RE: [ISN] Stephen Northcutt is sadly mistaken

From: Christopher Lee (clee@private)
Date: Mon Jun 28 2004 - 08:26:52 PDT


    Interesting comments from hellNbak@private.  Just one response to his
    comment about SANS training should be free to all...   
    
    Apart from nothing is free in this world, it does cost money to provide SANS
    training to a large number of audience.   It costs money to rent the venue
    (and all the equipment to go with it), to print the materials, and to pay
    the speaker and the proctors for those conferences.  Yes, the volunteers
    play a large role in SANS successes, but there are also some full time
    staff dedicated to run the organization and plan the events. Just look
    around the people wearing SANS staff badges in those conferences, and you
    will see only some of them are "volunteers".
    
    Granted, some of the folks on this list self-taught everything they knew
    about this craft, but many still rely on top-notch trainings to know how
    to identify and to defend their corporate/personal information assets.  If
    one is to measure the value of any commercially available trainings, SANS
    Institute, in my opinion, provides the best bang for the buck by far.  
    
    Oh, perhaps everyone on this list will also be interested to know other
    options of receiving authentic SANS trainings: online self-study, online
    instructor-led, and locally mentored study sessions.  All details are
    available at www.sans.org.
    
    P/S, I am not, in any way, defending Mr. Northcutt's statement, but simply
    want to clear up any misconception about SANS riding their success on the
    shoulders of an army of volunteers "suckered" into it.
    
    Cheers,
    
    Chris
    
    
    -----Original Message-----
    From: isn-bounces@private [mailto:isn-bounces@private] On Behalf
    Of InfoSec News
    Sent: June 28, 2004 5:45 AM
    To: isn@private
    Subject: [ISN] Stephen Northcutt is sadly mistaken 
    
    Forwarded from: hellNbak <hellnbak@private>
    Cc: stephen@private
    
    I am not a US citizen but seeing how this got spammed across multiple
    mailing lists and seeing how the Internet is indeed a global thing I
    thought I would respond.
    
    > This note is intended for U.S. citizens and is a personal note from
    > Stephen Northcutt.  For the past few weeks CERT and SEI, DoD
    > government funded organizations, have been purchasing google adwords
    > so that when people search for "SANS Training" they see an
    > advertisement for CERT/SEI's network manager course.
    
    So the purchase of Google ads by DoD funded organization is cause for
    a personal note from the great Stephen Northcutt?  They have a service
    to sell so why is this an issue?  Welcome to a capitalist society.  
    You have to spend money to make money.  Either that or you need to
    sucker a bunch of volunteers to work for free....
    
    
    > I have a couple of concerns about this.  The first is trademark or
    > brand related, when you search for SANS training, you should get
    > SANS training.  Other competing commercial training companies have
    > also engaged in this behavior and when I have written them and asked
    > if this is how they want to be remembered by the security community,
    > they have discontinued this practice.  I wrote cert@private a
    > couple weeks ago and they continue this practice.
    
    So take the millions you have made on the backs of SANS volunteers and
    purchase your own Google ads or hell, purchase Google and fix search
    engines for all.  Imagine the nerve of a search engine to give other
    results when someone searches for SANS training.  Why doesn't SANS
    purchase their own ads?  I mean isn't this how Internet marketing /
    Search engine placement is *supposed* to work?
    
    
    > My second concern is that the government offering the course
    > violates the spirit and letter of OMB A 76. "Two of the key
    > principles of Circular A-76 has always been that "in the process of
    > governing, the Government should not compete with its citizens" and
    > that "a commercial activity is not a governmental function."
    
    Commercial activity?  Correct me if I am wrong but isn't SANS a
    non-profit?  Has SANS not enjoyed years of government support via
    attendance and government targeted events?  Did SANS not once receive
    government funding or support?  I read the PDFs you linked to and
    nowhere in those documents does it say that SANS should be the be all
    and end all of Security Training.
    
    > My third concern is the amount of tax we pay as citizens. The
    > government is in the process of authorizing about 481 billion
    > dollars for DoD spending.  The Department of Defense clearly has too
    > much money if they can afford to create training that mirrors
    > material widely available from SANS, MISTI, CSI, Intense School and
    > other training organizations. I believe the money spent on CERT, SEI
    > and the Office of the Under Secretary of Defense for Acquisition,
    > Technology, and Logistics should each be reduced by at least 10%
    > immediately.
    
    Or perhaps SANS can help solve this problem by reducing the cost of
    their training courses.  I mean being a non-profit and all and with all
    the volunteer work -- courses should be free.
    
    > I would be honored if you would copy me, Stephen@private
    
    Consider yourself honored.
    
    > how you would feel if the government decided to compete in a
    > disreputable manner with a course that took you months to write,
    > SANS Security Leadership. After that, if you disagree with me, I
    > would love to hear what you have to say.  So please help me and
    > write your congressman and tell them your home address, make sure
    > they know you vote and you agree that the government has no business
    > wasting taxpayer money competing with a course Stephen Northcutt
    > does a better job of anyway.
    
    Unless things have changed in the SANS world over the last year or so,
    many of the courses are the work of volunteers -- volunteers for a not
    for profit organization.  So competition should not be an issue.  In
    fact, even though I am not a US citizen, I support the government
    spending a little advertising money, perhaps they have noticed your
    paystubs and seen the potential of such courses as a very profitable
    business model.
    
    The government is doing nothing disreputable at all.  If something as
    simple as purchasing search engine ads is disreputable perhaps you
    should look at the history of SANS.  Hmmm, Hi pot, this is kettle...
    ummmm black!
    
    If SANS cared one bit more about security than their business model
    this would be a non-issue.  The more training courses, and the more
    knowledge that people can obtain on this subject benefits the
    community in general. So there is one more competitor to SANS, that is
    how business works.
    
    I leave you with this definition of the word Sans from The American
    Heritage Dictionary of the English Language, Fourth Edition
    
    \Sans\ (s[aum]n; E. s[a^]nz), prep. [F., from L. sine without.]
    Without; deprived or destitute of.
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    hellNbak at NMRC.org
    
    http://www.nmrc.org/~hellnbak
    http://www.vulnwatch.org
    
    "There are voices in my head and they don't like you"
    
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    
    
    The standard this is my opinion and no one else's stuff applies to this
    and any email I send from this address.
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec
    junkie!
    (Broke? Spend 15 minutes a day on the project!)
    
    



    This archive was generated by hypermail 2b30 : Tue Jun 29 2004 - 07:08:08 PDT