Re: Can Dave be cloned?

[Gadi Evron <ge () linuxbox org>]

[snip]

> Interesting!  I know some lisp but haven't used it for years, and I
> don't know any haskell at all (never heard of it, in fact).  I should
> have mentioned that I'm looking for people more technically skilled
> than I am, which is another degree of difficulty.  I'd been thinking
> along the lines of perl and/or python--anyone else think I should
> stress other languages?

[snip]

> Yes, I often think that geezers like me who grew up writing programs
> in hex and entering them using the front panel switches have a more
> useful mental model of a computer.  OTOH I'm pretty sure I wouldn't
> hire myself for the jobs I'm trying to fill ;)


Okay, some thoughts and then a possible solution at the end (skip to it 
if you like).


I believe an high-level knowledge (working and advanced) of assembly is 
indeed a good thing. It doesn't usually show you all the good potential 
employees, and would miss many of them if you aim for *mostly* network 
or linux people - but it definitely should be one of the languages to 
watch for, if not the only one. That and knowing what IDA Pro is.

There are so many high-payed security professionals out there who know 
absolutely nothing. They just one day came out and decided "I am going 
to be a security professional!" and that was that. They usually wouldn't 
know much beyond sales and that they research exploits using "C", and 
when pressured further, "and C++". :)

There is no real "training program" (thank the heavens), and every 
security professional *usually* knows a lot on some issues and close to 
nothing on others.

I believe that the main categories for good security people, are those 
who at one or other time of their life had REAL-:

1. *nix knowledge. Usually but not always cancels out Windows knowledge.
   Preferable to watch for those involved with online open source
   development projects and who know how to hack the kernel.

2. Reverse Engineering knowledge or ASM/HEX (plain RE, old crackers
   (potentially good people, but have a reliability issue), software
   protection, malware analysts, network engineers of the higher level,
   vulnerability researchers?).

3. Methodology planning knowledge . Most of these, although they should
   be as high-up and smart in the snobism scale of the above, are
   lame-O-so-called-consultants who
   don't know ****... which is why I have a hard time trusting them.

Usually I'd say the snobism rating goes by commodity.. there aren't as 
many reversers, so they would be first in the elite and snobism rating. 
Then goes the *nix community, and then comes the consultants community.

Prejudiced opinion about them all:

*nix guys are good people. They have the best ideas about life. :)

Reversers are a very rare commodity, whether network or binary, they are 
extremely good at what they do, and they are indeed very rare.

The consultants (i.e. methodologists or corporate security guys) are 
usually even more snobish (I should know, unfortunately I started going 
down that path lately), but by their own accord. Finding good ones is 
extremely difficult and close to impossible. The market is FULL of 
"fake" ones. I believe that the "real" and rare ones are even more 
important than reversers, as they are the most rare.

As to why I chose to rate the kind of people we are by snobism is not 
because we are all snobs or because.. okay, we are all stuck-up snobs.

:o)

Another thing is again, reliability. 80% (made up number, not including 
the *nix people) of the above combined categories went down the "dark" 
path of our force at one time or other, so it should not dis-qualify them.
Actually, I'm the only guys I know who hasn't. And that bites back at 
you in the community. That said, reliability in a person is still 
important as once they are your employees, you need to trust them and 
they are not so easy to trust.

----

As to finding people.. in TH-research I started something that helps 
bring the 200 or so members together.
They send me their resume's or what they are looking for in candidates 
and I connect them together. I have been considering to start a private 
mailing list for that purpose where proven security professionals of all 
ages and levels could share job-related issues (resume's and ads).

Emphasis on the private. I would hate for it to become an MCSE ruled 
list. It would kill the idea of finding the right people for these kind 
of jobs, and besides.. we are a pretty tight community. We know 
everybody directly or through a friend.

Why not take it to the next level? If I hear back with support I'll 
start something using Mailman.

        Gadi.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave