GeistHaus
N = 1

Part of eneigualauno.com

A collection of blog posts mostly about programming and the industry with a bunch of random blogs thrown in for good measure.

How to effectively generate secure passwords
satire

Have I been pwned allows you to check whether your password has ever been in a leak, as per the site:

Password reuse is extremely common and puts your accounts at risk. When credentials are exposed in data breaches, attackers can use these known email and password combinations to access your other accounts. NIST guidelines specifically recommend checking user passwords against previously breached datasets. This service provides a simple, secure way to comply with these guidelines.

So how secure is my go-to password?

password

Oh dear, but wait, I am sensible with my passwords, I forgot to capitalize my P

Password

mmm, better, I guess, maybe if I add some numbers

Password123

we’re on the right track, still not great though, what if I add some special characters?

Password_123

ok, things are going in the right direction, maybe another special character

Password-123

This is a massive improvement, if one - is good, two - must be better, right?

Password--123

This is almost secure, hang on, what if I mix and match special characters

Password_-123

Success!!! A secure password guaranteed not to be on any breach *

I wonder if it works the other way around

Password-_123

It does, I think I’ve cracked it now, best get busy changing all my passwords now.

* Terms and conditions apply

https://eneigualauno.com/satire/2026/05/10/the-most-secure-password
The duality of data: priceless and worthless at the same time
mentalmeanderings

As a thought experiment imagine that you are the only user of Google or Facebook or your supermarket’s loyalty card scheme, how much would your data be worth?

You might not say worthless, too many negative connotations, but close enough, right? And yet add a few million like you and that data is worth its weight in gold, metaphorically speaking.

https://eneigualauno.com/mental/meanderings/2026/02/03/the-duality-of-data
Using multiple accounts with az cli
azurecli

Unlike the aws cli, the az cli does not have the concept of a profile, namely you can’t do

az storage account list --profile bob

instead you are forced to do something like this

export AZURE_CONFIG_DIR=~/.tmpaccount
az login

You can add this as a function to your .bashrc file or your favourite shell’s configuration file, e.g.

function c_az_prod {
    # keep the prod login (tokens, default subscription) in its own config directory
    export AZURE_CONFIG_DIR=~/.prod
    az login
    az account set -s 40e300f1-dead-c0de-beef-d6295431e6d6
}
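As an added example (not code from the original post), the same idea generalised to any number of accounts: each alias gets its own AZURE_CONFIG_DIR, the directory is created owner-only before az login writes tokens into it, the login is only repeated when there is no cached session, and the subscription is pinned explicitly. The ~/.az-<name> layout, the prod/dev aliases and the zeroed subscription IDs are assumptions of this example.

```shell
# Added example, not the post's own code. Assumptions: config dirs live at
# ~/.az-<alias>, and the subscription IDs in the wrappers are placeholders.

# Map an account alias (e.g. prod, dev) to its dedicated config directory.
az_config_dir_for() {
    printf '%s/.az-%s\n' "$HOME" "$1"
}

# Create that directory with owner-only permissions before az login stores
# access and refresh tokens in it, then print its path.
az_prepare_config_dir() {
    local dir
    dir="$(az_config_dir_for "$1")"
    mkdir -p "$dir"
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# Switch the current shell to an account: export AZURE_CONFIG_DIR, log in only
# when there is no usable cached session, then pin the subscription so commands
# never silently run against whatever az happened to pick as the default.
c_az() {
    local name="$1" subscription="$2"
    export AZURE_CONFIG_DIR
    AZURE_CONFIG_DIR="$(az_prepare_config_dir "$name")"
    if ! az account show >/dev/null 2>&1; then
        az login
    fi
    if [ -n "$subscription" ]; then
        az account set -s "$subscription"
    fi
}

# Per-account wrappers in the spirit of the post's c_az_prod (placeholder IDs).
c_az_prod() { c_az prod "00000000-0000-0000-0000-000000000000"; }
c_az_dev()  { c_az dev  "11111111-1111-1111-1111-111111111111"; }
```

Source the file from your shell configuration and call c_az_prod or c_az_dev in a terminal; because AZURE_CONFIG_DIR is exported per shell, two terminals can stay logged in to two accounts at once without one login overwriting the other.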
https://eneigualauno.com/azure/cli/2026/02/01/az-cli-second-terminal
How to effectively use LLMs in a new domain
mentalmeanderings

One of the problems with LLMs is hallucinations, where the model confidently asserts something as true that isn’t. The problem is that if you are not a domain expert, or at least knowledgeable in the domain, you might never know that this was a hallucination.

This is a simple guide to help people address these situations, namely how to effectively use LLMs in a new domain:

  1. Become a domain expert.
  2. Use LLM to solve your problem.
  3. Confidently assess whether the LLM was talking out of its arse.

No need to thank me

https://eneigualauno.com/mental/meanderings/2025/11/22/use-llm-domain
LinkedIn Jobs: Apply First or Last
tonguecheek

If you have ever put a job ad on LinkedIn or a similar platform, you’ve probably been inundated with applications; this is certainly what happened to us recently.

One thing that struck me was the forgotten middle:

  1. I looked at a few of the first CVs that arrived.

  2. I then devised a system to sort through the literally hundreds of CVs and using that system I did a sift of CVs.

  3. Most CVs after the sift were looked at because they trickled in rather than flooded in.

So my takeaway here is:

The early bird gets the worm, the latecomer gets the glance — the middle just feeds the algorithm.

tongue off cheek now please.

https://eneigualauno.com/tongue/cheek/2025/05/17/linkedin-jobs
Don’t Fear GenAI, Fear the MBAgentsia
mentalmeanderings

I can’t help but think that GenAI is Gen-Z’s outsourcing moment, no doubt that time will prove me horribly wrong but bear with me.

In the late 90s, early 2000s outsourcing was all the rage. Why pay for expensive Western resources when you can get cheap developing country ones?

Well, to the surprise of the MBAgentsia, it turned out that the lower labour costs were not just a product of lower cost of living but also of lower productivity (the factors are many but mostly related to lower educational standards and lack of investment), which coupled with cultural differences, communication issues as well as training and rework, frequently resulted in delays and little to no savings.

If you have used GenAI to develop code, your experience is likely to be shaped by what you are trying to achieve:

If you are working on a popular framework of a popular language you are probably having a good experience, sure it does need quite a bit of back and forth but it gets you there and even if it doesn’t it helps along the way.

If on the other hand you use an obscure language or framework or even worse an obscure framework in an obscure language, GenAI is likely worse than useless to you.

Predictably, the MBAgentsia sees the former case as representative and envisions massive labor savings, just like they did with outsourcing.

And while I don’t doubt that GenAI will almost certainly transcend some or all of its current limitations, are we due another realisation that not all that glitters is gold?

https://eneigualauno.com/mental/meanderings/2025/05/15/dont-fear-genai-fear-the-ceo
Underwhelming LLMs
LLM

Some people, when confronted with a problem, think “I know, I’ll use an LLM.” Now they have two problems.

Today I was writing a relatively simple PowerShell script to alert before secrets have expired, this was my first attempt:

param(
    [Parameter(Mandatory)] [string] $configFile,      # JSON file keyed by alert name
    [Parameter(Mandatory)] [string] $TeamsWebhookUrl  # incoming webhook to post alerts to
)

# Each entry: { "<alert>": { "ExpiryDate": "yyyy-MM-dd", "Description": "...", "NoticePeriodInDays": n } }
$config = Get-Content $configFile -Raw | ConvertFrom-Json -Depth 100 -AsHashtable

$config.GetEnumerator() | ForEach-Object {

    $alert = $_.Name
    $ExpiryDate = [datetime]::ParseExact($_.Value.ExpiryDate, "yyyy-MM-dd", $null)
    $description = $_.Value.Description
    $NoticePeriodInDays = $_.Value.NoticePeriodInDays
    $daysToExpire = ($ExpiryDate - (Get-Date)).Days
    # notify once the expiry date falls inside the notice period
    $shouldNotify = (Get-Date).AddDays($NoticePeriodInDays) -gt $ExpiryDate

    if ($shouldNotify) {

        Invoke-RestMethod -Method Post -ContentType 'application/json' -Uri $TeamsWebhookUrl `
            -Body "{""text"":""$alert is expiring on $($ExpiryDate.ToString("yyyy-MM-dd")). This is $daysToExpire days away. See further details here: $description""}"

    }
    else {
        Write-Host "$alert is expiring on $($ExpiryDate.ToString("yyyy-MM-dd")). This is $daysToExpire days away."
    }
}

I then proceeded to ask various LLMs out there (Gemini, DeepSeek, OpenAI and Claude) to refactor it and write tests for it.

The refactors went well but not a single one managed to provide working tests the first time around.

I then tried feeding each LLM the refactored code it had itself generated and simply asked it to write tests for the script, and it wasn’t great:

  • DeepSeek required minor changes (dot sourcing required the script parameters) to get to 3 failures out of 14 tests.
  • ChatGPT worked out of the box but all 11 tests failed.
  • Gemini required minor changes (dot sourcing required the script parameters) to get to 16 failed tests out of 16.
  • Claude worked out of the box and got 4 failures out of 11 tests.

I didn’t engage in a deep analysis of the tests but some were a bit questionable, essentially testing basic PowerShell functionality, but hey, if you aim for 100% coverage, then

This is the way

I suppose

I can’t cease to be both amazed and immensely frustrated by these LLMs

https://eneigualauno.com/llm/2025/04/22/underwhelming-ai
Interviewing is a drunkard’s search
mentalmeanderings

The drunkard’s search principle is a type of observational bias that occurs when people only search for something where it is easiest to look and I think this is exactly what happens with interviewing.

I lead a small team of DevOps engineers and I’d say that these are the core skills for my job:

  • Team management Skills
  • Architecture (System Design) Skills
  • Coding Skills
  • Misc Tech Knowledge, e.g. cloud tech, CI/CD, etc.

Team management Skills

The, seemingly, canonical way to probe into this set of skills is by using a competency based recruitment process:

Competency-based recruitment is a process of recruitment based on the ability of candidates to produce anecdotes about their professional experience which can be used as evidence that the candidate has a given competency.

There are many problems with this type of interview, both fundamental and in execution:

  • Good story tellers shine, regardless of competence.
  • Overly reliant on previous experience, how is one meant to make the jump to a leadership position if one can’t rely on past behaviours?
  • Overly complicated scenarios to avoid prepared answers.

The main issue, however, is very similar to financial advice, namely:

Past performance is no guarantee of future results

In other words just because I told a good story about how I mended fences with a colleague for the good of the project/company, does not mean that I wouldn’t actually torch a project and then swoop in to the rescue so I get the promotion rather than the project lead.

Here’s your 🔦, no need to go back to the park, hope it helps though.

Architecture (System Design) Skills

The system design interview tends to go like this:

  1. Design an MVP.
  2. Change it to your ideal architecture.

This is to be done in 45 minutes, without access to any resources (product documentation, colleagues, dev team, etc …) and there is no room for iteration or review, how could there be? You only have 45 minutes.

If this sounds like the exact opposite of how most people go about architecting a system, well that’s because architecting a system is normally a very collaborative, iterative process that relies on research, proof of concept work and those pesky users and their awkward requirements as well as all the other non-functional requirements that you don’t need to think about because: we’re on the cloud, man.

I think we are going to need a bigger torch.

Coding Skills

If you thought that the system design interview was really unrepresentative of how the actual process works, imagine that the output needed to be written down on vellum and you’re not far off what the whiteboard interview is.

We’re not talking torches anymore, we’re talking football stadium lighting here.

There are other relatively common approaches, e.g. pair coding or live coding, which generally answer the question:

Can you solve an arbitrary problem under an undeterminable (for the interviewer) amount of pressure in a short amount of time, generally without access to the tools you are normally used to?

I know what you are thinking:

This is why we do a take home test

I love these and think that, followed by a walkthrough in an interview, they can provide a lot of useful information. The main problem with them is the time they take to complete, which might mean losing out on candidates who really can’t dedicate another 4 hours to yet another take-home test.

Misc Tech Knowledge

Surprisingly enough, trivia questions are seemingly still in vogue, e.g. what’s the output of kubectl get nodes or what’s the difference between ADD and COPY in a Dockerfile?

Defenders of this type of question tend to argue that they are good proxies for experience in the area in question. I think this is generally not the case, given that a lot of certifications test for this sort of knowledge. Furthermore, theoretical knowledge is relatively easy to acquire but there is no guarantee that the candidate will apply it.

In fairness, the questions around these areas tend to generally be more about experience and scenario based than outright trivia questions, which to me seems fairly sensible. Sure they might be harder to evaluate than trivia questions with, almost always, a right answer but I think they provide a better guide as to the competency of the candidate.

We might be on to something here.

It gets worse

Do they write good PR descriptions? Do they place value in writing documentation? Is the candidate a gold plater? Do they validate their approach before proceeding with a complex or time consuming feature? Do they take PR feedback personally?

A list of intangibles, for want of a better word, like this could go on forever, everybody will have their own list no doubt, and these are nigh on impossible to accurately gauge in an interview and no, competency based interviews are not going to help here, for reasons previously explained.

https://eneigualauno.com/mental/meanderings/2025/03/23/interviewing-a-drunkards-search
Azure SQL Databases User Management scripts
azuresql

Every so often I have a need to add an Entra ID user directly to an Azure SQL database, which involves a hunt on Google.

These commands create the user from the external provider and also give them read-only access to the database.

CREATE USER [bob.thebuilder@bobsville.co.uk] FROM EXTERNAL PROVIDER;
EXEC sp_addrolemember 'db_datareader', N'bob.thebuilder@bobsville.co.uk';

Additionally, sometimes I need to look at which roles are assigned to which users:

SELECT DP1.name AS DatabaseRoleName,
    ISNULL(DP2.name, 'No members') AS DatabaseUserName
FROM sys.database_role_members AS DRM
RIGHT OUTER JOIN sys.database_principals AS DP1
    ON DRM.role_principal_id = DP1.principal_id
LEFT OUTER JOIN sys.database_principals AS DP2
    ON DRM.member_principal_id = DP2.principal_id
WHERE DP1.type = 'R'
ORDER BY DP1.name;
https://eneigualauno.com/azure/sql/2025/03/22/azure-sql-user-management
Are civil servants only 2/3 as efficient as private sector employees?
mentalmeanderings

When I worked on the DWP account we once had a meeting with the chap that led the account, where he proceeded to tell us that the profit margin wasn’t great and needed to improve to match our competitors. What was the profit margin? 13%.

Except that it wasn’t actually 13%, it was 34% but because corporate took 21%, we arrived at our measly 13%, far lower than the 16% averaged by our competitors. I’m not sure of the actual size of the contract but we’re probably talking ~ £1 Billion per year, so a 3% difference is ~ £30m.

A simplistic way to look at this is that, in order for the contract to benefit the taxpayer, the DWP would have to be ~ 1/3 less efficient than EDS/HP (contract holder at the time), except that this would mean losing a lot of in-house knowledge and thus the efficiency difference would probably need to be higher (40%? 50%?) to account for that loss.

Another way of looking at this is that it would require 3-4 DWP FTE to do the work of 2 EDS/HP FTE (under the dubious assumption of similar cost per FTE) depending on how we value the in-house knowledge.

I have worked for the Civil Service recently, not the DWP mind, and I’m now back in the private sector and I find it hard to believe that it ever made sense.

I know what you are thinking:

  • A lot (most?) of civil servants get away with doing nothing.
  • It’s Senior civil servants that are the problem, in other words, management.
  • It’s the politicians.

Having worked in companies ranging from 12 to 300000+ employees, the first point is mostly a big company problem. Is it worse in the civil service? I think so, but mostly because of length of service.

As for the last two points, well, the current model seems to prefer to embed contractors into the teams, so the problems remain. The model where the outsourcer runs the contract was found wanting, which is why this newish model has been adopted.

In fact, my estimates about the efficiency gains needed by a contractor to benefit the taxpayer are way off given the currently preferred model, namely contractors tend to be embedded while costing 2 or 3 times more than a civil servant, but hey, it’s not like the civil service can afford to pay techies decent salaries; much cheaper to pay the Methods, Madetech or Kainos of this world 2 to 3 times as much per person as a civil servant.

https://eneigualauno.com/mental/meanderings/2025/02/16/big-org-inefficiencies