go look at the multitude of other sites that do what you are trying to do and figure out what people are using

i dont know of any remotes for SP3 but slap office 2003 on there and you have some vulnerabilities.

so its the security community's fault that SCADA people have bad business practices therefore exploit code shouldnt  be released?

dumb...

what? recertifying doesn't restart your clock?  thats bullshit

I agree that some sort of multifactor is the fix, at least for the short term.

 the problem is how do you pay for all those keyfobs, business have money to do that or have a vested interest is protecting its customers from harm especially when that harm usually means losing business so they may give them to their users.

free email services make money from advertising, i doubt yahoo will be handing out keyfobs and i doubt the majority of yahoo's free email service users will be shelling out the money for them either.  so what are we to do?

well its ok for people to have that attitude, it keeps those of us that know better gainfully employed.

then those people shouldnt call themselves or want to be pentesters

i disagree,

liveCDs are tools, not OS's and should not be treated as such.  You'll learn faster building your own distro (in vmware if you wish) and working through the problems of installation (there really arent any anymore). You can be up and going in less than an hour.  In my life i have blown away more distros than i can count trying to install something with no documentation but i learned from it.  Just booting into a liveCD...its good to show someone "this is linux" to recommend they use that unless there is some extreme reason is not a good way to teach people what they need to know.

I guess if someone has never ever never seen or used linux then ANY liveCD would be ok to familiarize themselves.

as far as using security tools on BT first, having a ton of tools prebuilt for you teaches you nothing about:
1. installing and configuring those tools
2. why you even need those tools

There is something about the act of installing a tool yourself that forces you to think about why you are installing this and what are you going to use it for (especially if you have to go through dependency hell).  that helps more with understanding the methodology than just having that stuff installed for you.

your core tools that a "new person" will need will easily install from source or package management system.  As far as "have confidence that your tools are functioning correctly" if I install them myself i have confidence they work correctly.

Having someone or some distro do everything for you from the beginning does not set people up for success in working through problems on their own later...which is really what security is all about anyway.

if you need more proof then check out the remote-exploit forums yourself and look at the amount of basic linux questions that are in there, questions that shouldnt be there if people had the prerequisite knowledges that BT states you need before using their liveCD which is a good understanding of linux.

<insert learn linux before F*ing around with BT rant here>

both...all...whatever

linux to linux, linux to windows, windows to linux, windows to windos...etc

is the restriction based on just username or MAC? 

sounds like the simple answer is get yourself another username/password

i wasn't trying to be a jerk or start a cert war.  I just personally feel that if you are going to give advice you should either have experience in what you are giving advice on or other experience to make your advice valid (everyone can have an opinion regardless of experience).

I think silxp has since dropped enough information that we can google him and get a feel for his background which to me was wasnt apparent with the initial post in this thread.

you'll have to pardon my pessimism because we've had people talking out their ass on this forum before (not the case this time) and most people dont seem to have any balls to call people out.

can you follow that up with some advice to the original poster?

the advice of figuring out what you want to do first is good, but if you have an idea what industry you want to work in that will help too.

for example, if you want to do any kind of IA work for DoD you need your CISSP, that's just the requirement. 

as far as the CISM, if you dont meet the requirements you can still take the test.  You'll have to check out the ISACA page for details but you can be granted your certification and get your remaining years of experience afterwards.

that's some strong opinions about certifications you dont hold.