EH-Net
May 25, 2013, 01:00:31 AM

1519
EH-Net / News Items and General Discussion About EH-Net / Re: Question for all
on: February 04, 2010, 08:28:47 AM

Yes, please let us know... it's kind of an open-ended question, and while folks here are happy to enlighten and help, sometimes it helps us to manage our time here (against our other engagements and responsibilities) if you can give us some starting direction from which to help you move forward. One needs to understand, EH-Net is a great place to learn and share (I've learned tons here, and always try to return the favors), but it's also something we do on our own time, or in conjunction with other things.

1521
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Cloud Computing - Formulating an EH Methodology for Cloud Computing
on: February 04, 2010, 08:10:03 AM

In regards to KamiCrazy's post, he / she asked a very important question:
"I don't have anything specific to add to the discussion but I do want to bring up that going to the cloud you are essentially outsourcing your IT. Or at least part of the infrastructure. Is that acceptable to your organisation?"
It's interesting that this topic came up, and that this question comes up, as a major provider of webhosting services recently (within the past couple of weeks) had their customers' websites defaced. While it was likely some 'script-kiddie' looking for a thrill - they posted images similar to what might be posted on Islamic militant and terror groups' sites - it still doesn't bode well for the customers whose sites were defaced. One such site was for a county government's Health Department. While defacing may or may not have been the worst thing that could have happened (they also had scripts on there to auth to employee data, email, and others, so it could be a lot worse, if the attackers would've gained access to said data through XSS to gain passwords, etc.), ultimately, you have to decide how worth the costs it can be, if you're allowing the security of your 'public image' and public site to be hosted by someone else.
I'd agree fully with savingpvtryansdad, in that it certainly does make things easy for end-users and customers, sometimes, but can be an overall nightmare for IT staff, to try to manage services and security that are out of their control, to whatever extent.

1522
Resources / Career Central / Re: How to Start Your Information Security Career?
on: February 04, 2010, 08:01:09 AM

Heh... the author posted on EH-Net for comments, within a few hours, after you posted the link... You two buddies? Overall, I think it was a good article, to try to point new folks in the right direction. I gave him a little criticism (all good) based on how it read, to me, and was glad to see he asked opinions, so he could further himself down the road, and continue to put out the good word.

1523
Resources / Career Central / Re: How to start your infosec career?
on: February 04, 2010, 07:57:16 AM

Nice job, adrianodl. It's always good to see ANY effort to help others to get started in this field. I think you kept it concise, while still getting your thoughts and ideas across.
The only place I had to re-read was where you said, "One good thing about an information security career is that the barriers to entry are fairly low, since the skills can be self-taught." I had to catch myself from concentrating solely on that statement, as we all know there can be some very HIGH barriers to overcome, depending on what type of job you're pursuing, and with whom. When I saw you came back with the comments about employers still looking for education and certifications, however, I understood where you were coming from, and it made more sense, in that you helped to distinguish the fact that it's not quite THAT easy, but that the key is to show your knowledge and experience. I'm not totally certain how I might have reworded that myself, but I think, after you went forward with the idea, you explained yourself well.
Overall, a nice article, and thanks for sharing!

1524
Ethical Hacking Discussions and Related Certifications / Other / Re: winrar password
on: February 04, 2010, 07:46:28 AM

I'm sure if you acquired rainbow tables (or built them to accommodate the character sets and password length) you could probably either script something, or find a tool to pass the data from the tables into a brute force cracking program... It takes time, but would likely be your best, most reliable, way to TRY to crack it...

1525
Ethical Hacking Discussions and Related Certifications / Other / Re: ip address
on: February 04, 2010, 07:43:49 AM

Chatting with what tool? Are you referring to an IM conversation?
There are many different ways you COULD do it, depending upon the service you're using for IM, etc. You could, for instance, pass a graphic with some embedded code to run ipconfig on the other person's machine, and send you a result, etc. Or you could, as easily, pass them a url to a local server of yours, and have them click it, then have the server logging the connections etc. Many ways, but it all depends upon the situation, etc.
By default, however, I don't think most of the reliable IM vendors (such as GMAIL IM, AIM, etc) have a pre-built mechanism for allowing you to log the IP of the user you're chatting with.

1526
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pen testing logs
on: February 02, 2010, 03:40:26 PM

I won't discuss as far as safe deposit boxes, but I will tell you that in my case, all data is first safely tar'd / zipped up into a passworded file and stored on an encrypted file store, and I then store the encrypted files in an undisclosed, 'safe' location.
Again, as with the logging, it's all about preference, and you sort of have to work out what's best for you and for your customers' satisfaction and safety.

1527
EH-Net / News Items and General Discussion About EH-Net / Re: YANM (Yet Another New Member)
on: February 02, 2010, 02:11:18 PM

Welcome, n0on3!
Yeah, the challenges are always a fun way to get introduced to the EH forums and community. Glad you found the site, as you can always both share and learn a great deal from the other members here. As don said, it's also a great place for professional networking, so keep us posted on how you move forward.

1528
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pen testing logs
on: February 02, 2010, 02:07:13 PM

Hi Breeze. The answers you get will vary, to an extent. It depends upon what tools you / the tester uses. Many tools (such as Core Impact) set up a separate project with its own mini database and logs, for each project you are doing. GFI LANguard behaves similarly, for record-keeping, for an individual test scenario. But when using BackTrack or other tools, you often use other means and data folders for record-keeping, where you may file screen captures, logs, files you extracted from a customer machine, etc. It's sort of based upon the tester, as to how you want to keep record, but you're absolutely correct, in that ALL records should be kept, both for clarification of what steps and tests were performed, as well as for your own safety, after the testing is performed, to cover your backside. And as for how any / all of this data is collected to begin with, each tester has their own preferences, but in the end, it could be keyloggers, packet captures, screen captures, or any one of MANY other methods of capturing your activities for record. Once my tests have been completed and the customer has signed off on the deliverables, I securely archive all of the data (won't go into how, as again, this changes per tester, and I prefer to keep my methods to myself) and file it away, for future reference, if absolutely necessary. (Otherwise I never open it again.) Hope that helps, at least a little bit...

1530
EH-Net / News Items and General Discussion About EH-Net / Re: [Article]-Feb 2010 Free Giveaway Sponsor - Syngress Publishing
on: February 01, 2010, 08:46:31 PM

Agreed, Ketchup! I have a number of their books in my library already - up to and including the latest Thomas Wilhelm book "Professional Penetration Testing: Creating and Operating a Formal Hacking Lab" (which is already in discussion in another forum post). Maybe I'll have some time, for a change, to be one of the higher-count posters, and win this one. The books would come in handy in my reading collection. Regardless, thanks to Syngress and EH-Net for yet another good contest prize!