DerbyCon 2014 Higher Education Panel for Hackers: Irongeek’s Thoughts
Bill Gardner, Ray Davidson, Nathan Husted, Rob Jorgensen, Samuel Liles and I
were part of the “Higher Education Panel for Hackers” at DerbyCon 2014. The idea
of the panel was to discuss issues dealing with obtaining a formal degree from a
traditional school of higher learning in an information
security/cyber/information assurance related major. One conclusion I came away
from the panel with was that it is hard to dive deeply into the issues in only
an hour with six guys sharing one mic. Sam wrote up his thoughts on the
questions asked at the panel (http://selil.com/archives/5932)
and I’d encourage everyone else who was on the panel to do the same. In this
article, I’ll play the role of the jaded hacker type who spent almost sixteen
years working in higher education and someone who has a master's degree in security
informatics. My answers below reflect my thoughts on the questions, as well as
being somewhat of a response to some of Sam’s views. Some of the questions may
have been interpreted differently by other panel members, so these are not so
much disagreements as divergent thoughts.
1) Is there a meaningful difference between education and training?
The core idea of this question, to my mind, is can you get the same thing out of
trainings (at SANS, DerbyCon, Blackhat, etc.) that you can from a formal
university environment? I love Sam’s quote/analogy “Do you want your daughter
to get sex education at school or sex training?”, but I think it is not the
best analogy in this case. Let’s say I’m an employer, why is the assumption that
the person receiving the training is viewed as my daughter? If I was seeking to
employ someone, I’d see them more as my whore, in which case I’d want them to
have sex training. Ok, “sex worker” may be a more politically correct way to say
it; the point is that I would want them to have practical, hands-on knowledge,
and not just a high level overview. Granted, as Sam pointed out, knowledge and
skill are not the same thing, but they are interrelated. While attaining skills,
you do attain the knowledge unless you’re just an automaton going through the
motions that accomplish the task. Most hacker types I know would see how it’s
done, start to do it, then dive into it deeply to understand why something works
so they can improve it.
On the Knowledge, Skills, and Abilities hierarchy, I like this model, but how do
you know which knowledge is true unless you apply it? I was once told by an
instructor that they could have legally driven around during one of their
student’s research projects and tested for default passwords on wireless
routers, but did not because of human subjects/ethics concerns. I’m pretty sure
that would break the Computer Fraud and Abuse Act under unlawful “access
devices”, even if the passwords were easy to guess/well known. For other
professors in security-related fields I’ve had to define what a pentest was, or
even what a USB hub was. I think most trainings are more than just “training” in
the sense of just learning the commands. Not to shill for SANS but I picked up
more from the two classes I had with them than most of the graduate courses I
ever took. I also learned things from the one BlackHat training I sat in on that
I use on pretty much every pentest. I can’t say the same for some of my
university classes.
2) What is the role of certifications, and accreditation?
Oh damn, I’m just not sure. I know some are considered hardcore (OSCP) and some
kind of a joke (Ethical Hacker) but it has been such a long time since I went
for a cert I really don’t have an informed opinion anymore. In the late
90’s/early 2000’s I got an MCSE in NT 4, a CNE (Novell) and a bunch of CompTIA
stuff. I definitely learned from it. Even when my personal training/study was
less hands on, and more braindump oriented, I at least learned the terminology
and obtained enough knowledge to be able to Google for how to do something. W.
Somerset Maugham once said "The ability to quote is a serviceable substitute for
wit." My corollary: "The ability to Google can be a serviceable substitute for
technical knowledge."
All that said, I doubt certs will land you your dream job, but they may get your foot
in the door.
3) Are real world skills being imparted?
This is a crap shoot, depending on where and who is teaching. I was an
Electronics (got an associates) and a Computer Science (got a bachelors)
undergrad and a Security Informatics major for my masters. I’d say my
associates and my bachelors taught some directly useful skills, but my masters
not as much. Then again, as a graduate program, you expect it to be more
theoretical than an undergrad degree. I learned a lot of great things in Apu
Kapadia’s class on privacy networks, and even though it was my worst grade,
Predrag Radivojac did his best to teach me machine learning (read calculus,
stats and programming courses combined) concepts that I may someday use in
security anomaly detection.
There is a lot of talk about how some skills become outmoded, and this is true,
but even developing a skill in something outmoded (Novell Netware for example)
will give you skills that still apply today. You may not have experience with
Windows 2020, but having some knowledge of 2012 may still give you knowledge you
can apply because some things stay the same. Details about users, groups and
objects change, but just understanding the concepts helps you pick up the
specifics of other systems. Yes, the best tools change, exploits become outdated
and patched, but dumb/naive configurations last forever.
4) Is it worth the cost?
Tough call. Having a degree in something will get you past some HR filters (ever
notice everybody hates the people that go into HR lines of work?). Speaking
about more than just infosec, I’d say anything in a STEM or medical field may
still be worth it. People who get a bachelors in Women’s studies are idiots for
choosing a degree that gives them no marketable skills beyond writing, deserve
their student loan debt and are the reason for what wage gap there is. Costs are
pretty high in higher education, and seem to keep getting worse. Part of this is
the wasting of money on useless vice chancellors and provosts, part of this is
student loans that cause idiot students to think “hey, it’s free money now,
and when I get my masters in X Studies I’ll be able to pay it back”. As far as
knowledge imparted for the money goes, I’m pretty sure I have a higher degree of
education (university wise) than most people I work with, but feel more ignorant
than they are on many practical matters. I’d say the bachelors was worth it,
mostly because of learning structure in my work habits, some coding, and how to
write more better. I got my masters for basically free since I worked at the New
Albany Paper Mill for most of the time I was going and got three free credit
hours per semester. If I had paid for it all by myself I would not have gone for
the masters.
5) Are the degrees recognized?
Another tough question. Degrees directly related to infosec are pretty new, and
there are so many names: Information Assurance, Cyber Security, Security
Informatics, Information Security, etc. As Sam pointed out, “Computer Science”
is recognized, and there are a lot of schools offering degrees. “Infosec”
degrees have some maturing to do when it comes to an accepted name and common
curriculum, I imagine.
6) Who has a good program?
I don’t know who to recommend here. I guess Marshall, just because I like Bill.
There were some professors at IU who I thought were impressive (Apu Kapadia and
Predrag Radivojac) but overall I can’t recommend it. Purdue has Sam Liles and
Eugene H. Spafford (one of the few security academics that actually seems well
known amongst security practitioners).
On the subject of research programs vs. applied programs, I’m not sure it is a
false dichotomy. The problem with research universities is that the professor’s
core responsibility is likely doing “research”, publishing papers (often ones
that don’t matter and few read) and getting grants. Real teaching can take a
back seat, with professors missing more classes than the students. I recommend
looking at reviews of the professors in the program to see how much time is
spent in class, and how much is spent elsewhere.
7) What are the benefits, risks, and pitfalls of a university education for the
hacker?
For hacker types that ask “why” or have a problem with rules that don't make
sense, or are not evenly applied, universities can be pretty frustrating. For
From what I’ve seen, the STEM fields don’t seem to have as many political problems,
but problems do exist, just to a lesser extent. I guess the biggest risk is the
cost, but unlike majoring in “Women’s Studies”, at least you should be able to
pay off the loans. Just be careful and choose a program that is not considered a
complete paper mill, and of course keep your budget in check.
8) Long term, what is the direction of information security and systems security
education for the hacker community?
To quote Sam: “The hacker community has an assumption of owning information
security.” I’m not sure that is true, because I realize most people in infosec
jobs seem to view it as just a job. Lots of people in infosec I doubt would see
themselves as hackers, and I’m under no illusion that we are the majority in
corporate work settings (barring certain companies that are small, focused on
tech, and pretty much all hacker types). The people I see at hacker cons are not
really representative of infosec in general. I also don’t think the faculty we
had on the panel are representative of faculty in general; they have the passion
to go to a conference on their own time and I think they care more about
education than the average professor. Granted, many con goers are there more to
party with people with similar interests than learn, but they can be great
places to network and find new information. I think making fun of words like
Cyber, CISSPs, APT, etc. is fine when warranted, but does the business world really
denigrate those that don’t respect buzzwords?
Cue rant on universities and professionalism: After spending 16 years working
at a university, getting an associate's in electronics, bachelor's in computer
science and a master’s in security informatics, plus teaching three semester-long
long courses, I’m not sure a university is the best place to learn
professionalism. Some “teachers” can be very egotistical, more interested in the
gratification of having a bunch of captive students listen to them than the
gratification of actually teaching. I think the image we have in popular culture
praises professors too much, few are the “Dead Poets” type that inspire students
to greater things, most are just doing a job that is easier than working in the
commercial space. Public image is everything to universities, admins are largely
scumbags (if so many weren't ass-covering weasels, laws like the Clery Act would
not need to exist; also see current news stories on thefire.org), and university
officials/processes seem fairly corrupt. I’ve been told that the
institution I came from was not a good example, but I’ve also been told (by
someone who dedicated his life to the place) that it was better than most. At
least in the corporate world, money works as a metric. If a CEO has a few bad
quarters, he might be ousted. How often do you hear about a chancellor or
university president being fired for poor performance? For professors, tenure
seems to do more harm than good. It seems that the bad professors with tenure
are hard to fire, and the “good” ones won’t stand up and fix problems when they
arise. Reminds me of a probably apocryphal story: a man sees a full-grown work
elephant tied to a post with just a rope and asks a villager why it does not
just snap the rope and walk away. He is told that as a baby elephant, it was
tamed by chaining it to the post instead of using just a rope, and as much as it
strained, it could not break free as a baby elephant. Eventually, it just gave
up trying, and as an adult, still thinks it can’t break what binds it. I think a
lot of “good” professors are that way too. After 4 years of not rocking the boat
and/or kissing professors’ asses to get a bachelor's, then 2 more to get a
master's, then 2 more to get a doctorate and finally 5 years of not upsetting
anyone so they can get tenure, even “good” professors won’t stand up. I’ve seen
too much selective policy enforcement, lying and ass covering to ever think
modern higher ed is a place to learn professionalism.
Ok, rant over, sort of. In the future, I don’t know what higher ed information
security programs will become. Degrees that focus on infosec are kind of new,
and it’s hard to say how they will pan out. Hopefully they will come up with a
more common agreed upon curriculum, and maybe a common name (I prefer the name
Information Security to Information Assurance, Security Informatics or [drink]
Cyber) for the sake of bypassing HR filters. More distance ed will also help,
allowing access to more people. Really, while universities can teach you some
useful skills, if you really want to excel you have to have passion, study on
your own and share knowledge with others. I prefer the professionalism of hackers
(get stuff done) to the professionalism of universities (just keep the
organization going). If more of us with a passion for infosec did teach at
universities, maybe we could correct some of the problems in the culture of
higher ed.
Copyright 2020, IronGeek