Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Learning vs. Play Time
From: "Clement Dupuis" <cdupuis () cccure org>
Date: Sat, 7 Feb 2004 19:13:12 -0500

Good day Robert,

For me, the value of a class is not in the test or even the
certification at the end. The lasting value is in the knowledge and
skill set that you refine and take with you back to your job.  I also
have made lasting relationships from the classmates, students, and
instructors that I've met over the years.  All of these mean a lot
to me than the "e-i-e-i-o" at the end of my name.

Fully agreed.  As you have notice this is why we are not making use of
the Official CEH curriculum but our own.  The CEH did not address any
business issues, did not address methodology in version 2, and a lot
more foundation skills and knowledge that a tester is required to have
was not in their courseware.  The CEH official courseware Version 3 is
100% better but still has some refinement to make it in line with

felt was missing in the security class space.  Many non-vendor
security classes have a very narrow tools based focus.  While I agree
that knowing how to use your tools in a test is important, I feel
knowing why and when to use them is far more important.  

You sound like me doing my intro on day one.  I totally agree, you are
NOT going to show people how to become an Uber Security Tester in a
week.  If you succeed in showing to them what being a tester is all
about, what steps should be followed, what are the obstacles, and give
them the foundation skill and pointers they need, then you have
succeeded in your mission of putting them on the right track to success.

I had student who are applying their skill out in the real world, many
of them have written back to express their joy that we only covered a
dozen tools and show them what to look for and where to look for and how
to look for it.  One student did 12 tests so far and on all of the tests
he found vulnerabilities whether it was a server, an application,
physical security environment issues, or other issues that might not
even be network related.

The CEH class represents the other kind of class.  One that is
"fun", "exciting", but not overly useful to the serious professional.
While I have a lot of respect for Clément (one of the instructors for
Intense School), I have very little respect for any organization that
markets "hacker" classes.  

No offense taken Robert.  I think that what you realize is the reality
of the market right now.  Marketing as the OSSTMM is seeing right now,
is essential in getting the word out.  Even if you have the best
methodology in the world but nobody knows about it, it does not help the
masses.  I am not one to get all wrap up around semantics.  I have seen
endless thread on what terms it should be called and the use of the word
Hacker in any way, shape, or form.  If you wish to throw Hacker,
Hacking, Cracker or whatever in the name of the course I do not care.
What I do care about is what is behind the offering, who is delivering
it, and the quality of the content.  Based on those three criteria I do
believe that all of the students I have taught to had their money worth.

While choosing where to spend your time and money, consider the
community you are aligning with.  If you look at ISACA, SANS, ISC2,
ISECOM, etc.. they all have a true dedication to security and the
betterment of the global information security community.  Contrast
value of being affiliated (via education/certification) with any of
those organizations over a piece of paper and a cd of toys.

All of the organization that you have mentioned above are this big not
only because of their community involvement but in large portion because
of the quality of their offering and their whole philosophy and approach
to security.  Look at the people at SANS, they are all professionals in
the field that live and breathe by Information Security.  This is what
allowed them to become THE leaders on the market and have the financial
means to make a significant difference in the information security world
by using the money generated through their education wing to generously
contribute back to the community on a scale like nobody else does (I
would probably exclude ISC2 from this statement).  Pete could tell you
this as well: once you become as big as the OSSTMM has become, this is
no longer a project you do at night, it is a full time job if you wish
to take things to the next level.  The only thing that is keeping ISECOM
alive without killing Pete is kind contributors like you and many
others.  However, reality is that the OSSTMM will have to get some
financial means, revenues, or an Angel as a way to support itself if it
wishes to become a player in the same league as the ISACA, SANS, and

I do believe this can be accomplished while being through to the
fundamentals that Pete has set for ISECOM.

Best regards


Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]