Penetration Testing mailing list archives

Re: Certifications: Not worth the paper they are printed on?


From: "Craig Wright" <craig.steven.wright () gmail com>
Date: Thu, 9 Oct 2008 08:48:44 +1100

Thanks for the paper tiger-bit ;)

Although I would state for my part that I also have a couple GSEs (I
sat and passed the GSE-Malware last week), 26+ SANS certs (inc. many
golds). I also start my 12th degree next year and have several books
to my name and over 100 published papers (mostly academic and
generally "too mathy").

I could also have an indication of a striving for knowledge ;P

As a person who has had more certifications expire than many people
ever get, I have to say it comes to what, how and many other factors.
Some certifications - the GSE's, CCIE etc have a multi-day lab. These
are of course worth more than a multi-guess exam. Even there - some
exams and certifications have more value than others.

I admit, there are some REALLY stupid recruiters. For instance, I had
a call earlier in the year asking if I have Checkpoint certifications.
My comment was "I have installed over 1,000 of them and I co-authored
the NGX R65 book". The answer was, "but are you certified to install
firewalls". I hung up on the person.

As far as I know, I am about the only person with over 100
certifications of any real merit, but I can say from experience that it
is not a way to become a "paper tiger". I have an exam
re-certification on average every 19 days. The process does not allow
for sitting on one's ass. I also cannot "brain-dump" for the exams
and there are no brain-dumps for the SANS exams. The initial
investment is also large. If we take the SANS/GIAC courses alone, the
28 SANS exams expire every 4 years. This is 7 GIAC re-certifications a
year average (and though I have a GSE and do NOT need to re-sit, sit I
do :). Even then I have done some really stupid stuff and made dumb
comments when jet-lagged or after too many drinks. Following 20 hours
on a plane, I could not remember what "printf" did one time.

In my case, I do not do these for more money. In fact,
re-certification exams cost me a 5 figure sum each year. I could argue
that the cost will never be repaid as long as I work if I was to stop
now.

In my case, no certification is worth the money. I plan to sit the GSE
exam next year. This will be the third and I will have collected all
of the GIAC GSE's - but this in no way will add a cent to my income,
and nor will there ever be a fiduciary return. The same goes for book
writing. You are lucky to make $20 an hour writing, and in some cases
you end up in the hole.

Like everything, you have to look at the person on a case by case
basis. Would I hire me as a System Admin or helpdesk person - no. I
may be able to do the job, but if I was going for it I would ask why.
The same goes for high level roles. What are you looking for? Much of
this comes to what the individual wants from the certification. In my
case I love study and knowledge.

Regards,
Dr. Craig Wright GSE-Malware, GSE-Compliance, LLM ...
http://gse-compliance.blogspot.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Dragos Ruiu
Sent: Wednesday, 8 October 2008 6:41 PM
To: Jay D. Dyson
Cc: pen-test () securityfocus com
Subject: Re: Certifications: Not worth the paper they are printed on?

On 5-Oct-08, at 4:59 PM, Jay D. Dyson wrote:

> To be perfectly blunt, just because someone *claims* they have "over
> 100 certifications" doesn't mean they actually do.  Based on that
> simple reality, I have to dismiss outright your claim that there's
> anything broken about today's certifications at all.

I wouldn't even worry about verifying a claim of "having over 100
certs."  The claim alone makes the claimer a verified "paper tiger" -
who should probably be exempted from whatever selection process for
just being dumb by making that claim.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan  November 12/13 2008  http://pacsec.jp
Vancouver, Canada  March 16-20 2009  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

----------
From: <MAILER-DAEMON () lists securityfocus com>
Date: Thu, Oct 9, 2008 at 8:53 AM
To: craig.steven.wright () gmail com


Hi. This is the qmail-send program at lists.securityfocus.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<pen-test () lists securityfocus com>:
ezmlm-reject: fatal: Sorry, I don't accept messages of MIME
Content-Type 'multipart/alternative' (#5.2.3)

--- Below this line is a copy of the message.

