lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <02d101c5f082$95895fb0$7601a8c0@amd3200plus>
Date: Wed Nov 23 23:07:09 2005
From: cdupuis at cccure.org (Clement Dupuis)
Subject: Hacking Boot camps!

Good day InfoSecBOFH,

Hum... It seems like you have something to settle with SANS, I really do not
know what they did to get you this mad or what negative experience you had
to go through but they definitively are not on your white list.
  
> - Their training is out of date
I guess this is the growing pain.  It becomes an unbelievable challenge to
maintain over 20 tracks.  I do not believe they are all outdated as you
claim; all of tracks are usually updated a couple times a year.   

> - Most of their instructors are unqualified to answer any questions 
> that are not in their training books.
Most of their classes have outstanding instructors such as Ed Skoudis, Mike
Poor, Eric Cole, Chris Brenton, Jason Fosen, Joshua Wright, Bob Hillery,
Marcus Sach, William Stearns, etc...   These instructors will not only
answer questions on security topics but have also written the training books
and have been published in magazine and books as well.  They are well
respected in the community and very competent.  If you would dare to call
any of these instructors unqualified, you must have a very demanding level
as far as an instructor is concerned.  

I totally disagree with your comment about them being unqualified, they are
the best, and they are the people delivering a lot of the live classes.  I
have heard of some negative comments related to their other delivery
mechanisms but their live classes are being done by great instructors.

> - Most of their instructors will feed you with a marketing pitch for 
> their own consulting or product companies.

Most instructors will introduce themselves within the first few minutes of
the class and this is the extent of it.  I think it is only fair to give
your company credit as well as yourself.  After all, it is your company that
gives you time to attend and teach in many cases.  If any instructor goes
above and beyond this, they are out of line and not following their own code
of ethics.   

> - The so called "SANS What Works" program where they endorse vendors 
> who have products that actually work and help with infosec issues is a 
> sham.  They will list any vendor that pays their 25K "fee" to be 
> listed.

I must agree with you on this one, people think that the products featured
are endorse and recommended by SANS but this is not the case.  SANS is only
showcasing a company and what they have use with success or what has work in
their very specific case.  The company has you have said has to pay a fair
amount of money to have their case and product showcased.  

It is people reading about it that takes for granted that the product
presented is endorsed by SANS, it is stated clearly on the SANS website that
it is not the case.  

Of course, nobody from SANS has attempted to dispel the myth (to the joy of
the people who have paid to be part of the program).  I guess they see no
reason to attempt doing so because it is stated clearly on the web site what
the program is about.

The name "SANS What Works" is somewhat misleading I must admit.  A bit more
information could be provided on what the program really is, what it stands
for, and what is the endorsement being made.


> - Here is how the pyramid works.  You have Northcutt and Paller on the 
> top of things as the creators of this so called non-profit (yet they 
> have multi million dollar homes in Hawaii).  They *USE* volunteers to 
> come up with training material and to run their "mentoring program".
> Then, they take the volunteer work, hand it to their close friends who 
> also happen to be their full time instructors let them take credit for 
> it and have them deliver the course and of course pay them very well 
> for it.  Nothing like making money for your 'non profit" on the backs 
> of volunteers who you still charge to attend the training BTW.

Both Stephen Northcutt and Allan Paller have never claimed to be non profit
because they know that they are not.  Their web site and documentation does
not pretend to be non profit either.  Somehow there is this myth from the
early days that has been going around about SANS and GIAC being non profit.


On the training material side:
The training material being developed for the past few years has been done
by people who were compensated for their work and NOT free work as you
claim.  

The local mentor are paid as well, they are not doing volunteer work.  I
have heard good comments and very sad comments about the delivery of the
program.  I guess you mileage will vary depending on who is the mentors.

I do not know of any regular instructor who has taken someone else material
and claim it was their own.  There is no volunteer that I know of, producing
training material without getting paid for each slide if it is being used
for training.  In fact SANS has one of the most generous royalty programs
out there.  None of the large training organization out there will pay you
royalties the way SANS does and the amount SANS does.  I must give them
credit on that side.

You are right: SANS has the best pay in the industry. 

Do you have a specific example of someone who has developed a course, a
short class, or anything for free and the material got used and abused as
you claim by SANS or an instructor or SANS?

I know SANS is not perfect, they are not what they use to be as a community,
but they still deliver quality training and credit must be given to them
where it belong.

Other training vendors are doing nothing to give back to anyone.  At least
SANS are giving back to the community through many projects.

Take care

Clement

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ