Re: How do we do our job?

[Bennett Todd <bet () rahul net>]

1998-04-30-14:23:10 Darren:
> Maybe...but what about those who feel slighted because working
> with computers isn't regarded the same as it is accountancy ?

You know, I believe I have never in my life met or heard of such
a person. Have you? Or is those who feel so slighted actually a
non-existent debating point? I find it hard to imagine such a person....

> For example, it's a lot harder for a person to grab a book on
> accountancy, read a bit and then go around charging people $10,000
> to do XYZ for them and not give them value for money.

Yup. And if the computer industry's rate of advancement and development
should become as stable as that in accountancy, perhaps because it gets
a few thousand years of experience under its belt to figure out how
things should be done, then perhaps we'll be able to erect artificial
barriers to make such fraud harder.

> Whereas in the computer industry, what surety do we have that your
> references are worth anything?

Only common sense and intelligence, the same scarce resources that are
always required to check references.

> Who has ever given bad references on a resume?

Not me. Some people I've caught, though. It's really not all that hard.

> Yet, at the same time we're all saying that taking measures that would
> attempt to deal with these scenarios are worthless.

No, that's not what we're saying. We are instead saying that noble
though such efforts would be if they were workable, as things stand
they're rather worse than worthless, they are fraudulent. When it's
impossible to certify the body of knowlege required to practice your
trade effectively, what's left for certification to do? Be a meaningless
rubber-stamp of interest only to people who can't assemble the
references or pass a good technical interview?

> I can't believe anyone who actually takes pride in their work as a
> computer security professional would want to make it any easier for
> frauds to inhabit the industry but yet here you all are saying that
> taking the time to "certify" those who can at least meet some common
> level is pointless.

I've never met anyone with experience and credentials in the security
field who believed that computer security expertise could be usefully
tested for and certified.

I don't propose making it easier for frauds; I'm all in favour of
effective measures to make their life harder. Sadly, certification in
computer security doesn't seem to profit anyone except those same
frauds.

> Sure, there will always be "good" and "bad" people who manage to pass
> whatever tests there is, but at least if they screw up they can be
> de-bar'd or deregistered or whatever and no longer able to legally
> portray themselves as being certified.

So you're not claiming a benefit to the testing process, as much as a
closed lodge, your friends and your friends only get to wear the special
badge. That sounds useful, sure. How do you propose to define ``screw
up''? What would be grounds for stripping smoeone of their credentials?
Who would decide?

> But if said certificate also helps us keep scum out of the industry,
> then that's an evil I'm prepared to endure.

If on the other hand you believed that scum were the only people who
could actively profit from certification, then how would you feel about
it?

-Bennett