On Fri, 18 Feb 2000, jeff andrews wrote:

> So if you had three candidates for hire:
> 1) Jack Smith, Security Professional, CISSP certified.
> 2) John Smith, ex-hacker turned security expert
> 3) Dr. Chaos, gray hat hacker in hacker group Anarchy4Life Club
> 
> Which one would you hire as VP of Security or senior security consultant lead of the
> project to manage your security? Would it be in the 1, 2, 3 order?  From a trust
> standpoint, it seems like it would be easier to trust Jack Smith (#1), and then John
> Smith (#2), and how much you trust #2 depends on what kind of hacker was John Smith
> previously.   How much do you trust and want to hire #3?  The above names are
> intended as fictional characters for example only.

(D.) None of the above.

1.- I'm still underwhelmed by the CISSP certification.  I've now met or
dealt with 4 who had a clue regardless of the certification, so it's
much better than before, but they had a clue before the certification,
and I've met a lot more who have had no clue (or possibly "policy clue"
without "practical clue.")  My general rule of thumb is still that CISSP
isn't a metric that has value in this industry.  At the risk of dredging
up that oft-argued thread yet again, certifications aren't that valuable
when there are more competent practitioners without the certification than
with by an amazing magnitude.  Interestingly, 2 of the clued ones I've met
(50%) don't openly advertise their CISSP in peer-group circles.

2.- I'm sure there are lots of people who have turned a new leaf, but I'm
also sure that trying to figure out someone's motivational factors is
difficult enough to not be able to give a high level of assurance when
doing so.

3.- I'm positive that some people can differentiate between "good to my
customer" and "bad to my target."  I'm also sure that there are enough
complex issues to make it near impossible to be able to draw direct lines
between the two.  I'd also worry about them suddenly disappearing because
someone traced something they did back to them and now they have to go
meet Bubba their new cell mate.  Note that belonging to a group isn't the
differentiator here, it's what the group does.  There are also groups with
mixed "actively exploiting things" people and "research but not exploiting
things" people.  They've yet to meet a good legal team or understand
current law IMO.  It'll come as a shock to those folks when they land in
the pokey because of what someone else does when they "haven't done
anything wrong."

I'm admittedly biased though.  I don't have any certifications, I've never
broken into anywhere I didn't have permission, and I've never belonged to
any group.

There are no hard and fast rules though.  I've met sysadmins of the {no 
illegal acts, no cracking, no 31337 group} variety who told me I was
positively moronic for not putting backdoors into systems I administered.

It is important to point out that it's possible to be good at security
without having a questionable background.  IP doesn't change depending on
who's looking at it, and neither do OS'.

There are a large number of very clueful black and gray hats out there
(and not a large number of equally clued INFOSEC people.)  I'd rather they
had fun and got money doing good things than bad.  It probably wouldn't be
my money they'd get though.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
