Sean Reiser

Hi I'm Seán Reiser, this is my Personal Blog

#NewYorker #DrupalDeveloper #InfoSec #Photographer #GEEK #Whovian #MYSTie #LetsGoYankees #LongSufferingJetsFan #NAKnight #Quinquagenarian #CommitAwesome

Hack

I’ve commented on this blog about the trend recruiters have of asking for the last 4 digits of a candidate’s SSN in their first contact email (along with name, DOB, location and other PII). I thought I’d consolidate my thoughts in a post.

Let me explain the format of a SSN:

The first 3 digits are tied to the state where the applicant applied for their SSN. Since most people in the US are born, live and die within a 50-mile radius, this becomes guessable.

The next 2 are a group number and can be tied to the year the applicant applied for their SSN. States only issue from a few group numbers a year, and most Americans are issued their SSN in the first couple of years of their life. Where a recruiter doesn’t know a candidate’s age or year of birth, it can be estimated from info on a candidate’s resume (graduation year, or when the candidate entered the workforce).

The last 4 are assigned in sequence and aren’t really derivable from a candidate’s information.

So for a large portion of candidates, someone can whittle SSNs down to 1-100 possible options. You can see why I am concerned that this could be a phishing attack: someone I don’t know asking for information that can lead to identity theft. Add to that the fact that you’re submitting the info via email, which is insecure by design, and there is another vector for possible theft.

I understand that firms are using Candidate Tracking Systems where the last 4 digits of a SSN are used to ensure candidates don’t get double submitted, but there are risks involved that I think many people are unaware of.


Lately I've been on a number of interviews and a common question seems to be, "What are your favorite modules?"  I seem to be misunderstanding the question.  

You see, I'll answer that question with a few-minute soliloquy on a module like Convert Bundles and how it saved me a bunch of time on a project where I had to merge a number of redundant content types. Or how useful Twig Tweak was when I was trying to insert a block into the middle of a Views listing. Maybe I'll discuss how I use Twig Debugger and Config Split to have Twig debugging turned on in a dev region but turned off in live, yet still have a common services.yml checked into git. You see, to me "favorite" is an ephemeral thing, often tied to the problem I'm trying to solve at that moment. And I felt an answer like this shows not just that I know a list of modules, but how I use them, and helps the interviewer know my thought process.

When I answer this way, I get what feels like a combination of confusion and disappointment from the interviewer. So I worked up the nerve on a recent interview to say, "I don't think I gave you what you want there, did I?" She replied:

Most people mention Views or Webform.

I immediately knew where the problem was. I am interpreting "favorite" as "modules you have a passion for", not "modules you use on almost every build". It's funny: I have been asked "What modules do you use a lot?" and my answer to that is, "Views, Webform, Paragraphs, Metatag, Media, starting to use Layout Builder, etc." But to me these are very different questions. Much like if someone asks what my favorite beverage is, I don't mention water, although it is the beverage I should drink most.

I also have to admit, when it comes to modules, I've become spoiled. I start 90% of my builds with a custom install profile based on Varbase. I've configured a number of popular modules and don't think about them.

Either way, I live and learn.  


So if you follow this link from NYC.gov it brings you to a site that demonstrates ranked choice voting using pizza toppings as an example, which I believe the mayor mentioned in a news conference yesterday. I took a look at it and I have to wonder... Why are they including libraries from the credit card processor stripe.com?

Politics aside… I’ve done a lot of work in Drupal, many amazing things. To be honest, the expression “if you have a hammer everything looks like a nail” can apply to me and Drupal. If I were building a Twitter-like social network, the last thing I’d do is think Drupal, especially with platforms like Mastodon out there.

I spent my "free time" the last few days standing up a new server on Linode. It's been a year or so since I've built and run my own server. I have some potential projects popping up where I felt it was a good idea to flex that muscle again.

My current site is based on the Varbase distribution, and I like the time it saves me from a development standpoint, but you take a hit from a performance standpoint. I want to really take a day or 2 to look at Varbase vs Lightning vs vanilla Drupal 9. The reason I wanted it on its own server is to better evaluate performance issues.


All of the layered protocols (SPF, DMARC, DKIM) on top of email to make it spoof resistant make me angry.

I know I'm in the minority, but I like the notion of the Touch Bar on a MacBook. It just should be in addition to the function keys instead of in place of them.