RE: death of the security community

[Bob Radvanovsky <rsradvan () unixworks net>]

See comments below.

----- Original Message -----
From: Craig Wright [mailto:cwright () bdosyd com au]
To: John Vill [mailto:kalookalaa () hotmail com], security-basics () securityfocus com
Subject: RE: death of the security community


> Hello,
> I agree with "The fewer people who are learning about computer security
> the bigger the threat becomes". I would have to add that I do not agree
> that there was ever a large or significant proportion of people in the
> field however.

Agreed.  This has been a relatively small field/industry that has exploded within the past 3-5 years.  However, simply 
having a title with the word "security" on it does not constitute (to me) people who are *knowledgeable* IN "computer 
security" (per se).

> I would also disagree with the analogy of the flow of information drying
> up to just a few drops. There are large deposits of information, papers
> educational material etc available. MIT has open learning and offer
> course curricula for free.

'Ya just gotta know where 'ta look for it.  REMEMBER: "Google is *your* friend."  ;)  When in doubt, Google IT!!(tm)

> The difference is that there is a greater requirement for knowledge. One
> who could just get into the industry with no training or experience but
> to whom the "wizardry" or being a home Linux user propelled forward
> would have a hope a decade ago. Now that person is just another
> wantabee. Not that things are perfect yet.

So tell me (either you, or anyone else reading this on the discussion forum)...is there such a thing as a 'script 
kiddie security analyst'?  By this, I am referring to the many (so-called) "security consultants" from the large 
security/auditing consulting companies who simply run a suite of programs that are pre-defined in their requirements 
and puke out a large report that looks intimidating, charging  tens of thousands of dollars to state that they've done 
a "security assessment".  I *challenge* anyone who works in this realm of the industry who feels otherwise -- BUT TO 
TAKE MY CHALLENGE ERQUIRES PROOF.  If you disagree with me, your mission is to provide something that disproves me 
"theory" (the reason that I state "theory" in quotes is that I've been through 5 security [ahem] "assessments" from 
rather large, reputable consulting firms, only to do the EXACT SAME BLOODY THING that I did before they did theirs, and 
more importantly, have them charge between $50,000 and $300,000 for an "assessment" -- I have proof, too) that larger 
security consulting companies merely run the same set of suites of programs that everyone can do (and does) "in-house".

Just because you know know to start the NMAP program does NOT constitute that you know *how* to "run" NMAP and what it 
actually does.  Too many times, people have stated to me that they've run NMAP, but are unable to tell me how they did 
their test, and why it was necessary.

> The issue is the lack of knowledge generally. Finding basic mathematical
> skills is becoming more difficult (Bayesian Networks for Risk - there
> are applications). Grammatical skills (writing a report). The technical
> skills are becoming easier to find. Unfortunately they are of less use
> to an organisation unless they are supported by other skills.

Agreed.  The human (interaction) skills are (by far) THE MOST IMPORTANT skills needed.  

QUOTE OF THE YEAR "Anyone can use a "techno monkey" to run NMAP."

-rad

SIG: "'Ya just gotta love it, baby!  Pucker up and kiss 'da fish!!!"

> Regards,
> Craig
>
> -----Original Message-----
> From: John Vill [mailto:kalookalaa () hotmail com]

> Sent: 21 March 2006 7:56
> To: security-basics () securityfocus com
> Subject: RE: death of the security community
>
> Its like video games... PC games used to rule and it was all good. Now
> people realize how much money can be made in that industry so theres
> just one crappy fps after another because consoles have taken over.
> Hmmm, maybe that was a little bit of a stretch but hopefully you get
> what I mean. I think the community is already dead. Its not the way it
> used to be and it won't be like that again anytime soon. It seems like
> the free flow of knowledge has been reduced to a few drops here and
> there. The fewer people who are learning about computer security the
> bigger the threat becomes.
>
>
>
> > I seem not to understand what is happening to the security

> > community..The profit and earning a living of the expert in the field

> > is going to lead to the death of the security community.Now full

> > disclosure movement is getting to be commercial disclosure, whereby

> > each security community wants to expliot you to pay them to even get

> > the latest vulnerability report and expliot,even when you need it to

> > penetrate your server before the bad guy does.Which doesnt aid the

> > people of the basics but even helps the scriptkiddie community(the

> > greatest fear we face)I hope attention is given to these...and d

> > fathers of d security comm' should have a re think, cos the continuity

> > of the pursue of profit would bring the security of the internet wide
> as an open gate.
> > odabo
>
>
>
> ------------------------------------------------------------------------
> ---
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
> University program offers unparalleled Infosec management education and
> the case study affords you unmatched consulting experience.

> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity
> Planning, Computer Emergency Response Teams, and Digital Investigations.
>
>
> http://www.msia.norwich.edu/secfocus
> ------------------------------------------------------------------------
> ---
>
>
> Liability limited by a scheme approved under Professional Standards
> Legislation in respect of matters arising within those States and
> Territories of Australia where such legislation exists.
>
> DISCLAIMER
> The information contained in this email and any attachments is confidential.
> If you are not the intended recipient, you must not use or disclose the
> information. If you have received this email in error, please inform us
> promptly by reply email or by telephoning +61 2 9286 5555. Please delete the
> email and destroy any printed copy. 

> Any views expressed in this message are those of the individual sender. You
> may not rely on this message as advice unless it has been electronically
> signed by a Partner of BDO or it is subsequently confirmed by letter or fax
> signed by a Partner of BDO.
>
> BDO accepts no liability for any damage caused by this email or its
> attachments due to viruses, interference, interception, corruption or
> unauthorised access.
>
> ---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management 
> education and the case study affords you unmatched consulting experience. 
> Tailor your education to your own professional goals with degree 
> customizations including Emergency Management, Business Continuity Planning,
>
> Computer Emergency Response Teams, and Digital Investigations. 
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------