I kind of feel like this has been hashed over in different threads but after talking with Ryan Linn in IRC (you guys should come join us, the channel is lonely) he suggested starting this topic.

I'm looking for a good study guide for the Security+ 2008 / SY0-201 exam. I'm looking for something that will fill in the gaps in my knowledge while pre-paring me for the exam. I'm also not looking to just pass the exam and say I'm certified, I want to know more about security by the time I"m done.

So, what are your opinions on the current Security+ study guides out there? Are there ones you like more than others, which ones do you think are worth their salt?

(going to jump on the bandwagon here)

This is Ethical Hacker, if you want to be one, maybe you should learn what a firewall is used for and why the owners would chose to block the sites they do.

My family always pushed me towards computers my whole life. Had one in 84 at the age of 7. When I was 19, I was lucky enough to be working for one of the "Original Six Backbone Providers". The part of securing the network interested me, especially after the network got hacked. Several years later, I was lucky enough to get a job where my duties involved using Network General's Sniffers and Infinistream, as well as doing wireless audits for rouge equipment on site.

I hope this is an easy question.

What is the type of things you'd expect to find at your local Security Group meeting? I looked for a local DC group, but DC734 recently changed to ArbSec. Partly because it wasn't what people were expecting.

To be fair, I've only been to one meeting so far, but all they did was sit around BSing and picking locks at a local bar. The bar didn't even have space set up for the group.

I've been told they are supposed to have a standing reservation and that the September meeting was a fluke. They also said they try to have a guest speaker but with end of the summer things got a little kerfuffled.

When I asked about the name change another person there said it was because people were traveling long distances but not finding what they thought a DC group should be doing. (He didn't say what that was though).

I've seen the posts by Good_4sh about some of the fun things they do there, and just wondering what should a person expect to see?

(edit: changed the topic slightly to better fit my question).

Might be a silly question, but are these instructor led or video led? Is there someone there saying do this in this time frame etc, and available on the spot to answer questions?

For work related IM, we're using google's talk, with pidgin and the encryption plug-in. It's only partly set up in the company though. Not everyone is using it. With our facility move (moving from one large location to 3 smaller ones) my department won't have the time to push for everyone to start using it.

I'll try to pop in tonight. I usually hang out on p2p-net though.

impelse,

Sounds like a case of false positives to me. You could try to do the smb option, see if the results differ. You could try the same set up again, and see if it comes back with a different username and password.

Two things we've done in the past at work (xp and S2003), was use Trinity Rescue Kit (trk), and Knoppix 5.1. TRK might be easier, I've had it work on 64 bit and 32 bit systems.

TRK's user guide says how to use it to reset admin password. There are guides out there (google is good) on how to use a Linux Live CD to reset a window admin password.

basic

you should be able to get the network card's drivers off the HP site. Does it work with a linux live cd?

I'll probably not be much help on this one, down side to being a noob, but have you looked at:

ToneLoc or THC-Scan?

Kevin Beaver, in Hacking for Dummies, says he likes ToneLoc. Not having a phone line, I can't really test any. I'm not even sure the modem in my laptop works with my Debian Linux install.

(I'm waiting for someone to laugh at me now). 

While not exactly on topic, what I'd like to see, from a stand point of just starting out is a "easy challenge" section. Something less powerful than the monthly challenge and more like what SANs did the other week with the pcap file for Sec558.

When it was first posted, all I knew was how to load the pcap into wireshark and look for information, but between the 2 threads here, I was able to figure out how to go through all the other 6 steps (stopped before scripting it).

That way multiple people could post their solutions (written up as a howto for future users), find out what they did wrong, what they did right and we get to see other people's writing styles.

I could see a section like that getting mis-used / abused by script kiddies and black hats starting out, but as others have said (thinking Hacking for Dummies and Firewalls and Internet Security) the black hats have their communication channels. It's better to share with the white hats and get people better at security.

But this is just my view.

Chris G's method would be great, I'll have to add it to my list.  Google + site's domain name would be another way. 1 search google for just the site, 2 search google for just the @domain_name.

I think the big question is though, why do want the email address?

From a pentest perspective, I could see collecting the different email addresses for trying to get possible log in names, or people in the company to try and impersonate for Social Engineering.

From a security standpoint to see if people are spoofing your comapny / found an open relay.

From a non-security related world, the only legal reason I could see doing this would be for an EECB (Executive Email Carpet Bomb). http://consumerist.com/259713/how-to-launch-an-executive-email-carpet-bomb

There are other methods, if I recall correctly, covered in Hacking for Dummies. But you really should only try to get email address for ETHICAL reasons. Spamming people is bad. Trying to get the information for just showing of is bad too.

Ryan,
Are you running backtrack as a virtual machine, or on a dedicated computer for this class?

I use Cisco MARS at work, even have a few books on it at home, but have found the the web interface and the over all control of it kludgy. It was in place before I started, and it became mine shortly there after. It's better than nothing, but sometimes I wish it could do more. (or I knew how to make it sing and dance the way I want).