Penetration Testing mailing list archives
Re: Certifications: Not worth the paper they are printed on?
From: "Craig Wright" <craig.steven.wright () gmail com>
Date: Thu, 9 Oct 2008 08:48:44 +1100
Thanks for the paper tiger-bit ;)

Although I would state for my part that I also have a couple GSEs (I sat and passed the GSE-Malware last week), 26+ SANS certs (inc. many golds). I also start my 12th degree next year and have several books to my name and over 100 published papers (mostly academic and generally "too mathy").

I could also have an indication of a striving for knowledge ;P

As a person who has had more certifications expire than many people ever get, I have to say it comes to what, how and many other factors. Some certifications - the GSEs, CCIE etc. have a multi-day lab. These are of course worth more than a multi-guess exam. Even there - some exams and certifications have more value than others.

I admit, there are some REALLY stupid recruiters. For instance I had a call earlier in the year asking if I have Checkpoint certifications. My comment was "I have installed over 1,000 of them and I co-authored the NGX R65 book". The answer was, "but are you certified to install firewalls". I hung up on the person.

As far as I know, I am about the only person with over 100 certifications of any real merit, but I can say from experience that it is not a way to become a "paper tiger". I have an exam re-certification on average every 19 days. The process does not allow for sitting on one's ass. I also can not "brain-dump" for the exams and there are no brain-dumps for the SANS exams. The initial investment is also large. If we take the SANS/GIAC courses alone, the 28 SANS exams expire every 4 years. This is 7 GIAC re-certifications a year average (and though I have a GSE and do NOT need to re-sit, sit I do :). Even then I have done some really stupid stuff and made dumb comments when jet-lagged or after too many drinks. Following 20 hours on a plane, I could not remember what "printf" did one time.

In my case, I do not do these for more money. In fact, re-certification exams cost me a 5 figure sum each year. I could argue that the cost will never be repaid as long as I work if I was to stop now.

In my case, no certification is worth the money. I plan to sit the GSE exam next year. This will be the third and I will have collected all of the GIAC GSEs - but this in no way will add a cent to my income, and nor will there ever be a fiduciary return. The same goes for book writing. You are lucky to make $20 an hour writing, and in some cases you end up in the hole.

Like everything, you have to look at the person on a case-by-case basis. Would I hire me as a System Admin or helpdesk person - no. I may be able to do the job, but if I was going for it I would ask why. The same goes for high level roles. What are you looking for? Much of this comes to what the individual wants from the certification. In my case I love study and knowledge.

Regards,
Dr. Craig Wright GSE-Malware, GSE-Compliance, LLM ...
http://gse-compliance.blogspot.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Dragos Ruiu
Sent: Wednesday, 8 October 2008 6:41 PM
To: Jay D. Dyson
Cc: pen-test () securityfocus com
Subject: Re: Certifications: Not worth the paper they are printed on?

On 5-Oct-08, at 4:59 PM, Jay D. Dyson wrote:
> To be perfectly blunt, just because someone *claims* they have "over
> 100 certifications" doesn't mean they actually do. Based on that
> simple reality, I have to dismiss outright your claim that there's
> anything broken about today's certifications at all.

I wouldn't even worry about verifying a claim of "having over 100
certs." The claim alone makes the claimer a verified "paper tiger" -
who should probably be exempted from whatever selection process for
just being dumb by making that claim.
cheers,
--dr
--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 12/13 2008 http://pacsec.jp
Vancouver, Canada March 16-20 2009 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp