lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040319214254.GA16204@netpublishing.com>
From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: Credibility (was User Insecurity)

Actually what he is describing is what I refer to as "credibility".

The CISSP after my name is a measure of my credibility. It tells otherwise
clueless people, people without first hand experience and knowledge,
something about me. Perhaps it tells them that I exhibit some measurable
degree of knowledge or experience in my chosen field (security). For
people who know me or know security, it may tell them nothing more than 
the fact that that I am a person who can afford $450 and can pass a 
standardized test. The letters mean something different than they do for
people without experience, since each group (a) bases their measure of my
credibility on something different (personal experience, word of mouth, 
rumor, slander, etc). 

Credibility is a function of perception (my assertion - YMMV). Sales 
people with crappy clothes and long hair may be "less credible" than "Ken
dolls". MCSE is "more credible" than "pimply-kid-who-knows-how-to-install-
NT". Doesn't necessarily mean that MCSE is "more knowledgeable" or "more 
professional" than "NT kid", but if *you* see it that way then *you* have
defined the credibility. A hiring manager may look at two resumes and,
all else being equal, will likely hire the one with the college degree or
the certification because that person is "more qualified" - or, IOW, that
person has more credibility. May not be the best choice, but that's what
goes on. (Hiring managers who take exception may email me off list pls).

Credibility equates to experience equates to clue (my assertion). In a
"trust" relationship, you can start from "no trust" or "full trust" or
anywhere in between (some trust, limited trust, etc). SSL is a good example
of "full trust". Holes, exploits, etc reduce "trust" for a time (until the
hole is patched). Microsoft suffers from a credibility problem because
(a) people keep finding holes, (b) Microsoft often denies/ignores the
holes, and (c) Microsoft takes a subjectively long period of time to
patch the holes found in (a) and denied in (b).

Credibility. We live and die by it in the security world as much as any
mechanic/lawyer/doctor/insert other professional designation here...

G

On or about 2004.03.19 11:39:19 +0000, gadgeteer@...gantinnovations.org (gadgeteer@...gantinnovations.org) said:

> What you describe regarding you and your mechanic is "blind trust".  
> You are trusting his abilities as a mechanic based on you preception 
> of him as a person.
<<SNIP>>

-- 
Gregory A. Gilliss, CISSP                              E-mail: greg@...liss.com
Computer Security                             WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ