--- On Wed, 9/23/09, Dan Kaminsky <[email protected]> wrote:

> Be that as it may, the data rather clearly suggests
> certification in the security realm is (very) badly 
> correlated with qualification.

Well, be *that* as it may (and I agree, it certainly may be), we live in a 
world where plumbers and lawyers (I'll leave the correlation to the reader) 
require certifications, so the general concept of certifying is something that 
is well-worn in most of the world.
 
> Bottom line:  What if the only people allowed to do
> security work were CISSPs?

The mistake you may be making is assuming that the only possible future is a 
linear transposition of aspects of the present.  I'm not arguing that there is 
not a real risk of lame certifications being the standard in some future 
regime, but I would suggest that there is no certainty that this has to be the 
case.

> (Yes, this applies to government systems and critical
> infrastructure, for now.  But you know, that latter part isn't well
> defined either. Is Linux critical infrastructure?)

Ah!  It truly *isn't* defined well, which is another pertinent point.  It very 
much should be better defined, and the more you peel that grape the harder it 
is to not include things like critical economic and communication 
infrastructure.  If there is an argument for special treatment of the networks 
that deliver, say, energy across the nation, it is possible that the same 
argument could apply to networks that deliver information and economic 
stability as well.

At the very least, this is a discussion that needs to be had with an eye to the 
needs of the nation (and not just us) and in the context of what is 
pragmatically necessary as opposed to ideally desired.

-chris

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.