<p>Well, it wasn't that the certification itself or the course materials are overly biased in this sense, but what I got from that particular instructor showed some of the types of bias I hear back at work pretty clearly. We have a different instructor today who, being a former Unix guy himself, has a much different perspective. He even included a 10-minute pitch for TrueCrypt during one of the sidebars.</p>
<p>I guess the takeaway is that there is advocacy at the 'user' and 'IT geek' levels, but the procurement and management types are still hearing mostly fear-uncertainty-doubt.</p>
<p>Same thing applied to all the discussions of PKI vs. GPG. There are reasons for both, but in general there was a consensus equating 'web of trust' with 'peer to peer,' and by connotation, filesharing and general badness.</p>
<div class="gmail_quote">On Oct 22, 2010 10:34 AM, "Joshua L. Davis" <<a href="mailto:simplehuman@gmail.com">simplehuman@gmail.com</a>> wrote:<br type="attribution">
> For what it is worth, I'm an "official" CISSP and based on the test I can<br>
> tell you that CISSP != TRUTH in many cases. This is part of the issue in<br>
> DoD: misunderstandings of OSS. Many folks get this sort of tripe without<br>
> questioning the wisdom. I frankly want to be able to look under the hood if<br>
> I need to. Not having this option inherently creates risk.<br>
> <br>
> Here is a good resource on security and open source if you guys care:<br>
> <a href="http://www.dwheeler.com/oss_fs_why.html">http://www.dwheeler.com/oss_fs_why.html</a><br>
> <br>
> -Josh<br>
> <br>
> On Fri, Oct 22, 2010 at 7:36 AM, George Allen <<a href="mailto:glallen01@gmail.com">glallen01@gmail.com</a>> wrote:<br>
> <br>
>> I'm taking a CISSP course this week, and unfortunately have to miss<br>
>> the SELinux presentation because of it. But it's pretty amazing the<br>
>> bias against open source built into the course. It even involves a bit<br>
>> of dissonance: nmap, tripwire, nessus, backtrack, all these tools are<br>
>> open source, but the same people talk about "Open-source code gives<br>
>> false security, just because more people can look at the code doesn't<br>
>> mean someone will write a vulnerability into it. Or that someone will<br>
>> find a vulnerability and not say anything until after they exploit<br>
>> it."<br>
>><br>
>> At this point I piped up to say "Doesn't what you just said violate<br>
>> Kerckhoffs's principle that you just talked about - that a<br>
>> cryptographic algorithm should derive its security from the key, not<br>
>> from the secrecy of the algorithm? Then how can you say publishing an<br>
>> algorithm leads to security with cryptology, and then violates<br>
>> security with software at large?"<br>
>><br>
>> He didn't really address it.<br>
>><br>
>> Still, I think the perception is that open source is made up of random<br>
>> patches from any kid drinking Mountain Dew in their mom's basement.<br>
>> And they don't realize that there's a whole system which actually<br>
>> rejects many patches, and does levels of quality control on both<br>
>> incoming and included patches. Maybe this is one thing the advocates<br>
>> also need to emphasize: that Linux is developed with a process and,<br>
>> albeit with the 'bazaar', it's not flat out anarchy.<br>
>><br>
> <br>
> -- <br>
> Joshua L. Davis<br></div>