Message-ID: <C246F099C408FE429BCEE7473E2DDC60429707@internet1.mccd.edu>
From: alexander.s at mccd.edu (Steven Alexander)
Subject: credibility (was 'more security people')

WTF makes people think that passing a single test qualifies someone as
an expert in anything?  

People need to realize that while tests/certifications are not
worthless, they should only complement other qualifications.  Tests are
used in other professional fields: lawyers have to pass the bar exam in
the state where they intend to practice law, accountants have to pass
the CPA exam.  However, you can't take the bar exam without a law degree
or the CPA exam without taking a specified number of accounting classes.

Knowing a lot of random facts about security simply isn't enough.  It's
nice that everybody and their mom knows what a buffer overflow is
nowadays but it doesn't enable them to evaluate StackGuard, ProPolice,
PaX, W^X, etc.  Knowing what an intrusion detection system is doesn't
mean that you have tcpdump skills.  Expertise is based on knowledge that
has both breadth and depth. 

Security people need to know a lot about a lot of things: one of the
most important books that I've read WRT to security is Richard Stevens'
TCP/IP Illustrated Vol. 1 and it doesn't directly deal with security.
But, without an in-depth understanding of TCP/IP, how formidable can
one's knowledge of security (especially firewalls and intrusion
detection systems) be?  

Also, it's important to be able to think outside the box.  Bruce
Schneier has argued for years that good cryptosystems are designed by
people who are good cryptanalysts.  It makes sense to me; why should I
trust the ciphers that you design if you don't understand what was wrong
with the old ones?  Likewise, why should I trust in the security of a
network/system "secured" by some random CISSP when they don't know
anything about breaking into systems?

I don't think that every security expert has to be a reformed
{cr|h}acker.  I do think, however, that anyone who dares call themselves
a security expert should understand how systems are broken into.  If you
don't know what attackers are doing, how the hell do you know what to
protect against?  

There should be a hands-on challenge to any security certification
requirements.  Perhaps something like: "Find and infiltrate the PaX
protected system on network X.  You must write your own exploit to gain
root through ssh using return-into-libc.  Remove all traces of your
intrusion from the logs (they're append only).  Don't alert the Snort
box." 

I don't have a CISSP btw so I'm biased.

My $.02

-steven     


>-----Original Message-----
>From: Gregory A. Gilliss [mailto:ggilliss@...publishing.com] 
>Sent: Wednesday, February 04, 2004 10:47 AM
>To: full-disclosure@...ts.netsys.com
>Subject: Re: [Full-Disclosure] credibility (was 'more security people')
>
>

<snip>

>BTW, to be clear I am *not* saying that certifications are
>bad/worthless.
>I am saying that they are weak, ineffectual, and not nearly enough to
>qualify someone to market themselves as a "security expert". From the
>perspective of weeding out the phonies, I'm all in favor of
>certifications.
>

<snip>

>In summary, the industry deserves what it gets, which is a large number
>of untalented posers who couldn't root a Linux 5.0 box running wu-ftp
>
>=;^)
