Teaching Information Security (greenspun.com)
41 points by zdw on Dec 29, 2021 | 12 comments


The case-study approach is MBA-school-level good, and to treat security seriously, you need to do case studies and those engagements. The students the author writes about don't seem to understand how good that course is. It's sort of a relief that blank-slate students can't just learn this stuff in a single course, but it also makes me angry that people coming into the field seem this stupid and lazy. When you imagine never having been any sort of interested hacker and working in security, without actual tech and architecture skills, it's a checkbox-filling job, typically when you are young enough to accept risk you cannot understand.

I recently saw this in a certain big-n consulting firm's security risk assessment, which was clearly done by a young grad, and it had been filled out to specifically lie about the controls and levels of assurance in a system that was part of a massive health initiative. If anyone discovered it (we did), the consulting firm could fire the person who was too inexperienced to have had the integrity to present the real findings to a client who was also engaged in what was essentially risk fraud, if there were such a thing. But it was obviously on purpose.

For older experts working with this new cohort, I'd recommend that you understand that incompetence is a strategy for them: if you present as knowledgeable, you can be held accountable for errors and omissions, whereas if you are obviously ignorant, you can just shrug, fail upwards, and let the nerds take the fall. If it's not explicitly illegal with consequences to misrepresent something, expect it. The reason many millennials seem so feckless is that being useless is how they get others to do things for them, and this is an actual life strategy. In security consulting, you deal with IT project managers like this all the time. Professional values like competence, integrity, and polish that I think many senior technologists value have been replaced with a kind of formlessness and repulsive avoidance of perceived conflict, and addressing it directly is an unforgivable humiliation. Non-technologists (people who don't do or make) mostly exist in an infinite game of musical chairs, so the students in this case may have been exercising a conscientiously cultivated and refined ability to avoid responsibility.

This course material is precisely what I would expect someone in the field to understand, though I think the only way to understand it is to develop tools the students don't have, which is an emphasis on physical domain competence. The good news is they create a lot of additional work for the competent, but the bad news is, they will rot the organizations they attach themselves to. :)


This is a pretty astoundingly condescending essay you've written here. There are a lot of things about it I disagree with, but to save time let's just focus on the "incompetence as a strategy" angle.

I don't disagree that in society today you are often better off being uselessly incompetent unless you're a serious expert, but I wouldn't blame that on "lazy, feckless millennials." The education system we put students through is practically designed to produce this mindset. You can bust your ass all through school and get straight A's, or you can do the absolute minimum, demanding clear guidance and instruction every step of the way... and get straight A's. We don't ask students to ground their thoughts in real-world application or call out stupid/pointless processes, so I don't know why we'd suddenly expect them to be good at it when they hit college. I certainly wasn't, and neither were my peers.

This is something that I feel really hurts us from a diversity perspective as well. If you have business-savvy parents you'll learn "how the world works" from them. If you don't, you have basically no hope. You're certainly not going to learn it from your barely-more-than-minimum-wage earning "civics" teacher that is fresh out of school themselves with a bachelors in education. Even less likely if you're in an area where schools don't have a lot of resources or opportunities to expose students to "white-collar life" growing up.


> that people coming into the field seem this stupid and lazy. When you imagine not ever having been any sort of interested hacker and working in security, without actual tech and architecture skills,

That is not being lazy or stupid. That is signing up for a course with the expectation that you will learn something new.

It is fairly normal in anything. Hardworking, smart people sign up for language lessons, trade school, accounting courses, driving lessons and whatnot without knowing anything, and then learn it.


This seems pretty dreadful. Most shops have the kind of documentation that Greenspun has students generating here, but few of them ever actually consult it; in the real world, especially in elite shops, security is an engineering problem more than a management problem.


This is what a NIST implementation looks like: https://www.irs.gov/privacy-disclosure/safeguards-program . IMHO, the SANS 20 critical security controls would be more useful: https://en.wikipedia.org/wiki/The_CIS_Critical_Security_Cont...


This is excellent. I once taught a college-level cybersecurity course and definitely tilted my syllabus away from the typical stuff you see in favor of things like this.

It's all good to play around with John the Ripper and whatnot, but more like this is needed.


This is the rating that the famous blogger Philip Greenspun got as a professor at Florida Atlantic University:

https://www.ratemyprofessors.com/ShowRatings.jsp?tid=2741982

Maybe he should stick to blogging, or teaching statistics at Harvard Medical School, or flying planes. Readers, what do you think?

https://en.wikipedia.org/wiki/Philip_Greenspun

His wisdom on investing and money:

https://philip.greenspun.com/materialism/money


There are two ratings here, 5 stars and 1 star. Not exactly the kind of statistically relevant sample he would teach about, right?


Ideally there would be 30 or more randomly chosen students. The class probably has fewer than 30 students to begin with. And the bias and friction of students having to set up an account and write a review make these results spurious to begin with.


Still, three-hour lectures? I don't need my university's School of Education to tell me that's not an effective way to teach humans anything.

We know that in a safety-critical environment, where giving something your full attention is vital to the survival of yourself and others you care about, human watchkeepers are not effective for the 4-8 hours they are often given this task, even though they know that becoming ineffective will get somebody killed.

For lab work, where setting up and shutting down are time-consuming, and where a mix of activities may help improve focus, a double (2-hour slot) might be reasonable anyway, but if you're planning three hours of standing at the front talking, your students are not going to benefit anything like as much as they would from three separate one-hour lectures.


Longer lectures are common for inter-semester classes. It's not for everyone but I think it works better for some.


That sort of thing is usually not decided by the teacher.

