chicago?") and I've been told that they actually ask them for different roles, such as Marketing and Sales. They are about breaking down a problem, making reasonable assumptions, and doing a little bit of arithmetic.

Back to the interview. When there were about 10 minutes left, they ask you to come up with some code in your favorite language to solve a problem. You have to code on a dedicated Google Docs document that they link to you before the call. It's not easy, especially if you use Python or other languages that assign semantics to indentation, but it's still easier than whiteboard coding. And, guess what, that is something you'll have to do if you manage to get to the on-site interview. In the first call I was asked to implement a very popular input sanitization function from scratch. The interviewer was much more interested in following my initial thought process than in reading my actual code, and this is a very good thing in my opinion.

The second call was really similar, with the interviewer calling from California. It was maybe slightly more focused on handling of scenarios.

On-site interviews

After two weeks, Terry sent me an email congratulating me and inviting me to Zurich for an on-site round of interviews. Google pays for every expense, and books a hotel for you to stay overnight. They also offered to book a flight for me, but I preferred to take a train from Milan. The day I had to leave for Zurich I had a university exam in the morning, so I had to quickly jump on the train after that. I arrived in Zurich in the early evening, walked to the hotel, which was about 3 km from the station, had dinner, and then went directly to bed.

The next morning, I woke up, had an abundant breakfast and checked out from the hotel. I wandered around the city for a while, slowly heading to the Google offices.
Zurich is pretty in the morning.

[Photo: Zurich in the morning]

I arrived at the Google offices a full hour early, so I had plenty of time to hang around and take photos:

[Photo: Google Office in Zurich]

[Photo: A googol is 10^100]

Droids everywhere...

Switzerland!

I also found the Google car parked!

[Photo: Google car resting]

Ok, so, maybe I wait a bit on the benches in front of the building...

[Photo: Area in front of the building]

Ok, it's time! Let's walk into it!

[Photo: Front desk area - credit Camenzind Evolution]

The office is awesome. It has a different design theme on each floor, massage stations, restaurant-quality food, slides, billiards, aquariums, gondola lifts used as conference rooms, and so on. You can also see more photos of the Zurich office.

The lady at the front desk pointed me to a touchscreen, on which I had to agree to an informal NDA (I won't specify details of the questions I've been asked) and I had my interviewee badge printed. I remember I had to put my name and my recruiter's, and I thought of trying to inject something there, but I decided to be a good guy :) . Here's my badge:

[Photo: My interview badge]

After five minutes, my recruiter came and welcomed me. I was brought directly to my interview room, called Blueberry, and was asked if I needed anything. Everybody there was really kind to me. Terry explained what the schedule of the day was, and, in less than ten minutes, I was being interviewed by the first engineer.

On-site interviews are more in-depth than the telephone ones. I was asked very precise things about protocols, RFCs and specifications. I can't go into details, but, for example, if you never thought of studying the bit representation of a float number, well, you should. The first two interviews were similar, and I was also presented with snippets of very vulnerable code, and I had to spot all the vulnerabilities I could. They used C, Python and PHP, and expected me to understand and know the security aspects of functions in the standard library of those languages. I was also asked to code myself, but nothing too difficult, mostly operations with lists and numbers and string manipulation. The interviewers chose the language this time - for example, I was explicitly asked to use plain C for a string manipulation task.

Questions about security were increasingly difficult, and they tried to push my limits, for example by asking things such as the parameters that common functions take or which OS used to use static canaries (yes, it is Windows XP!). I was asked to use the whiteboard for drawing things all the time. Don't expect to vaguely hint at Return-oriented programming (ROP) without having to give a concrete example of a gadget chain ;).
After 90 minutes of non-stop interviews, I had a 30-minute break to eat something and rest. I was reminded I was not being interviewed during that time, and another engineer showed me a lot of features of the office and perks. Impressive, indeed. And the desserts are amazing.

Back to Blueberry, the next interview was with two interviewers. One of them was shadowing, as he was learning to become an interviewer himself. He took notes and sometimes commented and took part in the discussion. Everything went smoothly, I was asked about advanced aspects of SQL injection and other security stuff (sorry for being generic here). No coding assignment this time.

The last interview was different. The interviewer looked much more interested in assessing my organizational and coding skills (as a software engineer more than a security engineer), so he asked me to draw organization charts, discuss incident response, the connection with marketing and decision making levels, and, finally, to code routines in a machine language with just one instruction (enough for making the architecture Turing complete). I was really exhausted in the end, and I feel I underperformed in the last assignment. After that, I was accompanied to a micro-kitchen for a refreshment and finally left.