|
Ethical Hacker Community Forums
|
|
December 01, 2008, 04:23:42 PM
|
 Show Posts
|
|
Pages: [1] 2
|
|
2
|
Ethical Hacking Discussions and Related Certifications / Malware / Re: Whitehat rootkits to prevent theft?
|
on: September 27, 2008, 10:50:40 AM
|
Interesting approach. There is http://www.lojackforlaptops.com/ which has been on the market for several years. It is "a software product that enables law enforcement to recover stolen laptops by tracing them across the Internet." They claim to recover 3 out of 4 stolen computers and utilize a BIOS-based agent to avoid being wiped. I would like to see exactly how the location is tracked. A legit customer would have to assume they can always be tracked too.  We use computrace at work. There are two ways that it can trace the location. 1. It reports in based solely on IP address. 2. It uses a built in 3g card, or GPS to send a location, The best use for this tool however is not recovery, but automated destruction of data. If a laptop is stolen, you can configure the tool to be told to wipe the drive the next time it reports in. If you ahve teh right model of laptop, for example Lenovo and some HP models, computrace is integrated into the BIOS and can wipe the drive even if the thief is running off of an external boot disk such as a livecd. . |
|
|
|
|
7
|
Ethical Hacking Discussions and Related Certifications / Certification / Re: Information Security Superstars - Cert advice
|
on: September 09, 2008, 08:56:48 PM
|
Enough with the cert pissing contest. Interesting post on various certs silxp, some of it I agree with some of it I'm clueless about so I have no opinion. As with anything, I suggest everyone takes anything gleaned online with due precaution and researches it for themselves. Learning how to learn is the first step to not looking like an ass in the end. As far as who should talk about what because of what they have or such, I really don't care. We have an open forum, and any opinions I see and suggestions will be tempered personally with a good bit of googling and searching/asking friends for either confirming or contradicting opinion. I suggest the same precaution to anyone, regardless of who says something.
And welcome to both of you, as I don't think I've said hello to either of you yet.
I agree his post was informative on some of the certifications and agreed with part of it as I mentioned. I simply asked what his knowledge of them were. I'm just asking for some full disclosure on his part. Thanks for the welcome. |
|
|
|
|
8
|
Ethical Hacking Discussions and Related Certifications / Certification / Re: Information Security Superstars - Cert advice
|
on: September 08, 2008, 11:08:59 PM
|
It also does the community no good for you to come here and get rude when people ask how you can speak to certifications that you apparently have not been involved with.
Your perception is yours alone. You asked, I told. I offered an opinion on certs that mean little in the sense that anyone and I mean anyone can read a book, memorize what is in it, pass a test and not have a shred of knowledge on a CBK. I offered an opinion based on my REAL WORLD experience of interviewing people who hold all sorts of certs and have INKLINGS of a clue when it comes to real world experience. You have every right to state the CCIE means nothing, it means technically a lot more than any of the paper certs since there is no input validation (real world testing) to prove that not only does one posses a good memory, but one has applicable knowledge. That is what separates the CCIE from other exams. So while your opinion is your opinion, mines is mines and I offered it with REAL WORLD applied experience, REAL WORLD applicable writings and teachings for some of these same certifications. Think of the irony... Myself being mentioned in about 4 different certification tests of which NONE I care about... Having tools I've written thrown into lab exams and books. Having "securing x distro/technology" used by PhD professors in Columbia, Purdue, Washington University and Carnegie Mellon since 1997... You asked, I told, so I have every right to throw my opinion around, it is after all my opinion. Its what makes the world a great thing. People agree, people disagree, its what makes great discourse, and I've had them with the best of them Bruce Schneier, Marcus Ranum, Theo DeRaadt, RFP and the list of course goes on and on. I can say that anything is garbage based on interviews with people in the know, that doesn't make it so. My point is that if you are going to try to sway people's opinions on a certification, or anything else for that matter, it would be useful to offer up your reasons why and provide background on your reasons, so that we can make our own judgement on your thoughts. It does no good to offer opinions based on heresay. Plenty of people in the know, turn out to really know nothing or are pulling their opinions out of thin air. EDIT: I just wanted to add, I don't think anyone here is trying to be a jerk to you. I think we just want to understand your reasoning. Name dropping doesn't help us understnad why you think GPEN is good for example. |
|
|
|
|
9
|
Ethical Hacking Discussions and Related Certifications / Certification / Re: Information Security Superstars - Cert advice
|
on: September 08, 2008, 09:36:47 PM
|
I have to echo Chris' thoughts. How can you have such strong opinions on certifications that you do not hold? Have you co-authored the course material? Taken the associates classes? I suggest you contact Lisa Lukas @ SANS, Dr. Eric Cole @ SANS for my credentials on authoring VoIP Security - thank you. You can freely see my information on OWASP, Hackproofing Your Network which I've been mentioned and a slew of other books. So the short answer is - as a matter of fact, YES I have authored a lot more than I care to mention about - do I need to prove this, not at any point, but feel free to peruse around and ask perhaps Henning Schulzrinne @ Columbia who uses my VoIP Security tools to teach security... I could go on and on throwing out names at all of the SIRTs (Cisco, Juniper, Foundry, Microsoft) but it would mean little to me. On the flip side, how long have YOU been in the industry... What have YOU authored? I can give you ISBN's for my information and the public domain can surely weed you enough information to see who I am and where I come from. I have a lot of respect for Eric Cole. But, throwing around names of people at SANS and titles of books that you are mentioned in still doesn't qualify you to give opinions on certifications that you do not hold, unless you have taken the exams, written course material for, or evaluated the material of the associated class. I can say that the CCIE is garbage, but my opinion is not valid as I do not have it, have not evaluated the course material. etc. I have only heard what others say about it. Some of the best IA professionals have written nothing and some not so great professionals have written books. That argument is pointless. It does the community no good for you to come here and provide blanket opinions on certifications that you do not really have knowledge of. Same as it would do not good for me or anyone else to offer opinions of certifications that we have not been involved in. It also does the community no good for you to come here and get rude when people ask how you can speak to certifications that you apparently have not been involved with. |
|
|
|
|
10
|
Ethical Hacking Discussions and Related Certifications / Certification / Re: Information Security Superstars - Cert advice
|
on: September 08, 2008, 04:13:11 PM
|
that's some strong opinions about certifications you dont hold.
You're absolutely right, and I find it absolutely amazing that these certification holders have often used works of mines for their books, courses, teachings. I've schooled plenty of certified individuals and have had the honor to being humbled my some as well. I speak from experience and real world where I've dealt with so many throughout my time. From 1997 on through, my history goes back a while specifically on the technical side of systems administration, network administration, network forensics, denial of service attack mitigation and strategies, you name it. I'm no stranger to this arena so feel free to Google away. I have to echo Chris' thoughts. How can you have such strong opinions on certifications that you do not hold? Have you co-authored the course material? Taken the associated classes? I do however agree with your statements on learning as much as possible about operating systems and networking. |
|
|
|
|
11
|
Ethical Hacking Discussions and Related Certifications / Hardware / Re: The Wii Has been Hacked
|
on: February 04, 2008, 09:19:37 AM
|
Having one key pair is probably sufficient in that Nintendo's aim is to raise the barrier to running copied game disks beyond the reach of most customers. It appears to have worked.
Jimbob
I agree with you, they primarily wanted to make hacking the wii more difficult. to that end they succeeded. They made it as complex as they could, without being ridiculous, which is the point I was trying to make by giving the descriptions I did. Having each Wii have its own key pair in addition to the pair that nintendo is using would be an insane level of complexity that would be pretty much impossible to maanage as more and more consoles are made. |
|
|
|
|
12
|
Ethical Hacking Discussions and Related Certifications / Hardware / Re: The Wii Has been Hacked
|
on: February 01, 2008, 11:25:22 PM
|
I think what nintendo is trying to do is two fold, prevent non authorized code from running on the WII and prevent piracy of the data on the discs. To get code to run on the wii I would have to have the secret key to encrypt my code, as teh wii unit appears to only have the public key. Conversely, to decrypt the code on the wii optical game disc, I would need the public key. They obviously knew the weakness of having only two keys which is why they tried to hide the public key in what they though was a secret area of memory. The only way to really make this secure would be to have each wii have its own key pair in addition to the pair nintendo is using now... Can you figure out what the issue is with each wii having its own unique pair?  |
|
|
|
|
13
|
Ethical Hacking Discussions and Related Certifications / Hardware / Re: The Wii Has been Hacked
|
on: January 31, 2008, 03:48:03 PM
|
Yes I am well aware of that. I was trying to simplify it. If you want to get really complex. You can encrypt a message to me using my public key, then you could encrypt it again using your private key. This would ensure that only I could decrypt it (using my private key), I could validate that you sent the message by using your public key to decrypt the second round you setup with your private key. Again, this is a simplification. My post wasn't meant to be complete instruction in public key cryptography  , just to point out that you don't only use a private key for decryption, the key or keys you use depend on what you are trying to accomplish. I haven't read the wiki article, but if you are saying that you always use my public key to send me an encrypted message than your understanding or the wiki's description is flawed. What nintnedo is essentially doing by encrypting using their private key and then decrypting on the wii using their stored public key is essentially encrypt once, decrypt many. So they encrypt a game one time, and any wii can decrypt. This is not a dumb way to do it all. |
|
|
|
|
14
|
Ethical Hacking Discussions and Related Certifications / Hardware / Re: The Wii Has been Hacked
|
on: January 31, 2008, 09:14:48 AM
|
|
The story is correct as far as keys are concerned. If I want to send a message to you, that only you can decrypt, I encrypt the message with your public key. Your private key is then required to decrypt it. If you want to send an encrypted message to me, you would encrypt with your private key and I would decrypt with your public key.
Basically Nintendo is using a private key during manufacturing to encrypt the games, then decrypting at the console with the public key embedded in the console memory.
|
|
|
|
|
Loading...
|
Forum 
Programming : not static?
Forensics : The Julie Amero Case: A Dangerous Farce
