Right, I can't disagree with you there. He decided to carve his own
path, why don't most people do that?
Adriel T. Desautels
***@netragard.com
--------------------------------------

Subscribe to our blog
http://snosoft.blogspot.com


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

I'm not sure about that... I hold a P.E. Degree in Computer Science. But, I've
seen a lot of undergraduate people working very well on infosec. Moreover, i
worked on infosec years ago before my graduation date. wasn't a big deal. And
moreover, time ago (undergrad also) i established a company on infosec.

I mean, Is not a rare exception.
Agree.
The first succeed factor on Infosec is: "be skilled and love infosec".

A degree is preferred on works because you will understand many things that
you won't learn on certifications, by the nature of the certifications of
course; If you study for a certification you won't learn how to code a program
or script, and moreover, in a penetration test, is needed to code some
processes to be succeed.

And, also maths and statistics are required sometimes. Some of statistics
could help you to determine if some attack will be reliable or not. Therefore
you will save time and money...

With a degree you will going to understand many things clearly: from coding,
to system information theory and also maths (important!). But a degree is not
a white card. Many "non skilled on security" people get a degree those days. A
degree does not say anything about your skills on infosec. A certification,
training and experience actually does.

My conclusion:

1- Skills and love infosec are required.
2- Experience and training is required. _climb_
3- Degree is preferred to be a good professional and understand well
everything.
4- Certification will say to others that you have the knowledge in a certain
area (not the skills). You may have the knowledge, but the certification will
say it to others.

----------------

Thanks everyone for your prompt replies.

Really appreciate your affirmation of my decision.

I'm considering The Bachelor of Computing (Networks)... what are your
thoughts on this?

I'd be majoring in Security of course...

Unfortunately, due to my relatively young age, and lack of either the
IB, HSC or SAT, may make this difficult.

I am however trying to get in other ways, eg; by doing a 6-month
course at a Technical College, or by working for at least a year, (8
months off that...). Although sitting the STAT may enable
enrollment...

What are your thoughts on my course selection, and the ways I'm trying
to enter? If you know of any other ways I can enter University to do
the aforementioned course, please inform me of it.

Sam Oke:
Thanks, see you there! ;)

Tomi Tuominien:
That's the year I was born!!! Finland? You're reminding me of Monty
Python now!!! Answer: [A:\... or B:\]

Palaniyappan:
A few, did a bit of hacking in High School, but have only recently
started to learn how that was possible!

Ahmad Taha Zaki:
Do you think for someone non-mathematically minded that Computer
Science would be the right course for me? Or do you believe, as I
currently do, that The Bachelor of Computer (Networks) would be my
best bet?

Shailesh Rangari:
Thanks for your reply. Hadn't thought to contact our Defence
Department... that's a good idea! Well I left school at 16 to pursue
more specialised education.
I studied IT - Networking at Technical College, which is where I
decided to enter the 'world of IT Security'!
But yes, I do have all those certifications, the 3 Cisco ones I did at
technical college, the others I've done through self-study.
Security+ was particularly interesting/difficult. I enjoyed studying
for it, as I learned a lot of new things! I thought I was good at
security, but I hadn't even heard of some of the concepts!!!
Hmm... well I think I'll leave that last comment for after Uni [if I
get accepted], where I'll start a new post here on the different
mailing-lists.

Abel Adushaev:
Hmm... wasn't aware of that. Well I'll create another topic sometime
in the future 'Which certification should I go for next?', but that
won't be for a while, as I still have to get my MCSA & MCSE. Perhaps a
CCNA as well... as Uni!!! [if I get accepted]

Wolfiroc:
I don't understand.... to be in Politics you need a CISSP?

RaptorX:
Thanks! Hopefully I'll get accepted into the course I want! I used to
target the teachers at Technical College, the Security & Linux ones
:P. Good fun!

Noah Chesterman:
For whatever reason, I've noticed that Uni degrees are more respected
then Certifications. Uni graduates, from what I've heard, have an
easier time of finding jobs.

James Copeland:
Thanks! I agree, it woudl make the job interview a hell of a lot easier!

Matthew Wollenweber:
I have considered Computer Science. It seems to be a very good course,
I have a friend in 1st year. My other friends [in my age-group] are
also considering entering Computer Science at University, once they've
finished school. Unfortunately for me, I'm not very good at Maths, or
Science. I'm slowly teaching myself programming though, and if I got
accepted into a Computer Science course, I'd accept! The only thing
is, I'm unsure of how well I'd go... Yes, most I'd have to pickup
osmosisly [if that's a word!], however some formal education may be
helpful, if I end up not being good in the Security field, or if I'd
want to enter more the Mangerial side. For the moment, I'm looking for
a purely technical field. I do have a lot to consider!!! Hmm...
system administration in the Universities IT Department... sounds
interesting!

Adriel T. Desautels:
He doesn't need WINE either!

David Klein:
What do you do?

Adam K:
I play basketball, if that's of any help!!! :D
Not just social connections, business connections as well! (or so I've heard)

Thanks once again for all the replies.

Hy Zaret
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

In this day and age it is very important to get your degree. Prior to graduating I was told by my advisor that my degree isn't to show that I am smarter than other people, it is to show that I have been taught how to learn. It tells any potential employer that you have the discipline to try to figure out new things and you should be able to handle new ideas, and different points of views.


-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com] On Behalf Of Derek Fountain
Sent: Friday, August 07, 2009 7:30 AM
To: pen-***@securityfocus.com
Subject: Re: To go to University - For the CISSP etc. - Good idea/Bad idea???
Oh yes, that old chestnut. Bill Gates is in his mid-50s, not his late
teens like the original poster. Gates grew up in the fledgling computer
world of the 1970s when opportunities and expectations were very
different to what they are now. It's also probably fair to say that Bill
Gates' story isn't that of the typical IT professional.

When a youngster asks for guidance on career and education I think the
example of someone born in the mid-1950s isn't really relevant.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Did everyone miss this?

http://tech.yahoo.com/blog/hughes/13653

Granted, it was an honorary doctorate, but yet a degree
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Actually its absolutely relevant.

Additionally, I never said "don't get a degree". I just suggested not
wasting your time getting a degree on something that will be dated by
the time you're ready to use it.

Go for a degree in law or business, study technology on the side if
that's where your passion is. You'll end up very well rounded and
ready to play.
Adriel T. Desautels
***@netragard.com
--------------------------------------

Subscribe to our blog
http://snosoft.blogspot.com


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Yeah, but the fact is that most businesses have an HR dept and unless
you have a degree you won't get
your resume past HR.
It's certainly possible to get a job without a degree, but it's
definitely not the norm.
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

A degree (if you actually apply yourself and use the experience to learn)
will provide you with a foundation that you do not obtain through real world
experience.

Although technology moves on, many of the underlying foundations do not. I
still use old techniques on a daily basis. Knowing the algorithms in a sort
function is actually still extremely useful in analysing packers for malware
reversing. This is not something that you pickup in a normal daily function.
You can learn it on your own, but the added structure often helps people
focus.

I for instance am both a quasi-academic (insert shameless plug for IT
Masters degree, digital forensics
http://www.itmasters.edu.au/WhichQualification/MasterofInformationSystemsSec
urity/DigitalForensics.aspx) as well as working in the "real world". I still
do degrees. I have lost count as to where I am up to, but I am completing
another doctorate, a PhD on the quantification of IS risk.

You can work and study. It is easier to at least complete one degree on
campus, but there are options afterwards that many people take. Even in
networking, a good understanding of the fundamentals can help. Knowing OSPF
in routing is one thing, but understanding how the Dystraka's algorithm
actually functions is a benefit to say the least.

There are many point and click IT people out there. These people can make a
good career which can take them into management etc. Here a degree still
helps (though one with a business/commerce focus is best). If you want to
really get into the depths of computing, work in a lab, design etc, then a
degree is definitely not going to hurt.

As for how fast the IT world changes, don't really believe it.

The foundations of systems and design are 80% the same today as they where a
decade ago. The interfaces and tools have changed, but the principles have
not. I come across the same software errors in code now, the same mistakes,
the same poor coding as I did 2 decades ago. It may be faster, bigger and
more colourful, but we are still making the same errors.

Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd



-----Original Message-----
From: ***@securityfocus.com [mailto:***@securityfocus.com] On
Behalf Of Adriel T. Desautels
Sent: Friday, 7 August 2009 11:19 PM
To: Adam K
Cc: James Copeland; Hy Zaret; pen-***@securityfocus.com
Subject: Re: To go to University - For the CISSP etc. - Good idea/Bad
idea???

1-) Fact, technology evolves so quickly that "new" technology is
considered "old" within the course of one year.
2-) Fact, security is one of the most rapidly evolving areas of
technology.
3-) Fact, most degrees take at least 4 years to attain.

If you are interested in becoming a security professional, what you
learn in school will be out-dated by the time you graduate. The only
thing that you will have that will be of any real value will be your
experience in performing research or in delivering security services,
or maybe in the creation of security technologies. A degree can not,
and will not make you a security expert... only hands on experience
and bleeding edge exposure can do that. You get that exposure by
doing and universities don't "do" all that well.

When I was in college I was also working full time making the salary
of a senior software engineer. In doing that I quickly realized that
college was useless for me as it wasn't teaching me anything that I
needed to know. I found that I was learning about the real and
current technology world while at work, and learning about the old and
dusty technology world while at school. Most of the skills that they
were teaching us at school, especially with respect to security, were
dated or becoming dated. The only thing that I found useful was C, C+
+, and the other programming languages that I learned. Mind you, I
wasn't taught by anyone, I was given a book and told to study it. I
don't need to pay $45,000/year to be told to read a book, I can do
that on my own. If you feel that you need to pay that much to read a
book then give me a call, I've got a lot of good reading material for
you.

With regards to technology, most of the time the only thing that a
degree will satisfy is the emotional and political requirement of the
old school mindset. The truth is that some of the best talent doesn't
come with a degree.

Naturally, degrees are required for doctors, lawyers, etc. I'm not
suggesting that they don't have a place. I am saying that specific to
security they are nearly useless when compared to real world experience.
Adriel T. Desautels
***@netragard.com
--------------------------------------

Subscribe to our blog
http://snosoft.blogspot.com


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Adriel, et al -

While I agree with your assertion that the information gained in pursuing a
degree is dated from almost the outset, having the college degree card is A
major requirement to even get into the door. I know from my own experience
that the lack of same is a major handicap. So, yes, pursue the degree in an
engineering or CS or Network environment, but also study and learn on the
job. Having a couple of certifications (CCNA security, CSSLP, CISSP,
whatever) will allow you to standout in the crowd, but not having the degree
basically sinks both of your feet into a concrete block.

Bob

Comments embedded below.
Agreed, but a degree in something useful that you can't learn just as
well on
your own, and whose knowledge won't be dated when you're done.
I think that's a great point but is that something that you need to
get a degree for?
You can take courses at Black Hat etc. Those courses are very focused
and will
help just the same, if not better, won't they?
So you can't count that high? (sorry the wise ass part of me got the
best of me).
Or you can learn about calculating (least cost) distances on your
own. What you
are talking about here would be learned with a degree in mathematics,
and IMHO
that would be very a useful degree.
Point and Click? Isn't that a bit demeaning Craig? There are many
people in the
IT Security industry that don't have degrees and that out-perform
people with
degrees. Sure it might make the people with the degree's upset, but
then again
it might not.

I think that its not point and click as much as smarts, talent and
innovation.
Does anyone else here think that the IT world doesn't evolve?
The foundations for cars are 90% of what they were a a decade ago.
Are you saying
that cars from 1999 are the same as they are today?
The principles have changed significantly in may areas. Methods for
attack and exploitation
have evolved. If there was no change then the security industry would
be dead as the
problems would have been solved.
So you're saying that the IT world hasn't evolved because people keep
making the same
mistakes when writing code? Your argument is flawed. Hell, I can't
believe that I just spent
this much time arguing about the evolution of IT. I'm done with that
subject, its been fun really.
Adriel T. Desautels
***@netragard.com
--------------------------------------

Subscribe to our blog
http://snosoft.blogspot.com


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Clearly there are different opinions about earning degrees and that's
fine, each
to their own. People should do what is right for them but I stand by
my opinion.
My opinion is that people should earn a degree in something that will
benefit them,
that they can't learn on their own, and that won't be dated by the
time they graduate.

But again, a degree isn't for everyone and doesn't determine success.
Bill Gates
is a prime example of great success without a degree. He took the
risk and made
it happen.

...

Craig, this is the second time that you've responded to one of my more
intentionally
controversial emails. I couldn't help but do a bit of research on you
and took a look
at your blogs.

Is this fact:

"My name is Dr Craig Wright. I am currently the only GIAC GSE
(Compliance)
holder globally and the most highly accredited Global Information
Security
Professional. Each week I will answer and post the best questions sent
to me."

http://security-doctor.blogspot.com/

Craig, are you also a researcher in that you perform vulnerability
research
and write exploits? Or are you strictly focused on compliance? Do you
perform
penetration tests or just review the results?

I'm not trying to be a wise ass, I'm honestly curious.
Adriel T. Desautels
***@netragard.com
--------------------------------------

Subscribe to our blog
http://snosoft.blogspot.com


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1




0> fact. most companies, and those include IT/tech companies require a
degree these days, or vast amounts of experience to replace the degree.


so, most folks this day in age are better of doing the college thing and
getting a degree. As many have mentioned it might not have to be a
comp-sci degree, to end up in the field. Love is the main rule of the
game as pointed out by many as well. And a side degree has advantages to
the main course of study being comp-sci. Encouraging someone young, and
lacking in real experience is almost bordering on criminal in this day in
age.

Thanks,

Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame. --Charlie Wilson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFKfItmst+vzJSwZikRAjLZAKDQvZ3/5h3MXlQifj2S4bSfZdRhFACfZd73
1z33oHuBvgeOhBqWeiB7jzA=
=ovOi
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------