I don't know much about this case but depending on the level of concern, even just plugging the device into a safe, isolated machine and performing an image may be insufficient.
You could imagine a USB device that presented as a harmless file store unless certain conditions were detected, in which case the device could re-present as a keyboard (providing pre-programmed keystrokes) or potentially a Bluetooth or wireless network receiver that could log or analyze traffic to a hidden partition.
I think the question of how to safely analyze suspect USB devices, at the level of potential nation-state actors, needs a lot more consideration and probably some custom tooling.
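As an added illustration (not part of the original comment), here is a minimal sketch of one check such bench tooling could run: compare every enumeration seen on a physical port against the first one and flag any interface class the device gains later. The event record layout, the sample values and the assumption that each port hosts only the suspect device for the whole capture are constructed for this example; the class codes are the standard USB base classes.

```python
from dataclasses import dataclass

# USB base class codes as reported in bInterfaceClass
HID, MASS_STORAGE, WIRELESS = 0x03, 0x08, 0xE0
CLASS_NAMES = {HID: "HID", MASS_STORAGE: "mass storage",
               WIRELESS: "wireless controller"}

@dataclass(frozen=True)
class Enumeration:          # hypothetical record produced by the capture rig
    t: float                # seconds since capture start
    port: str               # physical hub port, e.g. "1-2"
    vid_pid: str            # idVendor:idProduct as claimed by the device
    classes: frozenset      # bInterfaceClass of every interface offered

def find_class_changes(events):
    """Return a finding for each enumeration that offers classes the port's
    first enumeration did not.

    Keyed by physical port, not VID:PID: a device that re-presents itself
    can claim any identity, but it cannot change the port it is plugged into.
    """
    baseline = {}           # port -> first Enumeration seen on it
    findings = []
    for ev in sorted(events, key=lambda e: e.t):
        first = baseline.setdefault(ev.port, ev)
        gained = ev.classes - first.classes
        if gained:
            findings.append({
                "port": ev.port,
                "at": ev.t,
                "gained": sorted(CLASS_NAMES.get(c, hex(c)) for c in gained),
                "identity_changed": ev.vid_pid != first.vid_pid,
            })
    return findings

# Constructed sample capture: port 1-2 holds the suspect stick, 1-3 a bench keyboard.
SAMPLE = [
    Enumeration(0.0, "1-2", "aaaa:0001", frozenset({MASS_STORAGE})),
    Enumeration(5.0, "1-3", "bbbb:0002", frozenset({HID})),
    Enumeration(912.4, "1-2", "aaaa:0001", frozenset({MASS_STORAGE, HID})),
    Enumeration(1800.0, "1-2", "cccc:0003", frozenset({WIRELESS})),
]

if __name__ == "__main__":
    for finding in find_class_changes(SAMPLE):
        print(finding)
```

A check like this only sees a switch that actually happens during the capture, so a device that waits for conditions the bench never reproduces would pass it.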
I can't think of many things more fun than coming up with some clever USB descriptor hacks to allow an innocuous drive full of pictures of grandchildren to carefully switch into an HID device when it thinks the coast is clear. I have to imagine there's a lot of little tricks you could implement which would be difficult to trigger in a sandbox and might require dumping the EEPROM (if that's possible).
This sounds like an effective way to stall investigations for months in exchange for a movie plot threat scenario.
"Boss, the electron microscope reverse engineering from that USB stick 6 months ago came back. They said they didn't find anything out of ordinary. The bill is $400k. But I guess we can start analyzing the contents now."
> I think the question of how to safely analyze suspect USB devices, at the level of potential nation-state actors, needs a lot more consideration and probably some custom tooling.
I would be absolutely shocked if the US’ three letter agencies did not have some form of custom tooling to detect this — especially considering the sophisticated multi-vector I/O exploitation they demonstrated a decade ago with Stuxnet and the Equation Group.
Regardless of your views on his policy, Trump has demonstrated zero respect for opsec — even in a national security context — so I would also not be surprised if those three letter agencies have decided the White House is untrustworthy with its cyber warfare capabilities.
In this case we kind of do. The USB stick was recovered from a woman who was visiting Mar a Lago. Trump conducts government business there a lot, in a break with pretty much all advice. It's an incredibly insecure location.
I'll agree with you that modern HTML and CSS for presentation is best-of-breed. I'll accept that the DOM API is sufficient.
But neither of those necessitates JavaScript; JS is just a language that happens to run in the browser and has DOM API bindings (and the other browser APIs too). There's no reason those identical bindings couldn't be provided in any other language.
I have to encourage you not to give up on all tech interviews. (By that I think you mean "hands-on"/"practical" type tests).
I do hiring for our agency, which consists entirely of non-rock-stars, at non-rock-star pay, solving non-rock-star problems, in non-rock-star time. We still do practical tests for all interviews. Some people, actually, do just get up and walk out. I wish they'd at least look.
We do problems on the level of "fizz-buzz" or similar. Quick 10-20 minute problems. We don't make full completion a binary success/failure metric. We just want to hear you discuss your thought process and see that you're aware of variables, if statements, and for loops. Because, yeah, turns out some candidates who claim years of programming experience ... aren't.
But no tricks. And we also make sure the request is suitable to the resume (think about it as resume validation). So we wouldn't say "Python person, write a method for us in C#" or vice-versa. Smart people can easily cross-train themselves once the job starts. It's more about finding someone who has the fundamentals and can apply them.
In conclusion, I would defend the hands-on "tech" interview as necessary and not even evil.
You might not make full completion a binary success/failure metric but so many other companies do, that people assume any random tech interview will be like that. It's anecdotal but both my friends and I all have the same experience of making a single mistake and seeing the interviewer visibly check out of the rest of the interview, and only getting offers from places where you passed every aspect of their interview correctly.
I do very well on technical homework-type tests, but they still want to bullshit on the phone about culture, and be very exclusive (28 year-olds with beards) etc.
Related question: what online sites, if any, are better to purchase items to avoid counterfeit?
I've been thinking of using B&H instead of Amazon for electronic stuff, assuming that their reputation means they are less likely to enable counterfeit sellers, but I don't know that for sure. I also don't know if other online sites (jet.com?) have or don't have the counterfeit issue.
A lot of times I buy from the websites of big name brick and mortar stores. Some B&M stores also have third party sellers, so watch out for that. Walmart.com offers free two day shipping for orders over $49, which I've used quite a bit since they implemented that policy. I've also bought direct from the manufacturer.
As far as jet.com, I think their suppliers vary and I don't know if they have better vetting of their suppliers. They are owned by Walmart now, FWIW. I've bought a few things from there and they have very bad problems with packaging, all my orders had something destroyed during shipping due to poor packaging.
I only buy from websites that control their own supply chain -- meaning they know who they are dealing with when they procured the goods, not randos from overseas.
I love Target, free shipping threshold is $35 but you get what you ordered 100% of the time. They have a good selection for most of what I buy often. You can mail back returns or take them to a store. I like Microcenter for electronics.
I also buy from brand websites directly, since they have no reason to send anything but their authentic products. Brand websites often have deals. Join the mailing lists of your favorites, a lot of them send out discount codes.
Grey market is not black market though. They aren't counterfeit, knockoffs, or potentially dangerous. They are legitimate products made by the manufacturer. They are very upfront that they sell grey market items.
We also sell some products we've obtained from sources other than the manufacturer or its licensed importer. These are "grey market" products. "Grey market" is not illegal, not factory seconds, not demo merchandise, not cheaper or inferior products. In fact in almost every instance a "grey market" product is absolutely identical to its US-warranted counterpart. "Grey market" and US-warranted products are manufactured in the same factories from the same components, and sub-assemblies, to the same specs and tolerances, by the same workers. In terms of the item itself (excepting PAL video -- see below) there is no difference at all. A "grey market" Nikon 50mm f/1.4 D-AF lens (for example) is exactly the same in every possible way as the US-warranted version.
I found it very interesting that the sample meal shown was very, very heavily pure meat. Today's meals tend to include substantial "bread"/starch component for each meat: whether a bun, breaded chicken, potatoes. That appears absent or much reduced on this menu.
Well, I think you can assume there was bread, alongside the pomme de terre which are on the menu; and we don't have relative quantities for everything, or know how many people were eating. Variety, though, is a large part of what makes a meal opulent - e.g. tasting menus usually have 10 to 20 courses when you include the various little nibbles in between courses. And indeed, tasting menus typically have a different meat for every dish; if you listed them in this format, they'd look very meat heavy too.
What I really want is the ability to optionally select the shipper... UPS, FedEx, USPS, OnTrac, with different prices as needed. I think a lot of people who have trouble with one particular shipping company in their area (which one varies by area) would enjoy the ability to choose the one that is more reliable, and be willing to pay for it.
I agree. Of course, there is a "spin-up" time and we prefer to select the competent candidate with skill in our tools vs the competent candidate with skill in a different tool; but absolutely a competent developer should be able to adapt to any environment.
Interviews can help accommodate this by allowing the candidate to solve a coding test in a language of their choice, while also inquiring about the candidate's learning plans. (Want to make sure they are willing to adapt to the team's tools and not try to force the team to adapt to them!)
I took a job once where the code base was in a FORTRAN-derivative language. I had never used FORTRAN or anything like it. Not a problem. I studied the code. I studied the docs. I figured it out and did the work. I would expect nothing less of any other competent developer.
Another job had a toolchain based on NodeJS on the server-side. Never used NodeJS. Not a problem. Studied the code. Studied the docs. You know the story.
The key skill is a developer's willingness and ability to learn the tools that are desired for the job at hand, and to accept and learn new tools when the time is right.
This is an oversimplification. The average household has several kinds of debt, and generally debt should be paid down in descending order of interest rate.
More significantly, investment income opportunities need to have their interest rate (or equivalent) assessed. For example, in the past 12 months, the DIA has risen 18%. Thus, if 12 months ago I had money to spare, it would have been better to put the money into DIA rather than make an extra principal payment on the mortgage, unless my mortgage is 18% or more.
With the exception of bonds and CDs, it's not possible to know the investment growth in advance, so that creates some risk of course.
Further, because of the amortization schedule, applying that extra principal payment only shaves off the last month of the amortization schedule, which is the smallest fraction of interest of all payments.
One would still be better off investing that money in something until that last month, then apply the payment to save the very small amount of interest.
This assumes the mortgage is like most (all?) mortgages out there that follow an amortization schedule -- which are unlike credit cards or student loans, where early payments have a big benefit.