Employee onboarding at Checkr

I recently joined Checkr as a security engineer and had the opportunity to complete its week-long onboarding program.

In my opinion new employee on boarding is vital to any organization for few simple reasons:

It educational for the new joiners – while they have already decided to jump onboard by accepting the offer, a good onboarding experience helps reinforce the decision.
It helps showcase the value add that the new members will bring to the table and its alignment to the overall mission of the organization.
Life is quite a bit (if not all!) about first impressions and a good onboarding program is just that. For a new employee, it’s the first true insight to how a company really functions.

While it sounds simple enough its tough to get this right I guess. Before joining Checkr, I have worked for various organizations (large, medium, small) and had my share of new joiner trainings/sessions/seminars/onboarding programs, etc. A common thread between these programs is that, almost always, these are impersonal. Usually these cover things like setting up the benefits, payroll, computer and other administrative chores like providing a rundown of Dos and Don’ts at the company. Very little emphasis goes into explaining what it means to come onboard and what is needed to be successful in that company. To me onboarding programs are perhaps the most boring, monotonous and impersonal activity one does when starting at a company.

So, I was surprised (pleasantly!) at Checkr!

The onboarding program here is different. Not only is it laid out in a very thoughtful way (so much so that curiosity piqued by one session was addressed by the immediate next session – such was cohesion in the flow) but was also very conversational. It reflects the core principle of transparency that Checkr works on and for a new joiner provides a great platform to get started here.

This sounds surprising when one considers that Checkr started in 2014 and is currently just around 135 employees. Typically in fast growing startups, the focus is on making the new joiners productive from day one. The idea of making them spend a week learning about the company, its mission, its people and plans sounds strange. But at Checkr, the emphasis on this week-long program comes right from the top of the management chain as evidenced by sessions from the CEO, the CTO and various VPs.

The program is 1 week (5 days) long and covers sessions on each aspect of the company, from how it started to where it wants to go and how.

Usually, most of the new hires here, like myself, have no experience in the background check industry. The onboarding sessions were perfect introduction to the complex world of background records, the court data management/retrieval systems and the painful inconsistencies in timelines as one moves through state/county lines.

This program helps visualize the direct impact of the technology developed at Checkr on the lives of job seekers across the country.

Few of the interesting aspects of the program for me included:

Sessions with early employees of Checkr and getting to know the first hand perspective of how the company has grown fast while holding tight to its mission helped set my own perspective about how Checkr works
Two sessions with the Checkr CEO talking about the company roadmap and history. The level of transparency he provides in terms of roadmap, challenges and priorities is amazing.
Everyone of the new joiners (yes – everyone!!) have to complete the NAPBS FCRA Basic Certification. I learned amazingly lot of stuff about the whole BGC industry during the training for this certification.
Best part – I got to go to the courthouse to see first hand how the record retrieval process works in the US court systems. This happens during the last day of the onboarding program and is the rightful amalgamation of all the learnings from the previous 4 days.

In summary, Checkr is on a mission to modernize the background screening industry. To be successful here, each employee has to connect to that mission and understand how the role they play count towards fulfilling it. Checkr’s onboarding program facilitates this understanding by showcasing how the company functions.

The program made a great impression that will stay with me for a long time.

Concurrency tidbit to GO

Consider the code snippet below- it creates a chat room struct with the following fields:

a channel (messageFlow) to forward incoming messages to the room
a channel (joinChat) to queue clients who want to join the room
a channel (quitChat) for clients who want to leave the room
a map of clients who are currently in the room

type room struct{
      messageFlow chan []byte
     // joinChat - channel for clients wanting to join the chat
     joinChat chan *client
     // quitChat - channel for clients wanting to leave a room
     quitChat chan *client
     // clients - a map object that holds all current clients in a room
     currentClients map[*clients] bool
}

Quick GO channel refresher – Channels are a typed conduit through which we can send and receive values with the channel operator, “<-“. All channels must be created before use. And by default, sends and receives block until the other side is ready. This allows goroutines to synchronize without explicit locks or condition variables.
More details on channels in GO is here: https://tour.golang.org/concurrency/2

Quick GO map refresher – A map maps keys to values. More on maps in GO – https://tour.golang.org/moretypes/19
The usual problem with the code like one above is that it is possible that two goroutines may try to modify the map at the same time thus resulting in an unpredictable state for the currentClients map.

To help mitigate this kind of setup, GO provides a powerful statement called select. As defined here (https://tour.golang.org/concurrency/5)The select statement lets a goroutine wait on multiple communication operations. Select statement can be used whenever we need to perform some operations on shared memory or actions that depend on various activities within the channels.

To address the case in the context of the code snippet above, we can use the select statement to monitor the channels: messageFlow, joinChat, quitClients. As and when a message arrives in any of the of the channels, the select statement will run the code for that particular case. Only the case related to any one channel will be run at any particular time – thus helping synchronize the operations. The select code will look something like:

::::::::::::::
    select{
    case client := <- room.joinChat:
        //do something to allow the client to join in
    case client := <-room.quitChat:
        //do domething to allow the client to leave
    case chatMsg := <- room.messageFlow
}
::::::::::::::

This code should run indefinitely in the background (as goroutines) till the chat program is terminated.

References:
1) GO Programming Blueprints – Mat Ryer
2) https://tour.golang.org/

IAPP – Privacy Technologist Credential Quick Notes

In the days of connected living, lot of amazing new products and features are released every day. Being part of the grid helps encourage innovation, effective collaboration, and possibly, a better way of living in general!

The rush to roll-out the products and/or features that enable this connected existence has a strong inclination to dissipate focus on one important area concerning the ENTITY at the center of it– the human and his/her right to privacy.

Most of these products take a “will this put me in a legal soup?” approach, and push the limits to the maximum, rather than being designed with the privacy protections of the end users built in. As with security, the general thought around privacy is that of hindrance in reaping maximum profitability out of the products.

I have been heavily involved in secure software development lifecycle projects in my career. So, in order to get a better insight into privacy focused software development lifecycle, I decided to pursue the CIPT credentials from IAPP.

My take was that unless the technology folks are made to understand the importance of Privacy (and of course Security), real long term resolution of the privacy/security crisis will not be possible. The goal was to get a structured understanding of what the technologists, not the management/leaders, needs to know to make knowledgeable decisions related to data privacy as they build a product.

While working on my preparations, I realized that there are lot of CIPP information available (it’s the most popular of privacy credentials) but not much on CIPT. Hence including a short summary of my plan below.

My only reference for the certification was the book “Privacy In technology – Standards and Practices for Engineers and Security and IT Professionals” by JC Cannon. The book is well written, and for someone with technical background, this is the only book needed for CIPT.

For individuals with no knowledge of technical concepts around network security, cryptography, and authentication schemes will find this tests to be little tough. On a scale of 0-5, one must at least have a 1.5-2 knowledge of the aforementioned concepts to be comfortable with the type of questions that the exam has.

Reading up freely available articles on the technical concepts mentioned should suffice in understanding the concepts highlighted in the book.

The course covers lots of good information on privacy focused architecture and development practices, privacy notices and tools.

Did I find the course worthy of the dollars/time spent? – Yes! In a world where most do not understand the importance of data privacy and confuse data privacy with data security, the materials covered in this course are refreshingly to the point.

Whether one will get a promotion because he/she got a CIPT, well, that depends J

Diffie-Hellman key exchange

Diffie-Hellman – Layman terms

Basic info (table 1):

(2^x)^y = 2^xy = (2^y)^x

For DH, x and y are very large numbers.

Step 1: GB selects a large random number, x.

Step 2: GB raises 2 to the power of x and obtains, say G (=2^x).

Step 3: GB sends G to SB.

Step 4: SB selects a large random number, y.

Step 5: SB raises 2 to the power of y and obtains, say S (=2^y).

Step 6: SB sends S to GB.

Step 7: Following calculations are performed

SB calculations	GB calculations
S^x	G^x
(2^y)^x from Step 5	(2^x)^y from Step 2
2^yx from table 1	2^xy from table 1
(2^x)^yfrom table 1	(2^x)^yfrom table 1

Step 8: Both SB and GB now has a shared secret without actually have to transfer the key.

HTTP Secure Headers – How prevalent are these?

Recently Twitter added Public Key Pinning to their SecureHeaders Ruby Gem. There are 8 security headers now.

I wanted check the prevalence of these secure HTTP headers amongst the top websites to get a sense of the awareness around these very efficient mechanisms to address a plethora of security related issues.

For reference, CSP is documented here.

I checked most of the publicly available list of 2014 top 500 sites on the web from Fortune.com for this purpose and the stats for the 8 headers that SecureHeaders Ruby Gem covers is:

CSP	HTTP Strict Transport Security (HSTS)	X-Frame-Options (XFO)	X-XSS-Protection	X-Content-Type-Options	X-Download-Options	X-Permitted-Cross-Domain-Policies	Public Key Pinning
2	5	81	12	26	0	1	0

This is not a comprehensive test (and possibly not error free) but these numbers do point towards a possible lack of adoption for these gradually improving (and easy to use) security enforcement mechanisms.

Part reason for this may be the touch unreliability in the way browsers enforce these checks (for example X-Download-Options is supported only on Internet Explorer) but considering that these do not break anything if used sensibly (like CSP and Public key pinning’s report on settings) can be used to gradually improve the security stance of most websites without much effort.

Note: Tristan Waldear has created a Python-Flask package for the same headers and is hosted here.

Drag Microsoft Office Excel Conditional format…

For the Umpteenth number of time, I spent >2 hours to figure out a way to drag my custom format in an incremental way across excel rows.

Here is the user case:

I have an excel spreadsheet that contains columns that look like below:

The custom format that I needed was:

1) Fill Green if value in the cells in B, C, and D is greater than or equal to the value in the cell A for that row.

2) Fill Yellow if value in the cells in B, C, and D is less than the value in the cell A for that row.

Exact Requirement: I want to create the formatting for the cells in one row, drag it down and expect Excel to do the incremental adjustments to the cell values as needed.

By default when I create the formula using the “Conditional Formatting” option it creates something like this:

If I “Format Paint” other cells then the “Cell Vale < $C$1” remains static. I wanted it to change based on the row it is on.

Fix was simple (I think other better ways too!):

1) In the formula remove the $ from the “Cell Value…” for the value that needs to reflect the changes. When I updated the formula like below I was able to format paint it over other cells:

In retrospect, that was simple…

GameSec – Unity3D – 1

Unity’s documentation is pretty good for the developers who want to create cool games, but ones on the critical supporting features like security are not very detailed. Make no mistake, Unity does have good security features like the web player sandbox that helps maintain the security posture but I feel the documentation coverage on these needs to be more detailed.

As I try to get more acquainted with Unity’s world of game development I am taking some notes on the questions I had, and kind of got answers to. And hence the ramblings below 🙂

Unity Security – Permissions Policy files

There are two security policy files that control the access permissions on content that a Unity web player is allowed to access, or not. These are: crossdomain.xml and socket security policy file.

Difference between crossdomain.xml file and the socket security policy file.

The crossdomain.xml file affects HTTP, HTTPS and FTP access to content on a server and it has no effect on restrictions to be imposed for socket connections. To impose restrictions for socket connections, a socket policy server is required to allow, or disallow, Unity web player based socket access.

Does Unity use/require both crossdomain.xml as well as the socket security policy files?

Yes! While both the files use the same policy schema, the crossdomain.xml file only defines permissions on the web services hosted on the server where the crossdomain.xml file is placed, the socket security policies apply to all TCP/UDP socket connections to that server.

For Unity, the http served policy file, crossdomain.xml, is relevant for WWW class in the UnityEngine namespace. For domains different from the domain that is hosting the unity3d file, the Unity web player expects the crossdomain.xml file to be available on the domain it wants to access with the WWW class.

Unity Socket Connections

Before Unity web players can connect to any serve, like the ones on the networks, it is required that the hosts permit such connections. The hosts can manage the socket level connection permissions using the socket policy file.

This socket security policy file is by default hosted by the target host on port 843.

Note: The socket security policy file can be hosted on other ports as well. The functional difference with a non-default port is that it must be manually fetched with Security.PrefetchSocketPolicy() API call and if it is hosted on a port higher than 1024 the policy can only give access to other ports higher than 1024.

A Socket policy file defines what hosts (think client) can connect to a system (think server) and to which ports those hosts are permitted to connect.

The format used for the Unity socket policy file is similar to that used by the Flash player. The schema of the file is as below:

<?xml version=”1.0″ encoding=”ISO-8859-1″?>

<!ELEMENT cross-domain-policy (allow-access-from*)>

<!ELEMENT allow-access-from EMPTY>

<!–ATTLIST allow-access-from domain CDATA #REQUIRED>

<!–ATTLIST allow-access-from to-ports CDATA #REQUIRED>

Example Unity security socket policy file:

<?xml version=”1.0″?><cross-domain-policy>

<allow-access-from domain=”*” to-ports=”80, 443″/>

</cross-domain-policy>”

This policy effectively says “Content from any domain is free to make socket connections at ports 80 and 443”. The Unity web-player will reject any attempted socket connections using a port outside that range and will throw a SecurityException.

Note: The to-ports field in the allow-access-from element in the socket security policy file specifies what ports are available to the Unity web player trying to connect to the server. While wildcards (“*”), port ranges, and/or individual ports can be specified within this field, it recommended that administrators specify only those ports for which they explicitly want to allow access to the connecting web player.

The main points of distinction between the Flash and Unity socket security policy file are:

A limitation with the Unity’s socket policy file vis-à-vis Flash socket policy file is that Unity web player only supports “*” as a valid value for the domain setting. The implication is that any web player in the wild can attempt to establish socket connectivity to the server.
The Unity webplayer does not support the and tags.

To be continued…

CORS – Cross Origin Resource Sharing – A Simple Example

Local setup (I did it on Windows 7 and IIS): 1. Created two websites made to run on two different ports. In IIS a new website can be created using the option shown the screen shot below: A note about Same Origin: Note that most of the modern browsers define the following combination as “same origin” – Scheme (protocol), domain and Port number. As far as I know Internet Explorer tends to behave differently as it did not consider the port number but my memory may need a refresh with the latest releases, other browsers are quire consistent. The two sites I created were accessible using the following URLs:

i. http://localhost:8098/ – I called it Site 1 ii. http://localhost:8099/ – I called it Site 2

So for the sake of SoP these two are different origin sites even though they are on the same web server sitting in two adjacent folders 🙂 I created three landing pages:

i. cors.php on Site 1 ii. site1processor.php on site 1 iii. site2processor.php on site 2

The code for each is as below: cors.php – Site 1 on port 8098 accessible via url: http://localhost:8098/cors.php site2processor.php – Site 2 on port 8099 accessible via URL: http://localhost:8098/ site1processor.php site2processor.php – Site 2 on port 8099 accessible via URL: http://localhost:8099/ site2processor.php I un-commented the following snippet in the cors.php file: This request submits a request to the Site1 which is “same origin” as the cors.php. The request executes just fine and the “Success” alert pops up. No I comment the above code and un-comment the following snippet: This request submits a request to Site 2 which is a different domain from the one where the cors.php file is hosted. Looking at the console windows of the developer tools (Chrome-F12) I see the following message: That is Site 2 does not permit access to its pages from any other domain. In case Site 2 wants to allow access to some content from other domains, there is an option to enable that: Access-Control-Allow-Origin header I tried the Access-Control-Allow-Origin header option by adding this header to the response from the site2processor.php file. The code for site2processor.php now looks like below: What the above code change effectively does is allow access to the page site2processor.php hosted on Site 2 from Site 1. Now the following line of code is executed from the http://localhost:8098/cors.php the success pop up is displayed implying that the request was successful