Security Basics mailing list archives

Re: Identifying passion for security?


From: krymson () gmail com
Date: 5 Dec 2006 15:19:01 -0000

First of all, I want to say that I *love* this question! (Partly because I'm in a job I don't like and need something 
new, but also because the question is excellent!) I also think you have some really good ideas already. 

Talking about cons is excellent, and even if they have not been to any, you can tell when someone truly is interested 
(talk to me about Defcon or Shmoocon and I'll get this look in my eye and a smile, even though I've yet to successfully 
attend). 

Also, sites and tools is an excellent means, as any of us who have passion for this field will usually be happy to talk 
about it. Maybe not all our IRC channels and hangouts as we tend to be a group that enjoys our privacy and super-secret 
locations. :)

One of my personal little measures is talking about or finding out how someone spends their free time. If they do 
networking/security/sysadminning only at work and the rest of their evening and weekends are spent on their own life, 
they may have less passion for the work. Someone who "geeks out" at home as well as work has some passion and 
enthusiasm. I call it just plain being a geek. I've known people in this field who barely touch computers at home after 
work and are not geeks, and they typically are not as valuable as geeks. Granted, some people do have lives, families, 
and things that make them not able to fully feed their inner geek, and that is alright. But most passionate people will 
have enthusiasm and passion when discussing their inner geek.

I would say talk about some key ideas floating around right now, things that can spark some thinking and openness in 
discussion (over a beer!):
- full disclosure
- wireless security/future
- certifications (CISSP, SANS, CEH...)
- cons
- describe the security/insecurity of their own network, home or at work (obviously this can be touchy, but give them 
the trust that you won't blab anything they may tell you if you know their employer); insecure habits may not indicate 
lack of passion, but chances are they know the right thing to do and just have not had the means/resources/time/backing 
to do it. "Yeah, I know I should get hooked up with a proxy when I connect to IRC, I just haven't done it yet, too many 
other things excite me..." or "Yeah, we should block IM on the firewall at work, but every time I do, the CFO cries 
bloody murder..."
- their website/blog (or their fav sites/tools)
- what web browser they use
- OS preferences/experience (a touchy subject as you never know violent fanboys until you incite them, but still a very 
revealing subject)


<-snip->
Evening,
Showing my age I'm finding it increasingly difficult to find security geeks who 
are truly passionate about security. There seems to be a recent trend in 
unpassionate people chasing either the money, an easy ride or something that 
isn't as dull as network or system administration. 
So how would you identify passion quickly, personally I like what cons have you 
been to? If they are passionate but poor they would reply none but I'd like 
to .... What books have they bought, what tools do they use what sites 
do they visit email them at night and see how long it takes them to reply

what else?

-- 
Andy Cuff
Computer Network Defence Ltd
www.SecurityWizardry.com
