Monday, July 20, 2009

Never forget to enjoy ideas

On a personal note, this weekend was a birthday celebration for both me and my daughter. I am 40, she is 2. A recent student is enjoying a commencement for his bachelor's degree with his family in AZ. In one weekend he is recognized for both this and a new ECSA certification. He also has a great personal story.

I am on cloud nine for a number of reasons.

My daughter's presents involved a lot of assembled parts. She (who understands remote controls, cell phones, and will not fall for fake laptop toys versus dad's office computer) tried to help assemble her own presents. Those moments were so much damn fun I can't begin to get into it.

I was reminded of a quote from Mr. Rogers many years ago: "Play is serious business for children. It is how they learn." (If you don't know who this is, please wiki "Mr. Rogers' Neighborhood".)

Is this much different for adults? We often forget to play with ideas. We forget to have fun doing what we do. Even the most dry and boring compliance thing can be approached with the curiosity and wisdom of a child that has not yet learned the "I don't care about this crap, just give me the answers to the test" attitude. Our discipline depends upon this.

Nuance in information assurance is a Mandelbrot formula. There is always something else buried in the details. The only way to enjoy tackling a challenge is to understand how to play with it.

My friend Jason, who just graduated, has this spirit too. I was glad to have met him as he is the very definition of this principle. My daughter is a person I cannot possibly be more proud of as she teaches me what it is like to grow up in this age, and reminds me about what hacking is really about.


Friday, July 17, 2009

Students are evolving faster than the courseware changes

First I would like to thank two very recent classes, one in DC (CEH) and the other in Atlanta (ECSA), for a great time. The fact that those classes were successful was all to the credit of the students. They were loose, understood the concept of how a "hacking" course really works, and enlightened each other with different points of view. Even the non-related discussions we had at breaks were educational.

During my CEH class in DC I was talking to another instructor, Claude Williams, a CISSP instructor extraordinaire that has perfected his delivery of that class. I was picking his brain about courseware updates and I brought up my theory that eventually, printed courseware will be outmoded. "Liquid materials" are the next step for training, courses that evolve and are flexible.

I based this theory on a number of issues that I couldn't get into at that moment. He asked me "Do you think this is a good thing?"

I paused for a moment because I had actually never assessed it that way. I just assume it is happening so accept or die. But the truth is that changing courseware "on the fly" plays havoc with a lot of logistic elements of the training industry behind the scenes. It made me realize that the real reason I think fluid courseware is a necessity is not that the subject matter really changes much over time, it is that our students change. Their environments are not the same as they were even a year ago and they are coming into class with different perceptions of the subject matter.

For example: One of the students in my CEH class mentioned that the tools he uses at work do so much work automatically that he has no idea what is really going on. I felt like an old man about to give that "When I was a boy I walked uphill both ways barefoot in the snow" speech when I said "When I was a young pentester, we used to have to put effort into network mapping and assessments."

I give this guy a lot of credit for understanding that the ease of use in his tools is not representative of the actual events taking place. But this was also an indication that he would have an entirely different way of looking at the material than those in the room that had no idea what we were even talking about. I worried that those students would get hired one day at a company that does robo-pentests and with adventurous excitement expect to apply the skills they learned in CEH, only to be laughed at and told, "No, just enter this data and click this button. Left click to be specific".

About every third class I get a student who argues "Routers don't pass ICMP". Before I get frustrated I consider why he would say such a thing. It is because in his world this might be the truth, and all he has ever seen.

Training classes are not about validating the students' experiences. But the curriculum must be adapted to these perceptions. Otherwise those of us in the adult certification training world will be labeled as "academic dinosaurs".

This is why I characterize my students as teachers. It is why some instructors run classes a bit loose and stress free. We appreciate the contributions we get when people relax and participate. The stories of everyone's experience, including life experience, enhance the course. Then we turn that around to keep improving every class, even if the printed courseware has not changed.

I think at some point though, it will have to be this flexible in terms of materials also. The turnaround window is getting smaller and smaller.

Thursday, July 2, 2009

Student or Teacher?

I just had a spirited debate with Larry Greenblatt, a good friend of mine who founded "Internetwork Defense" (1). We have been back and forth on a few items in our disciplines on many occasions and mostly end up in a similar place that was arrived at from differing angles.

I go back to a statement I make often that the fun of the security vector of information technologies is that you get to be philosophical. It is your job to play with ideas. I teach ethical hacker classes and part of that is selling the idea that critical thinking is a responsibility. You are paid for providing this service. Be respectful and understand the scope of the situation, but challenge wisely. Do challenge the situation.

Instructors and students are interchangeable. Larry sat my class and I sat his. Next week I will sit a class of ten student teachers.






Wednesday, July 1, 2009

Technical writing - "With style"

We are currently working on a book that will be published very soon. The process of writing this book has been extraordinarily illuminating. Or, just a lot of fun.

Along the way I wanted to be refreshed on some basic tips for effective penmanship. Knowing one of my editors has a Masters in English and that I cannot explain the difference between a noun and a participle if my life hung in the balance, I was intimidated at first.

All of us have to, and I mean this with criticality, be able to write technical documents and make a written point effectively. In the information security world reports = dollars. There is a direct correlation to the size of the payment received and quality of chosen words.

I have the benefit of a mentor that humbles me on this front and I pass this experience along to the LPT classes where writing is a requirement.

As I looked for some outside coaching for this book I recalled two resources I have used in the past to get a crash course in how to write good. Kurt Vonnegut in this classic essay about writing with style is something that everyone needs to take a look at. Particularly those in the technical industry.


There is also a tool I think is fun called "Bullfighter". It scours your documents looking for wordiness, jargon and various forms of BS that complicate the communication. It is available here: