Penetration Testing mailing list archives

Re: RE: Requesting Informational Interview


From: Justin Ferguson <jnferguson () gmail com>
Date: Tue, 23 Jun 2009 07:23:49 +0700

On Fri, Jun 19, 2009 at 4:56 AM, <rracic () gmail com> wrote:
> I tend to agree with your statement as well, Erin. It has been my experience that many of my colleagues with no formal
> education lack the expert understanding of how things work behind the scenes.

Not to disagree with the points that a person should really understand
what they're doing; I'm disagreeing that you find that in academia.
What I've seen from academia in general is a whole lot of theory and
very little application. The one exception I would truly make here,
and this is off of limited first-hand experience would be
Ruhr-Universität Bochum. I would've said the exact opposite, people
with formal educations tend to lack basic comprehension of matters
because by and large they did their course work and that was it;
whereas self-taught people found their own motivation and thoroughly
explored and *applied* the knowledge.

Truthfully, after working at some of the top rated jobs in this
industry, I'd have to say that probably somewhere around 30% of my
competent colleagues had a formal education, or even one that's
related (i.e. Neel Mehta & biology). When I do hire for security and
looking at someone's CV, I pretty much disregard most all security
related training, and throw out CS degree'd applicants, I tend to look
for electrical engineers as they've worked closer to what the subject
matter is than any other subject.

With a few rare exceptions (i.e. Immunity's offerings), most of the
trainings you find out there related to security are rubbish and put
on by people who've never written an exploit or broken into a box.
Those who can't, teach.


> Furthermore, understanding how to run tools is great for the
> pen-tester but of no value to the community.

I hate 'for the community' type arguments as they're often made by
people who have contributed next to nothing and filled with feel-good
but ultimately empty meaning.  Pressing enter doesn't make you
competent, you're right, neither does your degree. A person will learn
more in the time it takes them to find their own bug, write their own
exploit and pop a box than anything they will learn in (most)
universities (imho).
