Message-ID: <2be58a30511240138s5a143cebm8fceb9797857386b@mail.gmail.com>
Date: Thu Nov 24 09:39:02 2005
From: infosecbofh at gmail.com (InfoSecBOFH)
Subject: Hacking Boot camps!: certifications
But my dear friends... one can lie and still get his CISSP. I know of
at least 3 different people who are NEW to infosec but faked some
experience for their CISSP. Hell, I lied on my application and got my
CISSP yet I still ./ my way around the interweb.
On 11/23/05, senator.crabgrass@...cast.net
<senator.crabgrass@...cast.net> wrote:
>
> jeff_wilder wrote:
>
> >snip
> Want to know where the best bang for the buck is.... goto... www.dice.com...
> search for GIAC = 116 open positions
> search for CISSP = 677 open positions
> >end snip
>
> You my friend have hit the proverbial nail on the head, the key difference being, I believe, that the CISSP requires a pre-vetting, where the GIAC does not. The knowledge/maturity needed to attain a CISSP credential infers responsibility by addressing a level of downstream liability mitigation, providing an employer a certain level of assurance, say an EAL of (x), with the (x) being the unknown left to the CISSP to convey, they are what they say. (Insert Domain Expertise Here) Basically you get what you give. Memorizing to vomit the information for any cert is as useful as a Microsoft patch to plug a vulnerability.
>
>
> --
> vote for me
>
>
> > I wanted to chime in on all this SANS VS. any other certification VS.
> > training...
> >
> > The only thing a certification does for anyone is validate to a prospective
> > employer that you, at the time you took the test, knew enough to pass it.
> > Depending on how high that bar is set will determine if you receive it or
> > not. So I go take a test so my employer knows that I am smart and I can do
> > the things I claim.. things I already knew.
> >
> > So, how you gain the information, through a crash course in buffer overflows
> > or seed information that gives you a topic of study... or a life's worth of
> > study on the topic means very little to an employer. It's only the alphabet
> > soup that they care about.
> >
> > Want to know where the best bang for the buck is.... goto... www.dice.com...
> >
> > search for GIAC = 116 open positions
> > search for CISSP = 677 open positions
> >
> > So am I any smarter for having my CISSP over a GIAC?... I don't think so..
> > but the employers seem to think so =)
> >
> > So back to the hacking boot camps issue... I had my ethical hacking cert
> > before I went to class, was I any smarter after I had the cert?.. No... well
> > actually it was one of the hardest tests I've taken and still passed it
> > without a book to study or the weeks class.
> >
> > I have been to great classes, and some that were really a waste of time and
> > a lot of money to boot. But I ALWAYS found some value because I went for me..
> > and not another cert at the end of my name. Not everyone is going to have
> > the answer for every question, I know I don't, I can't hold that against an
> > instructor.
> > If you get owned for 3500 bucks because you didn't investigate what it was
> > that you were going to be learning... the courseware... or whatever it was
> > that you bought... it's because you allowed yourself to get owned.
> > If the class you took did not offer the information that you desired..
> > perhaps you should look into different material more SR. level.. or create
> > your own certification, maintain 20 tracks.. sell it.. promote it... =) so,
> > I respect what they have done for the industry, it's not an easy task.
> >
> > I coauthored some courseware for a forensics management class... I've spent
> > 100's of hours in prep to create it and deliver it.
> >
> > My hats off to anyone who wants to share information at any level.. because
> > you will always find someone at every level.
> >
> > that's my $.02 worth
> >
> > -Jeff Wilder
> > CISSP,CCE,C/EH,security+,ISSAP,ISSMP,MCP,INet+... yadda yadda yadda..
> >
> >
> >
> > -----BEGIN GEEK CODE BLOCK-----
> > Version: 3.1
> > GIT/CM/CS/O d- s:+ a C+++ UH++ P L++ E- w-- N+++ o-- K- w O- M--
> > V-- PS+ PE- Y++ PGP++ t+ 5- X-- R* tv b++ DI++ D++
> > G e* h--- r- y+++*
> > ------END GEEK CODE BLOCK------
> >
> >
> >
> >
> >
> > >From: "Clement Dupuis" <cdupuis@...ure.org>
> > >To: "'Koen Van Impe'" <koen.vanimpe@...net.be>
> > >CC: full-disclosure@...ts.grok.org.uk
> > >Subject: RE: [Full-disclosure] Hacking Boot camps!
> > >Date: Wed, 23 Nov 2005 18:06:48 -0500
> > >
> > >Good day InfoSecBOFH,
> > >
> > >Hum... It seems like you have something to settle with SANS, I really do
> > >not know what they did to get you this mad or what negative experience you
> > >had to go through but they definitively are not on your white list.
> > >
> > > > - Their training is out of date
> > >I guess this is the growing pain. It becomes an unbelievable challenge to
> > >maintain over 20 tracks. I do not believe they are all outdated as you
> > >claim; all of the tracks are usually updated a couple of times a year.
> > >
> > > > - Most of their instructors are unqualified to answer any questions
> > > > that are not in their training books.
> > >Most of their classes have outstanding instructors such as Ed Skoudis, Mike
> > >Poor, Eric Cole, Chris Brenton, Jason Fosen, Joshua Wright, Bob Hillery,
> > >Marcus Sach, William Stearns, etc... These instructors will not only
> > >answer questions on security topics but have also written the training
> > >books and have been published in magazines and books as well. They are well
> > >respected in the community and very competent. If you would dare to call
> > >any of these instructors unqualified, you must have a very demanding level
> > >as far as an instructor is concerned.
> > >
> > >I totally disagree with your comment about them being unqualified, they are
> > >the best, and they are the people delivering a lot of the live classes. I
> > >have heard of some negative comments related to their other delivery
> > >mechanisms but their live classes are being done by great instructors.
> > >
> > > > - Most of their instructors will feed you with a marketing pitch for
> > > > their own consulting or product companies.
> > >
> > >Most instructors will introduce themselves within the first few minutes of
> > >the class and this is the extent of it. I think it is only fair to give
> > >your company credit as well as yourself. After all, it is your company
> > >that gives you time to attend and teach in many cases. If any instructor
> > >goes above and beyond this, they are out of line and not following their
> > >own code of ethics.
> > >
> > > > - The so called "SANS What Works" program where they endorse vendors
> > > > who have products that actually work and help with infosec issues is a
> > > > sham. They will list any vendor that pays their 25K "fee" to be
> > > > listed.
> > >
> > >I must agree with you on this one, people think that the products featured
> > >are endorsed and recommended by SANS but this is not the case. SANS is only
> > >showcasing a company and what they have used with success or what has
> > >worked in their very specific case. The company, as you have said, has to
> > >pay a fair amount of money to have their case and product showcased.
> > >
> > >It is people reading about it that take for granted that the product
> > >presented is endorsed by SANS, it is stated clearly on the SANS website
> > >that it is not the case.
> > >
> > >Of course, nobody from SANS has attempted to dispel the myth (to the joy of
> > >the people who have paid to be part of the program). I guess they see no
> > >reason to attempt doing so because it is stated clearly on the web site
> > >what the program is about.
> > >
> > >The name "SANS What Works" is somewhat misleading I must admit. A bit more
> > >information could be provided on what the program really is, what it stands
> > >for, and what is the endorsement being made.
> > >
> > >
> > > > - Here is how the pyramid works. You have Northcutt and Paller on the
> > > > top of things as the creators of this so called non-profit (yet they
> > > > have multi million dollar homes in Hawaii). They *USE* volunteers to
> > > > come up with training material and to run their "mentoring program".
> > > > Then, they take the volunteer work, hand it to their close friends who
> > > > also happen to be their full time instructors let them take credit for
> > > > it and have them deliver the course and of course pay them very well
> > > > for it. Nothing like making money for your 'non profit" on the backs
> > > > of volunteers who you still charge to attend the training BTW.
> > >
> > >Both Stephen Northcutt and Allan Paller have never claimed to be non profit
> > >because they know that they are not. Their web site and documentation do
> > >not pretend to be non profit either. Somehow there is this myth from the
> > >early days that has been going around about SANS and GIAC being non profit.
> > >
> > >
> > >On the training material side:
> > >The training material being developed for the past few years has been done
> > >by people who were compensated for their work and NOT free work as you
> > >claim.
> > >
> > >The local mentors are paid as well, they are not doing volunteer work. I
> > >have heard good comments and very sad comments about the delivery of the
> > >program. I guess your mileage will vary depending on who the mentor is.
> > >
> > >I do not know of any regular instructor who has taken someone else's
> > >material and claimed it was their own. There is no volunteer that I know
> > >of producing training material without getting paid for each slide if it
> > >is being used for training. In fact SANS has one of the most generous
> > >royalty programs out there. None of the large training organizations out
> > >there will pay you royalties the way SANS does and the amount SANS does. I
> > >must give them credit on that side.
> > >
> > >You are right: SANS has the best pay in the industry.
> > >
> > >Do you have a specific example of someone who has developed a course, a
> > >short class, or anything for free and the material got used and abused as
> > >you claim by SANS or an instructor or SANS?
> > >
> > >I know SANS is not perfect, they are not what they used to be as a
> > >community, but they still deliver quality training and credit must be
> > >given to them where it belongs.
> > >
> > >Other training vendors are doing nothing to give back to anyone. At least
> > >SANS are giving back to the community through many projects.
> > >
> > >Take care
> > >
> > >Clement
> > >
> > >_______________________________________________
> > >Full-Disclosure - We believe in it.
> > >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > >Hosted and sponsored by Secunia - http://secunia.com/
> >