Silicon Shecky

Infosec Practitioner


Time for a rant

January 13, 2018 By Michael Kavka

This post is going to piss some people off, if they read it. I love the infosec community as a general statement, but there are things that get under my skin. I understand people have opinions and thoughts, but sometimes the “rockstars” can go too far.

Dan Tentler, @viss on twitter, recently went off on certifications and using the letters after your name. If someone who is respected wants to go ahead and unfollow people and not communicate with them because they put CISSP or GCIH or OSCP after their name, that is his prerogative. Slamming people for wanting to show off their hard work, especially on a more professional social media platform like LinkedIn, is something that bugs the hell out of me. Other professions, say Doctor, Lawyer, Professor, will put those letters that they worked hard for after their name, and rightfully so, without anyone shaming them for it. Why should our profession be any different?

I know that there is a lot of controversy about certifications. I know some, like the CISSP, might not be thought of highly inside our profession. Still, a lot of us have not only gotten these certifications, but actively work to keep them through CPEs. Some certifications are thought of as mills due to them just being about memorization, yet those same things that are supposed to be memorized are, in a lot of cases, the foundations of understanding security. They are not the be-all and end-all, but they are an important building block.

The next thing about using the certification letters after your name is that it allows people to see you accomplished something. Looking at the ISC(2) site as of January 1, 2018, in a world of a few billion people, there are 122,322 CISSPs (based on ISC(2) showing how many members have that certification). Over half of those are in the U.S. (79,617). Now you put it in different spots on LinkedIn and it becomes easier for recruiters to find you. It also shows you had the initiative to get training, and to see it through to completion. That is big in the world of HR, especially considering how many of us do not have college degrees, or have degrees in something other than IT. Even then, we still posh people who have not come up through the ranks at times, but I digress. The point is that a certification can differentiate one from others and give them a leg up on getting a job.

The final point for this rant is personal vindication. The number of times I hear/see people, including myself, talk about imposter syndrome is striking. The amount of low self-esteem in our industry is amazing. Working hard to get a certification, any of them, is something the individual should be proud of. Recently, not only I, but a few others I know of have gotten or are studying for the CISSP exam. Two of us passed and both had the same thing: we were exhausted after the exam. The four of us have been averaging 3-6 months of studying for the exam. That is a lot of work and effort for a “mill” exam. The people I know who have been working on and getting their SANS cert take the class and then take another month or two at least before taking the exam (I have seen 6 months sometimes), and those are open book exams. Why should we be ashamed of showing we worked hard to achieve something? We should be proud of it, and not afraid to show it.

Yes, there are people out there who should not have X certification and have it anyway. There are people who should not be Doctors, Lawyers, Nurses and more who have passed the requirements and are one. You should evaluate each individual on their own merits, not shove them or praise them just because of the letters they have earned that are after their name. We say we need more people in our field, we talk about mentoring, but when we turn around and then decide that we look down on people who have a certification, we defeat our purpose.

Filed Under: Rants, Security, Social Networking Tagged With: Certification, CISSP, InfoSec, Viss

Practice What You Preach

August 4, 2017 By Michael Kavka

Over the last week, the infosec community has had a hard lesson thrown at it. Are we going to actually learn from it though?

We are self-righteous, our community, the world of infosec. We preach, make fun of, pick on, slam, and do just about anything else negative about how things get handled. We forget that we are human also, with the same tendencies. We refuse to see it, we feel we are above it, but we are not. It is a huge security hole in our world, and one that can be exploited. This reared its head in a large way with the whole Marcus Hutchins (aka @MalwareTechBlog) situation.

Think about it: when a new breach is announced and immediately attributed to X group or Y country, what is our reaction? We laugh about it, make fun of it, joke about it. How many times on twitter have we played the Russian/Chinese/North Korean hacker line? How often have we bitched about how fast the government lays blame on a certain group/country for hacking? How often do we say we must wait until we have more information and a better analysis? How well did we do all this with Marcus’s situation? We failed.

We failed, and failed in a big way. I am not saying he is guilty or innocent, that will come out later, but our reaction to events was very telling. First we got wrapped up in not knowing why he was picked up and being held by the FBI. Wanting to know is fine, we wanted the information, but we started (and some continue) on a breach of trust issue with the Feds because of this. We started yelling for his freedom; he did not do anything wrong, we claimed, and he has only helped us with things like the kill switch for WannaCry. Then when the indictment came out we started splintering, some jumping on “he didn’t do this, he could not have done this,” all the way to “how could he have done this.” Still we had those that were just out and out blaming the FBI for bungling it and breaking trust. Yet the FBI did nothing wrong; in fact they even respected the supposed “safe zone” of Defcon 25 (if it actually is treated as such). They waited until he was in the airport, a much easier place to make an arrest with less fuss. They held and arraigned him in the normal legal time frame (24 hours from what I have been told). Yet we went off the rails because he is one of our own. We lost focus, we showed that our paranoia can be used against us.

Think about it. Let us say someone wanted to manipulate us, so we were looking in the wrong direction. The cock-up is not just one thing like an arrest, but an arrest, a fake malware situation, and maybe a couple of other things. Our emotions start running high because of the arrest; we are so caught up in those emotions that we make mistakes on the malware and send out a huge warning because we are not thinking straight. Now, while everyone, media, corps, us, are focused on these things, a slower, stealthier attack happens. One that, say, brings down a power grid, messes up the 911 system, or the like. Something we could have noticed, or better yet that the Feds noticed and tried to get our help about. Where were we, the defenders? Where were we, the experts?

It really comes down to a case of practicing what we preach. It is fine to speculate and question, but to go off half-cocked without all the information, in the first few minutes (à la NotPetya) or hours, is bad form. We are hacker/infosec. We are great at digging into things and understanding/breaking them to make them better. Something like Marcus’s situation needs to be looked at the same way we would approach a breach or worm outbreak. Put the emotions on the shelf, analyze, then reassess as more information comes in. In other words, practice what we preach.

Filed Under: Rants, Security, Social Networking Tagged With: InfoSec, Malwaretechblog, Rant

Google.. what are you doing?

January 24, 2012 By Michael Kavka

Google’s Bradley Horowitz recently announced that Google+ will be accepting Nicknames and Pseudonyms. Considering other changes, is Google+ drowning?

People from day one have been asking for anonymity on Google+, and now Google has a few ways to hide your real name from the world. At least that is how it seems. With the announcement, a couple of friends tried setting up nicknames. And while they could add them into their profile, they couldn’t change the name that people saw. Hopefully that portion just hasn’t rolled out yet.

The Pseudonym Policy, on the other hand, will require some verification. The methods could be rather arbitrary, as they say they will require either real world or online verification of some sort. The arbitrary nature of the verification process is where I see problems coming in. The other question is what should be a nickname and what a pseudonym?

Finally, Google is forcing people to sign up for Google+ when they get any of Google’s services. While we all know that this is a surefire way to artificially increase the numbers for Google+, there is another problem with this. The naming policy, unless you get an approved pseudonym, requires real information such as your full name. This limits the usefulness of Gmail as an anonymous e-mail account. Not only that, but it could drive people to picking up Yahoo or Hotmail accounts again. Forcing people to sign up for a service they don’t want and will not use is a bad business decision on any company’s part. It really makes you wonder if Google+ is drowning in its own hype.

Right now I am taking a wait-and-see approach. I have a Google+ account already, and I do have a Google+ page set up for SiliconShecky; eventually I will find a tool that will post my articles to Google+ automatically, like I do to twitter. Also check out this article from Ars Technica for more information.

Filed Under: Google, Internet/Music, Social Networking Tagged With: Ars Technica, Google, Nicknames, Pseudonyms, Social Media, Social Networking
