Sunday, March 27, 2016

Why I hate security "experts" (and "trainers")

Disclaimer: This is a pure rant, with no proper grammar, editing & politically (IN)correct logic... I am known to be politically incorrect, but 110% technically astute. I did NOT write this post to please you... You acknowledge that by reading this you will NOT judge the author of this post and Lucideus' reputation as a security / service provider :D

Okay, this post was never meant to be written, but hey, every now and then you get a random love letter (e-mail spam) from _some_ company (read: Lucideus).

I never wanted to see this page, being a semi-retired professional, hxxp://

Then again, when you claim to provide security training using funny jargon words like ATOM (Awareness, Technology, Operations, Management?), you need to integrate that into your website and company's security model. You should always practice what you preach, or stop preaching (read: selling snake oil), or be like Bill Clinton, [Telling people] "I am full of shit, I sell snake oil and bullshit" but be honest about it!

Your site is plagued with open ports, ranging from ssh to ftp, and what not! Your site has multiple network, web application (vulns like XSS, CSRF and SQL Injection) and server vulnerabilities, yet you claim to teach Web Application Security, IT Infrastructure Security and Cyber Security, apart from Incident Response, which I very much doubt you'd be capable of performing, having a badly developed website which can be pwned by anyone with basic skills in under 40 minutes.

The worst part about this whole training page is "so-called" trainers using the words VA (Vulnerability Assessment) and PT (Pen Testing) in the same line / like a single word. This is the last time I'll put up with this bullshit. If you can't differentiate between two different process maps in a security assessment, how the hell do you expect people to trust you? Take up your course? Are people so badly educated that they fall for a badly coded website running Apache?

The least you can do as a security trainer is put your money where your mouth is?! Or at least don't claim to be a security "expert" / "trainer" who trains people on a regular basis. I won't be surprised if those 60,000 students from 200 plus organizations come looking for a refund... haha! ;))


Secure your organization first, then start providing security services and training, and be orderly in your business operations. So here's another organization that can NOT secure themselves, but claims to provide security education. Sounds like a classic case of Catch-22? Fuel for your brain, haha! :D

Reminds me of one meme where Vijay Kant asks Manmohan Singh for his "bonafide cetripicate signature" for his "practical ejam dumaaro"; of course, he said "bleaaase sir" hahaha! :))

And please spam wisely next time, okay?
