Sunday, May 18, 2008

Where did you obtain your academic qualifications to make these statements, Mr. Aitel?

Dave Aitel wrote a must read editorial over on Security focus called Thinking Beyond the Ivory Towers

In the information-security industry, there are clear and vast gaps in the way academia interacts with professional researchers. While these gaps will be filled in due time, their existence means that security professionals outside the hallowed halls of colleges and universities need to be aware of the differences in how researchers and professionals think.

I saw firsthand this gap when my group at Cisco funded security research at some of the leading Computer Science (and even information security) programs (that should know better) in the nation. You'd be surprised how difficult it was to find 4-5 projects to fund a quarter.

Anecdotally, I saw an absolute lack of understanding by some doctoral students (and their well credentialed advisors) about which attacks (against protocols, for example, like basic concepts of the what sort access was needed to the network) were practical or even how they would go about conducting them. No clue. And all the formal methods and literature review meant nothing.

And all I needed was my lame English & History degree from Texas A&M to see that -- well and some experience developing (or even just running) an attack tool or two. Even script-kiddie knowledge would suffice.


BTW, the title comes from the comment from Dr. Neal Krawetz, PhD

2 comments:

Anonymous said...

lol! the only person who uses the name 'dr. neal krawetz, phd' is Gobbles. And Gobbles works for Dave Aitel.
http://seclists.org/fulldisclosure/2007/Jun/0387.html
http://seclists.org/fulldisclosure/2007/Jun/0401.html

Matt Franz said...

Even better! Gobbles was great!