
Computer Security

langfor6 Registered User regular
edited December 2007 in Debate and/or Discourse
Why doesn't computer security have more of an academic presence? It's very easy to find wild conjecture discussing computer security and its importance to the corporate world. If it's so damn important why aren't there more legitimate courses of study centered around it?

Perhaps it is more of a trade skill? Or an esoteric realm of knowledge only meant for the chosen few (they still call me Bruce Schneier?)

Please. Discuss.

Posts

  • BomanTheBear Registered User regular
    edited December 2007
    It's like the technological version of the NBA. If you're good, the right people hear about you, find you, and employ you for retarded amounts of money. One of my 20 year old friends just got hired by Viacom for $550,000 starting pay. Naturally, he dropped out of college.

  • The Cat Registered User, ClubPA regular
    edited December 2007
    I thought it was mostly rolled into CompSci programs. I know I've seen professors from here and there bloviating on the topic before.

    but yeah, it's a murky world, and people who show aptitude for it tend to get headhunted and given in-house training wherever they end up.

  • ege02 __BANNED USERS regular
    edited December 2007
    Because information security (I'm not using the term computer security because computer security is a very small part of information security) is still wrongly viewed as product-based, rather than process-based. People, especially those at the top of organizations and corporations, think they'll just buy the latest off-the-shelf program and install it on their systems and voila! their systems are secure.

    Yeah, it doesn't exactly work that way.

    The good news is that corporations are starting to realize this, and they are starting to pay more attention and budget to information security (mostly thanks to Sarbanes-Oxley and similar corporate executive liability laws). Every day they spend more and more money on developing and implementing policies, procedures and guidelines to protect their information assets. As a result, the need for people who understand that kind of stuff is increasing.

    Within the next 5 years you'll be seeing a lot more education programs that focus solely on information security. The Information School at my university is developing a Master's program on it, for example. I'm sure many other higher education institutions are as well.

    P.S. Your friend is either a genius or the company that hired him is run by idiots and will soon go bankrupt. $550,000 is an insane amount, and I cannot think of many cases where it can be justified for a 20 year old.

  • Snarfmaster Registered User regular
    edited December 2007
    ege02 wrote: »
    P.S. Your friend is either a genius or the company that hired him is run by idiots and will soon go bankrupt. $550,000 is an insane amount, and I cannot think of many cases where it can be justified for a 20 year old.

    Perhaps he can use his superpowers to keep out hackers using only his mind... or that guy is totally full of bullshit.

  • BomanTheBear Registered User regular
    edited December 2007
    He's pretty brilliant. I neglected to mention that he cracked Viacom's servers "because he could," and if you have a torrent of anything that's ever leaked from the company, it's probably because of him. Last semester, he got caught, and they said instead of prosecuting, he could work for them. For 550k. So now his job is closing the holes he himself opened. Perhaps all of that is extenuating circumstances and most programmers aren't that lucky.

    On the downside, he's a bit of a pompous cock who sucks at conversation and is pretty much worse at everything else. But that's not what companies hire programmers for, right?

  • Tofystedeth Registered User regular
    edited December 2007

    On the downside, he's a bit of a pompous cock who sucks at conversation and is pretty much worse at everything else. But that's not what companies hire programmers for, right?

    He could hire me to be his conversation tank. I'd only take a modest percentage...

  • redx I(x)=2(x)+1 whole numbers Registered User regular
    edited December 2007
    Friend of mine got his master's in security, from a university down here. Another, which I attended, seemed to offer a similar degree, IIRC. Both are accredited and everything.

    here is a link to MIT's Online Courseware for their undergraduate security class.

    organized stuff is out there, but probably more in the form of certificates (Sun, Cisco, Microsoft certified whatever).

    It's kinda a moving target and changes a fair bit so it kinda makes formal education a bit weak. My impression from reading a few white hat blogs is that most folks who purport to be hired into the field have a general CS degree and focused on security 'cause it is what they were interested in and managed to convince someone to hire them for.

    I'd have a fairly hard time believing someone who told me they made $550k a year from a company they ripped off. If it was someone I only knew online, I'd pretty much just consider them full of shit. If it was someone I knew IRL, I'd expect evidence in the form of sports cars, mind blowing computer hardware and pimp living arrangements. A college student? Unless there was visible evidence otherwise, I'd pretty much assume he had a breakdown and was actually living out of a box somewhere, and wasn't willing to tell me the truth. Meh, I know folks who are in computers and make in the range of $100k without degrees, so I guess it's not impossible.

    They moistly come out at night, moistly.
  • Satan. __BANNED USERS regular
    edited December 2007
    It's like the technological version of the NBA. If you're good, the right people hear about you, find you, and employ you for retarded amounts of money. One of my 20 year old friends just got hired by Viacom for $550,000 starting pay. Naturally, he dropped out of college.

    Yep. With the right knowledge, certifications and networking you can basically demand your own pay and people will pay it. Especially in corporate environments where trade secrets are so important.

  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited December 2007
    I've heard so many of the "I knew a guy who hacked into some company's servers and instead of suing the shit out of them, they hired him" stories over the years and every single one of them has turned out to be bullshit.

    Now it's entirely possible that Boman's story is the one example of the archetype that isn't complete BS, but he might as well be telling us "dude, I know this guy who can bend spoons with his mind." I know where the safe bet lies.

    This is especially true considering that most "hacking" is just social engineering, and learning that robs black hatting of a lot of its mystique. It's like seeing the trapdoor behind the magician's trick; the answer to the question "how did he do that" turns out to be so simple that you feel stupid for not figuring it out at first glance. "So you just called people in our corporate directory on the phone posing as company IT support until you found somebody stupid enough to give you their password?" When you discover that you don't pay the guy $Texas to shore up your network, you spend 5 seconds and send an email to the whole company saying (albeit in a slightly more professional tone), "Hey, stupid fuckers. Don't give out information to people you don't know cold-calling you out of the blue, k?"

    Because ege is totally right. It's not computer security, it's information security. The part that involves plugging holes in technology you learn as part of your basic networking certification or by attending the occasional Microsoft/Cisco/Oracle/whateverflavoryourcompanylikes/etc trade show. You install patches on your products, wrap inherently insecure technologies (like Windows file sharing) up in VPNs or SSL encryption, enforce strong password policies, keep your antimalware software up-to-date, deploy a good asset management tool, and run the occasional portscan or password breaker. There, you've taken care of your tech. That's step one, and any systems monkey can do it. Step two involves making sure your people give the right information to the right people, don't give the wrong information to the wrong people, that your people only have access to enough information to do their job at any given time so if a leak occurs the leak is contained, and if a leak occurs the right people know about it as soon as possible. That involves having good processes in place and making sure people know their roles. This happens at a much higher level than just the tech, and requires cooperation from people at every level of corporate management from HR up to the CEO, because as the classic T-shirt that you see on every third geek at Defcon says, "there's no patch for human stupidity."

    And I'm sorry, but the only way a 20-year-old could do that part of the job well is if he'd been working in the corporate world since the age of 10. It's not an age thing, it's an experience thing. You can't learn it from a textbook or from late caffeine-fueled nights on your Linux box. You can only learn it by interacting with people and seeing how things work in the corporate environment.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • MrMister Jesus dying on the cross in pain? Morally better than us. One has to go "all in". Registered User regular
    edited December 2007
    As far as the tech side goes, my friends take CS classes on it. I wasn't aware there was a shortage.

    And yeah, hyper-secure tech doesn't help much when your people don't use secure practices.

  • ege02 __BANNED USERS regular
    edited December 2007
    Feral wrote: »
    I've heard so many of the "I knew a guy who hacked into some company's servers and instead of suing the shit out of them, they hired him" stories over the years and every single one of them has turned out to be bullshit.

    Another reason I found it hard to believe was that it's a federal crime nowadays to hack into private systems.

    It doesn't make sense. Think about it: the kid doesn't have much of a choice anyway, so why would they pay him so much? The company clearly has tremendous bargaining power, so it would make more sense for them to employ him with as minimum a salary as possible, because his other choice is getting sued and jailed.

  • Burnage Registered User regular
    edited December 2007
    MrMister wrote: »
    And yeah, hyper-secure tech doesn't help much when your people don't use secure practices.

    The UK government is aptly demonstrating this at the moment, what with losing the personal data of several million people and all that jazz.

  • Satan. __BANNED USERS regular
    edited December 2007
    MrMister wrote: »
    As far as the tech side goes, my friends take CS classes on it. I wasn't aware there was a shortage.

    And yeah, hyper-secure tech doesn't help much when your people don't use secure practices.

    It's one arm of things. Your people can practice secure procedures but if you don't have the tech, it would fall apart anyway. Each requires the other to function optimally.

  • langfor6 Registered User regular
    edited December 2007
    MrMister wrote: »
    As far as the tech side goes, my friends take CS classes on it. I wasn't aware there was a shortage.

    And yeah, hyper-secure tech doesn't help much when your people don't use secure practices.

    With a field as important as it is, and with as much depth as there is, I was curious as to why there isn't an abundance of entire curricula. I took a few psychology classes when I was in school but I'm not qualified to cure your schadenfreude.

    I understand the human element, but surely there still exists a need and/or a desire to obtain that in-depth technical knowledge.

    This may just be an exposure of personal character weakness here. I've always preferred a formalized plan of study to learning on my own (i.e. night after night in my basement on my Linux box). I'm always afraid that there will be gaps in my learning, and this doesn't just apply to this particular subject.

  • electricitylikesme Registered User regular
    edited December 2007
    The other thing (in reference to secure practices) is that IT has to be user friendly when requiring people to use secure practices. Just about everyone I know immediately turned off the Windows Vista user authentication thing because it popped up at almost every single basic function of the computer.

    So while it may implement a way to be secure both technically and in practice, because it's such a pain everyone disables it after a while (topical example - the other is not using an SSH client or whatever and just working outside a secure environment because it's easier).

  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited December 2007
    langfor6 wrote: »
    I understand the human element, but surely there still exists a need and/or a desire to obtain that in-depth technical knowledge.

    It's available, if not through academic sources. Every week my mailbox at work gets filled with junk mail from places like Global Knowledge, Microsoft Learning, etc. wanting to give me crash courses in Windows network security.

    Perhaps it's too much of a tradeskill, maybe it's too technology-specific, I dunno.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • ege02 __BANNED USERS regular
    edited December 2007
    Feral wrote: »
    langfor6 wrote: »
    I understand the human element, but surely there still exists a need and/or a desire to obtain that in-depth technical knowledge.

    It's available, if not through academic sources. Every week my mailbox at work gets filled with junk mail from places like Global Knowledge, Microsoft Learning, etc. wanting to give me crash courses in Windows network security.

    Perhaps it's too much of a tradeskill, maybe it's too technology-specific, I dunno.

    One problem is that by the time the person completes the coursework, what they learned is already obsolete.

  • theparttime Registered User regular
    edited December 2007
    there is an undergrad class on comp security at my university.

    didn't take it because it didn't fit into my sched and supposedly wasn't one of the easier cs classes.

  • Premier kakos Registered User, ClubPA regular
    edited December 2007
    It's like the technological version of the NBA. If you're good, the right people hear about you, find you, and employ you for retarded amounts of money. One of my 20 year old friends just got hired by Viacom for $550,000 starting pay. Naturally, he dropped out of college.

    I'm calling complete bullshit on this one. There's no way any major company like Viacom would pay an unproven asset $550,000 a year, especially one that is only 20 years old.

    As far as an academic presence for Computer Security, there is a rather sizable one. Cryptology, intrusion detection systems, etc. all have a pretty good following in the fields of Computer Science.

  • ege02 __BANNED USERS regular
    edited December 2007
    It's like the technological version of the NBA. If you're good, the right people hear about you, find you, and employ you for retarded amounts of money. One of my 20 year old friends just got hired by Viacom for $550,000 starting pay. Naturally, he dropped out of college.

    I'm calling complete bullshit on this one. There's no way any major company like Viacom would pay an unproven asset $550,000 a year, especially one that is only 20 years old.

    There might be more to it than we know. I can think of a couple of edge cases; for instance, if he hacked into their systems and discovered that they have been involved in legally questionable practices, and threatened to disclose them to the authorities when they said they were going to sue him... something like that may justify that kind of salary.

    But that's like a one in a billion probability.

    Aside from that, it's simply unheard of for a 20 year old -- who doesn't even have a college degree -- to have an executive-level salary.

  • Goatmon Companion of Kess Registered User regular
    edited December 2007
    Yeah, unless Boman's friend is at some sort of Will Hunting level of genius at what he does, it's a difficult scenario to buy into.

    Switch Friend Code: SW-6680-6709-4204
  • devoir Registered User regular
    edited December 2007
    Anecdote: The only time I've heard of that kind of offer in real life was when the FBI got a guy to fly from Russia to the US on the pretense of being hired for a job so that they could arrest him the moment he landed on US soil. It was related to the surge in managed botnet services.

  • BomanTheBear Registered User regular
    edited December 2007
    Hey, call bullshit all you want, but this stuff is exactly what he told me, and he's been stealing shit off their servers for years. As for the pay, he could completely be lying, but he got hired at the end of September, dropped out of school four days later, and bought himself a new Mercedes. And (I haven't talked to him in a couple months) I think he's not in jail. So if someone's lying, it's him, because this is exactly what he told me.

  • devoir Registered User regular
    edited December 2007
    He's selling drugs.

  • BomanTheBear Registered User regular
    edited December 2007
    I doubt it, the kid's scared of substances (including nyquil). Although knowing him, that would be hilarious if that were the case. No one would suspect it.

  • Premier kakos Registered User, ClubPA regular
    edited December 2007
    Hey, call bullshit all you want, but this stuff is exactly what he told me, and he's been stealing shit off their servers for years. As for the pay, he could completely be lying, but he got hired at the end of September, dropped out of school four days later, and bought himself a new Mercedes. And (I haven't talked to him in a couple months) I think he's not in jail. So if someone's lying, it's him, because this is exactly what he told me.

    Your friend is bullshitting you so hard then. Sorry to say.

  • Premier kakos Registered User, ClubPA regular
    edited December 2007
    Goatmon wrote: »
    Yeah, unless Boman's friend is at some sort of Will Hunting level of genius at what he does, it's a difficult scenario to buy into.

    Even if he was a Will Hunting level of genius, they wouldn't give him that much. Again, it all goes back to being an untested asset. Ultimately, at any big company, HR would be in ultimate control of the salary and they would say "no fucking way" to that kind of salary and they wouldn't even care if he was the smartest man in the world.

  • KungFu Registered User regular
    edited December 2007
    devoir wrote: »
    Anecdote: The only time I've heard of that kind of offer in real life was when the FBI got a guy to fly from Russia to the US on the pretense of being hired for a job so that they could arrest him the moment he landed on US soil. It was related to the surge in managed botnet services.

    This happened with a German hacker and the Half-Life 2 source code being stolen. Gabe Newell told the hacker that he would hire him to improve security and then arrested him as soon as he landed in America.

    Theft 4 Bread
  • BomanTheBear Registered User regular
    edited December 2007
    Your friend is bullshitting you so hard then. Sorry to say.
    You may be right. He probably doesn't get paid nearly that much, and was just showing off. Regardless, they must be giving him a lot. The point I was trying to make is that if you're good at security you'll get picked up like he did.

    By the way, excellent signature.

  • Snarfmaster Registered User regular
    edited December 2007
    Your friend is bullshitting you so hard then. Sorry to say.
    You may be right. He probably doesn't get paid nearly that much, and was just showing off. Regardless, they must be giving him a lot. The point I was trying to make is that if you're good at security you'll get picked up like he did.

    By the way, excellent signature.

    Dropping out of college and showing up in a new car is not proof of anything. Even a dishwasher can lease a Lexus.

  • Satan. __BANNED USERS regular
    edited December 2007
    Your friend is bullshitting you so hard then. Sorry to say.
    You may be right. He probably doesn't get paid nearly that much, and was just showing off. Regardless, they must be giving him a lot. The point I was trying to make is that if you're good at security you'll get picked up like he did.

    By the way, excellent signature.

    Dropping out of college and showing up in a new car is not proof of anything. Even a dishwasher can lease a Lexus.

    Yeah, but not really. "So you'll be contributing... 45% of your monthly income to this car payment alone?" is usually followed by laughs and laughs and laughs. Not saying this guy is right (seriously, the back-and-forth on that subject is getting old already) but there is no reason for the hyperbole.
