Certisfaction: The IT Training and Certification Blog

A clearinghouse of wit and wisdom by preeminent leaders in the IT and InfoSec training space. Regular subjects include: IT Certification, meaningful training tips, Norse myth, Wabbit hunting, CISSP exam tips, the relationship between information security, space colonization and "cool", and, of course the internal workings of the certification industry.

Author: intense school marketing (http://www.blogger.com/profile/02438322305428091218)
Feed updated 2024-02-20T19:19:46.881-08:00


Data vs Life.
Published 2010-01-09T09:43:00.000-08:00; updated 2010-01-09T09:59:13.060-08:00

In my opinion, data that people generate in terms of the movement of their lives should not be owned by gatherers of this data. Photographs are a separate argument but will eventually become part of this too. Google has long had an engine to connect cell phone photos to objects.

Some of my friends accuse me of conspiracy theory stuff, but I really am not. I do not subscribe to the idea of a separate little group that runs the world (I am not by definition a Republican). I do think "the invisible hand of the free market" nutjobs are being socially engineered. And experience shows there is always one more legal level to reach for.

Collecting data is one thing because we give it up of free will. If database management systems could be controlled by one entity, we are all screwed. But it is after all a brilliant business play.

http://developers.slashdot.org/story/10/01/09/136244/Why-Oracle-Cant-Easily-Kill-PostgreSQL?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+Slashdot/slashdot+(Slashdot)


Relativity theory of training and travel
Published 2010-01-09T03:27:00.001-08:00; updated 2010-01-09T03:32:19.234-08:00

Instructors that travel confront several issues and there are both good and bad. I always chose to view it optimistically. A bootcamp is just one long day at work, but then being at home is several days in normal time that I can enjoy with my family and keep my skills sharp for the next class.

But this is a relative view, since the one long work day I share with students is still 4-8 (or more) days for others in the real world. It is something that can be managed but requires specific effort.

If you are a student preparing for a bootcamp class, make sure you do these two things above all else:

1. Tell your family and friends about it and explain the investment. You will drop off the planet for a while in their concept of time; they have a right to know why you are doing this and what you are getting out of it. They will become your encouragement and support structure if you establish expectations in advance. At work, delegate all pertinent tasks and remind your boss to leave you alone. "If he is paying for it, you want to make the most of it" is a simple but effective argument.

2. Set a designated time to call someone at home each day. Spouse, children, friends, or coworkers. Stay connected but be in control of this communication. No emails or text messages during the afternoon lecture as that will cost you 10-15 questions on the exam at least. But if you show you are willing to make time to contact the people who are important to you, it will be easier for them to understand rule number 1.

Travel training for a living is both very difficult at times and extremely rewarding. For students that only do this occasionally, your instructor can be a great resource for how best to approach this area. Your personal comforts and family needs must be part of the equation if you are going to be able to dive into the studies distraction free.

Preparation makes this possible.


Considering Privacy and Copyrights
Published 2010-01-05T09:06:00.000-08:00; updated 2010-01-05T09:19:22.714-08:00

My friend Mark brought up one of my favorite topics, "Airport Security", and this always leads to a discussion of privacy rights, another of my favorites.

It is my belief that no one should legally hold the copyright to information about personal lives or habits. Consider the following statement: "We’ve found that they might also suffer from an illusion of control bias that makes them unable to distinguish publication control from control of access to personal information"

Your credit report, and all of its contents, should belong to the human subject. Your shopping patterns, search patterns, and GPS patterns should also be owned by you. I don't think this is the same as a photograph or sound recording, which are completely different debates.

We (I included) give up so much data in exchange for free services (such as posting on this blog), and it would be intellectually dishonest to think these products would not turn into a business model. Be careful: if we are asked to sign away licenses, how far would that fine print go?

http://www.computer.org/cms/Computer.org/ComputingNow/homepage/2009/1209/W_SP_NudgingPrivacy.pdf


Taking Tests, Social Engineering and Acting....
Published 2010-01-03T05:24:00.000-08:00; updated 2010-01-03T06:57:18.215-08:00

My 2.6 year old daughter was approached by a talent scout in a shopping mall. The friendly man said, "She is cute, she should be in ads or movies." He gave me his card, I gave my number and a few weeks later we had an appointment.

On a lark we went. No money for this, my wife and I agreed. It is either a scam or an adventure.

When we got there the agent said "Before they can read, they only go off looks and you never know what they want. But you (considering me) could be an Italian, Latin, French, Irish ..... 30% of all movies are filmed in Utah because it's a non-union state and all they have here are blond haired blue eyes. You have a real shot."

He asked me to read a few lines but here is the good part. During this interview the agent subtly explained two things: "When they ask you to mark, say your name and the agent that represents you"; the second: "Don't memorize the lines, just do the scene".

After some more small talk about what extras are paid and so on, he gave me the lines and left the room. My assignment was to look them over for awhile and prepare a short demonstration.

When he came back in he said "Mark!" I stated my name and his company. "Action when ready". He was clearly just seeing if I could follow the most basic of instructions. Internally I laughed because so many of my students are too busy checking email or sharpening their highlighter weapons to listen. I notice this and utilize the data in every class.

I read the scene, I sucked because I was being tested. Just playing around for fun I could do that scene pretty well. I thought about students taking tests, it's not much different really. During class reviews we prove this over and over, that when not being tested people usually exceed expectations.

He said "Let me help you and let's try this again...." then he proceeded to create an emotional place I really didn't want to go that fit the words of the script. I did better this time, but still with hesitation and again didn't follow the second instruction. I tried to memorize and pass the test rather than just doing it.

He tried to sell me acting classes.

This is what trainers understand; some students come to learn and others come to be made to realize they already "know" and just have to be more flexible. In both cases, the mind has to be opened and challenged, made uncomfortable at times, then encouraged.

It's far easier on my side of the projector where I usually sit.

We went there on a lark because my daughter was recognized in a mall and what parent doesn't think their kid is a potential rock star? The switch happened and perhaps I was the target all along. Clever social engineering notwithstanding, the price is actually reasonable. Not every risk is a threat; I might do it just for fun. If I start acting out movie scenes in my classes like my friend and mentor Larry does, you will now understand where this comes from.

What I took away from this most of all was a reminder I give to you: Next time you take a test, don't be tested, just answer the questions and see where you are. You might pass or you might fail this particular benchmark, but that is all it is. You ultimately decide your own settings and spoil in the rewards of earning having exceeded them.

But you first must play the scene and find out where you rest.


Holiday wishes:
Published 2009-12-13T03:34:00.000-08:00; updated 2009-12-13T03:40:23.581-08:00

As I write this I am enjoying another Stromboli in a restaurant in Philadelphia. They claim to be the inventor, and I would not doubt them because it is awesome. I always try to eat the local food in new places. It's a benefit of the job and I must say that occasionally this is a mistake, but 9 out of 10 times this is far better than the standard chain blah.

For one thing, you get to hear a few stories.

I am in the middle of a three week 20 teaching days in 21 days (the one day off is travel) stretch of 10 hour days and the sound of my own voice is getting on my nerves. But I love the challenge. The students are always people I am happy to have met and today we completed a CISSP class. Tomorrow they will take their exams while I take a train to DC and prepare for a new set of ECSA/LPT students. I also miss my family today, and that puts me in a reflective mood.

As I wait for my order and nibble at some garlic bread I overhear a conversation between the waiter and a regular, each with a thick “Jersey” accent. I enjoy accents, and this one definitely has its own special character that seems to be in touch with living through both hard and good times. The customer says he just got laid off after 40 years at the same company.

My political beliefs about what the source cause of things like this are and the many debates I enjoy with my misguided friends that disagree are suspended for this moment. I would like to think that his experience would be good for something. So I am hoping to overhear some good news in this story.

In reflection I wonder that with all of the complaining I do about things that are beyond my control there is one thing I can absolutely do as an activist, as an evangelist, and as a teacher by profession. I can tell people every chance I get: "Pardon my bias; but one way or the other, please keep learning new stuff. Change it up, expand and live. Be available for challenges, sacrifices and changes. They need it, and you need to do it".

To be fair this can be a hard thing to do sometimes. I do not feel that those who choose a simpler life should be punished for it. There is always a part of me that frankly wishes for it on some days. And this gentleman, 40 years a wise expert in what he knew how to do, will either have to find a new path or he might just get a job tomorrow with the competitor. I don't know. I never got to hear the rest of the story. But I cannot help but wonder if at some point he just stopped growing.

I have no idea if my conclusion is at all relevant to this man's situation or a reflexive response to the predicament I find myself in. But …..

My holiday wish to all: Stay curious. Learn new things next year and never underestimate your capacity to do so. Then next year, share what you know. In this world this is your only "job security".


White House security breaches and Balloon hoaxes
Published 2009-11-30T15:14:00.001-08:00; updated 2009-11-30T15:45:21.947-08:00

The two that broke into the White House have done this sort of thing before; they take the Captain Janks idea (a frequent crank caller to popular media shows and contributor to the Howard Stern show) a few steps further by actually being there. In this case, simple social engineering accomplishing a physical breach in places this absolutely should not happen is the joke.

The recent balloon hoax, where a large balloon was launched into the sky with a fictional child trapped in the basket below (he was later found safe but hiding), had caused rescue efforts to waste resources and time. The media was fixed on it in a way similar to watching OJ Simpson's Bronco glide down the road doing nothing for several hours.

Tiger Woods, popular golfer and manicured by a force of public relations people to be the perfect celebrity, showed he was human and made a "gasp" mistake. It was an interesting one: after a fight with his spouse he crashed his car into a tree. Tiger is doing the opposite of the others in controlling the story; he is trying to hide from it. He is worth an estimated billion, and there are a lot of people that suck off his success that do not want his archetype tarnished. This only makes the media more curious.

ISOC recognizes six elements to social engineering: Authority, Scarcity, Liking, Reciprocation, Commitment, and Social Proof. Perhaps a seventh principle should be added: Entertainment.


Should Windows be Free?
Published 2009-11-19T06:26:00.000-08:00; updated 2009-11-20T04:12:07.774-08:00

There are different meanings of "free" in this conversation. As the phrase goes, "Free as in speech, not as in Beer". In one case free refers to open sourcing the code, and in the other, it means being available free of cost or licencing fee.

I suppose my question could be interpreted either way. In the free of cost point of view, they did it with IE back in the Netscape era, and giving away Windows would certainly impact competition with Linux and Apple.

Some argue that Microsoft's own practices propagate many of the security issues we have today; for example, if Windows was free this wouldn't happen (http://www.pcmag.com/article2/0,2817,2355982,00.asp). We would also not have to worry about Virtual Machines being considered entirely new instances of the computer. The world would be such a simpler place if there was no need for hacked copies of Windows operating without security updates. How much of the botnet activity on the Internet can be traced to this? Consequently, I would be out of a job, as would entire research companies.

I won't get into the economic dilemmas of solving problems entire industries are built around, but the term "disruptive technology" comes to mind. What would be more disruptive than an Open Source Windows OS? If Windows 7 was believed to be secure, and the average price of a laptop or desktop was nearly a factor of 10 less than Macintosh ($300 vs $3000 after hardware upgrades), how would that impact Apple? If the Open Source community were willing to use Windows, would Linux be necessary?

Either way, an alternative revenue model would have to be created. Programmers deserve to be paid too. Whether this would be any better or worse than what we currently deal with would remain to be seen.


CEH Review Guide is Released !!
Published 2009-11-16T10:57:00.000-08:00; updated 2009-11-19T06:49:16.885-08:00

The process of writing was extremely interesting. Being my first one, I learned a lot that will make the next one twice as easy so I definitely hope to do this again. Thanks to Larry, Nick and Barry for their help along the way.

Cengage was a great publisher to work with as well. So if any others out there get the chance to write for them, I highly recommend it.

The book is available on Amazon. The ISBN number is: 1435488539


A Reminder About Using Wifi On The Road
Published 2009-11-13T09:13:00.000-08:00; updated 2009-11-19T07:11:45.122-08:00

A while back I performed a test using my AirPcap NX on an airplane that was offering GoGo inFlight service. I sampled about 3 minutes of traffic in Wireshark and parsed it using a tool called "Network Miner".

Short story, I saw that people were using Facebook and in two cases could connect photographs I captured to people on the Airplane. Others were booking Hotels for their business trips (presumably), and some were logging into places that revealed passwords because they did not first establish a secure tunnel. That is as far as I went with the test; the point was made.

I got to thinking about how many mobile devices such as Cell phones come with WiFi connectivity. Perhaps to save on data costs, they could be set to automatically switch to Wifi when a network is available. This means a cell phone that is normally extremely difficult to breach would be placed on an unsecured network and become susceptible to sniffing, MiTM attacks, and the whole gamut. Why on earth would anyone want to do that? Buy an unlimited data plan and turn WiFi off.

Keep in mind that public wifi is still public wifi, even when you are using a phone instead of a laptop. The Airplane technology mostly wants you to stay on the gateway long enough to give up a credit card and pay the $10; after that, you are on your own unless they change the technology.


Teaching Abroad - Germany
Published 2009-11-12T15:15:00.000-08:00; updated 2009-11-19T06:58:20.298-08:00

I recently completed a trip to Germany to teach a CEH class. This was my first experience there. It turned out to be a wonderful place and the entire process could not have been better or more enjoyable.

A couple noteworthy items for future reference:

The battery life of a netbook + its portability were invaluable on this 15 hour flight. I got a lot done and hardly noticed the time.

When renting computers for a classroom in another country, specify English. Our version of XP in the classroom computers was German, and so were the keyboards. We worked through it, but thankfully the students were good sports about it and mostly thought of it as funny.

Also, get to the location a day early or leave a day later. The class will take up all your time, so be sure to play tourist and see some things too.

Third, since most of what we do in CEH is illegal in Germany, even to possess the tools in some cases.......well I am not quite sure what to do about that :)


Intense School featured on "The Today Show"
Published 2009-10-29T03:49:00.000-07:00; updated 2009-12-30T03:55:29.979-08:00

We were asked to do a piece on the insecurity of wireless networks. The cameras came into our CEH class for some footage, and I was interviewed, but none of that made the final cut. Our friend Chris did a wardrive in Houston and did a great job giving them the demos and soundbites they were looking for.
It turned out to be a pretty good piece.<br /><br /><a href="http://today.msnbc.msn.com/id/26184891#33530153">http://today.msnbc.msn.com/id/26184891#33530153</a>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-2637504783843750524.post-31814670486635153872009-10-22T18:17:00.000-07:002009-10-22T18:39:41.670-07:00Should practices tests be perfect?We have had many conversations behind the scenes about this topic. There are no shortage of questions about the ethics and proper use of practice questions in technical training. I believe in them, but should they be always perfect, clean and error free?<div><br /></div><div>A perfect practice exam is far less confusing to a student, and there is no question that incorrectly marked answers keep a learner off balance. But the other side to that coin is that a few curve balls, perhaps 3-5 in 100 questions, discourages memorization and promotes discussion in class.</div><div><br /></div><div>Ultimately whether or not practice questions are an effective learning and assessment tool is almost entirely left up to the way a student handles them. Memorizing is actually the hard way to do things, and it leaves the student rigid and unprepared if the actual test is off by as much as one word on a relatively simple question. </div><div><br /></div><div>Understanding the exam concepts is the shortcut, because much of the time even questions where all the noise and trivia are not familiar to the test taker, the answer can be figured out from knowing what the question is trying to communicate. </div><div><br /></div><div>Many will disagree and I will be criticized on evaluations for having practice exams with a few errors in them, but I am for anything that requires the student have to assess their own confidence in how they are really understanding the material. 
This is not to say there will always be errors in my tests, but there might be. I'll never tell.</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-2637504783843750524.post-30258468018668685952009-10-20T07:09:00.000-07:002009-10-20T07:31:52.167-07:00Two Tenets of TeachingThere are two things a person must accept before agreeing to be an instructor:<div><br /></div><div>You cannot call in sick during a bootcamp. (This one comes to mind because I am battling a head cold that all the masking agents in the world can't get rid of.)</div><div><br /></div><div>The second one is a bit more complicated. To borrow a phrase from "A Course in Miracles": "All human expression is either love or a cry for help".</div><div><br /></div><div>This might be a bit dramatic for a classroom environment, but the point is that most of the time a frustrated student is really just a curious one who hasn't found a way to line up their perceptions with the material. The instructor must never take this personally, even if he is personally attacked in the process or the course itself is scrutinized to the point of missing the point.</div><div><br /></div><div>Usually one good eye to eye conversation can resolve this issue. Do not wait until the last day of class to have it. Note to students: ask for this conversation. Instructors: watch out for the need for one and be proactive about it. The outcome is almost always improved if the right amount of empathy is involved.</div><div><br /></div><div><br /></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2637504783843750524.post-68599283326750607362009-09-28T05:15:00.000-07:002009-09-28T05:30:05.673-07:00Hacker Halted Wrap-upThis morning I have returned from HH and must get back to work. As always, I had a great time at the conference, and want to congratulate EC-Council on their hard work putting it together. 
Some of the highlights were:<div><br /></div><div>Awards: Steven DeFino is "CEI (Certified EC|Council Instructor) of the Year" for the third year in a row and Intense School is the "North American Authorized Training Partner of the Year" for the second year in a row.</div><div><br /></div><div>Cruise: Terremark sponsored a large yacht and invited 350 V.I.Ps aboard for a 2 hour cruise that finished at a club in Downtown Miami. It was a perfect evening and the crowd included CEHs from all over the world. It was a party, 'nuff said.</div><div><br /></div><div>Talks: Too many good ones to write about them all. It's always fun to take a few days to listen to others talk about security for a change, and I picked up on a lot of new ideas and learned of some things I will blog more about as I research them further. Virtualization and cloud computing, cyberwarfare, and online fraud were topics that received coverage from a few different angles.</div><div><br /></div><div>In short, try to plan on being there next year if at all possible. I think you will be glad you took the time, and you will leave with much to think about and inspired energy to expand your studies in new directions.</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2637504783843750524.post-31156250116848037302009-09-25T14:45:00.000-07:002009-09-28T05:15:39.061-07:00Hacker Journals - Examples fast and noise freeOne of the most frequently asked questions I get is "What is a good website I should be visiting for news, downloads, videos and all things related to security?"<div><br /></div><div>The intent behind this question has changed a bit over time. It used to be that I wanted to provide a long answer involving podcasts, blogs, RSS feeds, ways to search YouTube for videos and an explanation of the hazards of downloading "hacker tools" without looking through the source code first.</div><div><br /></div><div>These days, time constraints are increasingly discouraging security professionals from staying informed. 
There are too many resources and too much noise to get through. Here is the solution:</div><div><br /></div><div>http://www.hackerjournals.com</div><div><br /></div><div>This is a clean, easy to read, noise free aggregation site that combines all of the above into one resource. It's still a fairly new site, so give it some time to fill in more content. But I highly recommend it as a book start page or favorite already.</div><div><br /></div><div><br /></div><div><br /></div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-2637504783843750524.post-51756322857278908532009-08-16T18:33:00.001-07:002009-08-16T18:49:18.132-07:00Series (2 of n): How practice questions workThis series was introduced in a post on August 5th.<div><br /></div><div>This installment addresses the approach to creating the questions. Reverse engineer the process; the best way to understand technical exams is to try to write one yourself. Keep in mind the following criteria:</div><div><br /></div><div>You want about a 65% average score the first time they take it, assuming an appropriate audience. Too easy a test is a waste of their time and too difficult a test is a transparent display of how much you think you know or can look up on Google. The practice exam is a teaching tool, first and foremost.</div><div><br /></div><div>Now, consider this simple approach to just one individual question:</div><div><ul><li>What do you want the tester to prove he understands?</li><li>Is this better asked directly or indirectly?</li><li>Should they identify the right answer or eliminate the wrong ones?</li><li>Is this a question where distracting noise is appropriate, or should you just keep it short?</li><li>What objective of the final "real exam" goal is this practice preparing them for?</li></ul></div><div>Every practice question can take from 10-30 minutes to create from concept to explanation. In a business day then it would be productive to crank out 30 questions. 
The real questions might have hours of argument from a board of brains behind them. These aren't just made up random trivia; each must be thought through. Each question and false choice has a purpose.</div><div><br /></div><div>Now, as you are studying for your next exam....try to anticipate what really seems to capture the truth and presence of the class. Step into the shoes of the psycho(metrician) and ask what would it take to fool...you.</div><div><br /></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2637504783843750524.post-91235893814754877132009-08-13T14:43:00.000-07:002009-08-14T06:26:44.580-07:00Process Oriented ProgrammingOftentimes in the CISSP and Security+ classes we are confronted with the need to come up with examples that illustrate detailed terms that don't translate well into "business language". <div><br /></div><div>Some things would just suck if they were to happen. And explaining this to a cost/benefit manager is sometimes an exercise in awkwardness for both parties. Here is a good example for the "programmery" (my term) knowledge domains in CISSP. 
The ones where we get into the weeds about registers and processes and so on:</div><div><br /></div><div>Follow this link <a href="http://www.physorg.com/news169133727.html">http://www.physorg.com/news169133727.html</a></div><div><br /></div><div>This is a practical example of injecting instructions into a process while it is running. Voting machines make an example that everyone can understand, not just those who work on the secret systems most will never see.</div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2637504783843750524.post-51040789614509383432009-08-07T18:52:00.000-07:002009-08-07T19:01:30.600-07:00"How to solve it"While researching a test question about virus scanners I ran across these ideas regarding "heuristics". They came from a book written in 1945 called "How to solve it".<br /><br />These are probably the best four suggestions I can give a student on how to deal with the CEH/ECSA/LPT materials. Remember first off that perhaps the most fundamental heuristic is "trial and error".<br /><ol><li>If you are having difficulty understanding a problem, try drawing a picture.</li><li>If you can't find a solution, try assuming that you have a solution and seeing what you can derive from that ("working backward").</li><li>If the problem is abstract, try examining a concrete example.</li><li>Try solving a more general problem first (the "inventor's paradox": the more ambitious plan may have more chances of success).</li></ol>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2637504783843750524.post-33474722426869324682009-08-05T07:38:00.000-07:002009-08-16T19:14:40.374-07:00Series (1 of n): Using practice exams effectively<p class="MsoNormal" style="MARGIN-BOTTOM: 0pt; LINE-HEIGHT: normal"><span style="FONT-FAMILY: 'Georgia','serif'; mso-fareast-: font-family:'Times New Roman';font-size:12;color:black;" >Part of the current book project I am doing involves writing practice questions. 
In doing this I have put a lot of thought into the topic and wanted to share some of that here.</span></p><p class="MsoNormal" style="MARGIN-BOTTOM: 0pt; LINE-HEIGHT: normal"><span style="FONT-FAMILY: 'Georgia','serif'; mso-fareast-: font-family:'Times New Roman';font-size:12;color:black;" >First, just to get the controversial part out of the way, I believe in practice questions. They are ethical and it is fair to try to get them as close to the real thing as possible, at least in terms of scope, style, and difficulty level of the real test. That is my opinion and other instructors might disagree. </span></p><p class="MsoNormal" style="MARGIN-BOTTOM: 0pt; LINE-HEIGHT: normal"><span style="FONT-FAMILY: 'Georgia','serif'; mso-fareast-: font-family:'Times New Roman';font-size:12;color:black;" >A risk of providing practice exams is realized if the student subconsciously understands them to mean "The instructor is essentially taking this test for me; if I do what these questions say I will pass." I say subconsciously because I have never heard a student actually say this out loud, but I can tell by the way they ask questions about the exam and their general preparation habits when this perception is taking hold. This is the source of the understandable criticism of practice tests, but it can be managed and handled correctly.</span></p><p class="MsoNormal" style="MARGIN-BOTTOM: 0pt; LINE-HEIGHT: normal"><span style="FONT-FAMILY: 'Georgia','serif'; mso-fareast-: font-family:'Times New Roman';font-size:12;color:black;" >As I write the questions for the book, I am placing in some controls. In the interest of security-open-source-minded full disclosure I don't mind explaining them. The best cryptosystems are well known and understood, but are still hard to solve. That is a good model for practice exams as well. 
Along the way, discussions about real exams are likely to be brought up as well.</span></p><p class="MsoNormal" style="MARGIN-BOTTOM: 0pt; LINE-HEIGHT: normal"><span style="FONT-FAMILY: 'Georgia','serif'; mso-fareast-: font-family:'Times New Roman';font-size:12;color:black;" >To keep the blog postings reasonable in size, I will address specific topics of practice exams, and how to get the most out of them, over the course of several postings. In case you are working on some right now, start with this thought:</span></p><p class="MsoNormal" style="MARGIN-BOTTOM: 0pt; LINE-HEIGHT: normal"><span style="FONT-FAMILY: 'Georgia','serif'; mso-fareast-: font-family:'Times New Roman';font-size:12;color:black;" >“Practice exams are extensions of lab, lecture and other learning modes. Not replacements for them, and not shortcuts to avoid them.”</span></p>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-2637504783843750524.post-41046826502008319532009-07-20T07:56:00.000-07:002009-07-20T09:24:15.327-07:00Never forget to enjoy ideasOn a personal note, this weekend was a birthday celebration for both me and my daughter. I am 40, she is 2. A recent student is enjoying a commencement for his bachelor's degree with his family in AZ. In one weekend he is recognized for both this and a new ECSA certification. He also has a great personal story.<div><br /></div><div>I am on cloud nine for a number of reasons.<br /><div><br /></div><div>My daughter's presents involved a lot of assembled parts. She (who understands remote controls, cell phones, and will not fall for fake laptop toys versus dad's office computer) tried to help assemble her own presents. Those moments were so much damn fun I can't begin to get into it.</div><div><br /></div><div>I was reminded of a quote from Mr. 
Rogers many years ago: "Play is serious business for children. It is how they learn." (If you don't know who this is, please wiki 'Mister Rogers' Neighborhood'.)</div><div><br /></div><div>Is this much different for adults? We often forget to play with ideas. We forget to have fun doing what we do. Even the most dry and boring compliance thing can be approached with the curiosity and wisdom of a child that has not yet learned the "I don't care about this crap, just give me the answers to the test" attitude. Our discipline depends upon this.</div><div><br /></div><div>Nuance in information assurance is a Mandelbrot formula. There is always something else buried in the details. The only way to enjoy tackling a challenge is to understand how to play with it.</div><div><br /></div><div>My friend Jason, who just graduated, has this spirit too. I was glad to have met him as he is the very definition of this principle. My daughter is a person I cannot possibly be more proud of as she teaches me what it is like to grow up in this age, and reminds me about what hacking is really about.</div><div><br /></div><div><br /></div></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2637504783843750524.post-20466886196196634082009-07-17T14:57:00.000-07:002009-07-17T15:41:00.840-07:00Students are evolving faster than the courseware changesFirst I would like to thank two very recent classes, one in DC (CEH) and the other in Atlanta (ECSA), for a great time. The fact that those classes were successful was all to the credit of the students. 
They were loose, understood the concept of how a "hacking" course really works, and enlightened each other with different points of view. Even the non-related discussions we had at breaks were educational.<div><br /></div><div>During my CEH class in DC I was talking to another instructor, Claude Williams, a CISSP instructor extraordinaire who has perfected his delivery of that class. I was picking his brain about courseware updates and I brought up my theory that eventually, printed courseware will be outmoded. "Liquid materials" are the next step for training: courses that evolve and are flexible.</div><div><br /></div><div>I based this theory on a number of issues that I couldn't get into at that moment. He asked me "Do you think this is a good thing?"</div><div><br /></div><div>I paused for a moment because I had actually never assessed it that way. I just assume it is happening so accept or die. But the truth is that changing courseware "on the fly" plays havoc with a lot of logistic elements of the training industry behind the scenes. It made me realize that the real reason I think fluid courseware is a necessity is not that the subject matter really changes much over time, it is that our students change. 
Their environments are not the same as they were even a year ago and they are coming into class with different perceptions of the subject matter.</div><div><br /></div><div>For example: One of the students in my CEH class mentioned that the tools he uses at work do so much work automatically that he has no idea what is really going on. I felt like an old man about to give that "When I was a boy I walked uphill both ways barefoot in the snow" speech when I said "When I was a young pentester, we used to have to put effort into network mapping and assessments."</div><div><br /></div><div>I give this guy a lot of credit for understanding that the ease of use in his tools is not representative of the actual events taking place. But this was also an indication that he would have an entirely different way of looking at the material than those in the room that had no idea what we were even talking about. I worried that one of those students would get hired one day at a company that does robo-pentests and, with adventurous excitement, expect to apply the skills he learned in CEH, only to be laughed at and told, "No, just enter this data and click this button. Left click to be specific".</div><div><br /></div><div>About every third class I get a student who argues "Routers don't pass ICMP". 
Before I get frustrated I consider why he would say such a thing. It is because in his world this might be the truth, and all he has ever seen.</div><div><br /></div><div>Training classes are not about validating the students' experiences. But the curriculum must be adapted to these perceptions. Otherwise those of us in the adult certification training world will be labeled as "academic dinosaurs".</div><div><br /></div><div>This is why I characterize my students as teachers. It is why some instructors run classes a bit loose and stress free. We appreciate the contributions we get when people relax and participate. The stories of everyone's experience, including life experience, enhance the course. Then we turn that around to keep improving every class, even if the printed courseware has not changed.</div><div><br /></div><div>I think at some point though, it will have to be this flexible in terms of materials also. The turn around window is getting smaller and smaller.</div><div><br /></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2637504783843750524.post-35509745400641872732009-07-02T20:46:00.000-07:002009-07-03T09:06:50.435-07:00Student or Teacher?<div>I just had a spirited debate with Larry Greenblatt, a good friend of mine who founded "Internetwork Defense"(1). We have been back and forth on a few items in our disciplines on many occasions and mostly end up in a similar place that was arrived at from differing angles.</div><div><br /></div><div>I go back to a statement I make often that the fun of the security vector of information technologies is that you get to be philosophical. It is your job to play with ideas. 
I teach ethical hacker classes and part of that is selling the idea that critical thinking is a responsibility. You are paid for providing this service. Be respectful and understand the scope of the situation, but challenge wisely. Do challenge the situation.</div><div><br /></div><div>Instructors and students are interchangeable. Larry sat my class and I sat his. Next week I will sit a class of ten student teachers.</div><div><br /></div><div>(1) <a href="http://www.internetworkdefense.com/">http://www.internetworkdefense.com/</a></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2637504783843750524.post-10793426506437460042009-07-01T09:27:00.000-07:002009-07-01T09:47:42.858-07:00Technical writing - "With style"We are currently working on a book that will be published very soon. The process of writing this book has been extraordinarily illuminating. Or, just a lot of fun.<div><br /></div><div>Along the way I wanted to be refreshed on some basic tips for effective penmanship. Knowing that one of my editors has a Master's in English and that I could not explain the difference between a noun and a participle if my life hung in the balance, I was intimidated at first.</div><div><br /></div><div>All of us have to, and I mean this with criticality, be able to write technical documents and make a written point effectively. In the information security world reports = dollars. There is a direct correlation between the size of the payment received and the quality of the chosen words. </div><div><br /></div><div>I have the benefit of a mentor who humbles me on this front and I pass this experience along to the LPT classes where writing is a requirement. </div><div><br /></div><div>As I looked for some outside coaching for this book I recalled two resources I have used in the past to get a crash course in how to write good. 
Kurt Vonnegut's classic essay about writing with style is something that everyone needs to take a look at, particularly those in the technical industry.</div><div><br /></div><div><a href="http://literature.sdsu.edu/onWRITING/vonnegutSTYLE.html">http://literature.sdsu.edu/onWRITING/vonnegutSTYLE.html</a></div><div><br /></div><div>There is also a tool I think is fun called "Bullfighter". It scours your documents looking for wordiness, jargon and various forms of BS that complicate the communication. It is available here:</div><div><br /></div><div><a href="http://fightthebull.com/bullfighter.asp">http://fightthebull.com/bullfighter.asp</a></div><div><br /></div><div><br /></div><div><br /></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2637504783843750524.post-91398937179365560442009-06-26T14:27:00.000-07:002009-06-26T15:01:01.079-07:00Don't underestimate a class that is "A mile wide, but an inch deep."In a recent CEH class I taught, a group of students had an unusually broad background and motivation for taking on the course. One thing that impressed me a great deal was how well they seemed to understand this even before meeting each other. Everyone had healthy expectations and was looking toward realistic outcomes, but at the same time I felt it was a challenge to make sure I could both fit the course for them and stay within the scope of the curriculum. We needed to pass the exam, not conduct an improvised 5 day Q and A session, though I was tempted to do exactly that.<br /><br />This got me thinking a bit about something that recent trends I have noticed have brought to light: the way students and training programs evolve together.<br /><br />I often say that "there are entry level info sec classes but info sec is not an entry level topic". 
I think the reality, however, is that as IT assignments branch out, security becomes an efficient solution for bridging and broadening a person's understanding of IT no matter what their background. Sometimes people take infosec classes not so directly for security information, but for the unusual point of view. It is very unsanitized, imperfect at times, philosophical, and demands critical thinking.<br /><br />CEH paired with CISSP is, in a sense, a way to be exposed to an encyclopedic knowledge of all of the basics, from techie to management, from data to packets, and from apps to hardware. Being a mile wide is perhaps harder in some ways than being a mile deep. These classes are incredibly challenging for precisely this reason. Every student will find one chapter, module or domain that they think has been simplified into silliness. They will also encounter a portion of the class that is so unfamiliar it may seem the instructor has begun to speak a martian language. Yet to those who work in that area, it is as simple and silly as the other aspect of the course was.<br /><br />The first step is figuring out the difference, the second step is reconnecting the dots.<br /><br />As any technology advances a compression phenomenon occurs. What once took a career to learn and master eventually becomes required basics just to attend a 5 day bootcamp. 
The "assumed knowledge" needed at this point to even enter the discussion of information security is more than many people would even care to learn in a lifetime of experience in IT.<br /><br />The goals of technical training therefore need to adapt to this. Bootcamps such as what we offer are designed to demonstrate key ideas that help the disparate parts of day to day experiences come together. It's like finding the one piece of a jigsaw puzzle that helps connect two other very large assemblies. Sometimes however, a student grasps this catalyst, but has to wait until some time down the road to realize why it is important.<br /><br />One thing we can absolutely guarantee is that all of the effort placed toward this goal will become useful at some point. No knowledge in info sec is wasted, no matter how unrelated it might seem to a current assignment.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-2637504783843750524.post-32661748088183137842009-06-22T13:15:00.000-07:002009-06-26T15:14:58.889-07:00Putting off the exam (reconsidered).In a recent ECSA/LPT class a concerned student wondered if he really had to take the exam that week and asked for advice. My response was short: "If you take the exam in two weeks instead, what will change?"<br /><br />There was a still pause for a moment. He thought about work, schedule, distractions, other projects. He knew he took the bootcamp specifically to step away from those things for 5 grueling days to knock out this challenge. 
Then he said, "Nothing will change, I see that I should just give it a shot on Friday then."<br /><br />He realized it was unlikely that he would make time to study, and that once this training was over, the endgame was to be able to move on, not let it linger around for weeks and months. This is something everyone should consider before they attend a bootcamp. It is why it is so important to prepare your schedule to minimize interruptions and get pre-study materials to read up on topics before coming to class. You want to think about the follow through, the idea that the training will start a new process for your career; it is not the end of one.<br /><br />When the week is over it is important to be able to move on.Unknownnoreply@blogger.com0