Full Disclosure mailing list archives

Re: more security people = less security


From: Michael Graham <jmgraham () midsouth rr com>
Date: Wed, 4 Feb 2004 13:08:30 -0600

This is a horrible rant with some fine isolated points within it.
Further comments in-line.

On Feb 3, 2004, at 2:22 PM, Uncle Scrotora Balzac wrote:

> Many hackers (who also view themselves as security experts) are pissed
> off by the landslide of new people, products, and money entering into
> the security space.

Wow. A community that prides itself on being as bleeding edge and "out there" as possible is offended that the mundanes are stepping all over their precious playground. Color me shocked.

> Yes, it's true there are many more people becoming security "experts"
> (using this term as loosely as possible) every day.

Here is where you went from a possibly good argument into just a rant. If they aren't "security experts" then they have no business calling themselves "security experts." End of point; no one would argue. But instead, we have to berate all these dumb noobs for stepping on our elitism. All you really needed to say was: "The world would be a better place if everyone was qualified to do their job."

> And yes, it's also
> true companies are running to the marketplace faster than Whitney Houston
> to a line of coke.

Companies throw money at problems instead of doing the hard work required to solve the core issue? Inconceivable!

> Of course, the obvious benefit: The more people pulled into this space
> from various other backgrounds, the lower the average security administrator's
> level of knowledge becomes.

Again, forgive me, but aren't you just raging against the machine about things we've all observed in every sub-field of IT? Moron DBAs, MCSEs who don't know anything about even Windows, Solaris admins who have never touched an external array, etc.

> This "dumbing down" happens for several reasons,
> but the most significant is the way in which these new generations of
> security administrators are educated.

Here you're just being obnoxious. Yes, all our lives would be much better off if everyone who wore a security hat was qualified to do so. But that does not prove that more people trying to effect good security measures somehow degrades my performance nor the security of the net in general. So what if the guy at company B is doing security because he was a mediocre network "engineer"? Is that as good a thing as if he was really qualified? No, obviously not. But is that a better state of affairs than no one doing that job? Absolutely and obviously so.

> Typically, they are forced into
> these positions by employers that realize they desperately need security
> staff.

Are you out of work or something? Consultancy not going so well? Why the vitriol about lesser beings filling these roles? Again, just because a situation isn't the best possible situation doesn't mean it isn't better than yesterday's status quo.

> Now you've got some guy sitting there trying to figure out which way
> is up, so where do they turn? To vendors. Be it a vendor of hardware/software
> solutions, or a vendor like SANS (selling propaganda, errr, I mean, "education"
> about open source products backed by commercial entities which SANS purportedly
> invests in).

This is a valid point. Vendors should not be who you get your information from. Vendors should not be making strategic decisions about what you need to do to secure your network. But again, it's not as if this doesn't happen in other fields. Cisco is built upon thousands of mid-sized companies who have about $50,000 more switching than they actually need. We come back to "The world would be a better place if everyone was qualified to do their job."

> Although it grates on the nerves of everyone who knows better to see
> all these pen testers running around selling Nessus reports,

Again, the Remaining 4 are selling their boilerplate instead of real services. OK?

> So bring it on! We need *more* new security people and more new products
> to create more confusion, ambiguity, and false senses of superiority.
> Think security consoles only being released for Windows anymore doesn't
> signify anything?! Come on out, the water's fine!


And now we sum up with the real point of this e-mail. Noobs r dumb, let's remind everyone how hardcore we "real" security people are! I don't disagree with any of your actual points, but that was about six more paragraphs than you needed in order to state your (obvious) case. The world would be a better place if everyone was qualified to do their job. Hear, hear! But do we need to abuse them for trying?


Mike Graham
NOT a Security Expert

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
