Message-ID: <8554447A-5745-11D8-8077-000393DC4650@midsouth.rr.com>
From: jmgraham at midsouth.rr.com (Michael Graham)
Subject: more security people = less security
This is a horrible rant with some fine isolated points within it.
Further comments in-line.
On Feb 3, 2004, at 2:22 PM, Uncle Scrotora Balzac wrote:
>
> Many hackers (who also view themselves as security experts) are pissed
> off by the landslide of new people, products, and money entering into
> the security space.
Wow. A community that prides itself on being as bleeding edge and "out
there" as possible is offended that the mundanes are stepping all over
their precious playground. Color me shocked.
> Yes, it's true there are many more people becoming security "experts"
> (using this term as loosely as possible) every day.
Here is where you went from a possibly good argument into just a rant.
If they aren't "security experts" then they have no business calling
themselves "security experts." End of point; no one would argue. But
instead, we have to berate all these dumb noobs for stepping on our
elitism. All you really needed to say was: "The world would be a
better place if everyone was qualified to do their job."
> And yes, it's also true companies are running to the marketplace faster
> than Whitney Houston to a line of coke.
Companies throw money at problems instead of doing the hard work
required to solve the core issue? Inconceivable!
> Of course, the obvious benefit: The more people pulled into this space
> from various other backgrounds, the lower the average security
> administrator's level of knowledge becomes.
Again, forgive me, but aren't you just raging against the machine about
things we've all observed in every sub-field of IT? Moron DBAs, MCSEs
who don't know anything about even Windows, Solaris admins who have
never touched an external array, etc.
> This "dumbing down" happens for several reasons,
> but the most significant is the way in which these new generations of
> security administrators are educated.
Here you're just being obnoxious. Yes, all our lives would be much
better off if everyone who wore a security hat was qualified to do so.
But that does not prove that more people trying to effect good security
measures somehow degrades my performance nor the security of the net in
general. So what if the guy at company B is doing security because he
was a mediocre network "engineer"? Is that as good a thing as if he
was really qualified? No, obviously not. But is that a better state
of affairs than no one doing that job? Absolutely and obviously so.
> Typically, they are forced into these positions by employers that
> realize they desperately need security staff.
Are you out of work or something? Consultancy not going so well? Why
the vitriol about lesser beings filling these roles? Again, just
because a situation isn't the best possible situation doesn't mean it
isn't better than yesterday's status quo.
> Now you've got some guy sitting there trying to figure out which way
> is up, so where do they turn? To vendors. Be it a vendor of
> hardware/software solutions, or a vendor like SANS (selling propaganda,
> errr, I mean, "education" about open source products backed by
> commercial entities which SANS purportedly invests in).
This is a valid point. Vendors should not be who you get your
information from. Vendors should not be making strategic decisions
about what you need to do to secure your network. But again, it's not
as if this doesn't happen in other fields. Cisco is built upon
thousands of mid-sized companies who have about $50,000 more switching
than they actually need. We come back to "The world would be a better
place if everyone was qualified to do their job."
> Although it grates on the nerves of everyone who knows better to see
> all these pen testers running around selling Nessus reports,
Again, the Remaining 4 are selling their boilerplate instead of real
services. OK?
> So bring it on! We need *more* new security people and more new
> products to create more confusion, ambiguity, and false senses of
> superiority. Think security consoles only being released for Windows
> anymore doesn't signify anything?! Come on out, the water's fine!
>
And now we sum up with the real point of this e-mail. Noobs r dumb,
let's remind everyone how hardcore we "real" security people are! I
don't disagree with any of your actual points, but that was about six
more paragraphs than you needed in order to state your (obvious) case.
The world would be a better place if everyone was qualified to do their
job. Hear, Hear! But do we need to abuse them for trying?
Mike Graham
NOT a Security Expert