Date: Wed, 01 Oct 2008 16:29:57 -0400
From: Valdis.Kletnieks@...edu
To: Trevow Andrews <trevorandrws3456@...oo.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Paul Asadoorian of PaulDotCom Enterprises / Podcast is ridiculous

On Wed, 01 Oct 2008 08:59:16 PDT, Trevow Andrews said:

> No real research has even come out of Paul and Larry

And? So? You *do* realize that "kick-ass researcher" doesn't directly imply
"kick-ass teacher", right?  Quite often, the best researchers make *really bad*
teachers, because the same autism-spectrum and ADD issues that allow them to
focus on things when researching mean they *suck* at presentations.  If
you've ever been to college, and gotten somebody who's got a zillion papers
published, but the class sucks because they can't lecture well, you've seen
this in action.

The second issue is that teaching chews incredible amounts of time, and
directly impacts how much, if any, research you do - if you're on the road
3 weeks of the month teaching, I guarantee that you'll not get much done the
other week.  Sure, you may have spent 3 weeks teaching a *lot* of people a
*lot* of material, and had them all actually remember it - but your research
schedule takes a hit.

The third thing to keep in mind is that "bleeding edge" doesn't always (and
in fact rarely, if ever) correspond to what's out in the real world. OK, so
you're peeved because the guy talked about WRT54G and didn't cover Kamikaze.
Have you bothered to actually *check* what the relative percentages *actually
in use* are?  Yeah, Kamikaze may be cool, shiny, and uber-leet - but if it's
only got 5% market share and WRT54G has 95%, maybe he shouldn't be spending
a lot of time covering Kamikaze.

Yes, SANS presentations often lag behind what's the cutting edge - but they're
teaching people about stuff they're likely to actually encounter.  When they
send new cops to police school, they rarely spend lots of time on how to pull over
a Ferrari, but they're hopefully going to learn a *lot* about all the little
details of pulling over a pickup truck (where to look for stuff in "plain
sight", where weapons may be stashed, etc).  Why? Because they're going to be
pulling over dozens of pickup trucks a week, and maybe *once* in their lifetime
they're going to get to pull over a Ferrari.

You remember that big horrible DNS hole from a few weeks ago?  How many have you
seen in the wild so far?  And how many systems have you seen that actually got
whacked with a 4-year-old SQL exploit?

Yep, thought so.

(For all I know, these guys may indeed be sucky presenters *and* sucky
researchers - but I'm getting tired of the meme that it has to be taught
by a "leading researcher" for it to be of use - especially when you're trying
to teach nuts-n-bolts security to Joe Corporate.  And if you think it's that
easy to teach - start doing it.  Undercut SANS, charge only $1000 per head,
teach a class of 20 a week.  You're looking at $80K of income *a month*.
Now ask yourself why there aren't *more* people doing it...)


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/