At 02:30 PM 22/02/98 -0600, Sami Yousif wrote:
## Reply Start ##
>So, a security certification/training program can only certify that the
>person taking the program has the potential to learn, and maybe lead
>him/her to the methods and resources needed to be able to effectively do
>their job; since any other information would be outdated by the time
>they get back from the training.
That's all a degree can do, BSc, Masters or PhD.
In fact many Phuds spend the rest of their careers defending
their thesis against advances in the body of knowledge.
(How's that for a sweeping generalization!)
In fact I'm old enough and ugly enough to have seen a BSc
change from a discipline which teaches young minds how
to think, reason and search out answers, to a production
line for technological cannon fodder.
Back in the days I was still hacking V7 kernels, I
interviewed a fresh CS grad. We'd just done some
tweaks to the disk handler routines and associated code.
They included changes to bfree() and bwrite() to sort the
free list blocks before writing. Nothing fantastic, but it
did put a limit on the rate at which the coherency of the
freelist decayed. It turned out to be a 3-line change and
used insertion sorting, for reasons which will be obvious
to old kernel hackers, and after a moment's thought to most
people. So I asked this newgrad how he would go about
sorting the freed blocks. I asked this because it was
a question which didn't rely on having had field experience,
but could be derived completely logically. He said he would
use Quicksort. The rest of the interview went by
The issue isn't that insertion sorting was outdated by
Quicksort. I doubt if ANY of Knuth Vol1 is outdated.
I still see managers making the mistakes Fred Brooks
documented; my dog-eared copy has a 1972 copyright.
No, it's not an "All A are not B" situation, it's that
there are INDIVIDUALS who cannot learn. Some can
generalize from the specific (e.g. derive rules based
on experience) and those who can specify from the
general (e.g. learn better at the theory level
then apply it). This is not new; educational
researchers, both school, college and famed institutes
such as IBM, have been using much those words above
that I quoted since before I first heard them in my
Just as there are some colleges which produce the
techno-clones, there are organizations which print
Having seen the context of the CISSP, the scope of the
CBK and examination domains, having met and spoken with
people who developed it and many who have sat it,
I am not quick to put it down.
I don't doubt that it could be passed by wannabes who
plough thru the reading list the month before the
exam but have no real knowledge. But the same could
be said of many degree courses. Presumably that is
why recertification on the CISSP requires field work
rather than exams.
Aesthetically, I find 'salvation thru suffering' a
philosophically unsound precept, along with 'baptism
by fire'. However, my observation is that these are
certainly ways of accelerating the learning process,
so long as you are willing to tolerate the attrition
rate. Could we produce larger numbers slower?
I don't know.
## Reply End ##