Re: [Full-disclosure] Hacking Boot camps!: certifications
- To: "senator.crabgrass@xxxxxxxxxxx" <senator.crabgrass@xxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Hacking Boot camps!: certifications
- From: InfoSecBOFH <infosecbofh@xxxxxxxxx>
- Date: Thu, 24 Nov 2005 01:38:48 -0800
But my dear friends... one can lie and still get his CISSP. I know of
at least 3 different people who are NEW to infosec but faked some
experience for their CISSP. Hell, I lied on my application and got my
CISSP yet I still ./ my way around the interweb.
On 11/23/05, senator.crabgrass@xxxxxxxxxxx
<senator.crabgrass@xxxxxxxxxxx> wrote:
>
> jeff_wilder wrote:
>
> >snip
> Want to know where the best bang for the buck is.... goto... www.dice.com...
> search for GIAC = 116 open positions
> search for CISSP = 677 open positions
> >end snip
>
> You, my friend, have hit the proverbial nail on the head, the key difference
> being, I believe, that the CISSP requires a pre-vetting, where the GIAC
> does not. The knowledge/maturity needed to attain a CISSP credential infers
> responsibility by addressing a level of downstream liability mitigation,
> providing an employer a certain level of assurance, say an EAL of (x), with
> the (x) being the unknown left to the CISSP to convey, they are what they
> say. (Insert Domain Expertise Here) Basically you get what you give.
> Memorizing to vomit the information for any cert is as useful as a Microsoft
> patch to plug a vulnerability.
>
>
> --
> vote for me
>
>
> > I wanted to chime in on all this SANS VS. any other certification VS.
> > training...
> >
> > The only thing a certification does for anyone is validate to a prospective
> > employer that you, at the time you took the test, knew enough to pass it.
> > Depending on how high that bar is set will determine if you receive it or
> > not. So I go take a test so my employer knows that I am smart and I can do
> > the things I claim.. things I already knew.
> >
> > So, how you gain the information, through a crash course in buffer overflows
> > or seed information that gives you a topic of study... or a life's worth of
> > study on the topic means very little to an employer. It's only the alphabet
> > soup that they care about.
> >
> > Want to know where the best bang for the buck is.... goto... www.dice.com...
> >
> > search for GIAC = 116 open positions
> > search for CISSP = 677 open positions
> >
> > So am I any smarter for having my CISSP over a GIAC?... I don't think so..
> > but the employers seem to think so =)
> >
> > So back to the hacking boot camps issue... I had my ethical hacking cert
> > before I went to class, was I any smarter after I had the cert?.. No... well
> > actually it was one of the hardest tests I've taken and still passed it
> > without a book to study or the weeks class.
> >
> > I have been to great classes, and some that were really a waste of time and
> > a lot of money to boot. But I ALWAYS found some value because I went for me..
> > and not another cert at the end of my name. Not everyone is going to have
> > the answer for every question, I know I don't, I can't hold that against an
> > instructor.
> > If you get owned for 3500 bucks because you didn't investigate what it was
> > that you were going to be learning... the courseware... or whatever it was
> > that you bought... it's because you allowed yourself to get owned.
> > If the class you took did not offer the information that you desired..
> > perhaps you should look into different material more SR. level.. or create
> > your own certification, maintain 20 tracks.. sell it.. promote it... =) so,
> > I respect what they have done for the industry, it's not an easy task.
> >
> > I coauthored some courseware for a forensics management class... I've spent
> > 100's of hours in prep to create it and deliver it.
> >
> > My hats off to anyone who wants to share information at any level.. because
> > you will always find someone at every level.
> >
> > that's my $.02 worth
> >
> > -Jeff Wilder
> > CISSP,CCE,C/EH,security+,ISSAP,ISSMP,MCP,INet+... yadda yadda yadda..
> >
> > -----BEGIN GEEK CODE BLOCK-----
> > Version: 3.1
> > GIT/CM/CS/O d- s:+ a C+++ UH++ P L++ E- w-- N+++ o-- K- w O- M--
> > V-- PS+ PE- Y++ PGP++ t+ 5- X-- R* tv b++ DI++ D++
> > G e* h--- r- y+++*
> > ------END GEEK CODE BLOCK------
> >
> > >From: "Clement Dupuis" <cdupuis@xxxxxxxxxx>
> > >To: "'Koen Van Impe'" <koen.vanimpe@xxxxxxxxx>
> > >CC: full-disclosure@xxxxxxxxxxxxxxxxx
> > >Subject: RE: [Full-disclosure] Hacking Boot camps!
> > >Date: Wed, 23 Nov 2005 18:06:48 -0500
> > >
> > >Good day InfoSecBOFH,
> > >
> > >Hum... It seems like you have something to settle with SANS. I really do
> > >not know what they did to get you this mad or what negative experience you
> > >had to go through, but they definitively are not on your white list.
> > >
> > > > - Their training is out of date
> > >I guess this is the growing pain. It becomes an unbelievable challenge to
> > >maintain over 20 tracks. I do not believe they are all outdated as you
> > >claim; all of the tracks are usually updated a couple of times a year.
> > >
> > > > - Most of their instructors are unqualified to answer any questions
> > > > that are not in their training books.
> > >Most of their classes have outstanding instructors such as Ed Skoudis, Mike
> > >Poor, Eric Cole, Chris Brenton, Jason Fossen, Joshua Wright, Bob Hillery,
> > >Marcus Sachs, William Stearns, etc... These instructors will not only
> > >answer questions on security topics but have also written the training
> > >books and have been published in magazines and books as well. They are well
> > >respected in the community and very competent. If you would dare to call
> > >any of these instructors unqualified, you must have a very demanding level
> > >as far as an instructor is concerned.
> > >
> > >I totally disagree with your comment about them being unqualified; they are
> > >the best, and they are the people delivering a lot of the live classes. I
> > >have heard some negative comments related to their other delivery
> > >mechanisms, but their live classes are being done by great instructors.
> > >
> > > > - Most of their instructors will feed you with a marketing pitch for
> > > > their own consulting or product companies.
> > >
> > >Most instructors will introduce themselves within the first few minutes of
> > >the class and this is the extent of it. I think it is only fair to give
> > >your company credit as well as yourself. After all, it is your company
> > >that gives you time to attend and teach in many cases. If any instructor
> > >goes above and beyond this, they are out of line and not following their
> > >own code of ethics.
> > >
> > > > - The so called "SANS What Works" program where they endorse vendors
> > > > who have products that actually work and help with infosec issues is a
> > > > sham. They will list any vendor that pays their 25K "fee" to be
> > > > listed.
> > >
> > >I must agree with you on this one. People think that the products featured
> > >are endorsed and recommended by SANS, but this is not the case. SANS is only
> > >showcasing a company and what they have used with success or what has
> > >worked in their very specific case. The company, as you have said, has to
> > >pay a fair amount of money to have their case and product showcased.
> > >
> > >It is the people reading about it that take for granted that the product
> > >presented is endorsed by SANS; it is stated clearly on the SANS website
> > >that it is not the case.
> > >
> > >Of course, nobody from SANS has attempted to dispel the myth (to the joy of
> > >the people who have paid to be part of the program). I guess they see no
> > >reason to attempt doing so because it is stated clearly on the web site
> > >what the program is about.
> > >
> > >The name "SANS What Works" is somewhat misleading I must admit. A bit more
> > >information could be provided on what the program really is, what it stands
> > >for, and what is the endorsement being made.
> > >
> > >
> > > > - Here is how the pyramid works. You have Northcutt and Paller on the
> > > > top of things as the creators of this so called non-profit (yet they
> > > > have multi million dollar homes in Hawaii). They *USE* volunteers to
> > > > come up with training material and to run their "mentoring program".
> > > > Then, they take the volunteer work, hand it to their close friends who
> > > > also happen to be their full time instructors let them take credit for
> > > > it and have them deliver the course and of course pay them very well
> > > > for it. Nothing like making money for your 'non profit" on the backs
> > > > of volunteers who you still charge to attend the training BTW.
> > >
> > >Both Stephen Northcutt and Alan Paller have never claimed to be non-profit
> > >because they know that they are not. Their web site and documentation do
> > >not pretend to be non-profit either. Somehow there is this myth from the
> > >early days that has been going around about SANS and GIAC being non-profit.
> > >
> > >
> > >On the training material side:
> > >The training material being developed for the past few years has been done
> > >by people who were compensated for their work and NOT free work as you
> > >claim.
> > >
> > >The local mentors are paid as well; they are not doing volunteer work. I
> > >have heard good comments and very sad comments about the delivery of the
> > >program. I guess your mileage will vary depending on who the mentors are.
> > >
> > >I do not know of any regular instructor who has taken someone else's
> > >material and claimed it was their own. There is no volunteer that I know
> > >of producing training material without getting paid for each slide if it
> > >is being used for training. In fact SANS has one of the most generous
> > >royalty programs out there. None of the large training organizations out
> > >there will pay you royalties the way SANS does and the amount SANS does. I
> > >must give them credit on that side.
> > >
> > >You are right: SANS has the best pay in the industry.
> > >
> > >Do you have a specific example of someone who has developed a course, a
> > >short class, or anything for free and the material got used and abused as
> > >you claim by SANS or an instructor or SANS?
> > >
> > >I know SANS is not perfect; they are not what they used to be as a
> > >community, but they still deliver quality training and credit must be
> > >given to them where it belongs.
> > >
> > >Other training vendors are doing nothing to give back to anyone. At least
> > >SANS are giving back to the community through many projects.
> > >
> > >Take care
> > >
> > >Clement
> > >
> > >_______________________________________________
> > >Full-Disclosure - We believe in it.
> > >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > >Hosted and sponsored by Secunia - http://secunia.com/
> >
> >