|
EH-Net
|
May 21, 2013, 09:35:35 PM
|
16
|
Resources / News from the Outside World / Re: TPB AFK: The Pirate Bay Away From Keyboard
|
on: February 13, 2013, 06:11:05 AM
|
It was a lot better than expected, I was hooked! Compared to that other recent documentary about "hackers" where most of them were really just script kiddies except l0pht, Jericho, cDc, and a few others, this movie was not really about hackers but the guys were at least "for real". They certainly have skills in managing TPB. I did notice they use Varnish, which is cool because it was developed by a Dane xD (Okay, he was "only" the architect and lead developer.) Lots of high profile websites use Varnish because it's a damn good product
|
18
|
Ethical Hacking Discussions and Related Certifications / Malware / Re: Joe McCray's Exploit Development Workshop
|
on: February 12, 2013, 04:40:35 AM
|
Using a corporate blog in that way has just severely damaged their reputation more than it already is, and writing "fuck you" and threats of physical violence only attracts trolls and those who may want to prove Joe wrong that he's not the smartest nor the strongest guy in the world. If he makes a response video (which I doubt as he's not Greg Evans), it will most likely become viral and be "songified" or perhaps even get unwanted attention from organisations/hives/groups such as Anonymous.
I do however, look forward to how the aftermath will unroll. Personally I'm hoping for drama, popcorn, perhaps even a movie. Mostly because of the other affected vendors.
|
20
|
Ethical Hacking Discussions and Related Certifications / Malware / Re: Joe McCray's Exploit Development Workshop
|
on: February 11, 2013, 10:48:53 PM
|
This has got to be a MISTAKE!!!!! Given the likes of attrition.org and the infosec community at large, why would any sane individual in the community so BLATANTLY rip off someone else's work? And then go on to charge for it? Seriously??
Why would someone go to such great lengths at advertising a course that they STOLE? How could someone be so brazen?
Makes no sense....
No it's not. Many people defy attrition.org and the infosec community at large still. The length at which strategicsec ripped off others' work is not just limited to a single episode. It's spread out across multiple vendors. However, most of the "students" who are also doing all the hard work, are simply taking other infosec courses and rewriting them into strategicsec courses, easy way to minimize the amount of work you have to do.
I know, but on his blog he basically says he only used their VMs. http://strategicsec.com/blog/ - that's what I'm saying, his rebuttal doesn't make any sense.
It doesn't make sense any sane infosec professional would do this, but this is the case and it is not the only case. The only thing that makes sense, is simply that it shortens the time needed to come up with new courseware. It's the easy way to make money. Use others' courseware, modify it so it looks like your own, sell it cheap, profit. It's almost like the botnet business and I know this sounds harsh, but it's about cutting corners and taking shortcuts.
None of it makes sense.........
It does make sense. I am not sure who authorized to copy other vendors' courseware, but if it was Joe McCray himself, he may not be the whitehat / ethical hacker other people believe he is. I myself, do not know. I only know that this has been going on for months.
Fun side-note:
Neo: Right now we're inside a computer program?
Morpheus: Is it really so hard to believe? Your clothes are different. The plugs in your arms and head are gone. Your hair is changed. Your appearance now is what we call residual self image. It is the mental projection of your digital self.
Neo: This...this isn't real?
What is real? How do you define real? If you're talking about what you can feel, what you can smell, what you can taste and see, then real is simply electrical signals interpreted by your brain.
|
23
|
Resources / Career Central / Re: Question about penetration testing specialties
|
on: February 11, 2013, 08:51:22 PM
|
Hello, hopefully this is the right part of the forum to post this. I am trying to learn more about a career in penetration testing. I was wondering, do testers tend to specialize in either Network penetration testing or Application penetration testing, or do they tend to do both?
Often they specialize in application (i.e. program) security or web application security, where network security is another part as well. There are of course, those who specialize in network security only, but they are often security engineers and not penetration testers, unless they attack the protocols themselves. In my current job, we have people in those 3 fields, plus other mandatory fields for everyone, such as but not limited to wireless security, physical security (social engineering), PCI (that's another team), etc. So yeah, I forgot to mention people specialize in PCI as well, but that's not penetration testing though, even though some parts of it are related somewhat when you have to check whether a client is in PCI scope or not.
According to me Pentester is Professional Entity which knows everything about Network/Infrastructure/Application/Physical Security for a client. And knows nothing about that client for outsider.
It is impossible to know "everything". No matter how many years, no matter how much experience you got, there will always be old, perhaps extremely old, new, or very new things, even current things you will not know about. I often see people extremely skilled in application security (reverse engineering, buffer overflows, heap overflows, DEP, ROP, ASLR, etc), who are brilliant in this field, but lack knowledge in web application security. (Often crucial and specialist understanding of how everything can be tied together, including many of the possible attack vectors. Knowing the most basic ways can be taught to anyone, even non-hackers.)
|
24
|
Ethical Hacking Discussions and Related Certifications / Web Applications / Re: SANS GWAPT Exam?
|
on: February 11, 2013, 08:44:16 PM
|
SEC542 is a very basic course, which prepares you to do the GWAPT exam, where I was given a test exam a couple of years ago. I had never studied the course, yet I passed without knowing about SOAP and a few other things that you hardly ever see when conducting a penetration test. (I have tested a few big lists of web services, and yes it was boring, but at least I gained some experience during that, such as it's rarely any critical bugs you find, it's often just user account related problems, often rated as low or medium risk. Meaning it's just "filler space" in a report.)
Anyway, yes you can do it. I'm a hacker, and yes I knew how to write secure PHP code when I took the exam attempt (I wasn't taking the actual certification). To me, it was extremely easy, but then again I am already a hacker so of course it's easy when I specialize in web application security.
Having previously taken GPEN (and passed, and become a mentor), I knew how the exam layout would be, how the questions would be phrased (i.e. in a weird way that doesn't make sense until you understand "their language"), and of course how much you had to think about each question. Because when I did my first GPEN exam attempt (test exam, not actual exam) without any study, I passed as well without any study, but I wanted to increase my score, so I studied a bit. Anyway during that test exam, there were a lot of questions where I was thinking, is this a trick question? This is way too easy to be included in this type of exam that proves your skill, but they weren't.
Sometimes the questions can be a bit strangely phrased, so you will have to think for a while about what they actually mean. But it's nothing compared to some custom CEH courseware I went through for fun, while I was working as tech support and wondered how hard CEH would be. Not because I want the cert though, just want to see how hard / easy it would be to pass, plus it was free at my previous job. (The custom courseware.)
|
25
|
Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Can I interview one of you who is a Certified Ethical Hacker
|
on: February 11, 2013, 08:36:20 PM
|
I think it must be a comedy movie he or she is creating when he (or she) wants to interview a "Certified Ethical Hacker". (Yes, I know that he (or she) probably doesn't know about the reputation of this certification and how low rated it is within the infosec community. To the original poster (fayelopez69), a colleague recently removed CEH from his CV, because it degrades his public image within the industry.)
Asking your questions here in the open however, will make it possible for more hackers (and of course, script kiddies and wannabes) to respond, and give you a more appropriate answer, to all of your questions. Plus, a person in the future may have the same questions, and since this website is indexed by Google, the person can search on Google where this thread may pop up, and then that person doesn't need to ask the same question(s) again. Brilliant
Note: There's a reason why we're sharing our knowledge and ideas here in the open, instead of hiding and keeping our knowledge private.
|
26
|
Ethical Hacking Discussions and Related Certifications / eCPPT - eLearnSecurity Certified Professional Penetration Tester / Re: Call for Beginners : All you wanted to know about Penetration Testing
|
on: February 11, 2013, 08:30:36 PM
|
I think it's exaggerating a bit when it's called "All you wanted to know". There are many things I want to know, but I know how to learn about them, the only problem is time. The other things I might want to know, are hard to learn because of hardware requirements, or because the technology or knowledge doesn't exist yet.
Anyway, for a beginner event, I guess "All you want to know" can be anything, starting from "Pentesting is penetration testing, and a DNS A record is for IP addresses, done", ending to what ROP chains are and how they work.
|
27
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: OSCE advice?
|
on: February 07, 2013, 08:46:15 PM
|
Indeed I did DragonGorge, and it was also my first course and certification I had ever taken, plus I don't have any lengthy education, or for that sake, a long history of relevant business experience. (Of course, as I am a community guy, I've been in the hacking world for a long time.)
Yea, during the course and the certification it became increasingly harder, hence the reason the writing style changed to display my frustration
I'd say it's exploded brain cells, it was nice to be in several scenarios where you have to think outside the box and come up with clever solutions
Well, in the beginning she said she understood I had to study most evenings where I could be at her place 10pm or so. After a couple of weeks the whining began, but during the actual exam I had specifically told no whining as I will lose concentration completely, she respected that and I am glad she did. Afterwards though, she began to whine again but that day when I got the email, nothing could as previously said, ruin my mood. Passing a certification is just a great feeling when it's been a long and hard journey.
The reason she became my ex, was not related to OSCE, even though it could've been a cool story "The only certification that will make your wife or girlfriend leave you" xD (I broke up with her, as I realised I now had OSCE and didn't need a girlfriend, jk, it was for other personal reasons. In short, she was bad for me (I know that most women complain about a lot of things (because it's socially accepted in most cultures), but this one was over level 9000), but it's the kind of bad that feels a little good hehe )
Thanks for the feedback / response, I enjoyed writing it :-)
|
28
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: OSCE advice?
|
on: February 06, 2013, 11:03:06 PM
|
Hm, maybe you just need to visit the forum more frequently; it said GCIA for about the last six weeks. I put a very intense 4-6 months into the OSCE, so it's not like I just breezed through it. Well, like I said, after OSCP I took a hiatus to decompress. Time flies I guess. How'd it go BTW? Did you write a review?
No, but I did:
https://forum.intern0t.org/blogs/maxe/95-cracking-perimeter-part-1.html
https://forum.intern0t.org/blogs/maxe/101-cracking-perimeter-part-2.html
https://forum.intern0t.org/blogs/maxe/108-cracking-perimeter-part-3.html
https://forum.intern0t.org/blogs/maxe/111-cracking-perimeter-part-4.html
MaXe, how many shells do you have from all of us opening those Intern0t PDFs?
A couple of thousand, people that appreciated reading them :-) I don't put bad stuff in my papers, code, pocs, etc. (Some of them may have very basic anti script kiddie measures, but it's as simple as finding the field where I wrote: you have to uncomment this line or the script won't work.)
|
30
|
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: CREST Information
|
on: February 06, 2013, 08:29:49 PM
|
The thing is, it isn't hard questions from what I heard. It's simply the time being allocated that's extreme and these are facts just a couple of days old. The time being allocated may vary between Australia and the UK. Also, despite that a friend thought he failed recently, he actually passed. (He didn't complete everything.)
|