Thursday, August 13, 2009

Process Oriented Programming

Often times in the CISSP and Security+ classes we are confronted with the need to come up with examples that illustrate detailed terms that don't translate well into "business language".

Some things just suck if they were to happen. And explaining this to a cost/benefit manager is sometimes an exercise in awkwardness for both parties. Here is a good example for the "programmery" (my term) knowledge domains in CISSP. The ones where we get into the weeds about registers and processes and so on:


This is a practical example of injecting instructions into a process while it is running. Voting machines make an example that everyone, not just those who work on the secret systems most will never see, can understand.

Friday, August 7, 2009

"How to solve it"

While researching a test question about virus scanners I ran across these ideas regarding "heuristics". It came from a book written in 1945 called "How to solve it".

These are probably the best four suggestions I can give a student on how to deal with the CEH/ECSA/LPT materials. Remember first off that perhaps the most fundamental heuristic is "trial and error".
  1. If you are having difficulty understanding a problem, try drawing a picture.
  2. If you can't find a solution, try assuming that you have a solution and seeing what you can derive from that ("working backward").
  3. If the problem is abstract, try examining a concrete example.
  4. Try solving a more general problem first (the "inventor's paradox": the more ambitious plan may have more chances of success).

Wednesday, August 5, 2009

Series (1 of n): Using practice exams effectively

Part of the current book project I am doing involves writing practice questions. In doing this I have put a lot of thought into the topic and wanted to share some of that here.

First, just to get the controversial part out of the way, I believe in practice questions. They are ethical and it is fair to try to get them as close to the real thing as possible, at least in terms of scope, style, and difficulty level of the real test. That is my opinion and other instructors might disagree.

A risk of providing practice exams is realized if the student can subconsciously understand them to mean "The instructor is essentially taking this test for me; if I do what these questions say, I will pass." I say subconsciously because I have never heard a student actually say this out loud, but I can tell by the way they ask questions about the exam and their general preparation habits when this perception is taking hold. This is the source of the understandable criticism of practice tests, but it can be managed and handled correctly.

As I write the questions for the book, I am placing in some controls. In the interest of security-open-source-minded full disclosure I don't mind explaining them. The best cryptosystems are well known and understood, but are still hard to solve. That is the good model for practice exams as well. Along the way, discussions about real exams are likely to be brought up as well.

To keep the blog postings reasonable in size, I will address specific topics of practice exams, and how to get the most out of them, over the course of several postings. In case you are working on some right now, start with this thought:

“Practice exams are extensions of lab, lecture and other learning modes. Not replacements for them, and not shortcuts to avoid them.”

Monday, July 20, 2009

Never forget to enjoy ideas

On a personal note, this weekend was a birthday celebration for both me and my daughter. I am 40, she is 2. A recent student is enjoying a commencement for his bachelor's degree with his family in AZ. In one weekend he is recognized for both this and a new ECSA certification. He also has a great personal story.

I am on cloud nine for a number of reasons.

My daughter's presents involved a lot of assembled parts. She (who understands remote controls, cell phones, and will not fall for fake laptop toys versus dad's office computer) tried to help assemble her own presents. Those moments were so much damn fun I can't begin to get into it.

I was reminded of a quote from Mr. Rogers many years ago: "Play is serious business for children. It is how they learn." (If you don't know who this is, please wiki "Mister Rogers' Neighborhood".)

Is this much different for adults? We often forget to play with ideas. We forget to have fun doing what we do. Even the most dry and boring compliance thing can be approached with the curiosity and wisdom of a child that has not yet learned the "I don't care about this crap, just give me the answers to the test" attitude. Our discipline depends upon this.

Nuance in information assurance is a Mandelbrot formula. There is always something else buried in the details. The only way to enjoy tackling a challenge is to understand how to play with it.

My friend Jason, who just graduated, has this spirit too. I was glad to have met him as he is the very definition of this principle. My daughter is a person I cannot possibly be more proud of as she teaches me what it is like to grow up in this age, and reminds me about what hacking is really about.


Friday, July 17, 2009

Students are evolving faster than the courseware changes

First I would like to thank two very recent classes, one in DC (CEH) and the other in Atlanta (ECSA), for a great time. The fact that those classes were successful was all to the credit of the students. They were loose, understood the concept of how a "hacking" course really works, and enlightened each other with different points of view. Even the non-related discussions we had at breaks were educational.

During my CEH class in DC I was talking to another instructor, Claude Williams, a CISSP instructor extraordinaire who has perfected his delivery of that class. I was picking his brain about courseware updates and I brought up my theory that eventually, printed courseware will be outmoded. "Liquid materials" are the next step for training: courses that evolve and are flexible.

I based this theory on a number of issues that I couldn't get into at that moment. He asked me "Do you think this is a good thing?"

I paused for a moment because I had actually never assessed it that way. I just assume it is happening so accept or die. But the truth is that changing courseware "on the fly" plays havoc with a lot of logistic elements of the training industry behind the scenes. It made me realize that the real reason I think fluid courseware is a necessity is not that the subject matter really changes much over time; it is that our students change. Their environments are not the same as they were even a year ago and they are coming into class with different perceptions of the subject matter.

For example: One of the students in my CEH class mentioned that the tools he uses at work do so much work automatically that he has no idea what is really going on. I felt like an old man about to give that "When I was a boy I walked uphill both ways barefoot in the snow" speech when I said "When I was a young pentester, we used to have to put effort into network mapping and assessments."

I give this guy a lot of credit for understanding that the ease of use in his tools is not representative of the actual events taking place. But this was also an indication that he would have an entirely different way of looking at the material than those in the room that had no idea what we were even talking about. I worried that one of those students would get hired one day at a company that does robo-pentests and, with adventurous excitement, expect to apply the skills he learned in CEH, only to be laughed at and told, "No, just enter this data and click this button. Left click to be specific".

About every third class I get a student who argues "Routers don't pass ICMP". Before I get frustrated I consider why he would say such a thing. It is because in his world this might be the truth, and all he has ever seen.

Training classes are not about validating the students' experiences. But the curriculum must be adapted to these perceptions. Otherwise those of us in the adult certification training world will be labeled as "academic dinosaurs".

This is why I characterize my students as teachers. It is why some instructors run classes a bit loose and stress free. We appreciate the contributions we get when people relax and participate. The stories of everyone's experience, including life experience, enhance the course. Then we turn that around to keep improving every class, even if the printed courseware has not changed.

I think at some point though, it will have to be this flexible in terms of materials also. The turnaround window is getting smaller and smaller.

Thursday, July 2, 2009

Student or Teacher?

I just had a spirited debate with Larry Greenblatt, a good friend of mine who founded "Internetwork Defense" (1). We have been back and forth on a few items in our disciplines on many occasions and mostly end up in a similar place that was arrived at from differing angles.

I go back to a statement I make often that the fun of the security vector of information technologies is that you get to be philosophical. It is your job to play with ideas. I teach ethical hacker classes and part of that is selling the idea that critical thinking is a responsibility. You are paid for providing this service. Be respectful and understand the scope of the situation, but challenge wisely. Do challenge the situation.

Instructors and students are interchangeable. Larry sat my class and I sat his. Next week I will sit a class of ten student teachers.






Wednesday, July 1, 2009

Technical writing - "With style"

We are currently working on a book that will be published very soon. The process of writing this book has been extraordinarily illuminating. Or, just a lot of fun.

Along the way I wanted to be refreshed on some basic tips for effective penmanship. Knowing one of my editors has a Masters in English and that I cannot explain the difference between a noun and a participle if my life hung in the balance, I was intimidated at first.

All of us have to, and I mean this with criticality, be able to write technical documents and make a written point effectively. In the information security world reports = dollars. There is a direct correlation between the size of the payment received and the quality of chosen words.

I have the benefit of a mentor that humbles me on this front and I pass this experience along to the LPT classes where writing is a requirement.

As I looked for some outside coaching for this book I recalled two resources I have used in the past to get a crash course in how to write good. Kurt Vonnegut in this classic essay about writing with style is something that everyone needs to take a look at, particularly those in the technical industry.


There is also a tool I think is fun called "Bullfighter". It scours your documents looking for wordiness, jargon and various forms of BS that complicate the communication. It is available here: