What is on Your Mind?

Perhaps the real problem (which would be worth its own thread but also relates here) is that modern IT business is not about function or achievement but only about compliance.

Here is an example of what i mean: i am part of a "security OS hardening" work group and we define the (securitywise) measures to be taken on a newly installed system to make it "secure". So far, so OK. We are presented a suggested list of measures to be taken which someone compiled beforehand. Fine with me too.

Now i inspect this list and find the item:

* remove telnet client

and i ask how this is security-relevant. Yes, i can understand the server part and i can understand switching it off, but the client poses no security risk to the system at all. It might make sense to remove it anyways, because we want the least possible number of packages installed - but this is IMHO not a security-problem. No, i am told, perhaps i am right and it isn't, but because some list from the BSI ("Bundesamt für Sicherheit in der Informationstechnik", german authority for security in the IT) says so we need to remove it.

Now, i ask again how the existence of a client program poses a threat and am told: "maybe it doesn't but we need to be compliant". WTF?? If one wants to be compliant, then by all means, say so! Don't call it "security", because it isn't!

Certifications come, IMHO, from a similar way of thinking: don't do something to achieve a certain defined goal and measure progress/achievement by analysis of how much of the goal/achievement has been reached - do something because it is prescribed because this way you are "compliant" and if you in fact achieve your goal doesn't matter at all. If you want to go from "A" to "B" it doesn't matter if you actually reach "B" as long as you can prove to have bought all the prescribed tickets because some means of transportation is "compliant" and all others are not.

In terms of certifications: it doesn't matter if you can actually do something, it just matters that you are tested to be compliant (note: compliant, not competent) by a compliant procedure created by compliant experts.

Welcome to the new world where we sell horse manure in cones and call it ice cream - that is OK as long as we do our utmost to make sure it stinks the same every day.

bakunin

Hi,

Long time since I last posted here. 4 years actually.

Anyway, I now work on the Certification team at the Linux Foundation. We offer LFCS (LF Certified System Administrator) and LFCE (LF Certified Systems Engineer) certifications. We also offer specialised certifications, such as COA (OpenStack), CKA (Kubernetes) and CFCD (Cloud Foundry).

The LFCS and LFCE can be taken on your distribution of choice (well, CentOS 7, Ubuntu 16.04 and openSUSE Leap 43). The major benefit is that whilst these exams are skills-based, live exams, they can be taken from the comfort of your own home on any machine with Chrome, a browser plugin, and a webcam, as they are remotely proctored, and you interact via Gate One (a browser-based terminal emulator).

Some of the competencies you complain about are in our exam competencies. These competencies are decided upon by a panel of diverse experts from the industry, of which I am a member. These are based upon the skills that are required in the modern environment, based upon extensive research in the industry.

Whilst the few people in this thread may not use SAMBA, iSCSI or Kerberos, there are a lot of people that do, and they are still relevant skills to possess. If you want to be certified as a Linux generalist, you should know how to do these things. If you didn't, there'd need to be specialised tracks to cater for employers looking for specific skills. Kerberos is rampant - FreeIPA for example - which I see in a great deal of places. Employers need to know that prospective employees have this core skillset.

Our exams are constantly reviewed, and updated as needed, in line with the ever-changing environment we find ourselves in. For example, we are actually refreshing LFCS and LFCE, due for release early next year (I am tech lead on that project, as well as COA and CKA).

Please note, I'm not trying to sell anything here, we are a not-for-profit organisation anyway.

Cheers
ZB

What is the webcam for?

So they can make sure you're not looking in books, using crib notes, talking to people, using a phone, etc.

The screen is also shared (hence the browser plugin), so that your browsing session is monitored.

The entire exam session is also fully recorded, and can be played back later if any dispute arises.

First off: great to see you again! Welcome back! I would really appreciate to see you more often here.

This is actually not what i am complaining about in the modern certifications (i don't know the ones your organisation offers, so what i mean here is the likes of MCSE, CCE, CATE, etc. and yours might be different). What i am complaining about is the way these tests are designed: suppose you want to know if someone is proficient with, say, file system design. What the common tests do is to find out if the candidate knows every one of the 37 ls-commandline options.

Now, i ask you: regardless of knowing or not knowing these 37 commandline options: in real life the problem might be a broken hard disk, which needs to be rescued: companies like Ontrack can copy the data to another (working) disk, but are you able to reconstruct the content of the bad block so that the disk is readable again? Actually a colleague of mine and me did this once for an AIX disk, using dd and awk to reconstruct the FS metadata. It was not only factual knowledge: it was factual knowledge along with the imagination about how to apply that and the experience which told us how to approach such a problem in the first place.

Another example: take "knowledge of LDAP". It is all well and fine to know about the protocol and the tools and procedures, etc.. But this will only help you to create a badly designed LDAP domain if you haven't learned the ("intrinsic") knowledge of what sets apart a good from a bad design. Such knowledge ideally comes from experience: yours, when you do it and the experience of a "mentor" (doesn't matter how you call him) who guides you around possible pitfalls and passes to you what he has learned from his failures. All these latter mentioned things will not be tested by some multiple choice tests like "name the 3 methods of ...." a), b), c), d), e).

A "test" which would indeed test the worthiness of an expert (and not just how good he is qualified as man page) would include giving real-world-(like-)problems to people and judge the solutions they come up with, just like it is done at the academical level: get a theme, write a thesis, then defend it before peers. If someone wants to become a physician he has to do some multiple choice tests too - but ultimately he is given a corpse and has to show that he has what it takes to operate on people. And the task is not "name every tissue you see" but "do a [put your favourite operation here]".

I would be glad to see certifications be worth something: if a person sports an "MD" after his name i know i can trust him to treat me if i'm ill (well, granted, there are better and worse ones). I'd like to see all sorts of certifications giving me the same level of trust about whatever the area of expertise is that is certified.

But again, this is just a pipedream of an ageing hippie, unfit for modern business.....

bakunin

Certificates are good, to balance off weakness (or limited/no) job experience. However, at a certain point, the Certificate is meaningless (ok, maybe some meaning) once your work experience reaches a specific level.
For every job category and employer, these are different.

For real life example, I went thru the HP Unix training suite and completed 7 programs twenty years ago (including Introduction to Unix Scripting). At this point, some/most of those certificates would mean nothing to prospective job in comparison to what I have done in the following 20 years.

So, yes good. To a point.

Just to note that most certifying organizations are registered as "non profit" but that does not mean these organizations "certify for free" and it also does not mean that "a lot of money is not involved".

In fact, in most of these "certifying organizations" many people make a lot of money, especially the employees who have their salaries paid and their travel expenses paid.

I stand strongly by my experience that competent IT people with a lot of relevant hand-on experience do not need to be "certified" and that the major of people who are "certified" do so because they do not have years of the relevant hands-on, real work experience.

In fact, I personally know many "certified people" and almost none of them, to my knowledge, have deep, tangible on-the-job expertise with the systems they are certified for.

Again, I think it is great to learn, study, research and have continuing education; but my direct experience with CISSP was that the entire process was set up to favor their business ecosystem and there was a bias against any expertise that did not fit their business ecosystem model. The fact that ISC2 is a registered non-profit organization does not distract from the facts of how their business model works and how they are bias toward their favorite partners (like certain magazines, certain training schools in their ecosystem, etc.).

Honestly, I am glad I sat for the CISSP and it was good to have insider knowledge into how these organizations operate after becoming a CISSP. I am glad I did it; but not for the reasons one might think! I am glad I experienced how corrupt certification organizations can be and how unskilled (lack of true operational experience) most of their members are!

In closing, let's say you wanted to be a great Unity 3D gaming programmer. Well, you could take 100s of hours of Unity 3D classes and you could learn game programming in C# and how to work in the Unity IDE . You could get lots of certs, but still be a poor game developer.

On the other hand, another person goes out and learns Unity 3D and does not get certified and writes and develops a great Unity 3D application / game which is well known.

Who are you going to hire if looking for a developer?

Of course, you want the second one, the one who actually writes great gaming apps; but the problem is that the good ones often work for themselves. So, you look around, as an employer, and you cannot find a great game programmer to work for you (that you can afford to pay), so you go for the next choice, maybe hire someone with a cert, who at least has passed a series of tests!

So, it is easy to see that the "cert game" is a substitution for true capability and experience; so why not just go roll up your sleeves and develop apps and get hands on IT experience in the areas you are interested it?

After all, it would be better to create and operate a successful web site versus to be "certified" as a web developer; and likewise it is better to have been a sys admin for critical commercial systems (with real day to day IT security issues) versus being certified in IT security!

We are all sure that Steve Jobs was not "certified" in design; and I am sure that Mark Z. was not certified in creating matching algorithms for a "Facebook", LOL

Greatness does not come from certifications. Success comes from having a dream or a vision and the passion and energy to make that dream happen against all odds. This always means learning new skills.

You do not need permission from anyone, or even financial resources, to learn IT, programming, or to develop software apps. However, you do need permission and financial resource to be "certified"; so it should be obvious that the process of "certification" primary benefits the certifying organization, in most cases.