EH-Net
May 25, 2013, 03:33:42 AM *
  Show Posts
16  Ethical Hacking Discussions and Related Certifications / Security / Training recommendation for developers on: January 22, 2013, 02:30:37 PM
Hello everyone,

It has been some time since I last posted on EH.  I am glad to see that some of the familiar faces are around. 

I was hoping to get some advice.  I am looking for training options for a developer without much security experience.  I would love something that goes over secure coding practices, especially in web applications.  The course would need to not only cover potential vulnerabilities but also present options for fixing them.  As an additional request, it would be great if the class could work as a segue into future webapp penetration testing training.

SANS is out because of their price range unfortunately.  SensePost has some good options, but they are based out of South Africa.  I am trying to find something that is either online or offered in the Southeast US. 

Thanks in advance
17  Ethical Hacking Discussions and Related Certifications / Cyber Warfare / Re: Cyber Warfare Book on: January 15, 2011, 02:51:00 PM
Sweet!  It's getting added to my list.
18  Resources / News from the Outside World / Trend Micro chairman says that Open-Source is more vulnerable on: January 15, 2011, 02:38:51 PM
I saw this on Slashdot the other day.  It looks like another company is trying to sell software by using the "security by obscurity" argument.

Quote
Jan. 12 (Bloomberg) -- Google Inc.’s Android operating system for mobile devices is more vulnerable to hackers and viruses than Apple Inc.’s iPhone platform, according to security-software maker Trend Micro Inc.

http://www.businessweek.com/news/2011-01-11/google-android-more-vulnerable-than-iphone-antivirus-maker-says.html
19  EH-Net / Ethical Hacktivism / Re: Dlink : DIR-615 Router password hacking. on: January 11, 2011, 10:17:18 AM
MacGyver could have made a new router from just the paper clip.
20  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Need some guidance, newbie here! on: January 07, 2011, 02:55:45 PM
Welcome to the club!

If you want something a bit more hands-on, you can try your hand at OSCP from Offensive Security.  There are quite a few people here with this certification.  I am sure that they can tell you more.

http://www.offensive-security.com/information-security-certifications/
21  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Foundstone Ultimate Hacking? on: January 06, 2011, 02:30:32 PM
I took one of their other courses a while back.   I thought that the instructor was knowledgeable and I found the course organized well.  It wasn't the most challenging though.   Sounds like Foundstone needs to give away some free classes to this community for reviews.
22  Ethical Hacking Discussions and Related Certifications / Programming / Re: Shellcoders Handbook on: January 05, 2011, 03:26:04 PM
It's been a while, but if I am not mistaken, the book tells you which compilers to use and when.   If I remember correctly, it mostly focuses on GCC.
23  Resources / News from the Outside World / Re: Spouse email access leads to felony charge on: January 05, 2011, 03:24:17 PM
The poll results in the article seem to indicate that people consider this to be another frivolous lawsuit.  I couldn't agree more.
24  Resources / News from the Outside World / Re: Spouse email access leads to felony charge on: January 05, 2011, 02:04:47 PM
I am with Chris on this one.  It doesn't sound like the spouse took "reasonable" efforts to secure her email account.  I am curious to see how this turns out.  I have seen much crazier lawsuits that ended surprisingly.
25  Ethical Hacking Discussions and Related Certifications / Forensics / Re: PST hacked on: January 03, 2011, 02:47:15 PM
What do you mean by "user's PST got hacked?"   PST files really don't have much in terms of security, all you have to do is open it.   The password protection feature is very rudimentary and can easily be defeated.   Are you sure these emails aren't coming from outside and aren't something like NDR bombs?
26  EH-Net / News Items and General Discussion About EH-Net / Re: Happy New Year! on: January 03, 2011, 02:41:22 PM
Happy New Year everyone!   
27  Ethical Hacking Discussions and Related Certifications / Programming / Re: need some advise.....for a newbie on: January 03, 2011, 02:35:47 PM
I still use VB quite a bit, especially on .NET.   It is a bit of a limiting language, but if you are working in a framework, then it's quite bearable.  Its major advantage is that it's very easy, and like the others said, it's a good stepping stone to other languages.   One of the biggest issues with it is that it obscures too much from the programmer.  You become too complacent and that can lead to poor coding practices.
28  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Port Scan from random Source IP's on: October 21, 2010, 09:51:00 PM
NMAP has a variety of spoofing and IDS evasion options available.  They are very well documented here:

http://nmap.org/book/man-bypass-firewalls-ids.html

In general, if you want to spoof an IP address, you have to have control of that address in order for you to get a reply.  This is just due to the design of the TCP/IP protocol suite.  You don't always care if the spoofed packets come back to you.  Sometimes, you just want to flood the IDS with a bunch of random sources masking the actual port scan.  A really stupid IDS will make it difficult for the operator to detect your port scan.
29  Resources / Tools / Re: Rapid7 Introduces Metasploit Pro on: October 21, 2010, 09:46:27 PM
This is exciting news.  The price is rather hefty, but I believe it is still cheaper than Core IMPACT.  I can't wait until someone does a side-by-side comparison of the two.  I will have to play with the trial version in the meantime.
30  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Starting off Pay on: October 15, 2010, 06:53:27 PM
I agree that forensics is very serious work, there is much at stake.  Your investigation, report, and/or testimony can make or break a case. It also has a direct influence on the lives of the people involved.  Still, if you find the investigative aspect of the work interesting, why can't you enjoy it?  I tend to equate interesting and enjoying with fun.  Sil, I think that you and I may have a different definition of fun ;)

Also, I don't know about all feds, but the ex-feds I work with made good money in the government.  The problem with the fed pay scales is that you can move up very quickly, but after a while your salary plateaus.   You are still making good money, but not as much as the high-end of the private sector.  This is usually when some make the jump.

© 2013 The Ethical Hacker Network