Actually, if it was truely paranoid, he would have said to use something like T.A.I.L.S.  instead of Backtrack. has a mode to look like windows, which makes it easier to use for a standard user. Encrypts everything going out. Read only Live CD or USB.

Yes I use T.A.I.L.S. in hostile environments (at the university, and at hacker cons).

I'm busy enough now, that I really only scan through the threads. if I see something in the scan that says hey this is cool, I'll go back and read the whole thing.

Some use came out of him. I found the "echo -e "OPTIONS / HTTP/1.0\n" | nc -v server 80" from one of the old threads he dug up. Would have been more useful last night.

But I like the generalized version of spam, and then having him hope we'll click his sig link compared to some of the other stuff. I do read this at work, so hard to explain that I'm not surfing porn, but some spammer tossed naked pictures in to the hacker forum I'm hanging out on.

from everything I've heard and seen, everyone is having problems with the fedora build and dns. but I haven't gotten there yet.

The CISSP has a domain on Physical Security, but that is the only cert that I know of that does.

Beyond the defcon groups try to find a local lock sport group. those usually have people all about physical security in them. Somewhere else to look is Maker Spaces. they'll get physical with the hardware.

Maybe the others here will have a better understanding what you mean by Hardware Security, but could you explain it to me?

Right now, all I can think is the physical hardware security of the systems. Things like limiting access; filling the device with epoxy to prevent parts being added, removed or modified; tamper evident labels on teh devices; etc.

@ 3xBan: Ubuntu creates a random root password that no one knows. Way around that in the future (so you can use the gui),
sudo su -
passwd

Set the password to what you want. Also VM usually ignore time, including ntp (been my experience), instead taking it from a "WALL CLOCK" on the host.

I haven't gotten to the Fedora set up section yet. However I would be conserned about putting any box related to a CTF on the internet. It might be better (once I read the stuff on Fedora I'll know for sure), to set everything to HOST based networking (prevent from talking to anything off the host server) and set up DNS at that level. Or at the very least the /etc/hosts file.

It's an option to look at. Create a container file, and then store the data there. she'll have to "mount" the file when she want's to do things. but that isn't hard.

Not yet.

Reminds me of a story Chris Hadnagy tells about when he set up the donations for Brad the Nurse. He talked about it on Social Engineering Podcast episode number 47 38 from DerbyCon

I've got the same without back up. one thing I have been really impressed with is their security responses. I've had a few automated SSH Brute force attacks hit my server from other linode customers. They have been very prompt to respond.

I used to get comments from upper management, and complaints from my staff, that I wouldn't let "trusted" vendors walk around UN-escorted. Be it the Same guy that had been coming to fix the copiers for years, or the Storage Vendor's people who were on site 2 days a week at some point.

Sorry slight thread highjack there. But the point is, just because you use them, doesn't mean they should be trusted. Argument I've started at my current client's site, and the full time direct-hires have picked up and ran with. Just because they're a trusted business partner doesn't mean you give them access to the bank accounts.

I think the better way of dealing with this, is seeing what other companies provide theses services, and then find out if they can out preform (either in equipment or service) Huawei.

I get international business, but I'm starting to think it might be worth copying some of China's model. You want to sell your product here, you have to have a factory making it here. Limited import. Government inspections at random. Etc.

As for offering to let someone inspect your code... What coding standards are there, how long do they have to inspect it. Are they going to inspect each sub release, and as we all know, just because we can't find the hole doesn't mean it's not there.

I like this plan. wish I had the time to give it more than 5 minutes thought. Jason said I should be able to solve it, back at Derby, but really time is a factor, and I feel like I've forgot so much.

I don't feel as bad then. My university workload has kept me pretty buried this term, hoping to work on this and my python study group stuff tonight.