Dailydave mailing list archives
RE: Career Progression
From: "Clemens, Dan" <Dan.Clemens () healthsouth com>
Date: Fri, 26 Mar 2004 09:31:44 -0600
Training? I've heard of that... (c) The Reg. I even remember working somewhere that paid for me to go on soul crushing Oracle App training courses, waaay back in the mid 90s. They seemed to think they were doing me a favour - which is when I decided I had to get the hell out of Logica :)
Having said that I now work for a security firm and, well, let's just say I haven't had any training.
I guess I think about training as both a good thing and a bad thing depending on how you view the world (or how you learn...).

The positive side of training is to remind yourself that you are teachable and train-able, even if the information is something you don't already know. I think way too many system administrators and/or security "gurus" think they are so above any training course, and even though they might be above a course, I must say it is priceless to learn how to be taught and basically learn how to listen to what people are saying to get the general topic of discussion.

I think the negative side of training is the simple fact that it gives people who generally wouldn't conceptualize things the feeling like they have completely grasped a specific subject matter, in contrast to knowing they are only hitting the tip of the ice cap, which should motivate them to follow the thread at hand. Both negative downsides of the training battle seem to be rooted in pride and arrogance.

Another thing to think about is how people learn. Commonly in our generation we grew up learning the things that interested us and then learning how to learn. The generations before us don't really seem to grasp this concept, which in my mind is why they tend to push people to have certifications more than encouraging people to take ownership of their workload and to strive for excellence. More or less, I think the themes in the generational gaps tend to be a very modern approach to learning versus a very agricultural approach to learning. The older generation wants to think of things in a very modern mindset, which would demand that if you put this value into this production line you get this product. Hence the stress on so many lame training classes (as one would say) or the stress on so many 'certifications'.
The younger generation in contrast is much more agricultural, and much more used to thinking that things will grow over time, things must be experienced, sometimes there are seasons of growth, while sometimes there aren't. Some people grow in programs, while some do not. Not to err on the side of living in a world where procedures and rules don't apply, but I think these are some of the mindsets when thinking about training, or no training, certs or no certs. Many people want to pose, and say they are something, so they get certs or training. Few people truly try to become something and to simply "be rather than to appear". Anyhow, I am probably getting a bit off topic here... sorry.
this IDS crap that I got involved in by accident. Plus the fact that we're paying 20G for two guys for 1 week, per application, to do what I used to do for my crappy annual salary. I could use 10k a week and work 7 or 8 weeks out of the year. I'm OK with that. ;)
hell, me too! But I'd make a lousy sales droid (what with looking like Shaggy on a bad day & not liking the idea of pretending to be friends with people for money) and without someone to bring me bits of paper with networks to attack, I'd be back on the street pretty fast.
Granted I'm at the lower end of the professional pentesting pay scale for the UK, but I wouldn't see $10K in a month let alone week. Which is not to say that I don't envy those of you in small boutique setups or who have profit-sharing or whatnot... but I got into this so I wouldn't feel like going postal every morning, not for the money.
Oh yeah, back to my question: Any suggestions, comments quips on what I should be focusing on now and how to get where I want to be? I just
Personally I think most of this has to do with discipline and surrounding yourself with people smarter than yourself. (Being on this list would be a good example of this for me.) I am by no means the uber eleet hacker, but I do believe in the process of discipline and recognise that discipline is the foundation of becoming better at <insert infosec profession here>.
Sounds like you're in a similar place to me - I know what I need to know next - C and systems programming (got Perl, got tons of experience with OSes, apps, servers, networks, firewalls et al.) The next step I aspire to is being able to do some original research & publish something useful - ie, not XSS or '../' in some sourceforge webserver.
I think a CS background is what you and I both miss, and my impression is that most if not all the well-known exploit developer/researcher types DO have a formal CS background.
Some good books I have been reading over the past year to get a better understanding of computer science involve the following:

C.S.
- 'Learning Assembler Step-by-Step'
- 'Exploiting Software'
- 'Windows 2000 Kernel Debugging'

Protocols
- Implementing CIFS
- DCE/RPC over SMB - Samba and Windows NT Domain Internals

Online methodologies which have been useful.
- OSSTMM
- OWASP
- *.anything with SQL injection using netcat for everything.

Future books.
- Design patterns

Training
I am planning on attending Halvar's reverse engineering and code auditing course while also checking out the SensePost classes at Black Hat.

I guess I really think it has to do with challenging yourself, and knowing where to grasp the knowledge you need when you need it, while also practically applying this in a real world scenario. (eg work...)

Anyhow, I hope this wasn't too much of a rant and it helped someone... I am by no means an uber hax0r like Aitel or any of the other exploit researchers. I primarily have been on the defensive side for years and years. This year I am going to move into the offensive realm while trying to be more creative in solving problems that I encounter with creativity and programming. All of this requires discipline, and a heart that says 'I am teachable' tightly coupled with 'I am going to try this and mess up'.

Ok ok... I'll shut up now.

-Simply,
Daniel Uriah Clemens