former33t

I’ll second this.  The sample you provide is insufficient to determine anything about either the algorithm or the keying material.

That being said, rolling your own encryption algorithm is always a bad idea.  Correctly implementing existing encryption libraries can be difficult (ask the Debian team).  Getting your own algorithm built from the gr…[Read more]

I’d be interested as well to hear your experiences with the CEPT.  I’m equally interested that Infosec Institute is even still in business considering the plaugerism scandal last year…

FWIW, I downloaded the image and extracted the zip file.  This creates multiple .7z files (a multi-part 7-zip file).  Use 7-zip (free) to put them back together.  The whole process took maybe 5 minutes and was far from rocket science.  No offense, but if you can’t reassemble a multi-part archive, even hackme bank is probably a little too advanced for you.

Sorry to resurrect an old thread, but for what it’s worth, I got my RHCSA for RHEL6 earlier this year.  I’d have taken the RHCE, but my company was only paying for the RHCSA.  In any case, the exam was hard but fair.  I don’t know if I’d even bother with the Linux+ exam on my way to RHCSA.  And now RHCSA is required for RHCE too, so in either cas…[Read more]

CEH is great for HR only.  When I do technical interviews, I always ask CEH certified folks how they feel CEH has prepared them to work in security.  Those with other certs (who are on the level) usually tell me that it was a cake walk compared to cert X (besides say A+).  Those who only have the CEH regularly tell me how difficult it is and ho…[Read more]

No offense, but a secret clearance doesn’t really mean anything.  It sure doesn’t cost 60k to fund one.

The cost of living at Ft Huachuca is near nil and you are competing with MI instructors with TS clearances and 20 years of experience.  GD underpays everywhere, but in this case 30k is a gift.  If you don’t take it, someone else will.  IF you…[Read more]

Amen to family time.  Merry Christmas all!

Sorry dude.  I can’t take 30+ minutes of Arabic to see what you are doing to “bypass KIS”.  If you are talking about encoding, migrating processes, or simply killing the AV, I’d hardly call that a bypass though.

If I only I spoke arabic, this would be a great resource.  Can you point me to the specific point in the video where you are bypassing KIS?

Again, assuming I can get a ticket I’ll be there as well.  I was working on a presentation for the conference but school got in the way and somehow passing became more important than presenting….

It sounds like you might be trying to detect illicit software installs on your client machines.  There are much more reliable ways to do that than using a firewall.  Look at client side solutions to protect the endpoint.  These are much more reliable for detecting the sorts of changes you mention.

Reading comprehension ftw:

So the computer has RAS enabled so dad can help out when he’s not around…  he doesn’t need to be an NSA cracker.  He doesn’t even need to be able to hack his way out of a paper bag.  He has access to the machine.  Full disk encryption won’t fix that.  It won’t even help.

If you are worried about him on the comp…[Read more]

So I’ll come full circle with my pricing guess-stimate for this type of work.  When I said $3k, that was a floor value.  I wouldn’t expect anything less than that.  If you are doing your own pentests as an independent contractor, you have to cover your E&O insurance, business overhead, time lost negotiating and drawing up a contract, legal fe…[Read more]

Do you need a pen test, a white box code security review, both?  Do you need someone to hit the webapp from the outside or assess the security of the DB server on which the data resides?  They are very different things with very different pricing structures.  I sounds like you want the webapp tested from the outside.  That is cheaper than pay…[Read more]

I’m generally against reviving old threads, but I’ll keep this message here for the sake of continuity.

I’m a little more than half way through my 60 days of lab time and I can’t say that I’m disappointed.  I feel comfortable with all the material I’ve attempted so far (I’ve coded some exploits before), but I wish I had a better idea of what to…[Read more]

I’ll take a different spin on this.  I’ve been a government employee and a contractor at different times.  Right now I’m doing both.  I have a full time government job and I contract to private organizations on the side (some of the work in the past has been back to the government but I’ve navigated the “conflict of interest” waters with ca…[Read more]

First, who told you that gi bill will pay for these?  I have gi bill and getting them to pay for anything has been like pulling teeth.

I know two people who took this class.  They both had differing opinions.  I think this depends on the instructor.  As for exploits, I think they had to develop exploits for custom services.  They also did case…[Read more]

First, I don’t have any example code to throw your way, but I’d tread lightly on this.  I think there are some legal implications in giving your students bot software.

If you were keeping the whole thing in a lab, you might write some simple bot code that sends packets on command (simulated DDOS) in your university lab and provide students…[Read more]

Congrats.

I’m with Dynamik and BillV on the counter.  On exams that don’t have it (most of them), I keep a tally of questions I “know” I got right, those that I was pretty sure on, and those that I EWAG’d so I can breathe a sigh of relief when I’ve crossed the passing threshold.  I’ve never failed a certification exam attempt, but I still find m…[Read more]

I agree with partek.  Demonstration based exams are worth more than knowledge based exams.  OCSP is a good measure of practical ability needed to perform in a pentest environment and does provide a good benchmark for what you can expect from a certification holder.

The problem with demonstration based exams is that they are expensive.  They ha…[Read more]