Re: [fw-wiz] concerning ~el8 / project mayhem

From: Darren Reed (darrenr@reed.wattle.id.au)
Date: 08/18/02


From: Darren Reed <darrenr@reed.wattle.id.au>
To: mjr@ranum.com (Marcus J. Ranum)
Date: Sun Aug 18 03:51:01 2002

In some email I received from Marcus J. Ranum, sie wrote:
> Paul D. Robertson wrote:
> >> in the past. If you're a true white hat, you're not replete with
> >> hacking technique and you're not the kind of guy who can whip out
> >> a tool to crack into any website any time, or whatever. UNfortunately,
> >
> >I'm not sure I totally agree with this premise- I think I couldsit
> >and find and code exploits on my test network if I had the time.
>
> That's not hacking technique, that's commonsense engineering.

I find a lot of IT is just "commonsense engineering", but how things
go so wrong is a mystery. Well, I guess if you're forced to use
broken tools, what can be expected but a misshapen result?

> I should have been more clear in my terminology: I meant that you
> don't need to run around with a big encrypted CDROM full of your
> toolz to be a security guru. You need to understand the forms and
> functions of categories of attacks so you can defend against them
> or design around them as _categories_ - having specific knowledge
> (or toolz) to break specific versions of software on specific architectures -
> that's just lame script-kid stuff. And there are a kit of "security
> analysts" whose level of expertise is more in the script kiddy vein
> than not. Perhaps we should call them "Scanner-kiddies" ? ;)

Careful Marcus, it is starting to sound like you're justifying things
like CISSP that teach you lots about nothing ;-)

Maybe you should start offering courses in security and give out
certificates titled MRCRISP (Marcus Ranum Certified Real Information
Security Professional). :-)

"security analyst" is just a job title, nothing more, nothing less.
To give you some idea of how worthless job titles are in IT, you
have people calling themselves 'scientists' in the IT security
industry when you're lucky if they have a bachelor's degree in anything
and definitely not a Ph.D or anything you'd expect a *real* scientist
in something like biochemistry to have.
:-)

Darren
