It's worth noting that powershell is included in all Windows versions going forward, as well as other MS server products such as Exchange, SQL Server, etc.

Powershell is really powerful, and if it's there, I don't see any reason not to use it.

Also, if you haven't seen it, check out this module: http://code.msdn.microsoft.com/bsonposh

Just for following infosec news. I really don't care what my friends are doing every second (if fact, I'd rather often not know).

I've amassed a pretty good selection of people to follow. I'm sure I'm missing some, and I know I need to weed out some that post mostly fluff, but it's a decent start: www.twitter.com/infosiege

Maybe in terms of putting letters behind our names, but I don't think that is representative of overall technical knowledge. You had a detailed learning path for penetration testing written and published when I was just getting started out, so I'm going to have to respectfully disagree with you with there. I'm flattered you don't consider me a total noob though :p


I totally understand. Honestly, I just chase after certs because they force me to learn things that I may not normally go out of my way for. They're just a challenge and a way to verify that I've retained a small amount of knowledge in whatever subject. Plus, if I learn something, I might as well pad the resume whenever I can.

I feel the ADHD pain as well. I'm lucky if I can get through a paragraph or two without my mind wandering


Ah, ISACA exams, making (ISC)2 exams appear to be straight-forward. I took the CISA on the same day. I couldn't stand to look at that material anymore, no way was I staying around longer to check my answers. That's the only exam I've taken that I am legitimately concerned about. The CISSP wasn't easy, but I left cautiously optimistic. With this one, it was like, "What's the greatest risk? Being set on fire, or having an artery severed?" You could spend all day making arguments either way. I tear the questions apart on exams like those as well.


Like I said, I really don't see you getting a lot out of the GPEN. Any interest in web app or wireless pen testing? The web app one actually falls under their "programming" umbrella, and the guys at the office who have taken both thought the GWAPT was more intense. The wireless one (GAWN) looks insane; I believe that's the highest level course that they offer a certification for. Also, if you just want to learn and aren't too concerned about getting letters behind your name, don't forget that SANS offers a lot of courses that don't have corresponding certifications.

Here are a few that seemed fun:

709 - Developing Exploits for Penetration Testers and Security Researchers
567 - Power Packet Crafting with Scapy (short course)
558 - Network Forensics

A full list is here: http://www.sans.org/security-training/courses.php

Also, what about OffSec's OSCE?


Yea, that sounds like that should keep you busy. I used to try to plan this stuff out far in advance, but I've found that I never stick to it. Like you, I'm kind of fickle about some of these things, and even if I have the perfect plan, something new and interesting always seem to come out of the blue, and my path totally changes. Now I just line up the next challenge and worry about what's next only after I'm done with that.

I like the ones that embody the spirit/purpose of EH, such as "Pwning for good" and "Have you tested your security today?"

Witty one-liners like "And God said, \"nc -L -p 7777 -e /bin/sh\" and there was root" (which was awesome) don't really convey an actual message. That may not be the goal though; that's just my two cents. It just seems like there are plenty of other stores, such as Think Geek and Jinx that already have a lot of things like that.

As far as the designs go, I think it would be more aesthetically pleasing to put the URL on the back (not sure if that's possible there). The current designs look a bit cluttered on the front. Alternate colors (white text instead of navy) would also be nice for the darker shirts.

From what I know about you, I think the GPEN course would be a waste for you. However, it's hot and looks good on a resume. You should do what I did and just challenge it. You don't get any course materials, but you do get two practice exams to gauge areas where you may need improvement. I did the exam in about an hour and ended up with a 91. I also skipped the lab exercises because the lag was unbearable, and those were about 1/3 of the questions I got "wrong." I'd say it falls in between the CEH and OSCP in terms of technical difficultly. I know your knowledge/skills crush mine, so you should be able to pass that exam in your sleep.

I don't have any personal experience with it, but there's a teaser of GREM material here: http://vimeo.com/9474345 I don't think there's any question that the courses are quality; it's just whether or not you already know the material.

I highly recommend getting a Technet subscription. I use that extensively.

After I perform a clean install, I typically take a snapshot. I may make one more after significant configuration changes (i.e. setting up a new domain, installing DNS, DHCP, etc.). That way I can always have a semi-usable network, but I still have a great deal of flexibility where I can test things quickly. I can always copy one of the clean installs, test whatever I need to, and then blow it away when I'm done with it.

I use VMware Workstation 7. VMware Player or VirtualBox will certainly get you by if you don't want to shell out any money. Workstation just has a lot of additional features, such as the ability to simulate slow WAN links.

Which Dell server do you have? Sometimes you can get storage working if you disable RAID.

I'm not sure what virtualization packages you're having problems with, but USB pass-through works very well in VMware Workstation 7.

Here's the new revision of that adapter that some of us have been purchasing (I haven't really had a chance to play with it yet): http://www.amazon.com/High-Gain-Long-Rang-Alfa-9dBi-Mount/dp/B0038Q4AIG/ref=wl_it_dp_o?ie=UTF8&coliid=I3LTWBRPXRYBBQ&colid=BQRJ4R1QKAS2

If you're just looking for network connectivity, the physical hardware won't matter for a VM. However, if you're trying to work specifically with wireless (i.e. injection), you're going to need to have the adapter appear as a wireless connection in the VM.

That's what I use; I like it a lot.

I've seen favorable things for Password Safe as well (but I've never used it myself): http://passwordsafe.sourceforge.net/

Nope, I'm wrapping up a psychology degree at the University of Minnesota. I'm leaning towards an MSIS at Nova once I complete that.

The PDF and videos will be watermarked with your personal information. In my experience it doesn't take them that long to prepare the materials for you, so it probably is a little bit of a buffer.

I don't see how this is that useful. While the search query itself may be concealed, if the next activity is accessing a site with, "Hot @#$ #$@$#@ing #@$ @#$," in the title, it's going to be pretty obvious what you searched for...

I wasn't giving you a hard time; I have a difficult time believing the story as well. Especially when it comes from a fiction writer

Several things struck me as odd.

*Using a high percentage of your CPU doesn't cause your desk to shake.

*What processes does she have to kill every day?

*She studied Unix but can't reload OSX or simply disconnect the machine from the network/internet?

*How did he damage the installation disc?

*Losing the respect of kids over a computer problem seems pretty harsh. It sounds like they would have the savvy to backup files and reload the OS.

*How did the place of employment also get hacked? Is it the same OS? Using the same credentials password? Are the same applications from the internet being installed?

*Careers have been ruined and book deals have been lost? Yet she knows how to boot to a live CD. Why not just save the files on a USB stick at that point?

The whole thing is overly dramatic and doesn't provide very basic technical details (i.e. how were they communicating?). The fact that this occurred on OSX doesn't lend a lot of credibility to the story as well. That's obviously not "hack proof," but it significantly less likely to get owned than Windows. Were random applications from the internet being install?

This would take some serious dedication from the attacker, and most people with the time and abilities would go after financial gain, not harass some random woman on the internet.

I'm not saying this is absolutely fabricated, but it does seem really far-fetched. I just skimmed the other blog posts, but I didn't see any other mention of this, and the other entries have been pretty open (to say the least). I'm also skeptical of new members with "critical issues" that never bother to follow-up and work through the problem.

This seems like a great way to start a social engineering attack. The next post may be asking to help move millions of dollars before the hacker can compromise the account information

Anyway, no offense is intended to the OP. If this is true, please provide more details, so we can get some idea of what's actually going on. You've gotten a lot of good advice for such a scenario. I'd add that you would want to perform a credit check as well; look for any suspicious activity or accounts.

Why? Doesn't your entire desk shake when you use a high percentage of your CPU?

Google the OP a bit. There are some other pretty outrageous stories out there...