wow, that made the EC-Council look like a bunch of money grubbing hacks. Discounting the fact that some of those posters might have been ex instructors, I wasn't that impressesed with Bavisi's post, or the person claiming to be him. The "Mile2" president had a much more professional and concise response. That aside it confirmed my beliefs that the CEH cert is just learning a bunch of tools, but I will reserve final judgement until I take the course and exam. I think everyone on this form should read that blog flame. Of course apply the usual internet skeptism. But I can't help when reading it and think that the EC-Council are scamming chumps who put out dated courseware with lots of errors.

wow, heated discussion on that blog.  i remember seeing that when it came out back in May/June.

i'll throw my opinion in here about it.

*I think there are very very few certs out there that should bring the word "expert" to someone's mind when they see it in someone's signature block.  one's like CCIE and the RHCE come to mind.  Ones like CEH, CPTS, CISSP, etc do not come to mind.  they should mean to someone they have a broad general knowledge of those types of subjects and that they passed a test demostrating that. 

*All certifcations are out to make money, no cert vendor does anything not to make money.  its stupid to sit there and say that company x is only doing this for the money, or company y is greedy.  they all want to make money with their cert. 

*If i recall correctly, and i may be wrong, aside from some of the SANS training and certs, CEH was the first mainstream attempt at a hacking cert.  If anyone has never tried to write any type of course, lesson plan, documentation, i can say from experience that its hard and takes a LONG time to do it right.  Does that excuse EC-Council from plagerizing and lack of grammar in its text, no, but  as someone who has written course material i can see how it could come about.  its also very easy to come after someone has written courseware and say that it sucks and how they could do much better (Mile2--and they did) but its much harder to actuall CREATE that material in the first place.

*I have said it before and i'll say it again.  a 5 day bootcamp is not going to make anyone an expert.  and it seems like alot of the comments in that blog are from people that thought they would be coding up exploits and hacking the planet on day 6, that's just silly. 

*Also from experience with bootcamps i doubt that most people really have the background required to get the most out of a real hacking course.  while this doesnt condone just teaching tools, again i can see how you can get led down that road.  you could spend a  whole week talking about  networking before you ever get into using tcpdump or etheral and to really understanding how a packet crafting tool works and what it can really be used for--that could take another week.

*teaching exploits on old OSes. this one comes up a bit all over the place. an exploit is an exploit is an exploit...a remote exploit on Windows 2k in the grand scheme of things is the same as an exploit on Windows 2003.  if you arent going to go into painful detail of the differences of exploiting things on the different OSes, the getting a remote shell on a Windows 2000 box is the same as Windows 2003.  what you do with that shell is really what's important and not really discussed in any of those courses in great detail.  another good reason is that there arent that many reliable exploits for win2k3 out there in the wild.

I guess that's enough of that, i am interested in what other people think about the blog.  Frankly i think people expect too much out of a 5 day course and expect to be spoon fed all that knowledge at the same time.  becoming a good security professional takes YEARS of work, studying, breaking things, getting stuck on a problem and working thru it, and just having the interest to keep plugging on thru it. 

hope that makes some sense and helps someone...

oldDB,
excellent comments and i agree with you completely...

It is crucial for a cert vendor to not be a cert mill and be on the up and up.

they should trim down the tools, you dont need to discuss 10 different port scanning tools when most people use nmap.

now one thing i forgot to mention is that while EC-Council "certifies" the instructors to a point ( i think they have to take an official CEH class and pass the test), if people are getting crappy CEH training its not necessarily EC-Council's fault its the company that is conducting the training. EC-Council should definitely respond to complaints and either take away that companies ATC status or decertify that instructor if they arent on the up and up

I couldn't disagree with you more. Does a Comp Science degree from MIT or South Hampton Institute of Technology hold more value or credibility? I think you know the answer to that. Its for that same reason, I'm pursuing a graduate degree from a well known school over several years, while watching my coworkers get an MBA\Masters in 1 year by writing a life paper, attending   classes that count as 3 credit hours but only meet once, and getting a diploma with a college name on it nobody has ever heard of. Credibility counts. By your logic, If I created a kick ass cert and named it Certified Elite Hacker by the ODB Council it would hold the same value as a real CEH, just because I made the test interesting and valuable. So I would personally like a little more transparency on who the EC Council is and what their qualifications are exactly. The blog flame casted serious doubt on them as a bunch of name droppers and possible scammers. Also, just to make it clear, I'm not bashing the test itself, as I have never taken it. I will defer to your guys knowledge, however it appears early on errors have a been a problem, which happens occasionally with other certs as well.

Well I once read a blog that claimed that all of us humans were being raised for alien food. Internet anonymous blogs really have little value to me no matter how well written they might be.  Any way, I think I need a little more credible independent research before I jump to any conclusions or develop grave doubts.  I still maintain that I have heard only good things from people that actually have had dealings with the EC-Council.  Their test is credible and its not something you just send them money for.  A diploma mill makes it easy to get a diploma by just paying them money. The EC-Council test is not a lay down. It’s not easy. You have to have a reasonable amount of knowledge to pass it.  I am reserving judgment until something a little more substantial is revealed  about them rather than some internet anonymous blog.  Perhaps Don can request  a spokes person from there to make a post?

I found that blog and posted a reply somewhere near the bottom. After doing so, I found that you can go to ECC's site and maneuver your way to 'Press Releases.' That has some information in there that counters a lot of arguments from that blog against ECC. Also, CEHv5 is written much better than v4.