Reminds me of when I was in the Navy and I went to Navy Security and Vulnerabilities Technician school. I was all excited, so I went out and bought a copy of Hackers Exposed and read through the whole thing, learning everything from how to determine what family and version of operating system a computer is running by what ports are open, to how a buffer overflow attack actually works.
Fast-forward to the class, and we're sitting there running tools like BackOrifice that exploit vulnerabilities that had been patched for years, and learning that a SYN flood is "a malicious attack". That's it, just "a malicious attack". When I asked about the difference between a SYN flood and a Christmas tree attack, I got a blank stare and "they're both malicious attacks".
I spent the rest of the class in the back of the room, reading the Armadillo Book.
Also, I did not once in my brief Navy career get to hack an enemy computer. Hugely disappointing.
That's exactly it. I've worked for agencies where the Chief IT Security Officer (if they have one, or an equivalent role) got that exact training, and nothing more, and was considered the site expert.
Like I said, it isn't all bad. Two of the best security guys I know work in the government, and one of them was actually ex-Navy. But the hurdle for finding people that can get top secret clearances AND tie their shoes often proves too high to hire anybody, much less somebody qualified.
Yeah, military schools on scientific/technological subjects can be very disappointing. Not all of them, obviously, but computer science topics get distilled down to be accessible to the bottom 20% of attendees. Having spent over a decade in the Marines, I learned not to get excited about anything like that... unless the schools were taught by civilians.
Fast-forward to the class, and we're sitting there running tools like BackOrifice that exploit vulnerabilities that had been patched for years, and learning that a SYN flood is "a malicious attack". That's it, just "a malicious attack". When I asked about the difference between a SYN flood and a Christmas tree attack, I got a blank stare and "they're both malicious attacks".
I spent the rest of the class in the back of the room, reading the Armadillo Book.
Also, I did not once in my brief Navy career get to hack an enemy computer. Hugely disappointing.