Message-ID: <20040204184720.GA29176@netpublishing.com>
From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: credibility (was 'more security people')

We're already screwed, IMHBAO.

BITD when I used to write viruses, I did it without the knowledge that
there was a "community". It wasn't until Sundevil that I discovered
2600/Phrack/TAP. There was one and only one criterion for membership, 
and that was "clue". The community was a meritocracy, and people were 
accepted/rejected based on whether they were scientific/productive and 
whether they contributed or not. Period.

Then Sir Tim Berners-Lee and Marc Andreessen opened the gates and allowed
the proletariat on to the Internet, and things changed fast. Hell, people
shelling out of PINE was more common than getting laid, but it still was 
a cooperative community. I remember thinking how k3wl it was that the 2600 
group would let a sixteen-year-old into the fold simply because the kid 
was bright enough to have designed a diverter (and not being a phone
person, I had to get him to explain what a diverter was ...).

Fast forward to today. There are "security people" - half of whom stayed
up with me and others at HOPE/HIP, and the rest of whom (like me, mea 
culpa) took and passed the CISSP test. All that the certification has 
given me is "credibility" in the marketplace. People who know me, either
by name or by handle, have already decided whether or not I am worthy. 
However hiring managers (and I once was one of those as well) have no 
baseline for determining whether or not I or anyone else either is skilled 
and experienced or just earned their Bulls**t (BS) degree in the elevator 
on the way to the interview. 

I am *not* in favor of the threshold being used to allow people into the
fold, however. I think that knowing that a buffer overflow has something
to do with exploiting a computer system is not nearly enough knowledge/
experience (and how do these certifications take experience, like my
nineteen years, into account...they don't) to qualify someone to walk
around and compete with me in the marketplace and call themselves a
security expert. Hell, if you haven't stood with Pieter or Elias and
had the conversation face to face about their research, WTF right do 
you have to call yourself an expert because you woke up early on a 
Saturday and took a test and passed?

BTW, to be clear I am *not* saying that certifications are bad/worthless. 
I am saying that they are weak, ineffectual, and not nearly enough to 
qualify someone to market themselves as a "security expert". From the
perspective of weeding out the phonies, I'm all in favor of certifications.

One reason (I believe) why this system will fail is that I see the progress
made by people in Eastern Europe and even China (although I find the Chinese
hacks to be somewhat less than elegant). These people seem to disregard
laws/certifications/other artificial barriers and simply do what works,
namely read the code and push the envelope. That always has been and always
will be what security is about - the pursuit of knowledge. No test can 
certify you for that...only the desire to beg/borrow/steal a *NIX distro
and dive into the deep end will give you that kind of experience.

Heaven forbid that the government of the US or anywhere else should try 
and place some artificial barriers on research and development - that's 
progress, and the day that they try and restrict progress is the day that
we should all pack our bags and head elsewhere. Information should be free!

AFA vendors are concerned, security is a revenue drain, and they never
will come around to fixing things unless their revenue stream is threatened.
Security by embarrassment works best, no question about it. Some of you
younger readers would do well to consider that point.

In summary, the industry deserves what it gets, which is a large number
of untalented posers who couldn't root a Linux 5.0 box running wu-ftp

=;^)

On or about 2004.02.04 09:00:04 +0000, macmanus@...hmail.com (macmanus@...hmail.com) said:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Too bad it won't last - once all the newbies get CISSPs, we'll be screwed!
> Thanks Uncle Scrot, best thing I've seen on this list in a while!
<<SNIP>>

-- 
Gregory A. Gilliss, CISSP                              E-mail: greg@...liss.com
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

