EH-Net
May 22, 2012, 07:41:52 PM *
  Show Posts
61  Ethical Hacking Discussions and Related Certifications / Malware / Re: Recent changes in SSH attacks on: December 08, 2008, 05:10:29 PM
I read through all of these articles as they've been showing up over the last few months, and as a response I started using knockd.  Check it out if you haven't seen it.  Basically you can set up a "secret knock" for your system before it will open the port in a listening mode.  It adds an extra layer of complexity on any bruteforce attack.
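A minimal sketch of the "secret knock" idea from the post above, added here as an illustration; it is not knockd's code and not part of the original post. The port sequence, the timeout and the sample SYN events are constructed assumptions.

```python
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed knock ports (constructed)
SEQ_TIMEOUT = 5.0                    # assumed seconds allowed for the whole knock


@dataclass
class KnockTracker:
    sequence: tuple = KNOCK_SEQUENCE
    timeout: float = SEQ_TIMEOUT
    _state: dict = field(default_factory=dict)  # src_ip -> (next_index, start_time)

    def observe(self, ts: float, src_ip: str, dport: int) -> bool:
        """Feed one inbound SYN; return True when src_ip completes the knock."""
        idx, started = self._state.get(src_ip, (0, ts))
        if idx and ts - started > self.timeout:
            idx, started = 0, ts              # too slow: progress is discarded
        if dport == self.sequence[idx]:
            if idx == 0:
                started = ts                  # the clock starts on the first knock
            idx += 1
            if idx == len(self.sequence):
                self._state.pop(src_ip, None)
                return True                   # here a firewall rule would open the port
            self._state[src_ip] = (idx, started)
        elif dport == self.sequence[0]:
            self._state[src_ip] = (1, ts)     # wrong port, but it restarts the knock
        else:
            self._state.pop(src_ip, None)     # any other port resets progress
        return False


EVENTS = [  # constructed (timestamp, source IP, destination port) SYN records
    (0.0, "198.51.100.7", 7000),
    (0.4, "198.51.100.7", 8000),
    (0.9, "198.51.100.7", 9000),  # correct sequence in time: allowed
    (1.0, "203.0.113.9", 7000),
    (1.1, "203.0.113.9", 7001),   # sequential scan hits a wrong port: reset
    (1.2, "203.0.113.9", 8000),
    (1.3, "203.0.113.9", 9000),
    (2.0, "192.0.2.5", 7000),
    (3.0, "192.0.2.5", 8000),
    (9.5, "192.0.2.5", 9000),     # right ports, but past the timeout: reset
]


def allowed_sources(events):
    """Return the source IPs that completed the knock, in order of completion."""
    tracker = KnockTracker()
    return [ip for ts, ip, port in events if tracker.observe(ts, ip, port)]
```

Only the first source is allowed; the scanner and the slow client never reach the state where the listening port would be opened.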
62  Ethical Hacking Discussions and Related Certifications / Forensics / Re: The Julie Amero Case: A Dangerous Farce on: December 02, 2008, 11:07:11 AM
This ties in nicely to a previous thread about how forensics groups will basically expel you if you are ever caught working for the "dark side".  (ie. the defense)  This is the perfect example of where someone needed to stand up and tell the prosecution that their case was fatally flawed at all levels, especially their technical analysis.  The lead detective in this case also made one of the classic mistakes in law enforcement.  He stated that he did his work to "help the victims."  That is nice to say, but it isn't actually his job.  His job is to perform a neutral investigation which produces factual evidence.  If that evidence indicates that the "victim" might not be a "victim", then so be it.  As soon as you get into the mindset of being there to seek justice for victims, then you start sliding down that slippery slope of manipulating the facts to fit your theory rather than making a theory that fits the facts.  If you can't gather the necessary evidence to convict someone, well that sucks but it is what it is.  At some point you have to admit that the reason the evidence might not exist is because the person you are going after isn't the person that committed the crime.  In rare cases you might also find out that your victim isn't a victim.  In even more rare cases, like this one, the person you're trying to convict might actually be the victim.  The only feasible way to go is gather the facts and present them honestly.  Oh, but that doesn't work very well when you're a poorly trained, out of your league hack posing as an investigator who is supported by a prosecutor looking for headlines.  In that case maybe you should just do the honorable thing and drink yourself into a coma.
63  Ethical Hacking Discussions and Related Certifications / Other / Re: Do we or Dont we... on: December 01, 2008, 12:57:46 PM
Sounds like you've already demonstrated the business impact.  "I'll work for you on one condition, you give me the $$ to fix this mess.  Otherwise, I leave and you pay a contractor market rates for them to maintain your system."  And just to echo everyone else here, I wouldn't even consider the "live demonstration" tactic.  It'd be just your luck that the first dollar they spend in regards to security is an investigator to track down who broke into their systems.
64  Resources / Career Central / Re: Confused about future on: November 30, 2008, 01:32:07 PM
I think I need to clarify my response because I agree with RR's comment.  You still need to know the basics, I'm just suggesting that you keep your head up and looking down the road in order to figure out a better way to utilize what you know.  If you go out of your way to be the best security specialist in any one area, you are going to start boxing yourself in from a career perspective.  Gurus are always going to be in need and well employed, but if you make the trade off between learning that extra 1% of hard core tech knowledge in favor of picking up a bit more business knowledge, you'll probably reap significant rewards from the decision.  From a corporate perspective, in the rare occasion that they really need a "l337 hax0r", they'll likely reach out and pull in a temporary resource to fill that role.  That's good news if you're a consultant or such and you just bounce from engagement to engagement.  However, if you work for an organization whose purpose is something other than just security (i.e. you are in the security department of a normal business), then they will get more value out of a person that is really good in multiple areas (security, business needs, regulatory/audit, DR, etc) rather than great in one specific area.  There are obvious exceptions, but this is just my observation from working with various clients.  Just sticking with the cloud computing example, your company would rely on you a lot more to provide insight into the pros/cons of moving in that direction, putting together the contracts/SLAs with the providers, and providing long term oversight/audit, etc, rather than hardcore pen testing of the resulting environment.  You still need to know all the concepts, but if you build your career around being the company "hacker guy", then you run a significant risk of having your position go to contractors or consultants.  If you can contribute to the business side, then you have value.  On that note, I'm going to eat leftover turkey.
65  Resources / Career Central / Re: Confused about future on: November 30, 2008, 10:30:18 AM
If you're starting from scratch, why not look down the road a bit and figure out where the industry is going rather than trying to build your skills for where it came from?  There is nothing wrong with focusing on the network or coding sides of the house, but if you still have years to go before you're going to be really active in "real world" security, then try to leap over the whole mess and aim to develop skills that will be in demand in a few years.  Just as an example, start reading up on cloud computing.  Companies are moving over to these environments in a big way, but there are serious security concerns about the whole setup.  Just as there has been a natural progression in security from local systems to networked systems to applications to web apps, the next "big thing" will be massive shared resources.  (Where do you think Google, Amazon, Rackspace, etc are making the highest profit margins right now?) If I was in your position I'd avoid the temptation to be just another hacker, and see if I could be first into the box on these newer concepts.  Just my 2 cents.
66  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Working for the dark side on: November 20, 2008, 06:40:40 PM
There are always going to be cases where one side or the other missed something, but more often than not the defense is going to push for any shred of reasonable doubt based on concepts rather than facts.  It's become very common for the defense to latch onto any shred of malware as possible "proof" that their client did not download that 4GB of child pr0n.  I don't care how security conscious you are, you are almost guaranteed to have some artifact of malware on your system.  There were a couple of high profile cases where the defense argument was based around files that were left behind when the system anti-virus identified a malware and disabled/removed most of the affected files.  Of course it missed some which were left behind but not functional.  The defense argued that it proved the system had been compromised at some time in the past, and it created reasonable doubt because a "hacker" could have used the machine to download the pics.  None of the timestamps lined up, but of course that's because the "hacker" changed them all.  He also arranged all of the pictures into a nice, organized set of folders.  Anyway, in this case the forensics analysts produced the same data (what was on the system) but the defense was based on their version of what that data was saying.
67  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Working for the dark side on: November 18, 2008, 12:43:45 PM
Actually, I have seen this.  There are at least two very well known groups (that I will refrain from naming) that will not accept you into the group, or remove you from the group, if they find out you worked as an expert witness for the defense in a criminal matter.  If you talk to the group members the prevailing opinion is that when you work for the defense, almost 100% of the time you are helping them make their case by challenging the methods or ability of another forensics analyst.  If you are attacking their methods (tools, the science behind data forensics, standard approaches, etc), then you are actually attacking the entire practice of forensics which is bad for the community.  If you attack the ability of the other analyst, then this is often viewed as a personal attack against someone that was trying to catch a crook.  I don't necessarily agree with these arguments, but I hear them a lot.  With that being said, if someone screwed up the case, then they screwed up the case.  Period.  Also, if you do your own analysis and can present evidence that is valid and relevant to the case (ex. you find out that someone's system was actually hacked into and the illegal activities might not have been performed by the system owner but by the intruder) then that should absolutely be presented in court.  However, whatever your motivation might be, as soon as you sit on the other side of the aisle there are just going to be repercussions.
68  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Looking for advice on pursuing forensics.. on: November 16, 2008, 01:32:07 PM
Just my two cents, but really make a point to pick up the education and certs.  The main reason is that if you do manage to move into forensics there is a high probability that you'll end up having to testify.  The very first hurdle you have to get through is the validation of your background.  Having the degrees/certs helps that process quite a bit.  If you don't have those on your resume then you'll probably get challenged by the other legal team, and at that point they'll cook up all sorts of questions to try and show gaps in your knowledge or understanding of the tools and methods.  (So Mr. Coolforensicsguy, please tell me every difference between the ntfs and ext3 file systems, explain the md5 checksum algorithm in detail, and inform the court why your evidence should be permissible since you used Encase but are not certified)  The caveat to all of this is if you end up in a field where you do forensics for malware.  In that role you usually are more of an incident responder rather than investigations.
69  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Metasploit Question on: November 14, 2008, 04:16:03 PM
You're referring to privilege escalation on a machine that you already have some level of access to?  There are a lot of tools you can use for that, but metasploit sure wouldn't be my first choice.  They plan to build it out in the future to do this via the meterpreter tool, but it still doesn't seem to be the best option.  Hell, you could just pick the relevant exploit out of:

http://www.milw0rm.com/local.php
70  Resources / News from the Outside World / Re: Woman sends $400K to Nigerian Scammer on: November 14, 2008, 10:10:41 AM
The part that really confuses me is that someone would get an email from George Bush and it would INCREASE their level of trust...
71  Ethical Hacking Discussions and Related Certifications / General Certification / Re: What's Next After Linux + on: November 12, 2008, 11:31:25 AM
Just my observation from various clients:

-A lot of them know what the CEH is, most consider it a good cert, but a smaller group of the more technical clients view it as a paper cert that almost anyone can study for and take without having a lot of hands on knowledge

-There haven't been many clients that know what the OSCP is, but those who do have knowledge of it hold it in fairly high regard since it is more of a hands on testing process

I am not stating my opinion for either mind-set, this just seems to be what I'm seeing at the moment.  It'd be a trade off.  Take the more well known but less techy cert, or take the less well known but more techy cert.
72  Ethical Hacking Discussions and Related Certifications / Other / Re: Career in Cyber Security on: November 11, 2008, 08:42:52 AM
When you say you are working as an analyst, what exactly do you mean?  That title carries a lot of different meanings depending on your organization.  The reason I'm asking is you should first do some research to figure out what area of security you'd like to move into.  For starters, do you want to be on the keyboard or do you want to be on the business side?  The guys on the keyboard have the sexier job (Ima 'l33t haxor!), but the guys on the business side might have better career options in the long run.  (CIO, CISO, CTO, IT Audit/Risk manager, etc)  It's all dependent on where you'd like to end up.
73  Ethical Hacking Discussions and Related Certifications / Wireless / Re: Soon to be release a tool to crack WPA !!! on: November 09, 2008, 01:31:41 PM
I know this finding has caused a lot of concern or excitement depending on your job description, but be aware that there is a bit of hype around what it actually does.  Some of the analysis that's starting to come out seems to show that the use for the exploit will be somewhat situational. Example:
http://it.slashdot.org/article.pl?sid=08/11/07/1312246
74  Resources / Links to cool sites. / Re: hacker social networking on: May 07, 2008, 08:23:53 AM
my bad. 
75  Resources / Links to cool sites. / hacker social networking on: May 07, 2008, 07:50:14 AM
sign of the apocalypse?

http://houseofhackers.ning.com/
© 2012 The Ethical Hacker Network