Dailydave mailing list archives

RE: Career Progression


From: "Clemens, Dan" <Dan.Clemens () healthsouth com>
Date: Fri, 26 Mar 2004 09:31:44 -0600






Training? I've heard of that... (c) The Reg. I even remember working
somewhere that paid for me to go on soul crushing Oracle App training
courses, waaay back in the mid 90s. They seemed to think they were doing me
a favour - which is when I decided I had to get the hell out of Logica :)

Having said that I now work for a security firm and, well, let's just say I
haven't had any training.

I guess I think about training as both a good thing and a bad thing depending on how you view the world (or how you learn).

The positive side of training is to remind yourself that you are teachable and train-able, even if the information is 
something you don't already know.

I think way too many system administrators and/or security "gurus" think they are so above any training course, and even though they might be above a course, I must say it is priceless to learn how to be taught and basically learn how to listen to what people are saying to get the general topic of discussion.

I think the negative side of training is the simple fact that it gives people who generally wouldn't conceptualize things the feeling that they have completely grasped a specific subject matter, in contrast to knowing they are only hitting the tip of the ice cap, which should motivate them to follow the thread at hand.

Both negative downsides of the training battle seem to be rooted in pride and arrogance.

Another thing to think about is how people learn. Commonly in our generation we grew up learning the things that 
interested us and then learning how to learn.

The generations before us don't really seem to grasp this concept, which in my mind is why they tend to push people to have certifications more than encouraging people to take ownership of their workload and to strive for excellence.

More or less, I think the themes in the generational gaps tend to be a very modern approach to learning versus a very agricultural approach to learning.

The older generation wants to think of things in a very modern mindset which would demand that if you put in this value 
into this production line you get this product.

Hence the stress on so many lame training classes (as one would say) or the stress on so many 'certifications'.

The younger generation in contrast is much more agricultural, and much more used to thinking that things will grow over time, things must be experienced, sometimes there are seasons of growth, while sometimes there aren't. Some people grow in programs, while some do not.

Not to err on the side of living in a world where procedures and rules don't apply, but I think these are some of the 
mindsets when thinking about training, or no training, certs or no certs.

Many people want to pose, and say they are something, so they get certs or training. Few people truly try to become something and to simply "be rather than to appear"..

Anyhow, I am probably getting a bit off topic here... sorry.

this IDS crap that I got involved in by accident.  Plus the fact that
we're paying 20G for two guys for 1 week, per application, to do what I
used to do for my crappy annual salary.  I could use 10k a week and work
7 or 8 weeks out of the year.  I'm OK with that.  ;)


hell, me too! But I'd make a lousy sales droid (what with looking like
Shaggy on a bad day & not liking the idea of pretending to be friends with
people for money) and without someone to bring me bits of paper with
networks to attack, I'd be back on the street pretty fast.

Granted I'm at the lower end of the professional pentesting pay scale for
the UK, but I wouldn't see $10K in a month let alone week. Which is not to
say that I don't envy those of you in small boutique setups or who have
profit-sharing or whatnot... but I got into this so I wouldn't feel like
going postal every morning, not for the money.


Oh yeah, back to my question:  Any suggestions, comments quips on what I
should be focusing on now and how to get where I want to be?  I just

Personally I think most of this has to do with discipline and surrounding yourself with people smarter than yourself. (Being on this list would be a good example of this for me.) I am by no means the uber eleet hacker, but I do believe in the process of discipline and recognise that discipline is the foundation of becoming better at <insert infosec profession here>.


Sounds like you're in a similar place to me - I know what I need to know
next - C and systems programming (got Perl, got tons of experience with
OSes, apps, servers, networks, firewalls et al.) The next step I aspire to
is being able to do some original research & publish something useful - ie,
not XSS or '../' in some sourceforge webserver.

I think a CS background is what you and I both miss, and my impression is
that most if not all the well-known exploit developer /researcher types DO
have a formal CS background.

Some good books I have been reading over the past year to get a better understanding of computer science involve the 
following:

C.S.
'Learning Assembler Step-by-Step'
'Exploiting Software'
'Windows 2000 Kernel Debugging'

Protocols
Implementing CIFS
DCE/RPC over SMB -samba and windows nt domain internals


Online methodologies which have been useful.
OSSTM
OWASP
*.anything with sql injection
using netcat for everything.

Future books.
Design patterns

Training
I am planning on attending Halvar's reverse engineering and code auditing course while also checking out the SensePost classes at Black Hat.

I guess I really think it has to do with challenging yourself, and knowing where to grasp the knowledge you need when you need it, while also practically applying this in a real world scenario (e.g. work...).

Anyhow, I hope this wasn't too much of a rant and it helped someone... I am by no means an uber hax0r like Aitel or any of the other exploit researchers. I primarily have been on the defensive side for years and years. This year I am going to move into the offensive realm while trying to be more creative in solving problems that I encounter with creativity and programming.

All of this requires discipline, and a heart that says 'I am teachable' tightly coupled with 'I am going to try this and mess up'.

Ok ok... I'll shutup now.

-Simply,
Daniel Uriah Clemens



_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave

