The Shpantzer Interview Technique

Posted on by Ben Rothke

In IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job, the authors cover core information security topics, and then pose various questions that may come up in the course of an interview.  Some of the areas covered are network and security fundamentals, firewalls, regulations, wireless, security tools, and more. 

The book is a standard interview preparation guide, with a focus on information security. 

Last week, Gal Shpantzer, in a moment of levity, wrote a blog post We Didn't Start the Fire(wall), set to the tune of We Didn't Start the Fire by Billy Joel. 

The highlights of Gal’s prose are as follows:

Hacktivism, PGP, Red China, Entropy

BlackBerry, Neuromancer, PageRank SEO. 

Dan Kaminsky, Richard Nixon, Studebaker, Max Vision

Red Pill, Blue Pill, CISSP. 

RADIUS, Logic Bomb, Pain Ray, Johnny Long

Gene Schultz, The King And I, when do we stop SQLi? 

Robert Morris, Vaccine, England's got the same queen

DVD Jon, Liberace, Operation Bot Roast. 

Chorus: We didn't start the firewall

It was always burning

Since the URL’s been turning

We didn't start the fire

No we didn't light it

But we tried to fight it.

Pirate Party, Rybolov, Nimda and CSRF

Blaster LoveBug, John The Ripper, Communist Bloc 

SRI, BBN, PDF bugs round the bend,

D-N-S Fails, Synchronize the Clocks. 

Stuxnet, LASER Beam, BSides’ got a winning team

Hoffacino, Xerox PARC, Kristin Paget, Bletchley Park. 

Lycos, LulzSec, Altavista, Cuckoo’s Egg

Freedom Frisk, Howard Schmidt, Paris Hilton’s Sidekick. 

Cyber Storm, AirCrack, Mickey Mantle, ENIAC

Mitnick, System High, It’s the year of PKI 

Keyloggers, Stacheldracht, Operation ShadyRAT

BitLocker, SecuTwits, Sony-BMG Rootkit 

SE Linux, @Beaker, EFF, Mafia

SIPRNET, Lamo, Ripco is a no-go. 

U2, WikiLeaks, IANA and IRC

Securosis, RAND Corp, Hacker’s Manifesto

Zimmerman, LANMan, Stranger in a Strange LAN

Webcam, KLM, APT invasion

(David) Bell-Lapadula, Foursquare check-in mania

Vint Cerf, Trojans, GPUs make BitCoins

JavaScript, Active X, British Politician sex

RSA: Blown away! What else do I have to say?!?


451, brute forcing, Kerberos is back again

Pick locks, teraflops, Captain Crunch, DevOps 

Begin, Reagan, Cross Domain, hackers bringing Titan Rain

Ayatollas in Iran, US in Afghanistan 

9/11, Sally Ride, Biba Model, suicide

Foreign debts, homeless vets, AIDE, Crack, iOS 

Got collisions in the SHA, China's under martial law

BYOD, browser wars, I can't take it anymore!

Chorus (2x) 

Most of the people I shared this with got a kick out of it.  While Shpantzer won’t be quitting his day job anytime soon in pursuit of a Grammy, I think his lyrics make a great hiring tool to be used in the interview process.   

While Shpantzer meant this as a comic relief vehicle, I think he might be onto something much bigger. Here is my idea, next time you are going to interview someone for an information security spot, don’t obsess on their resume; rather show them We Didn't Start the Fire(wall) and ask them to explain them. 

The (ISC)² CBK (common body of knowledge) is a taxonomy used as a basis for the CISSP exam.  It is a collection of topics relevant to information security professionals around the world. It establishes a common framework of information security terms and principles which allows information security professionals worldwide to discuss, debate, and resolve matters pertaining to the profession with a common understanding.  

Shpantzer created his own CBK and if the job candidate can adequately explain We Didn't Start the Fire(wall), then they likely have a good handle on information security.  It covers everything from encryption, malware, certifications, industry personalities, to industry conferences, hacking tools, protocols, hardware, operating systems, vulnerabilities and much more. 

Of course, if too many people take my advice, then we would see the beginning of We Didn't Start the Fire(wall) boot camps, prep guides, books, cheat sheets, seminars and more; which would obviate the efficacy of it as a testing tool. 

But if that would happen, Shpantzer would likely have by then written We Didn't Start the Next Generation Fire(wall).

Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs