RE: Stephen Northcutt is sadly mistaken

["Christopher Lee" <clee () myhome homeip net>]

Interesting comments from hellNbak () nmrc org...  Just one response to his
comment about SANS training should be free to all...   

Apart from nothing is free in this world, it does cost money to provide SANS
training to a large number of audience.   It costs money to rent the venue
(and all the equipments to go with it), to print the materials, and to pay
the speaker and the proctors for those conferences.  Yes, the volunteers
plays a large role in SANS successes, but there are also some full time
staff dedicated to run the organization and plan the events. Just look
around the people wearing SANS staff badges in those conference, and you
will see only some of them are "volunteers".

Granted, some of the folks on this list self-taught everything they knew
about this craft, but many still relies on top-notch trainings to know how
to identify and to defend their corporate/personal information assets.  If
one is to measure the value of any commercially available trainings, SANS
Institute, in my opinion, provides the best bang for the buck by far.  

Oh, perhaps everyone on this list will also be interested to know other
options of receiving authentic SANS trainings: online self-study, online
instructor-led, and locally mentored study sessions.  All details are
available at www.sans.org.

P/S, I am not, in any way, defending Mr. Northcutt's statement, but simply
want to clear up any misconception about SANS riding their success on the
shoulders of an army of volunteers "suckered" into it.

Cheers,

Chris


-----Original Message-----
From: isn-bounces () attrition org [mailto:isn-bounces () attrition org] On Behalf
Of InfoSec News
Sent: June 28, 2004 5:45 AM
To: isn () attrition org
Subject: [ISN] Stephen Northcutt is sadly mistaken 

Forwarded from: hellNbak <hellnbak () nmrc org>
Cc: stephen () sans org

I am not a US citizen but seeing how this got spammed across multiple
mailing lists and seeing how the Internet is in deed a global thing I
thought I would respond.

> This note is intended for U.S. citizens and is a personal note from
> Stephen Northcutt.  For the past few weeks CERT and SEI, DoD
> government funded organizations, have been purchasing google adwords
> so that when people search for "SANS Training" they see an
> advertisement for CERT/SEI's network manager course.

So the purchase of Google ads by DoD funded organization is cause for
a personal note from the great Stephen Northcutt?  They have a service
to sell so why is this an issue?  Welcome to a capatilist society.  
You have to spend money to make money.  Either that or you need to
sucker a bunch of volunteers to work for free....


> I have a couple of concerns about this.  The first is trademark or
> brand related, when you search for SANS training, you should get
> SANS training.  Other competing commercial training companies have
> also engaged in this behavior and when I have written them and asked
> if this how they want to be remembered by the security community,
> they have discontinued this practice.  I wrote cert () cert org a
> couple weeks ago and they continue this practice.

So take the millions you have made on the backs of SANS volunteers and
purchase your own Google adds or hell, purchase Google and fix search
engines for all.  Imagine the nerve of a search engine to give other
results when someone searches for SANS traning.  Why doesn't SANS
purchase their own ads?  I mean isn't this how Internet marketing /
Search engine placement is *supposed* to work?


> My second concern is that the government offering the course
> violates the spirit and letter of OMB A 76. "Two of the key
> principles of Circular A-76 has always been that "in the process of
> governing, the Government should not compete with its citizens" and
> that "a commercial activity is not a governmental function."

Commercial activity?  Correct me if I am wrong but isn't SANS a
non-profit?  Has SANS not enjoyed years of government support via
attendance and government targetted events?  Did SANS not once receive
government funding or support?  I read the PDFs you linked to and no
where in those documents does it say that SANS should be the be all
and end all of Security Training.

> My third concern is the amount of tax we pay as citizens. The
> government is in the process of authorizing about 481 billion
> dollars for DoD spending.  The Department of Defense clearly has too
> much money if they can afford to create training that mirrors
> material widely available from SANS, MISTI, CSI, Intense School and
> other training organizations. I believe the money spent on CERT, SEI
> and the Office of the Under Secretary of Defense for Acquisition,
> Technology, and Logistics should each be reduced by at least 10%
> immediately.

Or perhaps SANS can help solve this problem by reducing the cost of
their traning courses.  I mean being a non-profit and all and with all
the volunteer work -- courses should be free.

> I would be honored if you would copy me, Stephen () sans org.

Consider yourself honored.

> how you would feel if the government decided to compete in a
> disreputable manner with a course that took you months to write,
> SANS Security Leadership. After that, if you disagree with me, I
> would love to hear what you have to say.  So please help me and
> write your congressman and tell them your home address, make sure
> they know you vote and you agree that the government has no business
> wasting taxpayer money competing with a course Stephen Northcutt
> does a better job of anyway.

Unless things have changed in the SANS world over the last year or so,
many of the courses are the work of volunteers -- volunteers for a not
for profit organization.  So competition should not be an issue.  In
fact, eventhough I am not a US citizen, I support the government
spending a little advertising money, perhaps they have noticed your
paystubs and seen the potential of such courses as a very profitable
business model.

The government is doing nothing disreputable at all.  If something as
simple as purchasing search engine ads is disreputable perhaps you
should look at the history of SANS.  Hmmm, Hi pot, this is kettle...
ummmm black!

If SANS cared one bit more about security than their business model
this would be a non-issue.  The more training courses, and the more
knowledge that people can obtain on this subject benifets the
community in general. So there is one more competitor to SANS, that is
how business works.

I leave you with this definition of the word Sans from The American
Heritage Dictionary of the English Language, Fourth Edition

\Sans\ (s[aum]n; E. s[a^]nz), prep. [F., from L. sine without.]
Without; deprived or destitute of.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

hellNbak at NMRC.org

http://www.nmrc.org/~hellnbak
http://www.vulnwatch.org

"There are voices in my head and they don't like you"

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


The standard this is my opinion and no one else's stuff applies to this
and any email I send from this address.



_________________________________________
ISN mailing list
Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec
junkie!
(Broke? Spend 15 minutes a day on the project!)

_________________________________________
ISN mailing list
Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
(Broke? Spend 15 minutes a day on the project!)