Michael T. DeWitt, https://michaeldewitt.com

This Post Is 70% Nostalgia, 30% Dial-Up Rage, and 0% Interested in Your App
https://michaeldewitt.com/2026/02/06/this-post-is-70-nostalgia-30-dial-up-rage-and-0-interested-in-your-app/
Fri, 06 Feb 2026 06:53:16 +0000

Growing up in the 90s and early 2000s, tech was a foundational part of my childhood.

I remember discovering proxy services in ’98 and using them to circumvent the school library’s web filters. I got suspended for a week. Ahh, the good ol’ days.

I spent more time on a computer than I can remember. Getting my license at 16, I remember buying a pack of 100 CD-Rs and using them to make mix CDs for my car and for my friends. Then, in what seems like the blink of an eye, CDs changed to MP3s. (Thankfully, my AIWA head unit could read MP3s right from a CD, which meant 30 – 50 songs instead of 12 – 18.)

Then came my first cellular phone. It was a Sanyo with a green backlight. It looked like a smaller version of the ‘Zack Morris’ phone from Saved By the Bell. My first phone bill was over $300! That’s when the term ‘nights and weekend minutes’ was coined. I just didn’t know about it yet….

Don’t get me started on Dial-up! I would be right in the middle of downloading an MP3 – 30 minutes into it with another 20 to go, and someone would pick up the phone! AAGH! I’m not sure what I hated more – that happening, or my parents signing up for ‘call waiting’! In case you don’t know what that is, it was a feature on landlines in the 90’s where if you were on the phone talking to someone, and someone else called you, instead of them getting a busy tone, you would hear a set of beeps on your end, letting you know someone was calling you. Wreaked havoc on a dial-up connection.

That was also the golden era of gaming. The first PlayStation was released, which was the first console to use CDs to load games. I remember Final Fantasy 7 had 3 or 4 discs because they integrated a bunch of video cut scenes. And it was amazing! Especially coming from a Super Nintendo and Sega Genesis.

The cellphone I mentioned earlier, I bought from a brick and mortar store. Not no Amazon. I went into Radio Shack! At that time, Radio Shack and Circuit City were better than amusement parks for me and my friends! Oh how I wish Radio Shack was still around. I’m only able to continue in life because I found a Micro Center near where I live several years ago. Every time I go in, I hear angels singing, and no matter how down I might have felt walking in, all that goes away and I always leave feeling better than ever.

Why am I reminiscing? Some could argue that today, we have all that, and so much more! And that would be true. In the early 2000s, tech began a decades-long consolidation. Almost everything we used before became a function of a single device. Objectively, this was an improvement—old VCR interfaces were awful, early MP3 players were clunky, GPS lacked real-time traffic data, and nothing talked to each other. And yet, through that consolidation, something intangible was taken from us.

Our devices lost their unique personalities. Phones became our alarm clocks, flashlights, calendars, watches, cameras, GPS units, music players, radios, journals, and gaming devices—all at once. We betrayed our focus in the pursuit of convenience, and the personality of our devices for homogeneity.

This convergence created winner-take-all (and two-player) markets. Console gaming became PlayStation or Nintendo. Phones became Android or iOS. Computers became Mac or Windows. PC gaming became synonymous with Steam. Everything else became a feature inside one of those platforms, with globally synchronized updates making our experiences increasingly uniform, and bland.

For a long time, that felt inevitable. But it’s only become clear in retrospect that somewhere in the early 2020s, things started to change.

New paradigms are emerging for the first time since mobile. VR is no longer experimental. Early AR is starting to reach consumers. Meta shipped a wearable that normal people actually use, thanks to a clever Ray-Ban partnership (and associated equity stake). 3D printers have become real household products. Wearables are diversifying—smart rings, over-the-counter glucose monitors, connected beds.

Meanwhile, Apple’s aggressive push for services revenue has alienated developers and users alike, creating space for alternatives. And nostalgia has revealed itself as massive, underserved economic demand.

Thinking back to my youth, I was totally and completely absorbed in Star Trek: TNG. If you’re a techie nerd like me, you know what I’m talking about. (And if you’re in IT and don’t like Star Trek, just leave. NOW.) Do you remember when the crew would go to the holodeck and re-enact times from what then would seem centuries ago? Picard loved the Dixon Hill holo-novels. There’s a joy in seeing Captain Jean-Luc Picard, a serious man who enjoys Shakespeare, delight in pulpy detective fiction. Or do you remember the episode entitled ‘A Fistful of Datas’ where Worf was having trouble bonding with his son Alexander? Hoping to bond like Klingon warriors, Worf participates in a Wild West hologram program at Alexander’s request. Due to a freak accident, the outlaws and residents of the Wild West town all look and sound suspiciously like Data.

And there are so many more episodes that, should I list them all, especially across the entire franchise, my fingers might actually break from all the typing! But I remember back then, being 10 years old, thinking ‘Why are they so interested in the past? I would rather use the holodeck for something more futuristic’. And yet here we are. Gen-Z is buying single-purpose iPods and wired headphones. Pokémon cards are trendy. My friends and I are amassing N64 game collections again. There is a revived appetite for film cameras and Polaroids. Companies are recreating old hardware in modern form—ModRetro’s upcoming FPGA-based M64 plays native N64 cartridges, following their successful Game Boy recreation. They’re now working to bring a “next-gen” CRT monitor to market. The Playdate proved there’s still room for third-party handhelds with their own unique philosophies. Even Nintendo couldn’t resist capitalizing with the re-release of their classic consoles.

Tech is starting to resemble the wristwatch market: collaborations, limited editions, exclusivity. A market with many players—emerging companies, niche studios, design-forward brands, and even failing companies—is healthier than one dominated by a few giants. Apple’s push toward services has been financially successful but culturally damaging. Users are looking elsewhere. It was imperceptible at first, but that sentiment is spreading. In fact, just recently, a Timex ad went viral: “Know the time without seeing you have 1,249 unanswered emails.” People are gravitating toward rigid, single-purpose experiences that let them fully disengage!

Barriers to entry are lower than they’ve been in decades. Software can be deployed in minutes. Hardware is still hard, but 3D printing has revolutionized prototyping and accessible manufacturing services have drastically lowered the cost and time to market. Even the consolidation on the USB-C standard has played a role, allowing switching devices without investing in a new ecosystem.

Now, in 2026, the one thing I have wanted, that I have longed for since I was a child, is no longer something that exists only in imagination or on the USS Enterprise. Artificial Intelligence is here. THIS is why I am so excited to live in 2026! The many episodes where Geordi or Data was working with the computer to build some high-tech solution to stave off the Enterprise’s imminent demise: that is how I have been using AI.

The classic season 3 episode ‘Booby Trap’ has Geordi racing against time to prevent an ancient booby trap from killing the Enterprise crew. The trap involves energy converters which drain power from the Enterprise and feed it back to the ship as lethal radiation bursts. Geordi calls up a hologram of Leah Brahms, a propulsion designer for the Enterprise, and the two work out a solution to escape the trap. That’s how I use, and plan to continue to use, AI. Not as something to do all the work for me; that’s no fun, and I wouldn’t learn much. But as a tool to complement myself. Something to bounce ideas off of. Something to use for calculations that would take me days, weeks, or longer to complete, that it would finish in a fraction of that time.

Because of AI, there is now a blurring of the line between a Systems Administrator and a Software Engineer. Have a problem that would cost more money to solve than it’s worth? Build the solution myself! Find an amazing GitHub project that runs on Windows but isn’t native to Linux? I’ll port it over and refactor the code myself! The possibilities are endless!

If you read my post and made it here, I want to say thank you. This was more of a rant than something productive, but it felt really good to write (especially the walk down memory lane!). When my daughter asks not for a USB thumb drive, but instead for a pack of Polaroid instant film for her camera, I am going to gladly buy it for her. And when my other daughter asks me for a new music album, not on iTunes, but on vinyl, you can bet your smartphone we’ll be in the car and on our way to Walmart faster than you can say Onomatopoeia! And when my son brings his deck of Pokémon cards to me to show what he put together, then asks for money to buy the one last card needed to complete his deck, I will gladly pretend to know what he’s talking about while sending him money via Cash App.

What Is a Full‑Stack Engineer? (Not Just a Full‑Stack Software Developer)
https://michaeldewitt.com/2025/12/30/what-is-a-full-stack-engineer/
Tue, 30 Dec 2025 17:35:12 +0000

In today’s tech world, job titles evolve fast. One term you’re probably hearing a lot lately is Full‑Stack Engineer. On the surface, it sounds similar to “full‑stack developer,” but in many IT teams today, companies mean something a bit more strategic when they use “engineer.” Let’s unpack what this term really means, why it matters, and how it differs from a traditional full‑stack software developer role.


Understanding the Basics: Full‑Stack Roles in Tech

Before we differentiate, we need the foundation:

Full‑stack development refers to working on both the front end (the part users interact with) and the back end (the logic, databases, and server tech behind the scenes). (Wikipedia)

Traditionally, someone who does this is called a full‑stack developer — a professional skilled at building entire applications from user interface to server logic.

But in modern tech teams, not all “full‑stack” roles are equal.


So What Is a Full‑Stack Engineer?

A Full‑Stack Engineer is a role that includes what full‑stack developers do — but goes a step further.

✔ They understand and work with front‑end and back‑end systems.
✔ They build, test, and deploy software across the full technology stack.
✔ But more importantly, they think in terms of engineering systems — not just writing code. (Forage)

In practice, this means a Full‑Stack Engineer may also:

  • Architect how different parts of an application fit together
  • Design scalable systems that work reliably under load
  • Integrate cloud deployment, DevOps processes, and automation
  • Consider long‑term maintainability, security, and performance
  • Work with infrastructure (servers, pipelines, observability) alongside code

This engineering mindset focuses on how a software system works as a whole, not just on building features. (LinkedIn)


Engineer vs. Developer: What’s the Difference?

Many people still use the terms interchangeably, and in some companies, a “full‑stack engineer” is simply another name for a full‑stack developer.

However, when teams do make a distinction, it usually looks like this:

Full‑Stack Developer

  • Focuses on writing code for front‑end and back‑end components
  • Builds user features and applications
  • Works to make things function and look good

Full‑Stack Engineer

  • Advocates for scalable architecture and systems thinking
  • Designs how components integrate and perform
  • Handles deployment processes, testing automation, and reliability engineering
  • Thinks in terms of systems and engineering principles
  • Often works on CI/CD, cloud infrastructure, and long‑term tech strategy

In short: developers build products; engineers build systems that sustain products.


Why This Distinction Matters

1. Modern Tech Requires More Than Code

In many startups and enterprise teams, building software isn’t just about coding features. It’s also about deploying, scaling, securing, and maintaining systems. Full‑Stack Engineers are expected to bridge the gap between software and infrastructure.

2. Career Growth & Strategy

Full‑Stack Engineers often take on leadership or architectural responsibilities earlier than developers because their role spans broader technical concerns.

3. Hiring Expectations

Companies hiring for “Full‑Stack Engineers” often expect candidates to:

  • Demonstrate deep architectural understanding
  • Work with cloud services and DevOps tools
  • Implement automated testing and deployment pipelines
  • Think about performance, scalability, and long‑term maintainability

All of this goes beyond traditional full‑stack developer duties.


Real‑World Example

Imagine a team launching a new web app:

  • A Full‑Stack Developer builds the frontend UI and the backend logic so users can sign up, log in, and use features.
  • A Full‑Stack Engineer does the same plus:
    • Chooses the best cloud setup for reliability
    • Designs how the backend will scale with user growth
    • Implements automated testing and deployment so updates are seamless
    • Plans for logging, monitoring, and performance optimization

Both write code, but the engineer’s view is system‑wide, not just feature‑wide.


What Skills Do Full‑Stack Engineers Typically Have?

Because the role is broader, a Full‑Stack Engineer’s skill set often includes:

  • Front‑end frameworks (React, Angular, Vue)
  • Back‑end services (Node.js, Python, Java, etc.)
  • Databases and APIs
  • Cloud platforms (AWS, Azure, GCP)
  • DevOps tools (CI/CD, containers, automation)
  • System architecture and scaling principles
  • Monitoring and observability frameworks

That’s a wider slice of the tech landscape than many traditional full‑stack developers handle day‑to‑day.


Wrap‑Up: Why the Title Matters

In today’s competitive IT landscape, job titles can tell you a lot about expectations:

  • Full‑Stack Developer focuses on building full applications
  • Full‑Stack Engineer focuses on building systems and scalable solutions

Think of the engineer as someone who combines the hands‑on coding skills of the developer with the architectural perspective of a systems thinker.

Whether you’re hiring, interviewing, or choosing your career path, understanding this distinction helps you know what skills and responsibilities you’re talking about — and what companies are really looking for in 2025 and beyond.

The *real* reason techies can’t find jobs: An Analysis of Strategic Job Concealment in the U.S. PERM Labor Certification Program
https://michaeldewitt.com/2025/10/03/an-analysis-of-strategic-job-concealment-in-the-u-s-perm-labor-certification-program/
Fri, 03 Oct 2025 01:17:41 +0000

Acknowledgement: If you’ve read other posts on my site, you probably know me as someone who leans into sarcasm and humor. That tone is intentional, but today I want to set it aside. This post comes from a very different place. The hours I’ve poured into searching, reading, and chasing endless trails of information have left me with a deeper sense of responsibility. What I’ve uncovered isn’t just frustrating—it’s unacceptable. My only hope in sharing this is that it reaches the right people, those who can help bring about real change and make the job market fairer and stronger for all Americans.

Executive Summary

This report provides a comprehensive analysis of the systemic practice by some U.S. corporations of strategically concealing job openings to facilitate the Program Electronic Review Management (PERM) labor certification process, a critical step for obtaining employment-based permanent residency for foreign national employees. The central finding is that a significant pattern of deliberate job concealment exists, driven by a confluence of regulatory loopholes and powerful corporate incentives to retain pre-selected foreign workers. This practice, while often technically compliant with outdated Department of Labor (DOL) regulations, has been found to be in direct violation of the anti-discrimination provisions of the Immigration and Nationality Act (INA).
The investigation reveals that the PERM system’s reliance on an employer “attestation” model, combined with antiquated recruitment requirements, has created an environment ripe for manipulation. Corporations have developed a playbook of tactics—including requiring mail-in applications, advertising in obscure channels, and bypassing standard corporate career portals—designed to deter U.S. worker applications while creating a facade of a good-faith labor market test.
Landmark enforcement actions by the Department of Justice (DOJ) against Meta Platforms, Inc. (formerly Facebook) and Apple Inc. serve as pivotal case studies, providing incontrovertible proof of these practices. The substantial financial penalties, totaling nearly $40 million across both settlements, and the mandated, sweeping reforms to their recruitment processes signal a paradigm shift in federal enforcement. The DOJ is now successfully prosecuting this behavior as a form of citizenship-status discrimination, raising the legal and financial risks for all companies employing similar strategies.
Concurrently, the rise of public watchdog groups, most notably Jobs.now, has disrupted the information asymmetry upon which these concealment strategies depend. By aggregating and publicizing PERM-related job postings, these groups are exposing the hidden labor market to U.S. workers, prompting aggressive, and ultimately self-defeating, corporate pushback.

While the strategy of hiding jobs is now failing under the combined pressure of federal enforcement and public scrutiny, the underlying systemic vulnerabilities remain. This report concludes that meaningful policy reform is necessary to align the PERM process with its original statutory intent. Recommendations include modernizing recruitment regulations, enhancing DOL oversight, and potentially restructuring the timeline of the labor market test to eliminate the inherent conflict of interest that currently pervades the system. Such reforms are essential to protect U.S. workers and restore the integrity of the nation’s high-skilled immigration framework.

I. The PERM Labor Certification Process: A Regulatory Framework Under Strain

The phenomenon of deliberately concealed job openings is not a random corporate anomaly but a direct consequence of the structural design and inherent vulnerabilities of the U.S. permanent labor certification system. To understand why and how companies obscure these roles, it is essential to first deconstruct the legal architecture of the Program Electronic Review Management (PERM) process, its statutory purpose, and the critical weaknesses that have been systematically exploited.

A. The Statutory Mandate: Protecting the U.S. Labor Market

The PERM process, administered by the Department of Labor (DOL), is the foundational first step for most employment-based paths to lawful permanent residency, commonly known as a “green card”.1 Its statutory purpose is unambiguous: to protect the domestic labor market. The core principle, embedded in the Immigration and Nationality Act (INA), is to ensure that the hiring of a foreign worker on a permanent basis does not adversely affect the wages or working conditions of similarly employed U.S. workers.2
To fulfill this mandate, an employer sponsoring a foreign worker must first “test the labor market.” This involves conducting a prescribed recruitment process to prove to the DOL that there are no “able, willing, qualified, and available” U.S. workers to fill the position.4 Only after the Secretary of Labor certifies this lack of suitable domestic candidates can the employer proceed with the immigration petition on behalf of the foreign national.2 The entire framework is predicated on the idea that foreign workers are hired to fill genuine gaps in the domestic labor force, not to displace it.

B. The “Labor Market Test”: Prescribed Recruitment vs. Practical Reality

The regulations at 20 C.F.R. § 656.17 outline the specific, mandatory recruitment steps an employer must undertake to satisfy the labor market test. This process must be conducted within the 30 to 180 days preceding the filing of the PERM application.6 The requirements are highly prescriptive and include:

  1. State Workforce Agency (SWA) Posting: The job order must be placed with the relevant SWA for a minimum of 30 calendar days.1
  2. Newspaper Advertisements: The employer must place an advertisement on two different Sundays in a newspaper of general circulation in the area of intended employment. This requirement is a notable anachronism in an era where professional recruitment has migrated almost entirely online.1
  3. Internal Posting Notice: A notice of the job opening must be posted at the physical worksite to inform current employees of the opportunity.8
  4. Additional Recruitment Steps: For professional occupations, which constitute the vast majority of PERM applications, the employer must select and conduct three additional recruitment activities from a menu of ten options. These options include participating in job fairs, advertising on the employer’s website, using a job search website other than the employer’s, or placing ads on radio or television stations.1

While these steps appear comprehensive on paper, their practical application reveals a significant disconnect from modern, effective recruitment strategies. A company seeking to genuinely attract the best talent for a high-skilled role, such as a software engineer, would primarily leverage its corporate career portal, major online job boards like LinkedIn, and professional networks—channels that are not all strictly mandated by the PERM regulations. This discrepancy between regulated procedure and real-world practice creates the first major vulnerability in the system, allowing companies to follow the letter of the law while entirely subverting its intent.

C. Systemic Vulnerabilities: The Attestation Model and Limited Oversight

The most critical structural flaw of the PERM program is its design as an “attestation-based” system. When an employer files a PERM application (Form ETA-9089), it attests, under penalty of perjury, that it has completed all required recruitment steps and has been unable to find a qualified U.S. worker. However, the employer is not required to submit the supporting documentation—such as copies of advertisements, resumes received, or interview notes—at the time of filing.9
This model creates a system that is, in the words of the DOL’s own Office of the Inspector General (OIG), “highly susceptible to fraud”.9 The OIG has found that the PERM program “relentlessly has employers not complying with the qualifying criteria”.9 The lack of upfront documentary evidence means that the initial review by a DOL analyst is often a check for procedural completeness rather than a substantive evaluation of the recruitment’s good faith.
The weakness of this model is starkly illustrated by the OIG’s statistical analysis of audit outcomes. When the DOL does select an application for an audit, it is essentially a request for the supporting documentation that was not required upfront. The results of this increased scrutiny are dramatic: the OIG found that the denial rate for PERM applications subjected to an audit was 21%, compared to a denial rate of just 3% for applications that were reviewed without the submission of supporting documentation.9 This sevenfold increase in denials upon documentary review provides powerful evidence that a significant number of employers are attesting to compliance that they cannot subsequently prove.

This regulatory design establishes the core conflict of interest that drives the entire phenomenon of job concealment. A company that has already employed a foreign national for several years on a temporary visa, such as an H-1B, has a strong business interest in retaining that proven, integrated employee. The PERM process, however, forces that company to conduct a recruitment campaign designed to find a U.S. worker to replace them. Faced with this conflict, and operating within a system of limited initial oversight, the path of least resistance for the employer is to design a recruitment process that is procedurally compliant on its face but practically engineered to fail. The system’s architecture does not merely allow for this behavior; it actively incentivizes it.

II. Corporate Strategies for Obscuring PERM-Related Job Openings

The incentive to conduct a perfunctory labor market test has given rise to a coherent and deliberate playbook of tactics designed to obscure PERM-related job openings from qualified U.S. workers. These strategies are not signs of incompetence or laziness in recruitment; rather, they represent a systematic inversion of the principles of effective talent acquisition. By deviating sharply from their own standard, highly effective hiring practices for this specific category of jobs, companies reveal the intentional nature of the concealment.

A. The Playbook: A Systematic Inversion of Effective Recruitment

Evidence from Department of Justice investigations, media reports, and online forums for tech workers reveals a consistent set of methods used to create a facade of compliance while actively deterring applications.7 These tactics include:

  • Requiring Mail-In Applications: In an era of one-click online applications, forcing candidates to submit a physical resume via postal mail is a significant deterrent. The DOJ described this practice as “absurd” in its actions against both Meta and Apple, noting that it “nearly always resulted in zero or very few mailed applications”.2 This archaic requirement creates a substantial barrier to entry, filtering out all but the most determined or unsuspecting applicants.
  • Obscure Advertising Channels: While technically compliant with DOL rules, placing advertisements for senior software engineering roles in the print classifieds of a local newspaper is a tactic designed for invisibility. Companies have been documented using these print ads, as well as placing notices on esoteric websites or even on the radio, channels that are highly unlikely to be monitored by qualified professionals in major technology hubs.7
  • Bypassing Standard Corporate Channels: Perhaps the most telling tactic is the failure to post PERM positions on the company’s own public-facing career website. For major corporations, this portal is the primary, authoritative source for all legitimate job openings. The deliberate omission of PERM roles from this central channel, as documented in the Apple case, is a clear signal that these are not standard opportunities.4 In some cases, companies post these jobs to separate, unlinked job boards to further obscure them from view.7
  • Using Non-Standard Contact Points: Legitimate job postings typically direct applicants to a standardized applicant tracking system or a corporate recruiting email address. PERM-related ads, however, often direct applicants to unusual points of contact that signal the role’s true purpose. For example, online learning platform Udemy instructed applicants to send resumes to “Immigration@Udemy.com,” while OpenAI directed them to an individual on the “global mobility team”.11 These designations effectively warn savvy applicants that the posting is part of an immigration process, not a genuine search for a new hire.
  • Crafting Hyper-Specific or Unrealistic Job Requirements: Another common strategy is to tailor the job description to perfectly match the unique combination of skills and experience of the incumbent foreign national employee. This can include listing requirements for niche, proprietary software or an unusual combination of foreign languages and technical skills, effectively ensuring that only the pre-selected candidate is “qualified”.7 This is often paired with unusually low salary ranges to further discourage interest.7

The systematic nature of these deviations from normal, effective recruitment is best illustrated through a direct comparison, as detailed in Table 2.1.

Table 2.1: Standard Corporate Practice (for non-PERM roles) vs. Documented PERM-Specific Practice

Application Method
  • Standard corporate practice: Online application via integrated Applicant Tracking System (ATS), often with one-click apply features.
  • Documented PERM-specific practice: Requirement for physical, mail-in applications.

Advertising Channels
  • Standard corporate practice: Company’s main career website, major job boards (e.g., LinkedIn, Indeed), professional networks, targeted digital ads.
  • Documented PERM-specific practice: Local/rural print newspapers, obscure websites, radio ads; deliberate omission from main company career site.

Point of Contact
  • Standard corporate practice: Centralized recruiting department email or direct application into ATS.
  • Documented PERM-specific practice: Non-standard email addresses (e.g., “Immigration@…”), “Global Mobility” teams, or legal departments.

ATS Integration
  • Standard corporate practice: All applicants are entered into a searchable database, allowing recruiters to source them for other open roles.
  • Documented PERM-specific practice: Applicants are often not entered into the main ATS, preventing them from being considered for other positions.

Job Description
  • Standard corporate practice: Written to attract a broad pool of qualified candidates, focusing on key skills and experience.
  • Documented PERM-specific practice: Hyper-specific requirements tailored to the incumbent’s unique background; may include artificially low salary ranges.

This side-by-side comparison makes it clear that the practices employed for PERM positions are not accidental but are part of a calculated strategy. Large technology companies possess some of the most sophisticated and well-resourced human resources departments in the world, yet for this specific class of job postings, they revert to methods that are decades out of date. This stark contrast between their standard operating procedure and their PERM-specific procedure eliminates the possibility of incompetence and points directly to a strategy of “malicious compliance.” The companies fulfill the letter of the outdated DOL regulations (e.g., placing a newspaper ad) while actively violating the spirit of the law and the overarching anti-discrimination provisions of the INA. The intent is not to recruit, but to generate a paper trail that documents a failed recruitment effort.

III. Case Studies in Enforcement: The Department of Justice vs. Big Tech

The most compelling evidence that strategic job concealment is a real and unlawful practice comes from a series of landmark enforcement actions undertaken by the U.S. Department of Justice. The multi-million-dollar settlements with Apple Inc. and Meta Platforms, Inc. have transformed the issue from anecdotal complaint to a federally prosecuted pattern of discrimination. These cases serve as irrefutable proof of the tactics employed and establish a new precedent for corporate liability.

A. The Apple Settlement: A $25 Million Precedent

In November 2023, the DOJ announced a landmark settlement with Apple Inc. to resolve an investigation that began in 2019 into the company’s PERM-related recruitment practices.13 The settlement is the largest ever recovered by the DOJ under the anti-discrimination provision of the Immigration and Nationality Act.4

  • Allegations: The DOJ’s investigation concluded that Apple engaged in a pattern or practice of discrimination based on citizenship status.15 The core of the government’s case rested on the stark differences between how Apple recruited for standard positions versus PERM-related positions. The key findings were:
      1. Apple failed to advertise PERM positions on its external, public-facing career website, the primary channel it used to solicit thousands of applications for other roles.13
      2. Apple required all applicants for PERM positions to submit physical, paper applications by mail, a practice the DOJ deemed a significant and unlawful barrier designed to deter applicants.4 The DOJ found that these less effective recruitment methods “nearly always resulted in Apple receiving few or no applications to PERM positions from applicants whose permission to work does not expire”.4
  • Settlement Terms: To resolve these allegations, Apple agreed to pay a total of $25 million. This sum was divided into $6.75 million in civil penalties to the U.S. Treasury and the establishment of an $18.25 million back pay fund to compensate eligible victims of the discriminatory practices.14
  • Mandated Reforms: Beyond the monetary penalties, the settlement imposed significant, forward-looking changes to Apple’s recruitment processes. Apple is now required to ensure its recruitment for PERM positions “more closely matches its standard recruitment practices”.14 This includes mandating that Apple:
      • Post all PERM-related positions on its external and internal job websites.
      • Accept electronic applications for all PERM-related positions.
      • Ensure applicants for PERM roles are entered into its standard applicant tracking system, making them searchable for other roles.
      • Cease requiring mail-in applications.15
    The company is also subject to DOJ monitoring for a period of three years to ensure compliance.16

B. The Meta (Facebook) Settlements: A Two-Pronged Federal Action

Two years prior to the Apple case, the DOJ and the DOL concluded separate but related settlements with Meta Platforms, Inc. (then Facebook) over similar PERM-related practices. This earlier action set the stage for the DOJ’s heightened scrutiny of the tech industry.

  • DOJ Allegations: In December 2020, the DOJ filed a lawsuit against Facebook, alleging that the company “routinely refused to recruit, consider, or hire U.S. workers” for thousands of positions it had reserved for temporary visa holders undergoing the PERM process.2 The allegations mirrored those later leveled against Apple, with the DOJ specifically citing that Facebook:
      1. Used recruitment methods designed to deter U.S. workers, such as requiring applications to be submitted by mail only.2
      2. Refused to consider U.S. workers who did manage to apply for the positions.20
    The DOJ asserted that these practices constituted intentional discrimination against U.S. workers based on their citizenship status, in violation of the INA.2
  • DOL Audit Findings: Concurrent with the DOJ’s investigation, the Department of Labor’s Office of Foreign Labor Certification (OFLC) conducted its own audits of Facebook’s pending PERM applications. These audits identified “potential regulatory recruitment violations,” leading to a separate settlement focused on compliance with the DOL’s specific advertising and posting rules.2
  • Settlement Terms: The combined federal actions resulted in significant penalties and reforms. Under its settlement with the DOJ, Facebook agreed to pay a $4.75 million civil penalty and establish a fund of up to $9.5 million to compensate eligible victims.2 At the time, this was the largest fine and monetary award ever recovered by the DOJ’s Immigrant and Employee Rights Section (IER).2
  • Mandated Reforms: The settlements required Facebook to fundamentally change its PERM recruitment. The company agreed to conduct more expansive advertising and recruitment, accept electronic applications for all PERM jobs through its standard career website, and ensure that these applicants were entered into its regular recruiting systems.20 The DOL settlement also subjected Facebook to ongoing audits to ensure future compliance.21

The consistency across these two landmark cases is striking and demonstrates a clear federal enforcement strategy, as summarized in Table 3.1.

| Settlement Component | Apple Inc. (2023) | Meta Platforms, Inc. (2021) |
| --- | --- | --- |
| DOJ Investigation Period | Jan 2018 – Dec 2019 | Jan 2018 – Sep 2019 |
| Key Allegations | Failure to post PERM jobs on external website; requiring mail-in applications; citizenship status discrimination. | Reserving jobs for visa holders; requiring mail-in applications; refusing to consider U.S. workers; citizenship status discrimination. |
| Civil Penalty | $6.75 million | $4.75 million |
| Back Pay Fund | $18.25 million | Up to $9.5 million |
| Mandated Recruitment Changes | Must post PERM jobs on public career site; must accept electronic applications; must integrate with standard ATS. | Must conduct more expansive recruitment; must accept electronic applications; must align PERM process with standard practices. |
| Ongoing Monitoring | 3 years of DOJ monitoring. | Ongoing DOL audits. |

These enforcement actions represent a critical paradigm shift. Historically, PERM compliance was viewed primarily as a procedural matter within the purview of the Department of Labor. Employers focused on checking the boxes of the DOL’s regulations. However, the DOJ’s successful application of the Immigration and Nationality Act has fundamentally altered the legal landscape. The core legal argument is no longer about whether an employer placed a newspaper ad, but whether the employer’s recruitment process, when viewed as a whole, was discriminatory in its intent and effect. This moves the standard from a simple procedural checklist to a substantive test of good faith. The implication for all employers is that their “PERM-only” recruitment tactics, even if they arguably meet the minimal requirements of DOL regulations, are now highly vulnerable to federal prosecution as a form of unlawful discrimination.17

IV. The Rise of Public Scrutiny: Citizen Watchdogs and Corporate Pushback

While federal enforcement has been a critical driver in exposing discriminatory PERM practices, the “failing” aspect of the concealment strategy is also attributable to the efforts of non-governmental actors. A “cottage industry” of tech workers and activists has emerged to counteract corporate opacity, leveraging technology to bring these hidden job markets into the light.10 The corporate reaction to this newfound transparency provides some of the most compelling evidence that the concealment strategies were both deliberate and effective until exposed.

A. Exposing the Hidden Market: The Role of Jobs.now

At the forefront of this citizen-led effort is a group and website known as Jobs.now. This platform was created by individuals within the tech community who were frustrated by the difficulty of finding work while knowing that major companies were simultaneously claiming a lack of qualified U.S. talent to justify their PERM applications.11 The stated mission of Jobs.now is to combat what its founders see as unfair practices that disadvantage American workers during a time of economic uncertainty.10
The operational model of Jobs.now is simple yet disruptive. It systematically scours the obscure channels that companies use purely for compliance—such as local newspaper classifieds, state workforce agency websites, and esoteric online boards—and aggregates these PERM-related job postings into a single, centralized, and easily searchable database.7 Since its launch, the group claims to have posted thousands of such jobs from major companies like Meta and Stripe.10
By doing so, Jobs.now directly attacks the principle of “security through obscurity” on which the corporate concealment strategy relies. The strategy is only effective if the information about the job opening remains fragmented and difficult for the target audience of qualified professionals to find. By centralizing this information, Jobs.now corrects the information asymmetry, allowing any interested U.S. worker to find and apply for these roles. This action can directly disrupt a company’s PERM application, as the process can be halted if a sufficient number of qualified U.S. workers apply for the position.12

B. Case Study in Corporate Reaction: Instacart’s Cease-and-Desist

The effectiveness of this public scrutiny is best demonstrated by the aggressive corporate response it has provoked. In September, the grocery delivery company Instacart took the notable step of sending a formal cease-and-desist letter to Jobs.now.10
In the letter, Instacart’s lawyers made the extraordinary claim that the “unfettered sharing of its job openings constitutes ‘a misappropriation and violation of the rights of Instacart.'” The company demanded that Jobs.now “suspend” its website and even claimed that the “damages” it incurred from the resulting “influx of applicants” entitled it to monetary compensation. Jobs.now characterized the letter as an “intimidation tactic” designed to “silence free speech promoting job openings to American citizens” and temporarily complied with the demand to remove Instacart’s listings while it explored its legal options.10
Instacart’s legal maneuver is a powerful, albeit inadvertent, admission of the efficacy of Jobs.now’s mission. A company would not expend significant legal resources to suppress the dissemination of publicly available information unless that dissemination posed a material threat to a core business process. In this context, the “damage” caused by an “influx of applicants” is precisely the intended outcome of a legitimate labor market test. Instacart’s reaction reveals that its PERM recruitment process was not designed to handle, or even welcome, a genuine applicant pool.

The company’s claim that it was harmed by receiving too many applications for its open positions confirms that the exposure provided by Jobs.now was successfully disrupting its ability to certify to the Department of Labor that no qualified U.S. workers were available. This aggressive pushback validates the entire premise of the watchdog’s mission and serves as the strongest possible evidence that the concealment of PERM jobs is a deliberate strategy, one that fails the moment it is exposed to public light.

V. Contextualizing the Phenomenon: “Hidden Jobs,” “Ghost Jobs,” and Legitimate Hiring

To conduct a truly expert analysis, it is crucial to differentiate the specific, unlawful practice of PERM-related job concealment from other, broader labor market phenomena that are often conflated with it. The terms “ghost jobs” and the “hidden job market” describe distinct concepts with different motivations and legal implications. A nuanced understanding of these differences is essential for accurately diagnosing the problem and formulating effective policy solutions.

A. “Ghost Jobs”: A Different Phantom

The term “ghost job” or “phantom job” refers to a job posting for a position that is either not real or for which the company has no immediate intention of hiring.23 While frustrating for job seekers, the motivations behind posting ghost jobs are distinct from those driving PERM concealment. Common reasons include:

  • Building Talent Pipelines: Companies may post “evergreen” requisitions for common roles to continuously collect resumes, creating a pipeline of potential candidates they can tap when a real vacancy arises. This reduces future time-to-hire.24
  • Market Research: A ghost job posting can be a low-cost way to gauge the talent pool for a potential future role, gathering data on available skills, experience levels, and salary expectations without committing to a hire.24
  • Projecting an Image of Growth: A steady stream of job postings can make a company appear to be expanding and successful, which can be beneficial for attracting investors, clients, and future talent, or for pacifying overworked current employees with the impression that help is on the way.24
  • Internal Requirements: In some cases, a job is posted publicly to satisfy an internal policy requiring an external search, even when an internal candidate is already slated for the role.25

The critical distinction is this: a ghost job typically has no pre-selected candidate and often no actual, currently available job. The posting itself is a tool for data collection or branding. In contrast, a concealed PERM posting is for a very real job that is already filled by a specific, pre-selected individual (the temporary visa holder). The posting is not a tool for recruitment but a piece of regulatory fiction created to fulfill a legal requirement.

B. The “Hidden Job Market”: Legitimate Unadvertised Openings

The concept of the “hidden job market” refers to the large number of genuine job openings that are never publicly advertised. Unlike PERM concealment or ghost jobs, this practice is driven by legitimate, rational, and often highly efficient business strategies. Employers have several valid reasons for not publicizing every opening:

  • Prioritizing Internal Hiring: Many companies prefer to promote from within. Hiring an internal candidate is significantly faster, cheaper, and less risky than hiring an external one. Internal hires are already familiar with the company culture, require less onboarding, and have a proven track record.29 Data shows that internal hires have higher performance and retention rates, while external hires may command 18-20% higher salaries and are 61% more likely to be terminated.30
  • Maintaining Confidentiality: A public job posting can reveal sensitive corporate strategy. A company may be developing a new product line, expanding into a new market, or planning a reorganization that it does not want to signal to competitors. Similarly, if a position is being backfilled for an underperforming employee who has not yet been terminated, discretion is paramount.29
  • Leveraging Employee Referrals: Employee referrals are consistently ranked as one of the highest-quality sources of new hires. Companies often incentivize employees to refer candidates from their networks, and they may exhaust this high-quality channel before incurring the cost and effort of a public search.29
  • Avoiding Application Overload: For well-known companies, a single public job posting can attract hundreds or even thousands of applications, the vast majority of which may be from unqualified candidates. Sifting through this volume places an immense burden on human resources departments, making a more targeted, non-public search a more efficient option.33 This is particularly true for high-level executive positions, which are rarely advertised publicly.29

These practices constitute a legitimate “hidden” market, accessible primarily through networking, internal mobility, and relationships with recruiting agencies.33 This stands in stark contrast to PERM concealment, which involves the public posting of a job with the deliberate intent of it not being found or applied for by qualified candidates.

The legality and ethics of any particular hiring practice ultimately hinge on the employer’s intent. While the outcome for an external job seeker might appear similar in all three scenarios—unawareness of an opportunity or a wasted application—the underlying purpose is what separates legitimate business strategy from unlawful discrimination. Promoting an internal candidate is an act of efficient talent management. Posting a ghost job to mine resumes is an ethically questionable but primarily market-driven practice. Creating a PERM-related job posting with built-in barriers to application, however, has the specific and unlawful intent to discriminate against a protected class (U.S. workers) to secure an immigration benefit for a non-protected individual. This fundamental difference in intent is why PERM concealment has attracted the scrutiny of the Department of Justice and requires a distinct and targeted set of policy solutions.

VI. Statistical Landscape of the PERM Program

To fully grasp the scale and impact of the issues within the PERM program, it is essential to ground the analysis in quantitative data. Official statistics from the Department of Labor provide a clear picture of the program’s volume and, more importantly, its concentration within specific sectors of the U.S. economy. This data reveals that the PERM process is not a broad-based immigration tool but a highly specialized pipeline, primarily serving the technology industry’s goal of converting its temporary foreign workforce into permanent residents.

A. Application Volume and Processing

The PERM program operates at a significant scale. In the first quarter of Fiscal Year 2023 (October to December 2022) alone, the DOL received 40,826 applications. During that same period, it processed over 26,000 applications, certifying 22,858, denying 1,670, and marking 1,557 as withdrawn. As of the end of that quarter, the backlog of pending applications stood at a massive 120,555.35 This high volume underscores the importance of the program’s integrity, as any systemic flaws affect tens of thousands of positions annually.

B. Who Uses PERM? Key Industries, Occupations, and Locations

The DOL’s data on certified applications reveals a striking concentration in the technology sector. The top occupations, industries, and states of employment all point to the tech economy as the program’s dominant user.
As shown in Table 6.1, the top five occupations for which PERM applications were certified are all in computer science and data analysis. “Software Developers, Applications” and “Software Developers, Systems Software” alone accounted for nearly 35% of all certifications in Q1 FY2023. When combined with IT Project Managers and Computer Systems Analysts, the figure rises to over 50%.35
This occupational focus is mirrored in the industry data. The “Professional, Scientific, & Technical Services” sector, which encompasses many tech and consulting firms, was responsible for 36.5% of all certifications. This was more than double the next largest industry, Manufacturing. Geographically, the program’s use is concentrated in states with major tech hubs: California led with 20.3% of certifications, followed by Texas, New York, and Washington.35

| Rank | Occupation/Industry | Number of Certifications | Percentage of Total |
| --- | --- | --- | --- |
| | Top 5 Occupations | | |
| 1 | Software Developers, Applications | 5,138 | 22.5% |
| 2 | Software Developers, Systems Software | 2,833 | 12.4% |
| 3 | Information Tech. Project Managers | 2,306 | 10.1% |
| 4 | Computer Systems Analysts | 1,357 | 5.9% |
| 5 | Statisticians | 843 | 3.7% |
| | Top 5 Industries | | |
| 1 | Professional, Scientific, & Technical Services | 8,343 | 36.5% |
| 2 | Manufacturing | 3,597 | 15.7% |
| 3 | Retail Trade | 2,374 | 10.4% |
| 4 | Information | 1,975 | 8.6% |
| 5 | Finance & Insurance | 1,620 | 7.1% |

(Source: U.S. Department of Labor, PERM Selected Statistics, FY 2023 Q1) 35

C. Who Benefits? Visa Status and Country of Origin

The data also clarifies for whom companies are using the PERM process. It is overwhelmingly a mechanism for retaining employees who are already working for the company in the U.S. on temporary visas. In Q1 FY2023, 66.8% of all certified PERM applications were for individuals on H-1B visas, the primary temporary visa for high-skilled specialty occupations.35
The national origins of the beneficiaries are also highly concentrated. Workers from India accounted for 56.6% of all certifications, more than all other countries combined. Workers from China were a distant second at 9.5%.35

This statistical landscape leads to a crucial conclusion: the PERM program, in practice, functions as a high-volume pipeline for the U.S. technology industry to convert its existing H-1B workforce, largely from India and China, into permanent residents. It is not primarily a tool for recruiting new talent from abroad but rather the final and most critical step in a long-term talent retention strategy. This heavy concentration means that the integrity of the PERM system is not a marginal issue affecting a diffuse set of employers and workers. Instead, any dysfunction, abuse, or perceived unfairness within the program has outsized economic and political implications, directly impacting the competitiveness of a cornerstone of the U.S. economy and fueling contentious debates over domestic STEM workforce development, global talent acquisition, and the fairness of the immigration system itself.

VII. Analysis and Recommendations for Policy Reform

The evidence presented throughout this report—from the structural flaws in the PERM regulations to the documented patterns of unlawful corporate behavior and the ensuing federal enforcement actions—paints a clear picture of a system in conflict with its purpose. The gap between the statutory intent of the PERM process to protect U.S. workers and its practical application by some of the nation’s largest employers is significant and undeniable. To restore the integrity of the high-skilled immigration framework, targeted policy reforms are essential.

A. Synthesis of Findings: A System in Conflict with its Purpose

The core problem is an inherent conflict of interest embedded within the PERM process. The system requires an employer, who has already invested years in training and integrating a valued foreign national employee on a temporary visa, to conduct a good-faith search for a U.S. worker to replace that individual. This is a fundamentally irrational business expectation.
This conflict is exacerbated by a flawed regulatory framework that relies on employer attestation and mandates outdated recruitment methods. This combination has incentivized a strategy of “malicious compliance,” where companies fulfill the procedural letter of the law while engineering the recruitment process to fail in practice. The landmark DOJ settlements with Apple and Meta provide definitive proof that this is not a theoretical concern but a documented pattern of unlawful discrimination based on citizenship status. The rise of public watchdog groups has further exposed these practices, demonstrating that the strategy of concealment is only viable as long as it remains hidden. The system, as currently designed, encourages behavior that is directly contrary to its stated mission.

B. Pathways to Reform: Modernizing and Enforcing the Law

Addressing these systemic issues requires a multi-pronged approach that modernizes outdated rules, removes the central conflict of interest, and enhances enforcement. Based on the analysis of the system’s failures and the remedies imposed in successful enforcement actions, the following reforms are recommended:

  1. Modernize Recruitment Requirements: The Department of Labor must overhaul the regulations at 20 C.F.R. § 656.17 to reflect the realities of the 21st-century job market. The mandate for print newspaper advertisements, a relic of a bygone era, should be eliminated. In its place, the regulations should require practices that align with a genuine, good-faith recruitment effort. Drawing directly from the terms of the Apple and Meta settlements, new rules should mandate that all PERM-related positions be:
      • Posted on the employer’s primary, public-facing career website for a minimum duration.
      • Advertised on at least one leading national third-party job board relevant to the profession.
      • Able to accept electronic applications through the company’s standard Applicant Tracking System (ATS).15
    These changes would make it significantly harder for employers to obscure job openings and would align the PERM process with their own standard, effective recruitment practices.
  2. Shift the Labor Market Test Timeline: A more fundamental reform would be to address the core conflict of interest by changing when the labor market test is performed. As suggested in the foundational opinion piece, policymakers should consider requiring companies to conduct and certify a search for qualified U.S. workers before they are permitted to hire a foreign national on a temporary work visa, such as an H-1B.10 At this initial stage, the company has not yet invested in a specific foreign worker and has a more genuine incentive to hire a U.S. worker if one is available. Performing the test years later, at the green card stage, almost guarantees a perfunctory effort. This shift would align the timing of the test with the moment of true market need, drastically reducing the incentive to “game” the system.
  3. Enhance DOL Auditing and DOJ Enforcement: The attestation-based model has proven insufficient. The DOL should significantly increase the rate of random, comprehensive audits to verify the documentation and good faith of recruitment efforts. The stark difference in denial rates between audited and non-audited cases demonstrates that the threat of an audit is a powerful compliance tool.9 Concurrently, the Department of Justice must continue its robust enforcement of the INA’s anti-discrimination provisions. The success of the Apple and Meta cases has established a powerful legal precedent that recruitment practices must be substantively non-discriminatory, not just procedurally compliant. Continued high-profile enforcement will serve as a potent deterrent to other employers.

C. Concluding Thoughts: Restoring Trust in the High-Skilled Immigration System

The strategic concealment of job openings within the PERM process undermines the foundational principles of U.S. immigration and labor law. It harms U.S. workers by denying them a fair opportunity to compete for high-skilled jobs, and it damages the long-term integrity of the immigration system itself. A system that is widely perceived as being “gamed” by powerful corporations erodes public trust and makes it more difficult to have a rational, evidence-based debate about the economic benefits of high-skilled immigration.
Implementing the proposed reforms—modernizing recruitment rules, shifting the test timeline, and bolstering enforcement—is essential not only to protect the domestic labor market but also to ensure that the U.S. remains a premier destination for global talent by operating a system that is transparent, fair, and legitimate. Restoring the integrity of the PERM process is a critical step toward building a high-skilled immigration framework that serves the best interests of the American economy and its workers.

Works cited

  1. PERM Processing Times Explained: What to Expect in 2025 – DocketWise, accessed October 2, 2025, https://www.docketwise.com/blog/perm-processing-time/
  2. Office of Public Affairs | Justice, Labor Departments Reach …, accessed October 2, 2025, https://www.justice.gov/archives/opa/pr/justice-labor-departments-reach-settlements-facebook-resolving-claims-discrimination-against
  3. The H-1B Visa Program and Its Impact on the U.S. Economy …, accessed October 2, 2025, https://www.americanimmigrationcouncil.org/fact-sheet/h1b-visa-program-fact-sheet/
  4. Apple to pay $25 MM to settle claims it discriminated against U.S. workers, accessed October 2, 2025, https://www.constangy.com/newsroom-newsletters-1259
  5. Chapter 6 – Permanent Labor Certification – USCIS, accessed October 2, 2025, https://www.uscis.gov/policy-manual/volume-6-part-e-chapter-6
  6. PERM Labor Certification — maylawgroup, accessed October 2, 2025, https://www.maylawgroup.com/perm-labor-certification
  7. Jobs.now exposes PERM jobs that are hidden on purpose from US …, accessed October 2, 2025, https://www.reddit.com/r/cscareerquestions/comments/1n1a44s/jobsnow_exposes_perm_jobs_that_are_hidden_on/
  8. “Ghost” Job Postings | Congress.gov | Library of Congress, accessed October 2, 2025, https://www.congress.gov/crs-product/IF12977
  9. overview of vulnerabilities and challenges in foreign … – DOL-OIG, accessed October 2, 2025, https://www.oig.dol.gov/public/reports/oa/2021/06-21-001-03-321.pdf
  10. Corporations are trying, and now failing, to hide job openings from …, accessed October 2, 2025, https://thehill.com/opinion/finance/5498346-corporate-america-has-been-trying-to-hide-job-openings-now-it-is-failing/
  11. Tech companies accused of bending H-1B rules with … – Newsweek, accessed October 2, 2025, https://www.newsweek.com/h1b-job-ads-green-cards-targeted-immigrant-workers-2113714
  12. There is no requirement to demonstrate that you cannot find an …, accessed October 2, 2025, https://news.ycombinator.com/item?id=44880832
  13. Department of Justice and Apple Reach $25 Million Landmark …, accessed October 2, 2025, https://www.foley.com/insights/publications/2023/11/doj-apple-25m-agreement/
  14. www.justice.gov, accessed October 2, 2025, https://www.justice.gov/archives/opa/pr/justice-department-secures-25-million-landmark-agreement-apple-resolve-employment#:~:text=Pursuant%20to%20the%20%2425%20million,matches%20its%20standard%20recruitment%20practices.
  15. Apple Enters into Settlement Agreement with DOJ Based on Alleged Improprieties in its PERM Recruitment Process | Tafapolsky & Smith LLP, accessed October 2, 2025, https://tandslaw.com/apple-enters-into-settlement-agreement-with-doj-based-on-alleged-improprieties-in-its-perm-recruitment-process/
  16. Office of Public Affairs | Justice Department Secures $25 Million …, accessed October 2, 2025, https://www.justice.gov/archives/opa/pr/justice-department-secures-25-million-landmark-agreement-apple-resolve-employment
Automate My Workflow: Streamline Your YouTube Shorts Factory with n8n https://michaeldewitt.com/2025/08/22/pimp-my-workflow-trick-out-your-youtube-shorts-factory-with-n8n/ https://michaeldewitt.com/2025/08/22/pimp-my-workflow-trick-out-your-youtube-shorts-factory-with-n8n/#comments Fri, 22 Aug 2025 21:54:23 +0000 https://michaeldewitt.com/?p=1108

Introduction

Content creators and tech teams alike are stuck in a loop.

You either spend hundreds on tools like Synthesia or Pictory or waste time manually creating video content. But what if there was a smarter way?

If you’re in IT, DevOps, software, or AI—this guide is for you. We’ll show you how to build your own automated video system using n8n, Ollama, Edge-TTS, ComfyUI, and MoviePy. No subscriptions. Full control. All open source.

By the end of this guide, you’ll have a working YouTube Shorts engine that generates, edits, and uploads content while you sleep.


What is a YouTube Shorts Factory (and Why Build One Yourself)?

A YouTube Shorts factory is an automated pipeline that takes a topic, generates a script, creates visuals and audio, stitches everything into a short video, and uploads it to YouTube.

Most people pay $200+ a month for this. You’re going to do it for free with tools like:

  • n8n – Automates everything.
  • Ollama + Llama 3 – Generates scripts using local AI.
  • Edge-TTS – Converts text to natural voiceovers.
  • ComfyUI – Generates images from prompts.
  • MoviePy – Creates video files.
  • YouTube Node in n8n – Uploads your Shorts.

If you’re in tech, learning to connect open-source tools like these will sharpen your automation skills, improve your productivity, and give you complete control.


How to Build Your Own YouTube Shorts Factory

Step 1: Set Up Your Custom n8n Instance

This is your automation brain.

  1. Create a folder and add two files:
    • docker-compose.yml
    • Dockerfile

docker-compose.yml

version: '3.8'
services:
  n8n:
    build: .
    restart: always
    ports:
      - "5678:5678"
    environment:
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=admin
      - N8N_BASIC_AUTH_PASSWORD=changeme123
      - GENERIC_TIMEZONE=America/New_York
    volumes:
      - ./n8n_data:/home/node/.n8n
    extra_hosts:
      - "host.docker.internal:host-gateway"

Dockerfile

FROM n8nio/n8n:latest

USER root
# The official n8n image is Alpine-based, so packages come from apk rather than apt-get.
RUN apk add --no-cache python3 ffmpeg ca-certificates
# Keep the Python tools in their own virtualenv (clear of Alpine's system Python) and put it
# on PATH so the Execute Command nodes below find python3 and edge-tts. The Step 6 script uses
# the MoviePy 1.x API (moviepy.editor, set_duration, fadein), and that release needs Pillow < 10
# for its resize effect, so pin both.
RUN python3 -m venv /opt/venv \
 && /opt/venv/bin/pip install --no-cache-dir edge-tts "moviepy<2" "pillow<10"
ENV PATH="/opt/venv/bin:$PATH"
USER node
  2. In the terminal, run:
docker-compose up -d
  3. Open http://localhost:5678 in your browser and log in with:
    • Username: admin
    • Password: changeme123

Now your automation engine is live.


Step 2: Build the Workflow in n8n

Your workflow will look like this:

[Trigger] → [Ollama Script] → [Edge-TTS Voice]
                   ↓
     [ComfyUI Generate Image] → [MoviePy Assemble]
                                   ↓
                            [YouTube Upload]

Step 3: Generate the Script with Ollama

  1. Install Ollama locally:
curl -fsSL https://ollama.ai/install.sh | sh
ollama pull llama3
  2. Add an HTTP Request node in n8n.

Set it to:

  • POST to http://host.docker.internal:11434/api/generate
  • Add a header: Content-Type: application/json
  • Use this body:
{
  "model": "llama3",
  "prompt": "Write an engaging 30-second YouTube Shorts script about {{ $json.topic }}. Hook the viewer, surprise them, and end with a strong CTA. 75-100 words.",
  "stream": false
}

Now Ollama generates engaging, unique scripts for every video topic you feed it.


Step 4: Convert Script to Voice with Edge-TTS

  1. Add an Execute Command node.
  2. Use this command (writes text to file to avoid quote issues):
printf "%s" {{ $json.response.toString().jsonEscape() }} > /home/node/.n8n/script_{{ $runIndex }}.txt \
&& edge-tts --voice "en-US-AriaNeural" --text-file "/home/node/.n8n/script_{{ $runIndex }}.txt" \
--write-media "/home/node/.n8n/audio_{{ $runIndex }}.mp3"

Edge-TTS gives you realistic voiceovers in over 100 languages. Everything is saved to your shared folder.
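The one-liner above works around quoting problems, but it still pastes model output into a shell string. As an added example that is not from the original post, here is a hypothetical tts_safe.py that takes the same text base64-wrapped (base64Encode() is assumed to be n8n's string function), so the shell only ever sees [A-Za-z0-9+/=], and then launches edge-tts with an argument list rather than a shell command; the file name and the run-index check are my assumptions.

```python
"""tts_safe.py (hypothetical name): voice the Ollama script without a shell in the loop.

Execute Command node, assuming n8n's base64Encode() string function:
    python3 /home/node/.n8n/tts_safe.py {{ $runIndex }} {{ $json.response.base64Encode() }}
Base64 output is only [A-Za-z0-9+/=], so the shell never sees a quote, backtick or $( ).
"""
import base64
import re
import subprocess
import sys
from pathlib import Path

DATA_DIR = Path("/home/node/.n8n")       # the volume mounted in the Step 1 compose file
VOICE = "en-US-AriaNeural"               # same voice the post uses
_RUN_INDEX = re.compile(r"[0-9]{1,6}")   # a bare integer is the only accepted form


def validate_run_index(value: str) -> str:
    """Accept a short integer only, so the index can never steer the output path elsewhere."""
    if not _RUN_INDEX.fullmatch(value):
        raise ValueError(f"bad run index: {value!r}")
    return value


def encode_script(text: str) -> str:
    """What the n8n expression produces; kept here so the script can be tested without n8n."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_script(b64_text: str) -> str:
    """Undo the base64 wrapping; validate=True rejects anything outside the base64 alphabet."""
    return base64.b64decode(b64_text, validate=True).decode("utf-8")


def script_paths(run_index: str, data_dir=DATA_DIR):
    """(text file, mp3 file) for this run, mirroring the names the post uses."""
    idx = validate_run_index(run_index)
    base = Path(data_dir)
    return base / f"script_{idx}.txt", base / f"audio_{idx}.mp3"


def build_edge_tts_argv(text_file: Path, audio_file: Path, voice: str = VOICE) -> list:
    """Argument list for edge-tts. Each element reaches the process verbatim: no word splitting, no $( )."""
    return ["edge-tts", "--voice", voice,
            "--text-file", str(text_file), "--write-media", str(audio_file)]


def synthesize(b64_script: str, run_index: str, data_dir=DATA_DIR, run=subprocess.run) -> Path:
    """Write the decoded script next to the other run files and voice it; returns the mp3 path."""
    text_file, audio_file = script_paths(run_index, data_dir)
    text_file.parent.mkdir(parents=True, exist_ok=True)
    text_file.write_text(decode_script(b64_script), encoding="utf-8")
    run(build_edge_tts_argv(text_file, audio_file), check=True)   # deliberately no shell=True
    return audio_file


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: tts_safe.py <run_index> <base64_script>")
    print(synthesize(sys.argv[2], sys.argv[1]))
```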


Step 5: Generate Images with ComfyUI

  1. Clone and install ComfyUI:
git clone https://github.com/comfyanonymous/ComfyUI.git
cd ComfyUI
pip install -r requirements.txt
  2. Download your chosen model (e.g., SDXL Base) with a Hugging Face token if needed:
cd models/checkpoints
huggingface-cli download stabilityai/stable-diffusion-xl-base-1.0 --include "*.safetensors"
  3. Configure ComfyUI to save images into your n8n shared folder by editing extra_model_paths.yaml:
comfyui:
  base_path: ./ 
  output_directory: ../n8n_data/ComfyUI_Output
  4. Start ComfyUI:
python main.py --listen --port 8188
  5. In n8n, use a sequence of nodes:
    • HTTP POST to /prompt with a workflow JSON (passing your text prompt in)
    • HTTP GET to /history/<prompt_id>, using the prompt_id returned by the POST, to retrieve the filename

Prompt example:

{{ $node['HTTP Request'].json.response }}, cinematic lighting, high quality, 4k

This ensures you get the actual filename when the image is ready.
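The same submit-then-poll exchange as a small Python client, added here as an example that is not code from the post; it could run from an Execute Command node in place of the two HTTP Request nodes. It assumes the HTTP API ComfyUI serves with the command above (POST /prompt answers with a prompt_id, GET /history/<prompt_id> stays empty until the job finishes) and a workflow JSON in which the node holding the prompt text is known by id; node "6" and the sample history are constructed.

```python
"""Added ComfyUI client for Step 5: submit the workflow, poll history, return the saved filename.

Assumes the API ComfyUI exposes with `python main.py --listen --port 8188`:
POST /prompt takes {"prompt": <workflow>, "client_id": ...} and answers with a
prompt_id; GET /history/<prompt_id> returns {} until the job finishes, then the
outputs keyed by node id. Node "6" and SAMPLE_HISTORY below are constructed.
"""
import copy
import json
import time
import urllib.request
import uuid

COMFY_URL = "http://host.docker.internal:8188"    # host ComfyUI, reachable thanks to extra_hosts
OUTPUT_DIR = "/home/node/.n8n/ComfyUI_Output"     # where extra_model_paths.yaml sends images
STYLE_SUFFIX = ", cinematic lighting, high quality, 4k"   # the post's prompt suffix


def build_prompt_body(workflow: dict, text_node_id: str, text: str, client_id: str) -> dict:
    """Copy the workflow template, drop the generated text into its prompt node, wrap for /prompt."""
    wf = copy.deepcopy(workflow)                  # leave the template untouched for the next run
    wf[text_node_id]["inputs"]["text"] = text + STYLE_SUFFIX
    return {"prompt": wf, "client_id": client_id}


def extract_output_filenames(history: dict, prompt_id: str) -> list:
    """Filenames of saved images in a /history/<prompt_id> reply; [] while the job is still queued."""
    entry = history.get(prompt_id)
    if not entry:
        return []
    names = []
    for node_output in entry.get("outputs", {}).values():
        for image in node_output.get("images", []):
            if image.get("type") != "output":     # previews/temp images are not what we assemble
                continue
            sub = image.get("subfolder", "")
            names.append(f"{sub}/{image['filename']}" if sub else image["filename"])
    return names


def output_path(filename: str) -> str:
    """Absolute path the MoviePy step should receive for that filename."""
    return f"{OUTPUT_DIR}/{filename}"


def _call(method: str, path: str, body=None) -> dict:
    """One JSON round trip to ComfyUI with the Content-Type header set."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(COMFY_URL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def generate_image(workflow: dict, text_node_id: str, text: str,
                   poll_seconds: float = 2.0, timeout: float = 300.0) -> str:
    """Queue the prompt and block until ComfyUI reports a saved image; returns its path."""
    client_id = str(uuid.uuid4())
    queued = _call("POST", "/prompt", build_prompt_body(workflow, text_node_id, text, client_id))
    prompt_id = queued["prompt_id"]
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        names = extract_output_filenames(_call("GET", f"/history/{prompt_id}"), prompt_id)
        if names:
            return output_path(names[0])
        time.sleep(poll_seconds)
    raise TimeoutError(f"ComfyUI did not finish prompt {prompt_id} within {timeout}s")


# Constructed sample of what /history/<prompt_id> returns once a SaveImage node has run.
SAMPLE_HISTORY = {
    "p1": {
        "outputs": {
            "9": {"images": [{"filename": "ComfyUI_00001_.png", "subfolder": "", "type": "output"}]},
            "12": {"images": [{"filename": "ComfyUI_temp_00001_.png", "subfolder": "", "type": "temp"}]},
        },
        "status": {"status_str": "success", "completed": True},
    }
}

if __name__ == "__main__":
    print(extract_output_filenames(SAMPLE_HISTORY, "p1"))   # ['ComfyUI_00001_.png']
```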


Step 6: Assemble the Video with MoviePy

  1. Save this script as ./n8n_data/create_video.py on your host:
# Requires MoviePy 1.x (moviepy.editor and the set_*/fade* methods were removed in 2.0)
# and Pillow < 10, which the 1.x resize effect depends on.
import argparse
from moviepy.editor import AudioFileClip, ColorClip, CompositeVideoClip, ImageClip

def make_even(x):
    """libx264 with yuv420p output needs even frame dimensions."""
    x = int(x)
    return x if x % 2 == 0 else x - 1

parser = argparse.ArgumentParser(description="Turn one image plus one audio track into a 9:16 Short")
parser.add_argument('--image', required=True)
parser.add_argument('--audio', required=True)
parser.add_argument('--output', default='shorts_video.mp4')
args = parser.parse_args()

# The voiceover decides how long the clip runs.
audio = AudioFileClip(args.audio)
img = ImageClip(args.image).set_duration(audio.duration)

# Scale the image to full Shorts height; the width follows the source aspect ratio.
target_w, target_h = 1080, 1920
img = img.resize(height=target_h)

# Center the image on a black 1080x1920 canvas so narrow or wide images still fill a 9:16 frame.
bg = ColorClip(size=(target_w, target_h), color=(0, 0, 0)).set_duration(audio.duration)
x = (target_w - img.w) // 2
y = (target_h - img.h) // 2

final = CompositeVideoClip([bg, img.set_position((x, y))]).set_audio(audio).fadein(0.5).fadeout(0.5)

# Guard against odd dimensions, which the encoder rejects.
final_w, final_h = make_even(final.w), make_even(final.h)
if (final.w, final.h) != (final_w, final_h):
    final = final.resize(newsize=(final_w, final_h))

final.write_videofile(args.output, fps=30, codec='libx264', audio_codec='aac', verbose=False)
  2. In n8n, use an Execute Command node:
python3 /home/node/.n8n/create_video.py \
--image "/home/node/.n8n/ComfyUI_Output/{{ $node['Retrieve Generated Image'].json.filename }}" \
--audio "/home/node/.n8n/audio_{{ $runIndex }}.mp3" \
--output "/home/node/.n8n/final_video_{{ $runIndex }}.mp4"

This gives you a complete short video—synced audio, proper 9:16 framing, and polished formatting.


Step 7: Upload to YouTube Automatically

  1. Add a YouTube Node in n8n.
  2. Connect your account with OAuth.
  3. Use these config values:
  • Operation: Upload
  • Title: {{ $json.topic }} - Mind-Blowing Facts!
  • Description: {{ $node['HTTP Request'].json.response }} 🔔 Subscribe for more! #Shorts #{{ $json.topic }}
  • Tags: {{ ['shorts', $json.topic, 'facts'] }}
  • Category: 22
  • Privacy: public
  • Video File Path: /home/node/.n8n/final_video_{{ $runIndex }}.mp4

Now your video uploads automatically.


Tips and Reminders for Building This System

  • Use host.docker.internal + extra_hosts for Linux containers to access host services like Ollama.
  • Ollama and ComfyUI run locally; Edge-TTS sends the text to Microsoft's online voice service, so it needs internet access.
  • The N8N_BASIC_AUTH_* variables in the compose file were removed in n8n 1.0; on a current image the first visit to the UI creates an owner account instead. Set a strong password there, and bind port 5678 to 127.0.0.1 (or put n8n behind a reverse proxy) rather than exposing the editor to the whole network.
  • Add a Google Sheet or database for automated topic scheduling.
  • Use Whisper AI to auto-generate subtitles if needed.
  • Always test with safe sample topics before scaling up.

Closing Thoughts

You’ve just built an entire automated content system that others pay hundreds for—without paying a dime.

It’s fully customizable, scalable, and entirely yours. Whether you’re creating tech content, educational Shorts, or AI-powered storytelling—this workflow can handle it all.

Just imagine how much money I could save your company……. with my automation skills.

Bridging the Skills Gap… Because Participation Trophies Don’t Write Code https://michaeldewitt.com/2025/08/12/bridging-the-skills-gap-because-participation-trophies-dont-write-code/ https://michaeldewitt.com/2025/08/12/bridging-the-skills-gap-because-participation-trophies-dont-write-code/#comments Tue, 12 Aug 2025 00:16:35 +0000 https://michaeldewitt.com/?p=1078

Introduction — Back When Geekdom Was a Calling

I was born in ’83. Grew up in the ’80s and ’90s. Fell in love with Star Trek: The Next Generation when it first aired. I remember sitting at my 486 playing Interplay’s Star Trek: 25th Anniversary on CD-ROM and deciding, right then and there, what I was going to do with my life — I would be a technologist.

When I entered the workforce right after college, there were still a few Trekkies out there. Still a few nerds in IT who had put in their time behind beige towers, tinkering with IRQ settings until things finally worked. I used to brag, “Age of the geek, baby!”

Today? It feels like the room has changed. Too many people got into tech because they thought it was an express lane to getting rich quick. And when that’s your motivation, you rarely develop the grit, curiosity, and stubbornness that real troubleshooting demands.

This post is my take on:

  • Why the skill gap feels sharper today.

  • How those of us forged in the DOS trenches see the difference.

  • What leaders can do to rebuild that problem-solving culture.

Interplay's Star Trek 25th Anniversary

The Skill Gap We’re Talking About

The Reddit thread that kicked this off was full of stories any sysadmin would nod along to. One stood out:

“It’s so frustrating… for the ones who are just floating with no drive. You spend time explaining the solution and then the following week they escalate the same issue claiming they don’t know how to do it. Documentation goes unread.”

It’s not that everyone coming in is like this. The good ones still exist — and they’re easy to spot.

“The good ones ask how to do it, not just pass it up the chain. The best thing is when they ask at a later date for clarification on a point of the config… or come back with good tech answers as they want to go deeper.”

That’s the difference: one group’s just moving tickets, the other’s growing into technologists.

Back in My Day…

“People coming in today will never know the struggle… These experiences shaped us. I was there, Frodo… when I had to schedule online time because if my mom picked up the phone I’d get disconnected. We literally had to structure our lives around such inconveniences and problems, which gave us incredible problem-solving skills for technology.”

If you never had to craft a custom boot disk just to get X-Wing vs Tie Fighter running on a 486, you missed a rite of passage. Same with Duke Nukem 3D in MS-DOS — hours spent brute-forcing reinstallations, toggling IRQs, and flipping settings just to get sound and video working. And for what? Grainy, pixelated glory.

Ever deleted your Autoexec.bat file or your config.sys file in DOS while trying to get the CD-ROM to be recognized by the OS? 

You know what I’m talking about…
DEVICE=C:\DOS\CDROM.SYS /D:MSCD001


X-Wing vs Tie Fighter
Duke Nukem 3D

It sounds like a cliché “back in my day” rant, but here’s the thing — those inconveniences were the training ground. We didn’t just like tech. We lived it. Every install, every crash, every strange error was a puzzle to solve.

Two Archetypes in New Hires

I see two main personality types in IT newcomers:

1. The Checklist Follower

  • Great at following a standard procedure.

  • Lost when something deviates from the script.

  • Documentation is optional — until they escalate the same issue again.

2. The Creative Thinker

  • Wants to know the “why” behind the “how.”

  • Experiments, even if it means breaking something in a lab.

  • Comes back weeks later with new, deeper questions.

It’s not about age — I’ve met 22-year-olds who think like seasoned engineers, and mid-career hires who never progress past the basics. The difference is mindset and motivation.

Why the Gap Exists

Education Without Friction
Curriculums produce users of tools, not builders or debuggers of them.

The Death of the Home Lab
We had no choice — if you wanted to learn, you tore apart your own machine. Today, free tiers and instant deploys are great… but they rob you of the messy learning.

Boring Onboarding
Keeping juniors in repetitive, risk-free tasks doesn’t teach problem solving.

The “Tech is Cool” Crowd
There’s a difference between “I like tech” and “I’m obsessed with tech.” The former is a preference. The latter is a calling.

The Cost of Getting It Wrong

When outages hit or systems fail in ways the manual doesn’t cover, checklist followers freeze. They escalate. They wait. And those minutes cost money, customers, and credibility.

Creative thinkers? They get scrappy. They dig. They try something — anything — before they give up. That difference is the survival skill of IT.

Closing the Gap: What Works

1. Make Learning Part of the Job

Give paid hours for self-education. Fund homelabs. Provide Udemy, CBT Nuggets, or Hack The Box subscriptions. My favorite boss, Jarrett A. made sure I had resources at my disposal for furthering my knowledge and education. It made a difference for me.

2. Teach Automation Early

Require scripting for routine work. Even small PowerShell or Python projects force logical thinking.

3. Reward Curiosity Publicly

Praise those who come back with deeper questions. They’re the ones thinking.

4. Pair Juniors with Veterans

Let them shadow not just tasks, but thinking. The war stories about dial-up and floppy installs aren’t just fun — they teach persistence.

5. Keep “Below Me” Tasks in Rotation

Fixing printers, updating docs, resetting passwords — those teach humility and discipline.

A Sample Junior Dev Program

Time Frame   | Activity
-------------|---------------------------------------------------------------
Week 1       | Small scripting project.
Weeks 2–4    | Guided learning modules on architecture and troubleshooting.
Month 2      | Self-directed improvement project.
Quarterly    | Performance review focused on process as much as results.

Final Thoughts — Carry the Geek Banner Forward

I’ll always have a soft spot for the people who built boot disks, wrestled with IRQ settings, and timed their downloads around the family phone schedule. We didn’t enter tech for quick paydays. We entered because we were in love with the machines, the puzzles, the endless learning.

If you’re leading younger hires today, show them what that means. Let them hear the Star Trek story. Let them feel the frustration of an unsolved problem — and the pride of finally cracking it.

Because the age of the geek doesn’t have to be over. But if we don’t pass it on, it will be.

Microsoft’s New Hotpatch Plan: Now You Can Pay to Not Reboot Your Server… or Your Sanity https://michaeldewitt.com/2025/04/28/microsofts-new-hotpatch-plan-now-you-can-pay-to-not-reboot-your-server-or-your-sanity/ https://michaeldewitt.com/2025/04/28/microsofts-new-hotpatch-plan-now-you-can-pay-to-not-reboot-your-server-or-your-sanity/#comments Mon, 28 Apr 2025 14:22:55 +0000 https://michaeldewitt.com/?p=1004

Introduction

Microsoft is changing the rules on Windows Server updates. Starting July 1, 2025, a new $1.50 per CPU core monthly fee will be introduced for a service called “hotpatching.” If you’re a system administrator, IT manager, or run infrastructure that can’t afford downtime—this matters. A lot.

In this guide, we’ll break down what hotpatching is, why Microsoft is charging for it, how it affects your update strategy, and what IT pros are saying. We’ll also walk you through whether it’s worth paying for—and how to plan ahead.


What Is Hotpatching?

Hotpatching is a way to install security updates without rebooting the system. It works by injecting patches directly into system memory. This means you get important security fixes without shutting down apps, services, or entire virtual machines.

It’s especially useful for servers running critical workloads—think databases, applications, or services that require maximum uptime.

For a while, hotpatching was free in preview mode. But now, Microsoft is shifting it into a paid subscription model for Windows Server 2025 Standard and Datacenter editions.


$1.50 Per Core? I Didn’t Know Patching Came with a Cover Charge

Let’s talk numbers.

  • Fee: $1.50 per CPU core, per month.
  • Who it applies to: Any on-prem Windows Server 2025 instance enrolled in Azure Arc.
  • When: Starts July 1, 2025.
  • Billing begins: If you’re in the preview program and don’t opt out by June 30, billing starts automatically.

On the surface, $1.50 per core might sound manageable. But for a server with 32 cores, that’s $48/month—or $576/year. Multiply that across a cluster or multiple hosts, and the costs add up fast.


How the Hotpatch Cycle Works

The update process under this model follows a three-month rhythm:

  • Month 1: You apply a baseline update. This one does require a reboot.
  • Months 2 and 3: You receive hotpatches—no reboot needed.
  • Then the cycle repeats.

Effectively, you’re reducing planned reboots to four times a year. This is a big win for uptime, especially in production environments.


Pros and Cons for IT Teams

Pros:

  • Fewer restarts = more uptime.
  • Predictable update cycles.
  • Potentially fewer disruptions during business hours.
  • Better for high-availability environments.

Cons:

  • New recurring cost, especially in large environments.
  • Only available if you integrate with Azure Arc.
  • Not every workload needs zero-downtime updates.

Reactions from the Sysadmin Community

This news has already sparked debate in IT circles—especially on Reddit.

Here are a few common questions and themes popping up:

  • Is it worth it?
    Some admins say yes—especially for public-facing services or regulated environments where downtime is a no-go. Others argue that traditional patch-and-reboot methods work just fine if managed properly.
  • Why isn’t this included in the OS license?
    Several users voiced frustration that hotpatching is now being “unbundled” and monetized separately. They’re already paying for licenses, CALs, Azure, etc.
  • How will this affect licensing audits?
    Others worry about potential billing surprises. Since hotpatching is tied to core count, tracking and budgeting will be important—especially across hybrid environments.
  • Do I have to use Azure Arc?
    Yes. Hotpatching is only available through Azure Arc-connected servers. This locks you into Azure if you want to use the feature. Some see this as a smart strategy by Microsoft. Others call it aggressive.
  • Will Microsoft eventually make this the default update path?
    Some sysadmins are skeptical. They wonder if traditional patching will become second-class—or if more features will be put behind a paywall.

Who Should Consider Paying for Hotpatching?

This service won’t be right for everyone.

You should probably pay for hotpatching if:

  • You manage high-availability or critical systems.
  • Your workloads can’t afford unexpected downtime.
  • You’re operating in a regulated industry (finance, healthcare, etc.).
  • You already use Azure Arc and want smoother update cycles.

You can probably skip it if:

  • You’re running lab, test, or dev environments.
  • You reboot servers on a regular schedule already.
  • You’re tightly managing costs and don’t need 24/7 uptime.

How to Prepare

If you’re on Windows Server 2025 or planning to upgrade, here’s how to plan:

  1. Audit your server core counts.
    Figure out what your monthly spend would look like. Remember, this is per core—not per server.
  2. Evaluate your need for uptime.
    If a 15-minute reboot window doesn’t hurt your business, the hotpatching fee might not be justifiable.
  3. Decide if you’ll integrate with Azure Arc.
    If not, you won’t be able to use hotpatching at all.
  4. Review licensing terms carefully.
    Automatic billing starts July 1 unless you opt out. Don’t assume preview = free forever.
  5. Talk to your team.
    Get input from stakeholders, especially in Ops and Security, on whether this fits your risk and uptime tolerance.

Final Thoughts

This change from Microsoft isn’t just about $1.50 per core. It reflects a broader shift: updates are becoming services. And Microsoft is betting that businesses will pay for convenience, uptime, and predictability.

Whether this is a smart investment depends on your use case. For some, it’s an easy yes. For others, it’s just another nickel-and-dime moment in the growing list of Microsoft add-ons.

If you want your infrastructure to stay secure and online, you now have to factor this into your budget and planning. Don’t get caught off guard.


Sources

  • Forbes: “Microsoft Confirms $1.50 Windows Security Update Fee Starts July 1”
  • Microsoft Windows Server Blog (April 2025)
  • Reddit /r/sysadmin discussion on Microsoft Hotpatching Announcement

The 2025 State of Open Source: What the Data Really Tells Us https://michaeldewitt.com/2025/04/20/the-2025-state-of-open-source-what-the-data-really-tells-us/ https://michaeldewitt.com/2025/04/20/the-2025-state-of-open-source-what-the-data-really-tells-us/#comments Sun, 20 Apr 2025 02:04:00 +0000 https://michaeldewitt.com/?p=1000


Open source software (OSS) is no longer just an alternative — it’s the backbone of modern IT stacks. Each year, OpenLogic by Perforce publishes its State of Open Source Report, and the 2025 edition delivers some eye-opening insights about trends, technologies, and challenges facing organizations across the globe.

After surveying 433 professionals from every corner of the tech world, this year’s report shows that OSS adoption continues to surge — but not without its complexities. Here’s a deep dive into the key findings and what they mean for the future of tech.


📈 OSS Is on the Rise — Again

Let’s start with the obvious: 96% of organizations increased or maintained their OSS usage over the past year. In fact, more than a quarter (25.71%) reported a significant increase. Large enterprises led the charge, with over a third showing substantial growth in adoption.

Why the surge? The answer is simple: cost. Over half of respondents (53.33%) said cost savings — including avoiding license fees — was their top reason for choosing OSS. Other motivators included reducing vendor lock-in, adopting open standards, and improving interoperability.

Interestingly, in Asia, the top driver was development speed, reflecting regional priorities.


💸 Where Are Companies Investing?

Organizations are pouring resources into a few key OSS areas:

  • Cloud and container technologies (39.52%)
  • Databases and data technologies (33.33%)
  • Programming languages and frameworks (32.86%)

These investments reflect a growing trend toward internal development, especially among smaller companies. Larger enterprises, meanwhile, are doubling down on DevOps, analytics, and security tooling.


🚧 Top Challenges: Security, Compliance, and Legacy Software

Despite widespread adoption, challenges persist — and they’re big ones:

  1. Keeping up with patches
  2. Meeting security and compliance requirements
  3. Maintaining EOL software

For many, aging systems like CentOS and AngularJS are sticking around far past their expiration dates. In fact, 26% still use CentOS, including 40% of large enterprises — and alarmingly, 28% of those lack a plan for handling new CVEs.


🐧 Linux: Ubuntu Still Reigns

Ubuntu remains the most popular Linux distribution (56.73%), followed by Debian and CentOS (despite its EOL status). While CentOS usage is falling in North America and Europe, it remains strong in Asia and Latin America.


☁ Cloud-Native Tech: Docker & Kubernetes Lead

Unsurprisingly, Docker and Kubernetes dominate the cloud-native landscape. Kubernetes usage has more than doubled since 2021, now sitting at 39.2%. However, many organizations still struggle with:

  • A lack of personnel or expertise (51%)
  • Installation and configuration challenges

Smaller companies lean toward simpler stacks, while large enterprises embrace complex orchestration and monitoring platforms like Prometheus and Rancher.


🧠 Big Data: High Stakes, Low Confidence

Roughly 37% of organizations are using OSS to manage Big Data — but 47% say they lack confidence in managing their data tech stacks. The biggest hurdles?

  • Data integration across systems
  • Governance and compliance
  • Skill gaps in-house

Small organizations rely on open source communities for support, while larger companies tend to pay for commercial services.


🧑‍💻 Languages & Frameworks: Familiar Faces Lead

JavaScript (53.89%) and Python (52.85%) remain neck-and-neck for most-used language, followed by PHP, Node.js, and C/C++. OpenJDK is gaining popularity, while Oracle Java usage continues to slide — likely due to rising costs.

React.js leads in frameworks, with jQuery and Spring Boot close behind. Surprisingly, EOL AngularJS is still widely used, especially by mid-sized companies.


🔐 Security & Compliance: More Important Than Ever

Security and compliance are now mission-critical:

  • 59% scan OSS for vulnerabilities
  • 84% must meet at least one compliance standard
  • 41% of companies using EOL software failed a compliance audit in 2024

Top security actions include applying patches, enforcing secure coding practices, and upgrading to current versions.


🌱 OSS Maturity Is Growing — Slowly

The report ends on a hopeful note: while maturity varies, organizations are improving. Most common practices include:

  • Performing vulnerability scans (59%)
  • Contributing to OSS projects (37%)
  • Creating security/governance policies (35%)

Small companies are the most active contributors, while large enterprises are more likely to have formal OSS governance programs and generate SBOMs.


Final Thoughts: Open Source Is Everywhere — But It’s Not Free

The 2025 State of Open Source Report shows that OSS is vital — but success depends on more than just downloading a free tool. It requires skilled professionals, smart strategies, and long-term thinking.

Whether you’re a solo dev building in your basement or an IT director at a Fortune 500 company, one thing is clear: OSS is here to stay — and investing in it wisely is key to future-proofing your infrastructure.


🔍 Want to dive deeper? Check out the full report at perforce.com.


Zero to Root: A SysAdmin’s Career Progression https://michaeldewitt.com/2025/04/01/zero-to-root-a-sysadmins-career-progression/ https://michaeldewitt.com/2025/04/01/zero-to-root-a-sysadmins-career-progression/#comments Tue, 01 Apr 2025 16:49:14 +0000 https://michaeldewitt.com/?p=950

Breaking into the world of systems administration is a bit like learning to drive a manual transmission—awkward at first, full of unexpected stalls, and no one warns you that DNS issues are basically the IT version of hitting every red light. But just like with driving, with time, mentorship, and a few panicked Google searches, you start to shift gears smoothly. In this post, we’ll break down the different stages of a Systems Administrator’s career—from fresh-faced Junior figuring out where the power button is, to seasoned Senior who’s practically part of the server rack, all the way up to the Architect-level expert who’s not just solving problems, but shaping the whole roadmap. Whether you’re just starting out or eyeing that next big promotion, this guide will help you get a better understanding of where you are, and where you’re going. And if you’re like me, and like to code, this will help correlate your level of experience between a sysadmin and a developer.

🟢 Junior Systems Administrator

Experience: 0–3 years
This is the foundational level. Junior SysAdmins are in learning mode—building core skills and gaining real-world exposure.

Typical Competencies:

  • Learning foundational tools and technologies (e.g., Windows/Linux CLI, Active Directory, DNS, DHCP, ticketing systems)
  • Assisting more experienced admins with clearly defined tasks
  • Ramping up quickly on new systems or unfamiliar environments
  • Communicating issues promptly and effectively
  • Following SOPs and documentation accurately
  • Performing basic system maintenance, user account management, and backup tasks

Parallel to Developer Role:

“Learning core languages and technologies, assisting seniors given clear direction, ramping up rapidly on unfamiliar frameworks, communicating issues promptly.”

Common Job Titles:

  • IT Support Technician
  • Associate Systems Administrator
  • SysAdmin I
  • Desktop Support / Junior IT Admin

🔵 Senior Systems Administrator

Experience: 3–8+ years
This level represents a seasoned professional with the ability to lead, architect, and mentor. They have strong ownership over systems and projects.

Typical Competencies:

  • Designing and managing complex infrastructure (e.g., virtualization, backups, storage, enterprise networking)
  • Taking ownership of core systems and ensuring reliability, security, and performance
  • Setting operational standards and best practices for teams and departments
  • Scripting and automating routine processes (PowerShell, Bash, Python, Ansible, etc.)
  • Mentoring junior team members and guiding career development
  • Leading system upgrades, migrations, and change management processes
  • Collaborating across teams (Dev, InfoSec, Compliance)

Parallel to Developer Role:

“Strong ownership abilities, architecting complex application modules, setting technical standards and vision, mentoring junior team members.”

Common Job Titles:

  • Senior Systems Administrator
  • Systems Engineer / Infrastructure Engineer
  • IT Operations Lead
  • SysAdmin III
  • Lead IT Specialist

🔴 Expert / Principal / Architect-Level Systems Administrator

Experience: 8–15+ years
This is the top-tier level, where technical mastery meets strategic influence. Experts don’t just manage systems—they shape IT strategy and lead transformative change.

Typical Competencies:

  • Strategic thinking around infrastructure design, scalability, and future growth
  • Cross-discipline mastery: servers, networking, cloud, security, automation, monitoring, disaster recovery
  • Leading enterprise-scale projects (e.g., cloud migration, HA/DR implementation, org-wide security overhaul)
  • Setting long-term vision and aligning IT infrastructure with business objectives
  • Evangelizing new technologies and leading cultural change within IT
  • Acting as a liaison between engineering, security, and executive leadership
  • Representing IT in high-level decisions (budgeting, policy, compliance, architecture)

Parallel to Developer Role:

“Strategic systems analysis and foresight, multifaceted knowledge across software stack, change leadership rallied around bold vision, sustained passion for solving complex problems.”

Common Job Titles:

  • Principal Systems Engineer
  • Infrastructure Architect / Solutions Architect
  • Senior IT Strategist
  • DevOps/Cloud Architect
  • Director of Infrastructure (in smaller orgs)

🔁 Final Thoughts:

  • Years of experience are helpful but not absolute. A highly motivated individual with strong project work can fast-track to senior-level skills in under 5 years.
  • What sets levels apart is less about what tools you use, and more about how independently and strategically you solve problems, lead others, and drive change.
The Jedi Master’s Guide to RHEL Security: May the Logs Be With You https://michaeldewitt.com/2025/03/20/the-jedi-masters-guide-to-rhel-security-may-the-logs-be-with-you/ https://michaeldewitt.com/2025/03/20/the-jedi-masters-guide-to-rhel-security-may-the-logs-be-with-you/#comments Thu, 20 Mar 2025 20:36:21 +0000 https://michaeldewitt.com/?p=900

Once you’ve locked down the basics of RHEL security, it’s time to move into more advanced territory. These next-level techniques help safeguard your systems against sophisticated threats and improve your overall security posture.


1. Implement Advanced SELinux Policies

SELinux isn’t just “on or off.” The targeted policy that RHEL ships already confines most network-facing services, and the real work is tuning it rather than switching it on: fixing labels, flipping booleans, and writing a small custom module only when nothing else fits.

  • Create Custom SELinux Policies:
    Use audit2allow (from policycoreutils-python-utils on RHEL 8 and 9) to turn denials recorded in the audit log into a policy module. With -a it reads every AVC denial in the log, so review the generated custom_policy.te before installing the .pp file; loading it blindly turns every denial into an allow rule, including the ones SELinux was right to block.

    sudo audit2allow -a -M custom_policy
    sudo semodule -i custom_policy.pp
    
  • Tune the Targeted Policy for Each Service:
    The targeted policy already contains modules for Apache, MySQL/MariaDB, Postfix, and the other common daemons. Before writing policy, check whether a boolean (getsebool -a to list them, setsebool -P to change one) or a file context fix (semanage fcontext followed by restorecon) resolves the denial; both keep you on the vendor-maintained policy.

This fine-tuning keeps services running with the least privilege the policy allows, rather than the broadest set of rules that makes the denials go away.


2. Leverage Advanced auditd Rules

Basic logging is helpful, but you can take things further by auditing critical files and user behavior. Put these rules in a file under /etc/audit/rules.d/ (for example 99-hardening.rules) so augenrules loads them at boot; rules added with auditctl alone are lost at reboot.

  • Track Privilege Escalation Attempts:
    This records every execve where the real and effective UIDs differ, which is what a setuid binary such as sudo or su produces. Add a matching arch=b32 rule on systems that can run 32-bit binaries, or those calls go unrecorded.

    -a always,exit -F arch=b64 -S execve -C uid!=euid -k priv_escalation
    
  • Monitor Access to Sensitive Files:
    Watch writes and attribute changes (-p wa) to the shadow file; add /etc/passwd, /etc/group, /etc/sudoers and /etc/sudoers.d/ the same way.

    -w /etc/shadow -p wa -k shadow_file
    
  • Set Immutable Rules:
    Once you’ve tested your rules, make the configuration immutable. This must be the last line of the last rules file; after it is loaded, nobody, root included, can change or remove audit rules until the system reboots, so test first:

    -e 2
    

This ensures your auditing policies can’t be tampered with at runtime. Search the resulting events by key with ausearch -k priv_escalation, and ship the log off the host: a local audit log is only as trustworthy as the host it sits on.
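Both mechanisms above, the SELinux denials that audit2allow turns into allow rules (section 1) and the uid!=euid execve rule, land as records in /var/log/audit/audit.log, and both need a human look before anyone acts on them. The Python script below is an added example, not code from the original post: it parses constructed audit records in auditd's key=value format, groups AVC denials into the allow rules audit2allow would generate so each can be judged (flagging targets such as shadow_t), and joins SYSCALL and EXECVE records on their audit serial to show which binary ran with uid != euid. The sample log lines, the expected-setuid allowlist and the sensitive-type list are assumptions for the example.

```python
"""Triage audit.log records: group SELinux AVC denials for review and
correlate SYSCALL/EXECVE records for the uid!=euid execve rule.
Added example; the log lines below are constructed, not real captures."""
import re
from collections import defaultdict

# Constructed sample records in auditd's key=value format.
SAMPLE_LOG = """\
type=AVC msg=audit(1711000000.101:301): avc:  denied  { read } for  pid=2101 comm="httpd" name="app.conf" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711000000.102:302): avc:  denied  { write } for  pid=2101 comm="httpd" name="shadow" dev="dm-0" ino=16 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1711000000.103:303): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=9002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1711000001.500:304): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1900 pid=2200 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="priv_escalation"
type=EXECVE msg=audit(1711000001.500:304): argc=2 a0="sudo" a1="-i"
type=SYSCALL msg=audit(1711000002.700:305): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2200 pid=2300 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=0 fsgid=0 tty=pts0 ses=3 comm="x" exe="/tmp/.cache/x" subj=unconfined_u:unconfined_r:unconfined_t:s0 key="priv_escalation"
type=EXECVE msg=audit(1711000002.700:305): argc=1 a0="/tmp/.cache/x"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): ?(.*)$')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*) \} for')

# Setuid binaries expected to show uid!=euid; anything else deserves a look.
# This allowlist is an assumption for the example; tune it per host.
EXPECTED_SETUID = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd",
                   "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn"}
# Target types that should never be reachable from a network-facing domain.
SENSITIVE_TYPES = {"shadow_t", "passwd_file_t", "sshd_key_t"}

def parse_record(line):
    """Split one audit record into type, timestamp, serial and its fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    if rtype == "AVC":
        a = AVC_RE.search(rest)
        if a:
            fields["result"] = a.group(1)
            fields["perms"] = a.group(2).split()
    return {"type": rtype, "ts": float(ts), "serial": int(serial), "fields": fields}

def parse_log(text):
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]

def selinux_type(context):
    """'system_u:object_r:shadow_t:s0' -> 'shadow_t'."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def summarize_avc(records):
    """Group denials the way audit2allow would, keyed by (source, target, class),
    so each proposed allow rule can be judged before it becomes policy."""
    groups = defaultdict(set)
    for r in records:
        f = r["fields"]
        if r["type"] != "AVC" or f.get("result") != "denied":
            continue
        key = (selinux_type(f["scontext"]), selinux_type(f["tcontext"]), f["tclass"])
        groups[key].update(f["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        rules.append({
            "rule": f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};",
            "sensitive": tgt in SENSITIVE_TYPES,
        })
    return rules

def setuid_execs(records):
    """Join SYSCALL and EXECVE records on the audit serial and report every
    execve where uid != euid, marking binaries outside the expected set."""
    by_serial = defaultdict(dict)
    for r in records:
        if r["type"] in ("SYSCALL", "EXECVE"):
            by_serial[r["serial"]][r["type"]] = r["fields"]
    hits = []
    for serial, recs in sorted(by_serial.items()):
        sc = recs.get("SYSCALL")
        if not sc or sc.get("key") != "priv_escalation":
            continue
        if sc.get("uid") == sc.get("euid"):
            continue
        ex = recs.get("EXECVE", {})
        argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0))) if f"a{i}" in ex]
        hits.append({"serial": serial, "auid": sc.get("auid"), "uid": sc["uid"],
                     "euid": sc["euid"], "exe": sc.get("exe"), "argv": argv,
                     "suspicious": sc.get("exe") not in EXPECTED_SETUID})
    return hits

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rule in summarize_avc(recs):
        print(("REVIEW  " if rule["sensitive"] else "        ") + rule["rule"])
    for h in setuid_execs(recs):
        flag = "SUSPICIOUS" if h["suspicious"] else "expected"
        print(f"{flag}: serial={h['serial']} auid={h['auid']} uid={h['uid']}->euid={h['euid']} {h['exe']} {h['argv']}")
```

In practice feed it the audit log itself or the output of `ausearch -k priv_escalation --raw`. The point of the two reports is that the httpd_t denial against shadow_t should become a bug report or an incident, not a line in custom_policy.te, and that the execve from /tmp deserves a look even though it matched exactly the same rule as sudo.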


3. Enforce Secure Boot and Kernel Module Signing

  • Enable Secure Boot in BIOS/UEFI:
    Secure Boot verifies the signed shim, bootloader, and kernel before they run. On RHEL, a kernel booted under Secure Boot also enters lockdown mode and refuses unsigned modules.

  • Sign Kernel Modules Manually:
    If you develop custom kernel modules, generate a Machine Owner Key (MOK), enroll it, and sign each module with it. The openssl command creates the key pair; mokutil --import queues the certificate and asks for a one-time password, and enrollment completes in the MokManager prompt at the next reboot. The module itself is then signed with the sign-file script shipped in kernel-devel for the running kernel; a module signed with a key that was never enrolled is rejected just like an unsigned one.

    openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 365
    sudo mokutil --import MOK.der
    
  • Require Signed Modules Only:
    Add the kernel boot parameter that refuses unsigned modules even when Secure Boot is off (with Secure Boot on, the RHEL kernel already enforces this). After the reboot, confirm the live setting in /sys/module/module/parameters/sig_enforce:

    sudo grubby --args="module.sig_enforce=1" --update-kernel=ALL
    

This protects against unauthorized or malicious kernel modules, which would otherwise run with full kernel privileges. Keep MOK.priv off the server: anyone holding it can sign a rootkit your kernel will trust.
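The commands above generate and enroll the key, but do not show how to tell a signed module from an unsigned one on disk. The Python below is an added example, not from the post: it parses the signature trailer that the kernel's sign-file script appends to a module (PKCS#7 blob, 12-byte header, magic string), decompresses .ko.xz files the way RHEL ships them, and reads the live sig_enforce setting. The fake module blob and the sample command line are constructed for the example; a real signature would be a PKCS#7 DER structure.

```python
"""Inspect kernel modules for an appended signature and check whether the
running kernel enforces module signatures. Added example, not from the post."""
import lzma
import os
import struct

MAGIC = b"~Module signature appended~\n"   # trailer written by scripts/sign-file
PKEY_ID_PKCS7 = 2                           # id_type sign-file uses
TRAILER = struct.Struct(">BBBBB3xI")        # struct module_signature; sig_len is big-endian

def parse_module_signature(blob):
    """Return details of the appended signature, or None if the blob is unsigned.
    Layout produced by sign-file: [module][PKCS#7 sig][12-byte header][magic]."""
    if not blob.endswith(MAGIC):
        return None
    body = blob[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        raise ValueError("truncated signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(body[-TRAILER.size:])
    body = body[:-TRAILER.size]
    if sig_len > len(body):
        raise ValueError("sig_len exceeds module size")
    sig = body[-sig_len:] if sig_len else b""
    return {
        "id_type": id_type,
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "signature": sig,
        "payload_len": len(body) - sig_len,
        # with PKCS#7 the algorithm and hash live inside the blob, so these are 0
        "legacy_fields": (algo, hash_, signer_len, key_id_len),
    }

def load_module_bytes(path):
    """Read a .ko, decompressing .ko.xz (RHEL ships compressed modules)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return lzma.decompress(data) if path.endswith(".xz") else data

def sig_enforce_from_cmdline(cmdline):
    """True when the kernel command line requests module.sig_enforce=1.
    With Secure Boot enabled, RHEL kernels enforce signatures regardless."""
    return any(tok == "module.sig_enforce=1" for tok in cmdline.split())

def sig_enforce_runtime(sysfs="/sys/module/module/parameters/sig_enforce"):
    """Read the live setting; True/False, or None when the file is unavailable."""
    try:
        with open(sysfs) as fh:
            return fh.read().strip() == "Y"
    except OSError:
        return None

def scan_modules(root):
    """Walk a modules tree and list the unsigned modules for review."""
    unsigned = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".ko", ".ko.xz")):
                path = os.path.join(dirpath, name)
                if parse_module_signature(load_module_bytes(path)) is None:
                    unsigned.append(path)
    return unsigned

def make_fake_signed_module(payload, signature):
    """Build a blob with the sign-file layout, used here only to exercise the
    parser offline; the 'signature' is arbitrary bytes, not a real PKCS#7 blob."""
    hdr = TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(signature))
    return payload + signature + hdr + MAGIC

if __name__ == "__main__":
    demo = make_fake_signed_module(b"\x7fELF fake module body", b"\x30\x82" + b"\x00" * 38)
    print(parse_module_signature(demo))
    print("unsigned:", parse_module_signature(b"\x7fELF unsigned module"))
    print("cmdline enforce:", sig_enforce_from_cmdline("BOOT_IMAGE=/vmlinuz ro module.sig_enforce=1 quiet"))
    print("runtime enforce:", sig_enforce_runtime())
    release = os.uname().release if hasattr(os, "uname") else ""
    for p in scan_modules(f"/lib/modules/{release}/kernel/fs")[:5] if release else []:
        print("unsigned:", p)
```

Run it against /lib/modules/$(uname -r) after a kernel update to list anything unsigned. The check proves a signature is present, not that it chains to a key the kernel trusts; only the kernel's own verification at load time settles that.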


4. Apply Network Namespace Isolation

For high-security environments, isolating services into network namespaces helps compartmentalize traffic. A namespace has its own interfaces, routing table, and firewall state, so a service inside one can reach only what you explicitly plumb through to it.

  • Create Isolated Namespaces:
    The veth pair below is a virtual cable: veth1 is moved into ns1, and veth0 stays in the host namespace as the only path in or out.

    sudo ip netns add ns1
    sudo ip link add veth0 type veth peer name veth1
    sudo ip link set veth1 netns ns1
    
  • Configure Dedicated Interfaces:
    Give each end of the pair an address, bring both ends (and the loopback inside ns1) up, and start the service with ip netns exec ns1 so it binds inside the namespace. Then restrict what veth0 may forward with firewalld or nftables rules on the host side; without those rules the namespace separates network stacks but does not by itself stop lateral movement. Namespaces created with ip netns do not survive a reboot, so script the setup in a systemd unit or your network configuration.

Namespaces are like creating mini-networks inside your server.


5. Harden Compilers and Build Chains

Limiting who can compile or execute code on production servers is another layer of defense, with one caveat: an attacker who already has a shell can bring a prebuilt binary or use the interpreters (Python, Perl, bash) that ship with the base system, so this is a speed bump rather than a wall.

  • Restrict Compiler Usage:
    The cleanest option is not to install gcc on production hosts at all (check with rpm -q gcc) and to build in a separate pipeline. If a compiler must stay, restrict it to root; note that rpm -V will report the changed mode and that a package update resets it:

    sudo chmod 700 /usr/bin/gcc
    
  • Enforce Compiler Security Flags:
    Standardize the use of secure build flags for your applications. _FORTIFY_SOURCE only takes effect with optimization enabled, which is why -O2 is part of the set; RHEL's own RPM builds (through redhat-rpm-config) already apply these plus -fPIE/-pie, so the gap is usually in locally built software:

    export CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2"
    export LDFLAGS="-Wl,-z,relro,-z,now"
    

These flags harden applications against memory-corruption attacks: the stack protector detects stack buffer overflows before a function returns, FORTIFY adds bounds checks to common libc calls, and full RELRO (relro plus now) makes the GOT read-only after loading so it cannot be overwritten to hijack control flow.
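The flags only help if they actually reached the binary, and a build with a stray CFLAGS override will quietly drop them. The Python script below is an added example, not from the post: a minimal checksec that reads an ELF64 binary's program headers and dynamic section and reports PIE, NX stack, RELRO, BIND_NOW, stack canary and FORTIFY. The property names and the ELF64-only restriction are choices for the example.

```python
"""Verify that a built ELF64 binary carries the hardening the flags are meant
to produce: stack canary, FORTIFY, RELRO/BIND_NOW, PIE, NX stack.
Added example, not code from the post; a minimal checksec, ELF64 only."""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PF_X, ET_DYN = 0x1, 3

def _header(data):
    """Parse the ELF64 file header: byte-order prefix, e_type, phoff, phentsize, phnum."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == 1 else ">"
    e_type, _, _, _, phoff, _, _, _, phentsize, phnum = struct.unpack_from(end + "HHIQQQIHHH", data, 16)
    return end, e_type, phoff, phentsize, phnum

def _phdrs(data, end, phoff, phentsize, phnum):
    for i in range(phnum):
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(end + "IIQQQQQQ", data, phoff + i * phentsize)
        yield {"type": p_type, "flags": p_flags, "offset": p_off, "vaddr": p_vaddr, "filesz": p_filesz}

def _vaddr_to_offset(loads, vaddr):
    for seg in loads:
        if seg["vaddr"] <= vaddr < seg["vaddr"] + seg["filesz"]:
            return vaddr - seg["vaddr"] + seg["offset"]
    raise ValueError("virtual address is not file-backed")

def _dynamic(data, end, dyn):
    """Read the dynamic section into {tag: value}."""
    tags, off, limit = {}, dyn["offset"], dyn["offset"] + dyn["filesz"]
    while off + 16 <= limit:
        tag, val = struct.unpack_from(end + "qQ", data, off)
        off += 16
        if tag == DT_NULL:
            break
        tags[tag] = val
    return tags

def checksec(path):
    """Return {property: bool} for the binary at path."""
    with open(path, "rb") as fh:
        data = fh.read()
    end, e_type, phoff, phentsize, phnum = _header(data)
    phdrs = list(_phdrs(data, end, phoff, phentsize, phnum))
    loads = [p for p in phdrs if p["type"] == PT_LOAD]
    stack = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    result = {
        "pie": e_type == ET_DYN,                 # shared objects are ET_DYN as well
        "nx": bool(stack) and not (stack[0]["flags"] & PF_X),
        "relro": any(p["type"] == PT_GNU_RELRO for p in phdrs),
        "bind_now": False, "canary": False, "fortify": False, "static": True,
    }
    dyn = next((p for p in phdrs if p["type"] == PT_DYNAMIC), None)
    if dyn is not None:                          # statically linked binaries have none
        result["static"] = False
        tags = _dynamic(data, end, dyn)
        flags, flags1 = tags.get(DT_FLAGS, 0), tags.get(DT_FLAGS_1, 0)
        result["bind_now"] = bool(flags & DF_BIND_NOW or flags1 & DF_1_NOW)
        if DT_STRTAB in tags and DT_STRSZ in tags:
            start = _vaddr_to_offset(loads, tags[DT_STRTAB])
            names = set(data[start:start + tags[DT_STRSZ]].split(b"\0"))
            # -fstack-protector-strong imports __stack_chk_fail; FORTIFY imports
            # the __*_chk variants (e.g. __memcpy_chk, __printf_chk).
            result["canary"] = b"__stack_chk_fail" in names
            result["fortify"] = any(n.endswith(b"_chk") for n in names)
    # partial RELRO without BIND_NOW still leaves the GOT writable at runtime
    result["full_relro"] = result["relro"] and result["bind_now"]
    return result

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:] or [sys.executable]:
        print(p, checksec(p))
```

Point it at the artifacts your pipeline produces and fail the build on any false; the full_relro key is the one that corresponds to -Wl,-z,relro,-z,now. A binary with no imports of __*_chk may simply not call any fortifiable function, so treat the fortify result as a hint rather than a verdict.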


6. Configure Advanced firewalld Rules

Move beyond basic port blocking and implement granular, context-aware firewall rules.

  • Use Rich Rules:
    Set up specific rules for logging or restricting by IP subnet. The rule below allows SSH only from 10.0.0.0/24; it is written to the permanent configuration, so follow it with firewall-cmd --reload, and remove the broad ssh service from the zone, or the rich rule changes nothing:

    sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" service name="ssh" accept'
    
  • Implement Port Knocking:
    This technique requires users to “knock” on ports in a specific sequence before a critical service like SSH is opened to their address, typically through a short-lived runtime rule.

Port knocking hides open ports from casual scans, but the sequence is visible to anyone who can capture your traffic and can be replayed, so treat it as obscurity on top of key-only SSH and source restrictions, not as authentication.
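Port knocking is easy to describe and easy to get subtly wrong: no timeout, no reset on a wrong port, or a rule that never expires. The Python below is an added example, not code from the post or from any knock daemon: a per-source state machine fed from firewall reject log lines that opens the protected port only when the full sequence arrives in order within a window, and emits the firewalld rich rule to apply with --timeout. The sequence, window, log format (firewalld log-denied lines with an epoch timestamp prepended in place of the journald timestamp) and addresses are assumptions for the demo.

```python
"""Port-knock state machine fed from firewall log lines. Added example, not
code from the post; the sequence, window and log format are assumptions."""
import re

KNOCK_SEQUENCE = (7000, 8000, 9000)   # assumed secret sequence
WINDOW_SECONDS = 10.0                 # whole sequence must complete within this
PROTECTED_PORT = 22

class KnockTracker:
    """Tracks, per source address, how far through the sequence it has got."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}    # src -> (knocks matched so far, time of first knock)
        self.opened = []      # (src, ts) for every completed sequence

    def knock(self, src, port, ts):
        """Feed one rejected connection attempt; True if src just completed the sequence."""
        idx, started = self.progress.get(src, (0, ts))
        if idx and ts - started > self.window:
            idx, started = 0, ts                 # too slow: start over
        if port == self.sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
        elif port == self.sequence[0]:
            idx, started = 1, ts                 # wrong port, but a fresh first knock
        else:
            idx, started = 0, ts                 # wrong port: reset (stray scans do this)
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            self.opened.append((src, ts))
            return True
        self.progress[src] = (idx, started)
        return False

def allow_rule(src, port=PROTECTED_PORT):
    """Runtime rich rule granting the knocker access; apply it with
    firewall-cmd --add-rich-rule=... --timeout=60 so it expires on its own."""
    return (f'rule family="ipv4" source address="{src}" '
            f'port port="{port}" protocol="tcp" accept')

LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) .*SRC=(?P<src>[\d.]+) .*PROTO=TCP .*DPT=(?P<dpt>\d+)")

def process_log(text, tracker=None):
    """Replay log lines through the tracker; returns the rich rules to apply."""
    tracker = tracker or KnockTracker()
    rules = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if tracker.knock(m["src"], int(m["dpt"]), float(m["ts"])):
            rules.append(allow_rule(m["src"]))
    return rules

# Constructed sample: one correct client, one in the wrong order, one too slow.
SAMPLE_LOG = """\
1711000000 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=7000
1711000001 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=40001 DPT=7000
1711000001 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.1 PROTO=TCP SPT=51001 DPT=8000
1711000002 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=40002 DPT=9000
1711000002 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.1 PROTO=TCP SPT=51002 DPT=9000
1711000003 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.1 PROTO=TCP SPT=33000 DPT=7000
1711000004 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.1 PROTO=TCP SPT=33001 DPT=8000
1711000020 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.1 PROTO=TCP SPT=33002 DPT=9000
"""

if __name__ == "__main__":
    for rule in process_log(SAMPLE_LOG):
        print(f"firewall-cmd --add-rich-rule='{rule}' --timeout=60")
```

Only 203.0.113.5 gets a rule: the second client knocked out of order and the third took 17 seconds for a 10-second window. The emitted rule is runtime only (no --permanent), so access closes by itself. Nothing here authenticates the knocker; the sequence travels in the clear, so keep key-only SSH underneath it.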


7. Secure NTP and Time Synchronization

A compromised or spoofed time source can disrupt logs, break certificate and Kerberos validation, and confuse security tooling that correlates events by time.

  • Configure NTP with Authentication:
    Plain NTP is unauthenticated UDP. chrony, the default on RHEL, supports Network Time Security (NTS) against public servers that offer it and symmetric keys from /etc/chrony.keys for internal servers; on chrony 4 and later, authselectmode require refuses to use any unauthenticated source.

    sudo yum install chrony
    sudo vi /etc/chrony.conf
    
  • Restrict NTP Traffic:
    Limit which hosts can interact with your NTP service to trusted sources only. A client-only host should serve no one (port 0) and accept chronyc commands only locally (cmdport 0); an internal time server should list explicit allow subnets rather than a bare allow.

Consistent and secure time sync is critical for audits and incident forensics: if the clock can be moved, the timeline of an incident can be rewritten.
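The post leaves the contents of chrony.conf to the reader. The Python below is an added example, not from the post: it shows a weak configuration beside a hardened one (NTS for a public source, a symmetric key for an internal one, authselectmode require, minsources 2, and no NTP or chronyc service exposed) and lints either for the settings a reviewer would flag. Both configurations are constructed; ntp1.corp.example is a placeholder for your own server, and the checks assume chrony 4 directives.

```python
"""Lint a chrony.conf for unauthenticated time sources and open server access.
Added example, not from the post; both configurations are constructed and
ntp1.corp.example is a placeholder for an internal server."""

WEAK_CONF = """\
# typical default: unauthenticated public pool, serves anyone who asks
pool 2.rhel.pool.ntp.org iburst
allow
"""

HARDENED_CONF = """\
# NTS-authenticated public source (chrony 4 and later)
server time.cloudflare.com iburst nts
# internal server authenticated with a symmetric key from /etc/chrony.keys
server ntp1.corp.example iburst key 1
keyfile /etc/chrony.keys
# never select a source that lacks or failed authentication
authselectmode require
# require agreement from two sources before trusting the time
minsources 2
# client only: serve no NTP, accept chronyc commands only via the local socket
port 0
cmdport 0
"""

def parse_chrony(text):
    """Return [(directive, [args...])], ignoring comments and blank lines."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        out.append((parts[0].lower(), parts[1:]))
    return out

def lint_chrony(text):
    """Findings a reviewer would raise; an empty list means nothing to flag."""
    d = parse_chrony(text)
    findings = []
    for name, args in d:
        if name in ("server", "pool", "peer") and args:
            opts = {a.lower() for a in args[1:]}
            if "nts" not in opts and "key" not in opts:
                findings.append(f"unauthenticated source: {name} {args[0]}")
    if not any(name == "authselectmode" and args[:1] == ["require"] for name, args in d):
        findings.append("authselectmode is not 'require': unauthenticated sources may still be selected")
    for name, args in d:
        if name == "allow" and (not args or args == ["all"]):
            findings.append("'allow' without a subnet serves NTP to every host")
        if name == "cmdallow":
            findings.append("cmdallow exposes chronyc control to " + (" ".join(args) or "every host"))
    if not any(name == "minsources" and args and args[0].isdigit() and int(args[0]) >= 2 for name, args in d):
        findings.append("minsources below 2: a single bad source can steer the clock")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for finding in lint_chrony(conf) or ["ok"]:
            print("  " + finding)
```

After reloading chronyd, `chronyc authdata` shows the authentication mode actually negotiated with each source; a lint that passes on the file says nothing about whether the servers answer NTS.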


8. Implement AppArmor or Additional MAC Frameworks

While SELinux is powerful, some environments also use AppArmor for specific workloads. On RHEL, however, that is not an option: AppArmor is not packaged in the RHEL repositories, and the kernel runs only one major mandatory access control module at a time, so SELinux and AppArmor cannot be layered on the same host.

  • Install AppArmor:
    The package exists on distributions that ship AppArmor (Ubuntu, Debian, SUSE) under their own package managers; on RHEL the command below fails because there is no such package, and it should be left out of RHEL build scripts:

    sudo yum install apparmor
    
  • Apply Profiles:
    Where AppArmor is the native MAC (for example Ubuntu hosts in a mixed fleet), confine databases and web servers with per-application profiles, the counterpart of SELinux domains.

On RHEL, get the layered-defense effect by keeping SELinux enforcing and adding systemd sandboxing directives to the service unit (ProtectSystem, ProtectHome, PrivateTmp, NoNewPrivileges), which restrict what a service can touch independently of its SELinux domain.


9. Deploy Host Intrusion Detection (HIDS)

  • Install OSSEC or AIDE:
    These tools detect unauthorized changes to files, configurations, and binaries. AIDE is in the RHEL repositories; OSSEC (and its Wazuh fork) adds log analysis and central management on top of file integrity. Take the AIDE baseline on a freshly built host, before it is exposed to the network. aide --init writes /var/lib/aide/aide.db.new.gz, which must be renamed to aide.db.gz before aide --check will use it.

    sudo yum install aide
    sudo aide --init
    
  • Automate Checks:
    Schedule daily integrity scans with a systemd timer or cron and send the report to an external system. Store a copy of the baseline off the host or on read-only media; a database the attacker can rewrite is no baseline at all. After legitimate changes such as patching, re-baseline with aide --update.

HIDS adds a crucial layer of monitoring for persistent threats.
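To make clear what aide --init actually records and what aide --check compares, the Python below is an added example, not AIDE's code: it baselines a directory tree (SHA-256, size, mode, owner, symlink target), saves the baseline as JSON, and diffs a later scan against it, reporting what changed and how. The demo builds and tampers with its own temporary tree, so every path is constructed; mtime is deliberately not recorded, since an intruder can reset it.

```python
"""A minimal AIDE-style integrity check: baseline a tree (hash, size, mode,
owner), then diff the live tree against it. Added example, not AIDE's code;
the demo builds its own throwaway tree, so all paths below are constructed."""
import hashlib
import json
import os
import stat
import tempfile

def file_record(path):
    """What the baseline stores for one entry. mtime is left out on purpose:
    an attacker can reset it (touch -r); content and mode cannot be faked."""
    st = os.lstat(path)
    rec = {"mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec

def build_baseline(root):
    """Walk root and record every file and symlink, keyed by relative path."""
    db = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_record(full)
    return db

def save_baseline(db, path):
    with open(path, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)

def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)

def compare(baseline, current):
    """Report added, removed and changed entries; 'changed' maps each path to
    {attribute: (old, new)} so the alert says what moved, not just that it did."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for p in sorted(set(baseline) & set(current)):
        old, new = baseline[p], current[p]
        diff = {k: (old.get(k), new.get(k)) for k in set(old) | set(new) if old.get(k) != new.get(k)}
        if diff:
            changed[p] = diff
    return {"added": added, "removed": removed, "changed": changed}

def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)
    return full

def demo():
    """Baseline a small tree, tamper with it the way an intruder would, re-scan."""
    root = tempfile.mkdtemp(prefix="aide-demo-")
    _write(root, "etc/app.conf", b"debug = off\n")
    tool = _write(root, "bin/tool", b"#!/bin/sh\necho ok\n")
    os.chmod(tool, 0o755)
    _write(root, "old.conf", b"retired\n")
    baseline = build_baseline(root)
    save_baseline(baseline, os.path.join(root, "..", "aide-demo.db.json"))

    _write(root, "etc/app.conf", b"debug = on!\n")   # same size, different content
    os.chmod(tool, 0o4755)                             # setuid bit added, content intact
    os.remove(os.path.join(root, "old.conf"))
    _write(root, "new.conf", b"planted\n")

    return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The two modifications it catches, a same-size content edit and a setuid bit added to an otherwise untouched binary, are exactly the ones a size or timestamp check misses, which is why AIDE hashes content and records permissions rather than trusting stat alone.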


10. Automate Compliance with SCAP and OpenSCAP

Ensure your RHEL system meets industry standards like CIS, DISA STIG, or PCI DSS. The scap-security-guide package ships the profiles; openscap-scanner runs them.

  • Install OpenSCAP Toolkit:

    sudo yum install scap-security-guide openscap-scanner
    
  • Run Compliance Scans:
    Pick the datastream that matches your release (ssg-rhel8-ds.xml for RHEL 8, ssg-rhel9-ds.xml for RHEL 9) and list the available profile IDs with oscap info on that file. Add --report report.html for a readable version alongside the XML results:

    sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results results.xml /usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml
    
  • Remediate Automatically:
    OpenSCAP can generate a remediation script (bash or Ansible) from the results, or apply fixes in place with --remediate. Run remediation on a test system first: STIG fixes change SSH, PAM, partitioning and audit settings in ways that can lock you out of a production host.

Automating compliance audits reduces manual effort and helps avoid regulatory findings; it does not by itself make a system secure, so pair it with the controls above.
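A results.xml with a few thousand rule-result elements is not something to read by eye. The Python below is an added example, not part of OpenSCAP or the post: it parses an XCCDF results document, attaches rule titles when the benchmark is embedded, counts outcomes, lists failures highest severity first, and computes a pass rate over the rules that were actually checked. The XML is a constructed, trimmed document using the element names oscap writes; the rule IDs follow the SSG naming style and the titles are illustrative.

```python
"""Summarize an XCCDF results file from oscap xccdf eval: failed rules by
severity, with titles when the results embed the benchmark. Added example,
not part of the post or of OpenSCAP; the XML below is constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0, "unknown": 0}

SAMPLE_RESULTS = f"""\
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_org.ssgproject.content_benchmark_RHEL-8">
  <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <title>Disable SSH Root Login</title>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_audit_rules_immutable" severity="medium">
    <title>Make the auditd Configuration Immutable</title>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high">
    <title>Uninstall telnet Package</title>
  </Rule>
  <Rule id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" severity="high">
    <title>Disable Ctrl-Alt-Del Reboot Activation</title>
  </Rule>
  <TestResult id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_stig">
    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_immutable" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" severity="high"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

def parse_results(xml_text):
    """Return one dict per rule-result: id, short name, severity, result, title."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    titles = {r.get("id"): (r.findtext("x:title", default="", namespaces=ns) or r.get("id"))
              for r in root.iter(f"{{{XCCDF_NS}}}Rule")}
    rows = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        rid = rr.get("idref")
        rows.append({
            "id": rid,
            "name": rid.rsplit("content_rule_", 1)[-1],
            "severity": (rr.get("severity") or "unknown").lower(),
            "result": (rr.findtext("x:result", default="unknown", namespaces=ns) or "unknown").lower(),
            "title": titles.get(rid, rid),
        })
    return rows

def summarize(rows):
    """Count of each outcome (pass, fail, notapplicable, notchecked, error...)."""
    return dict(Counter(r["result"] for r in rows))

def failures(rows, min_severity="low"):
    """Failed rules at or above min_severity, highest severity first."""
    floor = SEVERITY_RANK.get(min_severity, 0)
    fails = [r for r in rows if r["result"] in ("fail", "error")
             and SEVERITY_RANK.get(r["severity"], 0) >= floor]
    return sorted(fails, key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0), r["name"]))

def score(rows):
    """Pass rate over rules that were actually checked, as a percentage."""
    checked = [r for r in rows if r["result"] in ("pass", "fail", "fixed", "error")]
    passed = sum(1 for r in checked if r["result"] in ("pass", "fixed"))
    return round(100.0 * passed / len(checked), 1) if checked else 0.0

if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)   # real use: open("results.xml").read()
    print("summary:", summarize(rows), "pass rate:", score(rows))
    for r in failures(rows):
        print(f"[{r['severity'].upper():6}] {r['name']}: {r['title']}")
```

On a real results.xml this yields a prioritized fix list. Keep notapplicable and notchecked separate from pass: a profile that reports mostly notchecked has not actually verified much, whatever the headline percentage says.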


Wrapping Up

Advanced security hardening on RHEL goes far beyond basic firewall rules and password policies. From namespace isolation and module signing to compliance automation and intrusion detection, these techniques help you protect your systems against sophisticated threats.


Call-to-Action

Want to secure your infrastructure like a pro? Contact me for a tailored security audit and expert guidance on advanced Linux hardening.


Why Your Saved Passwords Are Basically a Hacker’s Lunch Buffet https://michaeldewitt.com/2025/03/14/why-your-saved-passwords-are-basically-a-hackers-lunch-buffet/ https://michaeldewitt.com/2025/03/14/why-your-saved-passwords-are-basically-a-hackers-lunch-buffet/#respond Fri, 14 Mar 2025 18:57:36 +0000 https://michaeldewitt.com/?p=884

Stealer Logs: How Attackers Extract Saved Logins from Your Browser

Introduction

Imagine this: You sit down at your computer, open your browser, and seamlessly log into your email, social media, and banking accounts without typing a single password. Convenient, right? But what if someone could steal all those logins in seconds?

That’s exactly what stealer logs do. These logs contain stolen credentials, session cookies, autofill data, and even credit card details—harvested directly from your browser’s password vault.

This guide will explain how stealer logs work, why they’re so dangerous, and how attackers extract saved logins effortlessly. By the end, you’ll know exactly how to protect yourself and your organization from this growing cyber threat.


What Are Stealer Logs?

Stealer logs are files containing stolen user credentials, typically harvested by infostealer malware. These malware programs infiltrate a victim’s system, extract sensitive data from the browser, and compile it into a file before sending it to cybercriminals.

These logs are often sold on the dark web or distributed in hacking communities, allowing attackers to access accounts, bypass multi-factor authentication, and even impersonate victims in financial transactions or corporate environments.


How Easy Is It to Steal Saved Logins?

Most people assume their browser’s built-in password manager is secure. It is, against someone who only steals the files; it is not against code running inside your own login session. Here’s why:

1. The Decryption Key Lives on the Same Machine

Browsers do encrypt saved passwords, but the key is protected by the operating system on behalf of your user account (DPAPI on Windows, the keychain or keyring elsewhere). Any program running as you can ask the OS to unwrap that key exactly as the browser does, so malware in your session decrypts the vault without cracking anything. On Linux systems with no keyring available, Chromium-based browsers fall back to a fixed, publicly known key, which is plaintext in all but name.

2. Infostealer Malware Is Readily Available

Cybercriminals don’t need advanced hacking skills. There are ready-made stealer malware kits available on underground forums, some costing as little as $50–$200.

Popular infostealers include:

  • RedLine – Extracts credentials, cookies, and autofill data.
  • Raccoon Stealer – Targets stored passwords and cryptocurrency wallets.
  • Vidar – Exfiltrates sensitive data from browsers and messaging apps.

3. Malware Can Extract Credentials in Seconds

Once installed, stealer malware runs silently in the background. It:

  1. Scans for installed browsers (Chrome, Firefox, Edge, Brave, etc.).
  2. Extracts stored credentials and autofill data.
  3. Compiles stolen information into a log file.
  4. Sends the file to an attacker-controlled server.

The whole run takes seconds and shows the user nothing. Many stealers do not even persist: they run once, exfiltrate, and exit, which is why the infection is often discovered only when the credentials surface somewhere else.
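The four steps above are also the detection opportunity: a process that is not the browser reading the browser's credential stores, usually several of them in a row. The Python below is an added example, not from the post or from any vendor: it classifies file paths into credential-store types for Chromium-based browsers and Firefox, ignores the browsers reading their own files, and raises the severity when a single process touches the wrapped key file plus the logins store, or more than one browser. The events are constructed in the shape an EDR file-access feed might produce; the process allowlist and the assumed profile layout (Chrome's User Data profile folders, Firefox's Profiles folder) are assumptions to tune for your estate.

```python
"""Detection logic for infostealer behaviour: flag processes other than the
browser that touch browser credential stores, and raise the severity when one
process sweeps several stores or several browsers. Added example, not from the
post or any product; events are constructed, the allowlist is an assumption."""
import re
from collections import defaultdict

# Files holding saved logins, cookies, autofill and the wrapped encryption key.
STORE_PATTERNS = {
    "chromium-logins":  re.compile(r"\\user data\\[^\\]+\\login data$"),
    "chromium-cookies": re.compile(r"\\user data\\[^\\]+\\(?:network\\)?cookies$"),
    "chromium-webdata": re.compile(r"\\user data\\[^\\]+\\web data$"),
    "chromium-key":     re.compile(r"\\user data\\local state$"),
    "firefox-logins":   re.compile(r"\\profiles\\[^\\]+\\(?:logins\.json|key4\.db)$"),
    "firefox-cookies":  re.compile(r"\\profiles\\[^\\]+\\cookies\.sqlite$"),
}
# Processes expected to read their own stores (assumed list; add the backup
# agents and sync tools you actually run, or they will alert at the low tier).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}

def classify_path(path):
    """Return the store name a path refers to, or None."""
    p = path.replace("/", "\\").lower()
    for name, rx in STORE_PATTERNS.items():
        if rx.search(p):
            return name
    return None

def detect(events):
    """events: dicts with host, pid, image, path, ts. Returns one alert per process."""
    touched = defaultdict(dict)   # (host, pid, image) -> {store: first ts}
    for e in events:
        store = classify_path(e["path"])
        image = e["image"].rsplit("\\", 1)[-1].lower()
        if store is None or image in BROWSER_PROCESSES:
            continue
        touched[(e["host"], e["pid"], e["image"])].setdefault(store, e["ts"])
    alerts = []
    for (host, pid, image), stores in touched.items():
        families = {s.split("-", 1)[0] for s in stores}
        # the key file plus a logins store is exactly what decryption needs
        has_key_and_logins = "chromium-key" in stores and "chromium-logins" in stores
        if len(families) > 1 or has_key_and_logins:
            severity = "high"
        elif len(stores) > 1:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"host": host, "pid": pid, "image": image,
                       "stores": sorted(stores), "severity": severity,
                       "first_seen": min(stores.values())})
    return sorted(alerts, key=lambda a: a["first_seen"])

# Constructed sample feed: the browser reading its own files, a stealer
# sweeping Chrome and Firefox, and a backup agent reading one file.
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data", "ts": 1711000000},
    {"host": "ws01", "pid": 7788, "image": r"C:\Users\bob\AppData\Local\Temp\update_helper.exe",
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Local State", "ts": 1711000003},
    {"host": "ws01", "pid": 7788, "image": r"C:\Users\bob\AppData\Local\Temp\update_helper.exe",
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data", "ts": 1711000003},
    {"host": "ws01", "pid": 7788, "image": r"C:\Users\bob\AppData\Local\Temp\update_helper.exe",
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies", "ts": 1711000004},
    {"host": "ws01", "pid": 7788, "image": r"C:\Users\bob\AppData\Local\Temp\update_helper.exe",
     "path": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\k3x9q.default-release\logins.json", "ts": 1711000004},
    {"host": "ws01", "pid": 7788, "image": r"C:\Users\bob\AppData\Local\Temp\update_helper.exe",
     "path": r"C:\Users\bob\Documents\notes.txt", "ts": 1711000005},
    {"host": "ws01", "pid": 2210, "image": r"C:\Program Files\Backup\agent.exe",
     "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Web Data", "ts": 1711000100},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['severity'].upper():6} {a['host']} pid={a['pid']} {a['image']} -> {', '.join(a['stores'])}")
```

Backup agents and browser-sync tools will trip the low tier, which is expected and tunable; the high tier (an unknown binary in a temp directory reading the key file, the logins database, the cookies and a second browser's store within two seconds) is rare enough in practice to page on.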

4. No Need for Admin Privileges

The data lives in your own profile, and the operating system unwraps the key for any process running as you, so an infostealer needs only the privileges of the user who launched it. Nothing it does triggers a UAC prompt, which is one reason it goes unnoticed.


Where Do Stolen Logins End Up?

Once credentials are extracted, they are sold or distributed through:

  • Dark Web Marketplaces – Hackers auction bulk logs to the highest bidder.
  • Telegram Groups – Cybercriminals share logs in real-time.
  • Criminal Forums – Stealer logs are exchanged for Bitcoin or Monero.
  • Automated Bots – Some Telegram bots allow users to search for credentials by email or domain.

Real-World Attacks Using Stolen Credentials

Stealer logs have been used in high-profile attacks, including:

1. Corporate Breaches

Many data breaches start with stolen credentials from employees’ browsers. Attackers log into company accounts, escalate privileges, and deploy ransomware or steal intellectual property.

2. Cryptocurrency Wallet Draining

Infostealers target browser extensions for crypto wallets (like MetaMask) to extract private keys and drain accounts.

3. Session Hijacking

Some logs include session cookies, which let attackers bypass passwords and MFA, logging in as the victim without triggering security alerts.


How to Protect Yourself from Stealer Logs

Even the most security-conscious users are at risk. Here’s how to defend against infostealers:

1. Stop Using Browser Password Managers

Instead, use a dedicated password manager like:

  • Bitwarden
  • 1Password
  • Dashlane

These encrypt the vault with a key derived from a master password you type, rather than one the operating system hands to any process running as you, so a stolen vault file is useless on its own. They are not immune: while the vault is unlocked, malware in your session can still capture what you paste or autofill, so the manager complements the other steps here rather than replacing them.

2. Enable Multi-Factor Authentication (MFA)

Use hardware security keys (like YubiKey) or app-based authentication (like Authy) to prevent unauthorized logins—even if your password is stolen. MFA stops reuse of a stolen password; it does not stop a stolen session cookie from being replayed, so sign out of sensitive services rather than leaving sessions open for weeks.

3. Regularly Monitor for Leaked Credentials

Use a breach-monitoring service such as Have I Been Pwned (haveibeenpwned.com) to learn when your address, or any address in your organization’s domain, turns up in leaked data, and rotate the affected passwords as soon as it does.

4. Disable Autofill in Browsers

Autofill entries for names and addresses are stored unencrypted in the browser profile, and saved card numbers are protected with the same key as passwords, so both are harvested the same way:

  • Go to browser settings → Disable autofill for passwords, addresses, and credit cards.

5. Run Anti-Malware & Endpoint Protection

Use advanced security solutions to detect and block infostealer malware, for example:

  • Microsoft Defender for Endpoint
  • Malwarebytes
  • SentinelOne

6. Avoid Downloading Unverified Software

Infostealers often hide inside cracked software, fake updates, and malicious email attachments.

  • Always download from official sources.
  • Scan downloads with an antivirus before opening them.

7. Use a Secure, Non-Admin User Account

Running as a standard user does not stop an infostealer from reading your own profile (it needs no admin rights for that), but it does stop it from disabling security software, installing drivers, or persisting system-wide, and it limits the damage from anything else bundled with it.


Final Thoughts

Stealer logs are one of the biggest cybersecurity threats today, and attackers don’t need sophisticated skills to exploit them.

If you save passwords in your browser, you’re a potential target. Malware running as you can extract those logins in seconds, reach the accounts behind them, and, when it also took session cookies, walk straight past MFA.

The best way to protect yourself? Ditch browser password managers, enable MFA, and stay vigilant against malware.

Sources

  1. https://krebsonsecurity.com/ (Investigative cybersecurity reporting)
  2. https://www.bleepingcomputer.com/ (Cybersecurity news and research)
  3. https://www.darknetdiaries.com/ (Real-world cybercrime stories)
  4. https://haveibeenpwned.com/ (Breach data and credential monitoring)