Forum Replies Created
October 27, 2007 at 7:56 am #14437
LOL how did you do that? Just kidding. I think Backtrack has a place but it should not be a crutch. I think it’s a good place for those new to Linux to see how tools work. But it’s so important to get beyond that. You need to know Linux inside and out to really appreciate how it applies to hacking. Don’t get me wrong, I love easy and fast. But you need to know how to craft an OS to do what you want. That’s what “hacking” is all about in my opinion. Doesn’t matter if it’s an xbox or some interesting piece of hardware, you need to know how to hack it and make it do what you want. Windows is too restricted.
While on the subject, how many heavy duty hackers even use a live cd? To be honest I have not met one yet. Even the creator of Backtrack installs it as a hard drive install. I asked him why and he told me it’s too slow if you don’t. So, if you are going to run it as a HD install, why not pick your favorite distro and really learn it? There are advantages. You can install new apps with more ease. In my experience it’s easier to customize and upgrade a regular Linux distro rather than some “live” cd versions.
Again don’t get me wrong, I have nothing but respect for Backtrack. It’s an important part of the learning process. Just don’t get stuck on any OS, whether it’s Windows, Backtrack, Gentoo, etc… The idea is we are hackers and work with what works for us.
October 10, 2007 at 4:40 am #13262
Hmm, well I guess it’s a sad truth that anyone that is from Microsoft makes one a little skeptical, but I have to admit I am. I have found it really is up to the Admin and have found Apache as secure if updated and applied correctly. I do understand how someone can react that is very close to something like IIS and even more so if they are involved in writing the code. It’s your baby and you will defend it to the death, but is that really objective? It would be interesting to have someone involved with writing Apache to do a counter to this.
October 10, 2007 at 2:32 am #14369
Hey thanks for posting here. If you have been in linux for years that’s cool. To be honest, I don’t think your choice of books has much value. To be blunt, I think that book is weak!
I love linux with my entire heart but it doesn’t always answer your needs unless you can program. Linux only comes to fruition to those that can tweak and change things. It’s the ultimate “hackers” OS.
Wine is really a drink to get you inspired, not much of a simulator. If anyone wants to pay me, I will be happy to convert windows apps to linux. I was a bit surprised that Cain and Abel never came out for linux, but oh well. The idea is if you are hacking windows, there is an advantage with a windows app. Well, sorry I never believed that but oh well. There is nothing similar and I suppose that’s one more reason to dual boot. Damn you Bill Gates! Your best bet is to collect as many linux apps as possible and try to go from there.
October 9, 2007 at 11:53 pm #14309
It is cool to see this here and thanks for stopping by. I enjoyed having lunch with you and Muts at the Blackhat conference. I am sure everyone here is eager to see BT3 and best of luck with your courses.
October 5, 2007 at 7:06 pm #13649
Yes I agree, comparing a newly certified CEH to a Doctor would be absurd and I certainly didn’t mean to create the impression that I was doing that. I was simply trying to say in a nice way that a newly certified CEH does not necessarily mean he is qualified to practice. If I was looking for a heart surgeon I would rather use someone with years of experience rather than someone fresh out of med school. I see the CEH as a flawed beginning, but I am hoping it will continue to improve.
I have been active in the security field for years and I assume others posting here have also? I mean pentesters that have to try and win a gig doing an audit on a large company. Not people that hack for fun or Admins that only hack test their own networks. Dealing with corporations can be difficult because people there often have a certain mindset. Being able to provide credentials goes a long way in getting the contract for a security audit, at least that has been my experience and other pentesters that I associate with.
I am not sure if I follow the logic of there is no need for a certification because pentesting has been around years before any certification process was available. One could use that argument against any cert then, all the way from a CISSP to an A+. Why do certifications become available anyway? Because people begin practicing in a certain field and soon there are many people with variations of skill levels all claiming to provide the same level of skill. So the certification process becomes available in an attempt to prove or certify a certain level of skill. Am I saying the CEH as it stands today does this? No I am saying that at all. I would like to see this cert improve or another one comes in its place that the majority of us in the security field would say “yes this proves a good level of skill.”
September 29, 2007 at 11:29 pm #14243
Good review and I agree totally. I had a chance to preview the book and ended up putting it back on the shelf of the store. The general feeling the book gives is as if the authors were rushing to put something together. That might be unfair and I do know it takes a lot of effort to write a book, but if you are going to go 80% why not push it a little harder and go 100%?
September 29, 2007 at 10:19 pm #13647
Yes Emanon (or Noname?), you have some valid points, but I don’t agree with everything you stated. Just because a newly certified CEH might not be on the cutting edge of hacking doesn’t mean the CEH cert has no value. For instance, when a Doctor first graduates from Med school he certainly is not qualified to present himself as an expert in his field. Depending on the field he pursues, there might be several years of internship. To dismiss the value of his Doctor “certification” simply because he might not be at a high level in his field would not be justified and nor would dismissing the CEH certification on similar grounds. IMO, a newly certified CEH is simply showing that particular individual has the grasp of the fundamentals of how an attacker might “think”. Now how far a CEH wants to develop his skills will depend on his ambition and natural abilities. As in the Doctor analogy, there are good Doctors and bad Doctors. So ultimately it will depend on an individual’s reputation, rather than simple certifications. The CEH cert is rather new and developing, but it is a needed concept in computer security. Let’s work on improving it rather than throw the baby out with the bath water.
I do agree that perhaps the term Certified Ethical Hacker might not be the best choice. You can’t really certify someone as ethical and the term hacker has so many negatives that sometimes I am tempted to throw in the towel on that one. I can think of a few easier ones for the public to embrace like Certified Computer Security Consultant, etc…
BTW, the next time you know a group of CEHs being asked to crack a Windows XP SP2, let me know so I can be there! I do it all the time as do many other CEHs I know.