
Re: Identifying passion for security?

Subject: Re: Identifying passion for security?
Date: 5 Dec 2006 15:19:01 -0000
First of all, I want to say that I *love* this question! (Partly because I'm in 
a job I don't like and need something new, but also because the question is 
excellent!) I also think you have some really good ideas already. 

Talking about cons is excellent, and even if they have not been to any, you can 
tell when someone truly is interested (talk to me about Defcon or Shmoocon and 
I'll get this look in my eye and a smile, even though I've yet to successfully 
attend). 

Also, sites and tools are an excellent means, as any of us who have passion for 
this field will usually be happy to talk about it. Maybe not all our IRC 
channels and hangouts as we tend to be a group that enjoys our privacy and 
super-secret locations. :)

One of my personal little measures is talking about or finding out how someone 
spends their free time. If they do networking/security/sysadminning only at 
work and the rest of their evening and weekends are spent on their own life, 
they may have less passion for the work. Someone who "geeks out" at home as 
well as work has some passion and enthusiasm. I call it just plain being a 
geek. I've known people in this field who barely touch computers at home after 
work and are not geeks, and they typically are not as valuable as geeks. 
Granted, some people do have lives, families, and things that make them not 
able to fully feed their inner geek, and that is alright. But most passionate 
people will have enthusiasm and passion when discussing their inner geek.

I would say talk about some key ideas floating around right now, things that 
can spark some thinking and openness in discussion (over a beer!):
- full disclosure
- wireless security/future
- certifications (CISSP, SANS, CEH...)
- cons
- describe the security/insecurity of their own network, home or at work 
(obviously this can be touchy, but give them the trust that you won't blab 
anything they may tell you if you know their employer); insecure habits may not 
indicate lack of passion, but chances are they know the right thing to do and 
just have not had the means/resources/time/backing to do it. "Yeah, I know I 
should get hooked up with a proxy when I connect to IRC, I just haven't done it 
yet, too many other things excite me..." or "Yeah, we should block IM on the 
firewall at work, but every time I do, the CFO cries bloody murder..."
- their website/blog (or their fav sites/tools)
- what web browser they use
- OS preferences/experience (a touchy subject as you never know violent fanboys 
until you incite them, but still a very revealing subject)


<-snip->
Evening,
Showing my age, I'm finding it increasingly difficult to find security geeks who 
are truly passionate about security. There seems to be a recent trend in 
unpassionate people chasing either the money, an easy ride or something that 
isn't as dull as network or system administration. 
So how would you identify passion quickly? Personally I like "what cons have you 
been to?" If they are passionate but poor they would reply "none, but I'd like 
to ....". What books have they bought, what tools do they use, what sites 
do they visit; email them at night and see how long it takes them to reply.

what else?

-- 
Andy Cuff
Computer Network Defence Ltd
www.SecurityWizardry.com
