From jericho at attrition.org Mon Aug 27 12:24:32 2012
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 27 Aug 2012 12:24:32 -0500 (CDT)
Subject: [attrition] Indian Media: Get Over Your Fascination With 'Whiz Kids'
Message-ID:

http://attrition.org/security/rants/indian_whiz_kids.html

Indian Media: Get Over Your Fascination With 'Whiz Kids'
Sun Aug 19 16:52:13 CDT 2012
jericho

Introduction

India is a proud country, with a wealth of cultural history and tradition that is simply fascinating. Considered by some to be the oldest living civilization, the historical diversity and significance of their culture cannot be measured. Today's India is substantially different however, especially to the rest of the modern world looking in. Americans see it as the land of poorly outsourced tech support, Bollywood, and chicken tikka masala. In the realm of computer security, India is seen as a hot bed of plagiarism and charlatans.

One of the greatest contributing factors to that is how the Indian media focuses on technology. Over the last decade, they seem to have developed a sick obsession with supposed "whiz kids" and alleged geniuses that will save us from the security nightmare that plagues us. Unfortunately, each of these whiz kids is really no more special than the previous, except perhaps a bit younger. Many of the touted experts published a book in their teens, but the same media doesn't write about the plagiarism that is found in most of them.

[..]

From jericho at attrition.org Mon Aug 27 13:49:54 2012
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 27 Aug 2012 13:49:54 -0500 (CDT)
Subject: [attrition] Are you a CISSP?
Message-ID:

If you are, you should be aware that ISC2 board elections are coming up. Last year, Wim Remes decided to run a petition to get his name added to the ballot, and ultimately joined the board.
He did so seeking to help change ISC2 for the better, to begin to tackle the many criticisms leveled against the organization, and their CISSP certification.

This year, four more people are looking to join the board. Each of them is going through the petition process, which requires 500 signatures from current CISSP holders. This will get their name on the ballot, where they hope to get elected to the board to bring more change.

I have been an outspoken critic of ISC2 in the past. This includes one published article on the Code of Ethics [1], countless Tweets, dozens of mails to ISC2's general counsel, and more. Recently, I also did a guest bit for a presentation on "Why You Should Not Get a CISSP" at DEFCON 20 [2]. The presentation was done by Timmay, and the most revealing part was exposing how the CBK had barely been updated the last 15 years.

Personally, I think the current ISC2 board is stale and needs a refresh. I think the same people are frequently re-elected and have little motivation to make real change within the organization. Since it is ridiculously profitable, there may not be much incentive to do so for some of them. On the other hand, look at what ISC2 has done in terms of community outreach and supporting non-ISC2 security projects or initiatives. It was only a few months ago that ISC2 finally made an appearance at BlackHat, after Remes helped push for more public interaction from the organization.

So, if you are an active CISSP holder, consider the value of your certification. Consider what ISC2 does, especially with the money you have given them. Remember that with around 100,000 CISSPs, frequently obtained by non-security people, the value of the certification is slowly dwindling. It is NOT a measure of security knowledge; it is a punch line to many jokes. I believe you should be concerned about this, and look to change it. That starts with having a more active, outspoken, and driven board.

Please read these petitions and consider alternative board members this year:

(1) Boris Sverdlik (@JadedSecurity) [http://jadedsecurity.net/2012/08/22/isc2-bod-vote-2012/]
(2) Dave Lewis (@gattaca) [http://www.liquidmatrix.org/blog/vote-for-dave/]
(3) Chris Nickerson (@indi303) [http://change.isc4thepeople.com/]
(4) Scot Terban (@krypt3ia) [http://krypt3ia.wordpress.com/2012/08/23/isc2-board-candidacy/]

This summary of candidates and more perspective comes from Robert Graham (@ErrataRob) and a blog post he wrote about the subject [3].

Thanks for your consideration,

- jericho

[1] http://attrition.org/security/rants/cissp_convenient_ethics/
[2] http://attrition.org/security/conferences/
[3] http://erratasec.blogspot.com/2012/08/these-guys-want-to-reform-isc2cissp.html