As an additional update, apparently the site was riddled with security holes, leading to at least one "rickrolling":

http://www.theregister.co.uk/2010/09/06/hackiswack_secure/

From http://gcn.com/articles/2010/09/02/hack-is-wack-with-snoop-dogg.aspx:

"Ready to show off your mad freestyle rap skillz? Snoop Dogg and Symantec's Norton are teaming up to sponsor a video contest for raps about hacking, identity theft and computer viruses.

Yes, that Snoop Dogg. Yes, that Norton. Fo' realz y'all. "

Does this help our image, or the image of computer security, or is Norton trivializing the issues in order to increase sales?

My concern is that the majority of the development/bugfix/etc time will be spent on improving and fixing issues in the express version of metasploit, instead of on the framework itself.  That's not to say that the framework won't be improved, but the improvements will be driven by a desire to improve the express version, instead of improving the framework for its own sake.  This may lead to a lot of development work on features we'll never see.

A liveCD only stops one vector of theft, and not necessarily the most sucessful one.  The wonderful thing (for a thief) about phishing attacks is they're largely platform- and browser-independant. 

I don't claim to know the magic bullet to fix the issue, but I suspect it will require a combination of end user education, increasing responsibility on the banks to validate users, and technological improvements from the operating system and browsers that are in use. 

This should be the same vulnerability being discussed on the Full Disclosure mailing list, and if so it's worth noting that it causes a DoS condition on IIS 6 instead of executable access. 

At least, such was the last word as of yesterday evening.

Greetings!

I've been lurking on this forum for a little while, and now I have a question of my very own!   

I'm finishing the flex iClass course for the C|EH, and plan to sit for the test very soon.  In addition, I'm required by my employer to obtain the Security+ certification, and the deadline for that is coming up shortly as well.  I've been studying for the Security+ for a few weeks now, and am fairly comfortable with the material. 

My question is, how reasonable is it to schedule both tests for the same day?  I'd probably take a couple of hours' break between them to rest and recover, of course.  The material for each seems to correspond fairly well;  at least they aren't widely different from each other besides scope (Sec+ being more broad, and the C|EH more focused on Ethical Hacking). 

Looking forward to hearing your thoughts.

Interesting review, and it's good to know that the Ironkey stands up well to attacks.  I'm curious, though, about the password recovery system, which is an online service.  Was any attempt made to recover the password?  What was the result? 

I don't know that I care how secure the hardware is, if the recovery password is as easy to get as Palin's yahoo mail account. 

I'm also morbidly curious to see how the device behaves after it "self-destructs"...