Time is always best spent building a strong base.  There is more to pen testing that running a tool and getting shell.  I'm not saying that is all you will learn in these classes.  They are great classes but they assume you have some basic knowledge going in.  What sort of previous IT experience do you have?  Are you familiar with the basics of networking?  Do you know any type of coding (Python, Perl, etc...)?  Do you have a lab you can test in?  Also are you going this route because you love puzzles, analyzing data, and taking things apart to figure out how they work?  If so you are on the right track.  If you are looking to make some big bucks only, then you may not be of the right mind set. 

Other than that, you are on the right path by coming here and asking the experts.  There are plenty here who are willing to help as long as you are willing to learn.  Hopefully one day you will add to this great knowledge base.

I think at this point the demand is so high that companies are moving away from trying to find the expert to looking for someone with the ability to become the expert.  The experts are all hired and hopefully happy.  But there are plenty of new guys out there just aching for a chance to get into the field.  I think the biggest thing teachers like Grendel can do is emphasize the learning doesn't stop and the employer may not always be willing to send you off to the $4K SANS course.  Like any career if you want to succeed you need to work at it on and off hours.  A friend of mine tells me I need to unplug but I don't think he quite gets the fact that when I come home and fire up the lab, that is me unplugging.  I can't do somethings I want to do at work, so I do them in the home lab.  It also is me educating myself on what is new out there in the world of InfoSec.  I will say that the actual unplugging is me grabbing the camera and the hiking boots to head off into the hills for some fresh air.  I tend to appreciate that more when I've spent the week working and learning, the brain needs to switch gears every so often.

Also for those of you with students, one more thing to recommend...  If they want to find opportunities, they need to get out there and network.  Go to the local security groups (ISSA, Hackerspaces, etc...).  Get to events like B-Sides and even venture into local user groups for like Linux or OWASP.  Not only will they have the opportunity to learn something or even teach something, they will get to know some people in their area.  Another suggestion is to work your way to doing a talk.  It gets your name out there and hopefully shows people you know a thing or two about something.  The same friend of mine that tells me to unplug also tells me I should do a talk.  Though I still have no idea what it would be about.

Anyway glad I sparked some discussion.  Oh and on the topic of Telecommuting, I have a total of 2 hours of driving a day for my job.  So luckily my current position allows for me to either work from home or work from our SOC which is much closer than my office.  I think the idea of telecommuting is great but I also thing face time in the office is also important.  There are somethings that are best collaborated on in person.

I learned a long time ago that you should always keep your options open.  So naturally I always keep my resume updated and for the most part available on the job boards.  Over the last year or so I've gotten a number of calls/emails for various security jobs.  I would say many are contract based but there were a good number that were full time, only on the other side of the country.  So it is safe to say, there are many jobs out there for Information Security pros ("you're welcome" - Capt. Obvious).  When I made my way over to this career from the general IT Infrastructure realm, I always figured I would stay on the defensive side.  I never considered I would have the skill to be a full time pen-tester, though I do enjoy the feeling of the challenge.  I always figured I was better tooled for defense. 

Then I had a phone interview with a local security firm.  The admin who contacted me didn't mention anything about the job she was contacting me for.  I asked, she still didn't say.  The fact that this particular firm was calling me was enough to peak my interest.  So I had the interview, honestly as phone interviews go, it went pretty good.  We had a good conversation and even after telling them I wasn't interested in the commute, they still tried to pull me in.  Now the job was for pen/vuln testing, again told them I wasn't really looking for that type of position, but they persisted.  So they gave me their "technical" interview.  It consisted some questions about Nessus which apparently required me to just know how to use it.  I then proceeded to tell them a story of a recent assessment I did at work and mentioned SQLi.  They asked me about that.  So I mentioned about inputting javascript/SQL code into form fields to see if it returns data and that was apparently enough for them to consider me worth pursuing.  Mind you I only know of the process of how these things are carried out and how to protect a site against them.  So the call went on with them asking how far I was from another city and that they were thinking of opening an office roughly 30 minutes from me.  They even suggested I still come in to meet them and such.  Figured they get the hint that I wasn't interested.  Then I get a call the following week to schedule an in-house interview.  I declined and apologized if I lead them to believe I was interested (even though I said I wasn't on the original call).

Could I have done the work?  Don't know, I imagine if I made it my focus, I probably could.  Is it something I would like doing?  At this time probably more than what I am currently doing, but not for an almost 2 hour commute along with regular travel around the country.  Just thought I would share.  There is plenty of work to be had out there.  The population of skilled InfoSec pros is growing, but not as fast as the job openings.  If you have "security" anywhere in your resume, you will most likely get a call from some outsourced recruiter or a company who doesn't really know what they want but someone says they need a security guy.  Anyway sorry for the book, but figured I'd share the story.

Good luck out there!

Ran this through some tests, pretty decent even for the free account.

I've been working the Codecademy course and loving it.  I am finding the further I go into the exercises the easier it got to figure out what was needed.  I think I am lesson 5 working with lists and dictionaries.  So they get you through some basics per lesson and at the end they toss you a project.  Some are pretty simple but I find myself going to the whiteboard to throw in the pseudo code to figure out the more complex ones.  They also have an achievement system if you are the gamer type.  One night I actually cheered out loud when I completed one of the harder problems.  So once this is over I will probably pick up this book to drive it a bit further.

Nicely done guys.  I never went further, got caught up on something else.  I might go back to it this weekend.  The 500 errors seem to be a regular occurrence.  I got the link from bbaskin who had similar issues.

No problem. 

http://training.keywcorp.com/cybergames

Came across this from a tweet last night.  Made it up to 5, but can't figure out the process to decode the cipher.  I did figure out the cipher but by that time my eyes were getting heavy.  Might work on it more today.

Great discussion, I love seeing non-hacker types gain a better understanding of the this world and the community around it.  I don't have anything else to add to the explanation of "Hacker" but I am someone who benefits from the good guys.  I am primarily a defender.  I perform mostly vulnerability assessments and help the org address the findings.  Fix the problems we know about before we call in the heavy hitters.  I can do some minor testing though I need the assistance of tools.  I also assist infrastructure teams with better hardening techniques, use of least privileged accounts, and helping app owners better understand app security test reports.  I spend a great amount of time in this community to better educate myself on the latest techniques used to break systems.  I hope to one day find a niche that I can concentrate more on but for now I will embrace the InfoSec Generalist role.  Jack of all trades, master of none I suppose.  But this group here in particular is great and I am glad to be a part of it.

If you want to see some real hacking in action, try to hunt down a local Hacker/Maker Space.  They do projects for everything from making home made soap to building electronic door locks and 3D printers.  My space runs computer clinics every other month as well as open houses so the public can come in and check out the current projects.

I think (and this is just my personal opinion) is that China's goal, at this time, is to grab data.  Get IP from our defense contractors that can be used in two ways.  To boost their own economic strength by reproducing our products and/or sell the data to an allied country. In the future that could change.  Countries like Iran and North Korea would certainly be higher on the list of suspects if an attack on the infrastructure occurred.  There is also nothing to say that China would not provide such services if the price is right but that may be more along the lines of what the RBN provides.  Granted in this example, the source appears to be Chinese in origin, it doesn't necessarily mean the job originated there.

I think the large difference (besides the population ) is that China is filling the seats and training the people.  We are hung up on buying the next magic box rather than concentrating on building the skill pool up.  Where are the incentives to push future college students toward building their skills in the field?  I am not talking strictly the offensive, but we need skilled architects, sys admins, and developers who know how to properly build and manage their environments.

We are so focused looking out over the wall trying to find the next attack.  How do you prepare for an attack that could come from anywhere?  The energy is best spent ensuring that if an attack occurs the damage is kept to a minimum.  Stop buying more hardware and software and start using all the features of the stuff you already own!  Most of the major AV products have a number of features that are rarely used fully (app whitelisting, configured client firewalls, IPS etc..).  Segment the networks, not just to organize, but to limit unnecessary traffic from hopping across the network.  Not everyone needs to RDP into a file server, that can be limited through at least 3 different ways depending on the setups.  Ok I am starting to rant now...

As for the report, I will not deny that the information in the report is valuable to the defenders.  But obviously, at this point in time, the group has now changed it's tactics.  I suppose it will help find systems that have yet to be discovered.

I have a good amount on the Kindle/iPad.  But sometimes I prefer the hard copy, like ajohnson sited, it is much easier to search through.  I tend to throw stickies in my books for areas of note.  I've tried using the bookmarks and notes on the kindle, but those only work with the ebook format.  They don't work with pdfs.  I too am also a fan of No Starch for the same reason.  Another thing is sometimes the content of the book.  If there are a lot of images or pages of code, it doesn't translate well to ebook format.  I do find some books like better in the Kindle iPad app than on the Kindle (regular).  So I mix it up.

My new year's resolution is to be more positive and keep a better eye open for opportunities!

I messed around and got through a couple of the zones but then just ran out of some free time to concentrate on it.  I did like that I wasn't far off on some of the things I was thinking to get past those first couple.  Would have been lost at the crypto pieces though.  There is always next year!

Thanks man, I appreciate the input.  It is tough, I am basically in a generalist role at the moment.  Unless we add more technical staff, I will probably remain their until I burn out or decide to hunt for another opportunity.  I really do enjoy building out architectures, so long as I get to get my hands dirty a little.  But the current corporate setup doesn't always allow for that.  GCIH would benefit me, that part of my job I enjoy as well.  Unfortunately I don't have all the nifty testing sandboxes that the cool kids have.  So again, limited in what I am able to do.  So do it all!  But we won't give you the tools or time to do it.  oh well decisions decisions.  Maybe I'll use the thinking time and strengthen my coding.