August 12, 2011

Certifications and hats

Posted in Certifications, Lingo tagged at 15:13 by Alex McGeorge

Most certifications are crap, the hat color thing is ridiculous.

When I interviewed for my current gig I was told “we don’t give a shit about your certifications, we care about what your abilities are.” And that’s a pretty good tl;dr summary of how I feel. The formula for a good certification is simple: hands on skill tests. We do that with the NOP Cert and it is a surprisingly good bullshit detection mechanism. If a cert isn’t mostly a hands-on exercise I’m not going to pay it much mind.

Certifications are not without their place, though. If you get assigned to manage a technical team of geeks and don’t have a security background then getting a certification is not a bad idea. It will at the very least give you the vocabulary to communicate with the team on some level. If you want to be part of that technical team, your time is very likely better spent elsewhere. The same generally holds true for employers. If you’re building a pen-testing team and are exclusively certification focused it’s a warning sign for me that: you don’t know what you’re doing and/or you’re looking to suckle at the .gov teat. Which isn’t always bad, but keep in mind that anything that’s legit cool for .gov/.mil you’ll never hear about anyway.

Enough time and effort is spent by the security community on defining the mythology of your hat color that you’d think we were an extension of the Catholic church[1]. There’s been some discussion recently about how some security companies are becoming indistinct from blackhats. I think a good security company, especially a consultancy, should have the ability to operate as much like a blackhat as the customer requires. I’ll leave the particular ethical considerations up to the reader to ponder. If we’re all whores: everyone has a line and everyone has a price to cross it. Ask me for my reasonable rates on child murder!

The distinction between hat colors is difficult to define and probably doesn’t have a real clear shared meaning outside the nerd pack you drink beer with on Thursdays (trivia night). If we’re all a shade of grey, what’s the point? Here are the 2.5 questions I care about:

1) Are you mostly offense or defense oriented?
2) Are you engaging in any ongoing illegal activity?
   a) If so, specify.

I’d wager that if you asked the people in the security industry who have an impressive skillset if they’ve ever broken a computer crime law (minus file sharing) most of them would raise their hands. Your definition and my definition of ‘impressive’ may differ but regardless it will be a non-trivial portion.

Fun followup: I saw a disclosure recently where someone said (paraphrasing) “I’m a white hat so I didn’t fuck with him”. Actually what you meant to say is “I’m not a dickhead.” If I use an XSS to set a buddy’s profile to “I eat a bowl of dicks before bed time” that doesn’t have anything to do with hats; unless you’re wearing a strap-on.

[1] – Though not without its flaws I do admire the absurdity of an organization with hierarchical headgear.