Thats a good point, however automounting in read only mode would save somebody from making the mistake of mounting in write mode, which is more common then you would think.

I agree with you 100% that they both have their place, but the only reason I keep a windows system at home is for gaming. For the most part, I think a big reason for people using Linux is that its free and people either don't want to pay for Windows or are too lazy to pirate it. Either way I think people are underestimating the cost factor that goes into choosing an OS. There are some exceptions, like people choosing linux to get more experience on the platform, however rarely is it some ideal of open source over close source or its more secure, thats just a smoke screen for cheapskates who don't want to pay for an OS. If Vista was priced between 50-100 bucks for the various versions, I think you would see alot of people buying it, whereas people sick of the WGA just don't want the hassle, so they run ubuntu or debian. In a large scale professional environment, I would have to say maintenance of an open source linux distro(ie Not Redhat Enterprise or Novell SUSE) is much more difficult then windows. Microsoft provides a more structured upgrade path, better documentation, and better support. For a small shop linux makes sense, but when your talking 500-1000 servers, I think running an open source linux distro is a bit more difficult.

I'm not really concerned about it for myself, I have plenty of experience analyzing systems and forensic images. I just was wondering if the cert was getting watered down, it must be if people with no experience are getting it.

Yeah, its really wierd, seeing tons of reports about, while certain vendors are saying it is a non-event. We've still only seen a few, that were non-managed systems. Old dats were detecting it as IRCbot or SDbot. Looks like it won't be that bad for most, but should serve to announce loudly which machines on your networks are unpatched/unmanaged.

The current bot/worm is MocBot is supposedly spreading on unpatched 2K boxes using the MS-040 vuln, but still getting conflicting reports about how serious it will be.

I've used Helix quite a bit and the way it logs every action your perform makes it most valuable. The only complaint I would have is that is that it will not automount usb sticks and often will not have the correct video drivers available when booting to linux.

Here's a couple places where you can learn by doing and not from reading a book. They both have been around awhile, so the solutions have been made public years ago

http://www.hackthissite.org/
http://www.pulltheplug.org/wargames/index.html

Enjoy

Not a big fan of having a board arbitrarily decide if you get the certification or not, too much room for politics.

I believe its best practices to notify the vendor and give them 6 months to patch prior to releasing to the public. From all that I've heard, many times they don't respond at all. If they don't do anything it 6 months, post to the bugtraq list or your site of choice.

iDefense and some others also offer payment for previously unkown exploits and I believe they pay well for remote root exploits, as opposed to others like local, priv esclation or dos.

Yeah I figured there would be more too, I found alot of sample policies but not many actual sample forms. Here's a few, hope they help

http://alertsite.com/AlertSite_Security_Scan_Authorization.pdf
http://www.auxs.umn.edu/files/SecurityScanPolicy.pdf

While wireless security is certainly lacking, I think Internet Explorer is the more important vulnerability. There still finding huge exploits in 6.0, wait till 7.0 goes mainstream it will be even worse. IE is the most ubiquitous portal that essentially serves as the gateway to spyware/adware/malware etc. I think that once companies start running a WPA2 wlan with AES encryption and a Radius server, hacking that network becomes extremely difficult and will rely more on trickery then an actual technical flaw.

I would have to say the answer is 4.

The TCP connection process isn't cumbersome SYN/SYNACK/ACK, thats it. Yeah its not a simple as UDP, but really its not "cumbersome" for an enduser in anyway.

Question 4 states bandwidth, however doesn't specifically say network bandwidth. While not completely generic you could interpret that in several ways. In the broadest sense, a given computer only has enough bandwidth to support so many half open connections before it can't take anymore. I would also tend to believe that network bandwidth is directly relevant, as an attacking computer with huge pipe, will overwhelm a target machine with smaller pipe very easily, even though it doesn't take that many packets to create a SYN flood condition.

For anybody who is a long time forensics examiner, what certs are the most valued in forensics. I currently have the GCFA and may attempt the ENCE after I take the training, however I've never heard of the CCE that they are doing the giveaway for. Could some please give a ranking of which ones they feel are the best or most valuable.

Thx

CERT has a very good set of training info freely available online

https://www.vte.cert.org/vtelibrary.html

I'm a big fan of Languard as well, the scan for missing patches functionality is great, however I hate one thing, how it always pops up the yypasswd thing for everyhost.

As far as Nessus, one thing I never liked about Nessus is that you had to set up the server and then run a seperate client. I've only used it on linux, does this newer version on windows still require that?