Slashdot Mirror


Want a Security Pro? Get Politically Incorrect and Learn Geek Culture

coondoggie writes "While complaints can be heard far and wide that it's hard to find the right IT security experts to defend the nation's cyberspace, the real problem in hiring security professionals is the roadblocks put up by lawyers and human resources personnel and a complete lack of understanding of geek culture, says security consultant Winn Schwartau. Take Janet Napolitano, U.S. secretary of the Department of Homeland Security, who has said the country can't find the right people for network defense. The real problem is a misunderstanding of computer geeks, their personalities, habits and their backgrounds, said Schwartau today during his talk at the Hacker Halted information security conference."

22 of 314 comments

  1. The Right People by Anonymous Coward · Score: 1, Insightful

    People who accept an 80k for 40k for the govt.

    1. Re:The Right People by jtownatpunk.net · Score: 4, Insightful

      Don't forget the background checks where they spend six months or more interviewing your family and past employers. And the random drug tests. And polygraph tests. And the credit check. And...

    2. Re:The Right People by Anonymous Coward · Score: 3, Insightful

      No, they think you are a person. And therefore, a potential terrorist.

  2. Right by Antipater · Score: 5, Insightful

    And the Catholic Church could prop up its declining clergy membership by recruiting straight from the local sex offender registry.

    Seriously, what the fuck? "Legal niceties" is another term for these rules are in place because we don't want to get fucked over again by someone we trusted. They're there for a reason, and actively circumventing them to search for applicants is inviting yourself to get burned. Maybe some of them could be relaxed, sure, like the one-time drug offense bit for security clearances. But just saying "they're narrowing our pool of applicants!"...Shit, Sherlock, that's why they exist!

    --
    Everything is better with chainsaws.
    1. Re:Right by SerpentMage · Score: 2, Insightful

      The problem he is alluding to is quite interesting. We accept double agents. We accept terrorists who are "converted". We accept criminals who have "seen the light of day." But heaven forbid you smoke a doobie! No, that can't be right, that person is distrustful. WTF?

      Remember this: America went to war against Iraq based on a single opinion! An opinion of an "insider". RIGHT... This is good business because the doobie smoker, well, he is a real problem for society and the IT infrastructure.

      --

      "You can't make a race horse of a pig"
      "No," said Samuel, "but you can make a very fast pig"
    2. Re:Right by bfandreas · Score: 4, Insightful

      Well, they look for somebody who follows blindly and yet is bright enough to deduce things based on his own observations.

      They are forever condemned to hammer square blocks into round holes unless they find somebody who thinks the Nuremberg defense is absolutely absolving you.

      In my whole professional career (some of it actually required NATO clearance... for blueprints that probably had already been known to Teh Enemi for 30 years) I was more than once severely tempted to leak stuff to the national press. Never did, tho. I fully understand what thought process Manning followed when he leaked stuff. We let the fools run stuff and let them cover up their shortcomings with secrecy.

      --
      20 minutes into the future
    3. Re:Right by firewrought · Score: 4, Insightful

      Seriously, what the fuck? "Legal niceties" is another term for these rules are in place because we don't want to get fucked over again by someone we trusted. They're there for a reason.

      I hate this mindset. Rules are there for a reason, yes, but what is that reason? Maybe it's an ironclad principle of human nature ("people with credit problems are easily bribed"); maybe it originates from a once-applicable idea that is now obsolete ("homosexuals are easily blackmailed"); maybe it originated from prudish mindsets or political agendas that never had any validity to begin with ("marijuana smokers are less trustworthy"); maybe it was meant to appease stakeholders whose concerns or opinions no longer hold sway ("art students are more likely to be communist sympathizers"); maybe you're more desperate than before ("sh*t we need a lot of custom code... isn't there some non-critical stuff that we can let non-cleared programmers work on?").

      Rules are not so eternal as you seem to think... they are but one of many structural elements in complex human systems, and an organization that is poor at reevaluating and changing rules is doomed to ossification.

      BTW, if you RTFA, you'd see that he's specifically talking about people with AD(H)D, autism, OCD, and perhaps soft drug use. He's also talking about redesigning clearances and pushing back on overweighted HR/legal interests, not outright circumvention of existing rules. (And if he's seen the HR departments that I've seen, he knows they frequently block any meaningful evaluation of a candidate's technical proficiencies and prefer to judge people on their ability to smile, deliver a firm handshake, and make small talk with a stranger. Part of it is legal... can't ask that candidate to write a SQL statement like he or she will have to do every damn day on the job because we don't know for sure that it isn't some subtle proxy test to discriminate on race.)

      --
      -1, Too Many Layers Of Abstraction
    4. Re:Right by Anonymous Coward · Score: 2, Insightful

      We let the fools run stuff and let them cover up their shortcomings with secrecy.

      for blueprints that probably had already been known to Teh Enemi for 30 years)

      You are exactly the kind of person these rules exist for--someone with a superiority complex, who thinks they have not only an understanding of everything above them but a way of doing it better and a pure arrogance to assume they are the controllers of information (or know better than the ones who do).

      This is why we have security clearances and personality/psychological assessments to avoid situations like this. They don't need someone 'who thinks the Nuremberg defense is absolutely absolving you' and they aren't forever condemned to 'hammer square blocks into round holes'... they just don't need people like _you_. There are plenty of intelligent, free thinking, politically switched on geeks and nerds who are perfectly capable of respecting the boundaries within which they operate and as a human being I find it insulting that you claim to represent people in our field.

    5. Re:Right by HungryHobo · Score: 4, Insightful

      Study some history. People who follow the "proper chain" tend to just get ignored and shitlisted. What happened after My Lai? The only reason it saw the light of day was that someone ditched the chain and wrote letters to every senior person he could think of. Even then, how many people actually went to jail?

  3. I'm sure geeks by obarthelemy · Score: 3, Insightful

    think they deserve special treatment and don't have to be clean, social, pleasant, accountable workers.

    newsflash: they do.

    Corps and Gov are right to want to make more geeks, so they don't have to make do with the half-defective ones.

    --
    The Cloud - because you don't care if your apps and data are up in the air.
    1. Re:I'm sure geeks by citizenr · Score: 3, Insightful

      think they deserve special treatment and don't have to be clean, social, pleasant, accountable workers.

      newsflash: they do.

      And this is why you get clueless people. Because you hire based on personality and clothes.

      --
      Who logs in to gdm? Not I, said the duck.
    2. Re:I'm sure geeks by RightwingNutjob · Score: 5, Insightful

      I don't want a "good hacker" whose tendencies toward "counter-culture" are a hard-wired reflex. I want a competent engineer who understands what he's working with and knows how to be effective: sometimes by kissing ass, more often than not by saying "fuck off and let me work" with the right level of polish (sometimes none). If your idea of the best of the pool is someone who hacks and tinkers without being able to buckle down to do some real engineering (which means not just being able to pull off epic shit, but doing it in such a way that it's clear that it accomplishes the objective and isn't only documented between the guy's ears), you're asking for movie hackers, not for what you need.

    3. Re:I'm sure geeks by RightwingNutjob · Score: 3, Insightful

      And just another analogy. Designing a good lock requires knowing how to pick locks. Knowing how to pick a lock requires picking locks for practice frequently. Picking locks frequently does NOT require being a burglar. Adrenaline junkies do that. Security geeks wanting a job with the lock company don't. That's the difference.

  4. Hiring the right people by Seeteufel · Score: 4, Insightful

    Your assumption is that the government hires people capable of actually solving the problem. It does, but only in war times. In war times you lose ground when you follow the wrong path. When you sent the horses against the machine guns. Governments are not interested in actually solving the problem but rather in being in charge of the problem. We know that many security issues could be solved. Simply spend a few million on security reviews of commonly executed code, and order the companies to provide bug fixes or apply punitive damages; make them partly liable for not fixing security issues.

  5. "roadblocks put up by lawyers and human resources" by M.+Baranczak · Score: 3, Insightful

    This isn't even specific to the IT field. This is a problem with every organization that hires people. Unless the organization is too small to have lawyers or human resources.

  6. Re:Marijuana/Drug Laws by Chris+Mattern · Score: 5, Insightful

    I haven't met too many good hackers who haven't, at least at one time, engaged in some drug use -- whether it be smoking weed (usually), tripping on mushrooms/acid, or cocaine, etc. It seems to permeate the culture quite a bit.

    Now, is that because good hackers tend to be drug users--or is it because *you* are a drug user and thus a larger percentage of the people you meet are drug users?

  7. Re:You've got to admit by Nerdfest · Score: 4, Insightful

    If you've ever worked for the government, you'll know that they ensure it's hard for them to hire anyone.

  8. So basically... by Millennium · Score: 3, Insightful

    Network security is a position of trust. There is basically no way around this: implicit in running a network is that you have the tools to see what's on it. Encryption only goes so far in such situations, particularly at agencies tasked, in part, with getting at encrypted data.

    This adds up to some employers requiring a greater degree of trust in their employees than is currently the norm. Some geeks, it seems, are unwilling to come to terms with the fact that their life choices may have made them poor security risks in that context. The cases where the risk isn't because of a life choice are sadder, but the risk is just as real, and to ask agencies with bona fide requirements for absolute trust to simply ignore those risks is insane.

  9. Bradley Manning... by IonOtter · Score: 4, Insightful

    ...had a Top Secret / SCI (secure, compartmentalized information) clearance.

    They crawled up his ass with the Hubble telescope, looked for people he knows, then went and crawled up the ass of *those* people to find out who *they* know that might know Manning. They hooked him up to a polygraph. They checked, re-checked, cross-checked and followed every single link, social media page, every parking ticket, every word on his school records.

    It takes months to do an SSBI.

    And yet, when Manning encountered something that he knew for a confirmed fact that what he was seeing/hearing/reading was against the law, he tried to do the right thing, but got shot down by his chain of command. Feeling as though he had no other choice, he allegedly turned the info over to Wikileaks.

    What the heck do you suppose a "geek", someone who by their very nature has issues with authority, probably has personal issues around justice, and has tendencies towards just about every "ism" that your average government puts people on watchlists for, is going to do when they see/hear/read something that they think is wrong?

    Nabbing geeks off the street to "hack the planet" is fine and dandy for movies about the end of the world, but it doesn't work so well in real life.

    --
    [End Of Line]
  10. It's not just the insane bullshit... by mbstone · Score: 3, Insightful

    ...of security clearances and credit checks and background checks and peeing in cups, although that's a big part of it (official DoD policy is that any marijuana use is a "serious mental disorder.")

    The other aspect is that they don't really want their security fixed. They don't want to be told that "TBD" on a security plan isn't acceptable.

  11. Re:You've got to admit by Anonymous Coward · Score: 2, Insightful

    To be fair, this sounds exactly like working for any large corporation. =)

  12. Draft people into Congress ... by perpenso · Score: 5, Insightful

    For the House of Representatives we should probably draft them, like the Army used to. Walk out to the mailbox, open the letter from the gov't, ... damn, I have to report to Congress for two years. That way we get a broader sampling of perspectives and experiences. The type of people we want probably would not apply for the job (volunteer). :-)