|
Ethical Hacker Community Forums
|
|
November 22, 2008, 04:43:57 AM
|
Show Posts
|
1
|
Ethical Hacking Discussions and Related Certifications / Certification / Re: EC-Council ECE System
|
on: November 08, 2008, 11:52:03 AM
|
|
Generally I'm quite happy with the ECE system; it seems a good way of maintaining a certification.
The only addition I would like to see on the Delta system is the exact dates a cert expires and needs renewing; as far as I can see this isn't listed at all.
Also, is there a limit on how many books or podcasts you can use to build up credits?
I am currently doing a computer science degree full time, so it limits my options for building up credits a bit. I'm not sure this counts as higher education, as it isn't directly security related?
|
2
|
Ethical Hacking Discussions and Related Certifications / Programming / Re: Issues injecting shellcode
|
on: November 01, 2008, 07:22:39 AM
|
|
What are you compiling the program with? If you're using Visual Studio it's probably compiling with the /GS switch, which will build buffer overrun protections into your code.
Aside from that I would guess it's some protections in XP. I don't think XP includes ASLR, which would be giving you issues, but I'm pretty sure it has Data Execution Prevention built in from SP2; maybe this is giving you issues.
I would suggest, for learning purposes, going to an unpatched XP SP0 installation, or better, a Linux box.
|
4
|
Ethical Hacking Discussions and Related Certifications / Other / Cryptography Algorithms Choices
|
on: October 18, 2008, 01:40:59 PM
|
|
Hi,
I am making some crypto software for a uni project. I'm using symmetric encryption (block ciphers), and I need to make informed decisions that I can back up with facts on which algorithms to include in the software.
I have decided to offer more than one choice, because if the ciphertext is intercepted it would not be 'as easy' to determine the algorithm associated with it if there are multiple possibilities.
Off the top of my head, I can think of performance and key size as reasons to pick one algorithm over another. Is there anything else I can use to decide? Are there any tools or papers on algorithm performance?
Off the top of my head I would like to use AES-256, Blowfish-448 and maybe RC6-2040? I'm basing that purely off the fact they have decent key size options, and have been in the public domain for a fair while. Is there anything else that I can use in a report to back up my reasoning? Like why I chose Blowfish over Twofish or say CAST-256? There are no end of options anyway.
Thanks for any pointers,
|
6
|
Ethical Hacking Discussions and Related Certifications / Other / Exploit Questions
|
on: September 28, 2008, 07:23:05 AM
|
|
Hi,
I've done a limited amount of research on vulnerability analysis and exploit development, and I have a couple of queries about how relevant typical exploits like buffer overflows and format string attacks are today.
Being more specific, most modern operating systems ship with some kind of ASLR, which from what I've seen isn't at all easy to bypass. I would be interested if there are any papers on how it can actually be defeated? Plus there are things available on top of this like stack protection, grsecurity and SELinux locking things down further.
With this in mind, getting shellcode working in a modern OS seems 'near impossible'? Don't get me wrong, 5 years ago it seemed incredibly dangerous and easy to do. But from what I've read it seems to be getting to the point where all you can do now is crash a program, i.e. DoS.
So am I correct in this line of thought? I suppose crashing a program can be considered just as serious, but being able to execute arbitrary code from an OS-level vulnerability or a running process seems to be fading away? Any other attack vectors relevant to these kinds of vulnerabilities?
Thanks,
Jack
|
7
|
Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Recertification Info
|
on: September 18, 2008, 06:27:46 PM
|
Thanks for the fast reply BillV, I did my certification in May this year, so 3 years it is. I'm still a student at university, so I think my best bet is to write some security articles/how-to guides if they are allowed, and keep reading books, podcasts etc. Hopefully that will keep me up to the required level of credits over the 3 years. Certainly doesn't seem like much point in paying for the exam again if it's only 40 credits.
|
8
|
Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Recertification Info
|
on: September 18, 2008, 06:09:42 PM
|
|
Hi,
Please can someone clarify for me what I have to do in order to maintain my CEH cert?
I have registered on the ECE Delta System, which says I need 120 credits to maintain my cert, so do I have to get these credits and pay to do the exam again?
Or is it a choice of either taking the exam again, or having the 120 points? And is it after 2 years I have to match this criteria?
Thanks for any advice, Jack
|
13
|
Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Exam Question
|
on: March 19, 2008, 06:59:40 AM
|
|
Hi,
I have just been given a code to register for the CEH exam at a test centre, and take the self-study route.
Couple of questions I have: how long is this code valid for? Ideally, now I know I can take the exam, I would like to spend 6 months or so studying now, then register for the exam.
Also, is version 6 of the exam likely to be released within the next 6 months? Or am I fine using all the current material?
Many thanks,
|
14
|
Resources / Career Central / Career Path Advice
|
on: March 11, 2008, 11:05:13 AM
|
|
Hi all,
I'm currently a student (20) doing a BSc in Computer Science, with one year left, and all being well I will get a 1st Degree, after which I might do a MEng masters year.
Now I'm trying to work out some kind of career plan. I'm a good programmer but going into a 9-5 programming job would bore me to death... But I've always had an interest in security/hacking/networking.
I have a CompTIA Linux+ certification, but other than that no real experience in the IT world, as I'm pretty much fully self-taught and have not had the opportunity for any part-time work.
So, is it possible for a UK graduate to get established in a security-orientated career? And what would be the best way to get a foot in the door? From what I've heard, security consultants and pen testers generally have years of experience. So I'm just not really sure where to start off once I graduate.
Also, how does a security career compare pay-wise to, say, a programmer?
Thanks for any advice, Jack
|