|
EH-Net
|
|
May 21, 2013, 04:14:49 PM
|
Show Posts
|
16
|
Ethical Hacking Discussions and Related Certifications / OSCP - Offensive Security Certified Professional / Re: Anyone did OSCE (CTP) ?
|
on: October 07, 2010, 07:20:20 PM
|
|
I'm generally against reviving old threads, but I'll keep this message here for the sake of continuity.
I'm a little more than halfway through my 60 days of lab time and I can't say that I'm disappointed. I feel comfortable with all the material I've attempted so far (I've coded some exploits before), but I wish I had a better idea of what to expect for the certification challenge. MaXe laid out a good overview of what to expect so I won't repeat it. I haven't seen anything so far in the labs that required custom shellcode in the sense that you had to write a lot of your own. I've mostly been using Metasploit. That being said, I have had to do some creative assembly to get to my premade shellcode, so if you consider that shellcoding, then I suppose you do need custom shellcode.
I wouldn't start this without a solid understanding of assembly and debugging. I do a fair amount of reverse engineering of malware (actually teach a course on it), so I'm in assembly all the time. That might be lulling me into a false sense of how hard this is supposed to be (curse of knowledge and all). Either that or I'm in for a rude awakening one day in November when I sit for the exam....
|
|
|
|
|
17
|
Ethical Hacking Discussions and Related Certifications / Cyber Warfare / Re: A Contractor Solution for Cyber Warriors
|
on: October 07, 2010, 07:10:14 PM
|
|
I'll take a different spin on this. I've been a government employee and a contractor at different times. Right now I'm doing both. I have a full time government job and I contract to private organizations on the side (some of the work in the past has been back to the government but I've navigated the "conflict of interest" waters with care).
Anyway, I agree that contractors are not always much more expensive when everything is taken into account. That is clearly true. However, there are times when the government needs an important task accomplished and is fleeced by the one or two contractors who can actually deliver on a bid. This is unfortunate and puts everyone else in a bad light. I think contractors also get a bad name because some government contract reps can't manage their contractors. Then you get this vibe of "I can't believe we're paying these guys to fail" sort of mentality. That is completely the government's fault.
Overall, it's a mixed bag. I'll say that I'm generally more confident in the abilities of government employees to "do the right thing" but I'm more confident in the abilities of contractors to "do the competent thing." They are NOT the same.
|
|
|
|
|
18
|
Ethical Hacking Discussions and Related Certifications / CPTC - Certified Penetration Testing Consultant / Re: Should I?
|
on: October 03, 2010, 06:21:02 PM
|
|
First, who told you that the GI Bill will pay for these? I have the GI Bill and getting them to pay for anything has been like pulling teeth.
I know two people who took this class. They both had differing opinions. I think this depends on the instructor. As for exploits, I think they had to develop exploits for custom services. They also did case studies of how some well-known exploits were developed. Good course overall. If I find out that the GI Bill pays for it, I'll probably take it this year. Please let me know your mileage with the VA.
|
|
|
|
|
19
|
Ethical Hacking Discussions and Related Certifications / Malware / Re: Botnet lab exercises for graduate-level security class?
|
on: September 28, 2010, 09:08:58 PM
|
|
First, I don't have any example code to throw your way, but I'd tread lightly on this. I think there are some legal implications in giving your students bot software.
If you were keeping the whole thing in a lab, you might write some simple bot code that sends packets on command (simulated DDoS) in your university lab and provide students access to the controller to see how it works. That way even if it gets out (and it will), your liability is pretty nil.
|
|
|
|
|
20
|
Ethical Hacking Discussions and Related Certifications / GPEN - GIAC Certified Penetration Tester / Re: Passed GPEN – some comments (Sept 2010)
|
on: September 22, 2010, 08:19:12 PM
|
|
Congrats.
I'm with Dynamik and BillV on the counter. On exams that don't have it (most of them), I keep a tally of questions I "know" I got right, those that I was pretty sure on, and those that I EWAG'd so I can breathe a sigh of relief when I've crossed the passing threshold. I've never failed a certification exam attempt, but I still find myself wondering as I take the exam.
Anyway, I'm glad you think the questions were concise and well worded. I've written questions for SANS and the guidelines are very strict about what they will and will not accept. Because of the stringent QA process, I find the questions much better than those on other exams.
Cool deal and glad you got certified.
|
|
|
|
|
21
|
Ethical Hacking Discussions and Related Certifications / General Certification / Re: Harsh Words for Professional Infosec Certification
|
on: September 22, 2010, 08:13:14 PM
|
|
I agree with partek. Demonstration-based exams are worth more than knowledge-based exams. OSCP is a good measure of practical ability needed to perform in a pentest environment and does provide a good benchmark for what you can expect from a certification holder.
The problem with demonstration based exams is that they are expensive. They have to be. It is much more difficult to test someone's ability to demonstrate concepts than to answer questions about the same concepts. Employers don't like to pay for certs, especially not high priced certs, because people use them to pad the resume for the next job (at least this has been my experience). Anyway, there's no perfect cert (as this thread demonstrates), but I agree with partek that those with demonstration based certs are going to get the first calls for an interview (all other things being equal).
|
|
|
|
|
22
|
Resources / News from the Outside World / HDCP key is out...
|
on: September 21, 2010, 08:48:13 PM
|
Who didn't see this coming? If you claim you really didn't see this coming, I have some ocean front property in South Dakota I'm getting rid of at CRAZY prices. The short of it is that someone leaked the HDCP private key to the Internet. That was sure to come. Look out for black market devices sure to come. The below quote says it all. How long did they think the key would last if they worked out security as an afterthought?
Quote: Paul Kocher, chief scientist at Cryptography Research in San Francisco, said in a recent interview that somebody in the business of making HDCP-compatible devices, who had access to at least 50 individual device keys, would have been able to reconstruct the master key by analyzing “mathematical similarities” in the individual device keys. That was a vulnerability in the technology, Kocher said, that was bound to be exploited.
Full story here: http://www.wired.com/threatlevel/2010/09/intel-threatens-consumers/
|
|
|
|
|
23
|
Ethical Hacking Discussions and Related Certifications / Programming / Re: Suggest me a e-book for understanding basics of buffer over flow?
|
on: September 18, 2010, 08:07:58 PM
|
|
If you have $32 to spend, jump over to Amazon and buy "Hacking: The Art of Exploitation." Then read some papers and realize that your money was well spent from all the time you saved reading a book that gives you a good grounding to digest everything else. Search the site for some book reviews on this. It is widely read and universally recommended.
BTW, I'm pathologically cheap, but I do invest money freely in two things: 1. Good hardware 2. Good documentation
Both actually save me money over the long haul. The book falls into the latter category.
|
|
|
|
|
24
|
Features / Book Reviews / Book Review: Dissecting the Hack: The F0rb1dd3n Network
|
on: September 18, 2010, 08:05:04 PM
|
|
So I'm late getting this out.... Syngress was really late getting the book out, so we're close to even. Better late than never though and I especially appreciate the book, it was a joy to read.
This book is broken into two sections. The first section is a fictional story about a penetration event. The author went out of his way to cover all the bases: nation state hacking sponsors, the feds, 'geek' kids who get in over their heads, industrial espionage, insider threats, and probably some I've missed. The second section is a walk-through of the terminology and techniques used in hacking events in the book. Enough to get the idea and pointers on where to go for more information. It isn't 'Hacking Exposed' style reading where the authors are trying to walk you through the steps needed to replicate the technique. Think more from a higher level of the "so what" factor that management often misses.
Let's face it, the author isn't going to win any awards for the fictional story. It was readable, but it isn't holding court with Dean Koontz. It is however technically accurate in almost every regard, something that most good fiction isn't. Also, smattered throughout the fiction are notes on where to find the associated content in the second portion of the book. This is where the book really comes out on its own. It is a readable piece of technically accurate fiction that has immediate links to more in-depth resources in the back of the same text. If the topic interests you or you don't understand, simply hop to the back of the book, read a page or two and then jump back in with a working understanding of what is going on.
The two book sections are named STAR (Security Threats Are Real) 1.0 and 2.0. This should give you an idea of who the book was written for (disbelievers). I can't say that I learned a lot reading this book, but I've been in the business for more than a decade. That doesn't mean I'm sorry I read the book. Again, the fiction was entertaining and I have a new tool in my arsenal when dealing with uninformed management. No joke, the next time I get questioned on something covered in this book, I'm going to recommend the book to management and then ask them to come talk to me again afterward (and hopefully before making drastic policy decisions). I think all of us have dealt with far too many CTOs that don't know security (and aren't backed by a good CISO). This is a good primer to get them to understand the threats involved and even some of the lingo. The fiction portion was a little over 100 pages and could easily be digested in a good night of reading. Even with none of the technical backing, I'd still rather talk to a CTO who read (and appreciated) the fiction portion than nothing at all. System admins without security knowledge are becoming more rare these days, but they would also benefit from this book. I mean that seriously, even "security aware" system admins often don't understand the range of topics this book covers. Just having the knowledge of what's out there makes you a better administrator.
An added bonus was a nice list of conferences in the back of the book with mini-reviews of each. If you are new to the field, this might be worth looking at.
Overall, this is a book that needs the right audience. If you are just getting into the game, buy the book. You are guaranteed to learn something and be entertained at the same time. If you've been in the security field more than a couple of years, you probably won't learn much from this, but I'd recommend you invest in a "loaner copy" for the reasons stated above.
I'd give this 4.5/5 for passing to management, a 4/5 for those just getting in the field, and a solid "buy this as a loaner book" for anyone who's been around. It's cheap, so it will pay for itself (in time and frustration saved) after loaning it once.
former33t - aka Jake Williams
|
|
|
|
|
25
|
Ethical Hacking Discussions and Related Certifications / Malware / Re: Is it possible to have a keylogger and Avast running at same time?
|
on: September 18, 2010, 11:19:31 AM
|
|
Both the points above are good. I'll also point out that depending on where you live, your roommate may actually have an expectation of privacy while using your computer (if it isn't password protected, left in an open space, etc). In other words, you might be opening a whole can of worms by installing the keylogger and he uses the computer. For instance, imagine he does use the computer, he logs into his bank account (and maybe porn or whatever), you approach him about the computer use and say you have proof because you were logging his keystrokes. Two weeks later someone drains his bank account. What is he going to think?
Don't put yourself in that position. Implement one of the suggestions above and steer clear of spying on him. It will only bring trouble.
|
|
|
|
|
28
|
Resources / Career Central / Re: How to pass HR screenings: load up on certs or go back to school?
|
on: September 13, 2010, 01:09:15 PM
|
|
Pardon me while I throw a fly in the ointment. My response won't hold a candle to Sil's (as usual, awesome post Sil), but I have to say that depending on the job you want there IS a right answer. If you are looking for a federal government job or a job working as a contractor to the federal government, get a four year degree (I see that you have a BA so you are probably okay). The feds love a four year degree. I don't know what it is, but they see it as important. Because feds approve contracts coming in the door, contractors like to say X% of my people have 4 year degrees. It's part of the game (I'm writing this as much for people interested in your question as for you since you already have a degree). The actual major doesn't matter much. Underwater basket weaving is okay. Order of preference goes BA in anything->BS in something->BS in something relevant->MA->MS in something->MS in something relevant.
After a degree, your first cert should make you DoD 8570 compliant. This is the second (or sometimes the first) thing contractors put in their bid package and the second thing fed job screeners check for.
After that, get some experience. It's a sad state of affairs, but that's the way it is. I've been dealing with it continuously since 1995 and I consistently have a hard time finding the most qualified candidate since HR sends me people who pass screening (based on the fairly arbitrary criteria above).
Bottom line, go get Security+ or CISSP (associate since you don't have the experience) or anything else on the DoD 8570 matrix. More than anything else you can do (for the level of effort) it gives you the biggest boost in employability.
|
|
|
|
|
29
|
Resources / News from the Outside World / Re: HP to buy Arcsight
|
on: September 13, 2010, 12:57:28 PM
|
|
I'm not sure that I take the paranoid view, but this is nothing but bad news for ArcSight customers from where I sit. Any time you have heavily invested in an architecture and that architecture is absorbed by a new company, you are in for bad news. Support is never the same. HP is monolithic and generally slow to respond to company demands (and even notices of software vulnerabilities). For an example of the latter, I know people who took the old 'BackTrack to the Max' course where Mutts presented his HPOV vulnerability for more than a year after disclosing it to HP without them doing a thing about it....
|
|
|
|
|