Penetration Testing mailing list archives
RE: Learning vs. Play Time
From: "Les Bell" <lesbell () lesbell com au>
Date: Sun, 8 Feb 2004 08:52:01 +1100
"Robert E. Lee" <robert () dyadsecurity com> wrote
> For me, the value of a class is not in the test or even the certification at the end. The lasting value is in the knowledge and skill set that you refine and take with you back to your job.

Couldn't agree more, Robert. I agree with everything you say in your email, with one proviso. I'm the author of a Linux security class; however, the company that markets the class was insistent on renaming it "Hacking and Securing Linux", even though there's very little "hacking" in it and it's almost entirely "securing". Fact is, course titles that mention hacking sell much better than ones that don't, and that can make the difference between a profitable course that will continue to run, and an excellent course that dies due to lack of attendance.

One other point, while I'm here - doesn't anyone's bullshit meter move across to the yellow when they realise that just about the only training available for a certification is from the same organisation that promotes the certification itself? In these cases, don't people realise that the certification is a marketing tool to sell the course, and that there are no external guarantees about the quality of either?

As a contract instructor, I've had the experience of teaching vendor-developed courses that contained incorrect material - downright factually incorrect information. However, the certification exam is *directly based on the course*, so that the exam *also* expects the candidate to provide the incorrect answer in order to be marked correct! I've had to teach people "This is wrong - in the real world, do it *this* way - however, if you're doing the exam, make sure you answer *that* way!". Knowledgeable people who attempt the test without attending the course are disadvantaged, of course, as they will give the factually correct answer, but be marked wrong. The close relationship between the course developer and test developer (the same person?) allows poor quality material to slip through, to the detriment of all parties.
To me, the ideal is to have an independent body that develops and maintains a respected certification. Third parties then develop courses, books and other training material to prepare candidates for the exam. This way, the examining body assures not only the quality of the candidates, but also of the training they've undergone, and it avoids the incestuous situation of poorly-educated candidates scoring well on a poorly-designed exam.

I would only countenance a single body doing both training and certification if it was accredited, i.e. its systems and procedures had been thoroughly audited (a process I'm looking into for my own courses, so people won't have to take just my word for how good they are!).

Best,

--- Les Bell, RHCE, CISSP
[http://www.lesbell.com.au]