We were asked to do a piece on the insecurity of wireless networks. The cameras came into our CEH class for some footage, and I was interviewed, but none of that made the final cut. Our friend Chris did a wardrive in Houston and did a great job giving them the demos and soundbites they were looking for. It turned out to be a pretty good piece.
http://today.msnbc.msn.com/id/26184891#33530153
Thursday, October 29, 2009
Thursday, October 22, 2009
Should practice tests be perfect?
We have had many conversations behind the scenes about this topic. There is no shortage of questions about the ethics and proper use of practice questions in technical training. I believe in them, but should they always be perfect, clean and error-free?
A perfect practice exam is far less confusing to a student, and there is no question that incorrectly marked answers keep a learner off balance. But the other side of that coin is that a few curve balls, perhaps 3-5 in 100 questions, discourage memorization and promote discussion in class.
Ultimately whether or not practice questions are an effective learning and assessment tool is almost entirely left up to the way a student handles them. Memorizing is actually the hard way to do things, and it leaves the student rigid and unprepared if the actual test is off by as much as one word on a relatively simple question.
Understanding the exam concepts is the shortcut: much of the time, even on questions where the noise and trivia are unfamiliar to the test taker, the answer can be worked out by knowing what the question is trying to communicate.
Many will disagree and I will be criticized on evaluations for having practice exams with a few errors in them, but I am for anything that requires the student to assess their own confidence in how well they really understand the material. This is not to say there will always be errors in my tests, but there might be. I'll never tell.
Tuesday, October 20, 2009
Two Tenets of Teaching
There are two things a person must accept before agreeing to be an instructor:
You cannot call in sick during a bootcamp. (This one comes to mind because I am battling a head cold that all the masking agents in the world can't get rid of.)
The second one is a bit more complicated. To borrow a phrase from "A Course in Miracles": "All human expression is either love or a cry for help."
This might be a bit dramatic for a classroom environment, but the point is that most of the time a frustrated student is really just a curious one that hasn't found a way to line up their perceptions with the material. The instructor must never take this personally, even if he is personally attacked in the process or the course itself is scrutinized to the point of missing the point.
Usually one good eye-to-eye conversation can resolve this issue. Do not wait until the last day of class to have it. Note to students: ask for this conversation. Instructors: watch out for the need for one and be proactive about it. The outcome is almost always improved if the right amount of empathy is involved.
Monday, September 28, 2009
Hacker Halted Wrap-up
This morning I have returned from HH and must get back to work. As always, I had a great time at the conference, and want to congratulate EC-Council on their hard work putting it together. Some of the highlights were:
Awards: Steven DeFino is "CEI (Certified EC|Council Instructor) of the Year" for the third year in a row and Intense School is the "North American Authorized Training Partner of the Year" for the second year in a row.
Cruise: Terremark sponsored a large yacht and invited 350 VIPs aboard for a 2-hour cruise that finished at a club in Downtown Miami. It was a perfect evening and the crowd included CEHs from all over the world. It was a party, 'nuff said.
Talks: Too many good ones to write about them all. It's always fun to take a few days to listen to others talk about security for a change, and I picked up a lot of new ideas and learned of some things I will blog more about as I research them further. Virtualization and cloud computing, cyberwarfare, and online fraud were topics that received coverage from a few different angles.
In short, try to plan on being there next year if at all possible. I think you will be glad you took the time and leave with much to think about and inspired energy to expand your studies into new directions.
Friday, September 25, 2009
Hacker Journals - Examples fast and noise free
One of the most frequently asked questions I get is "What is a good website I should be visiting for news, downloads, videos and all things related to security?"
The intent behind this question has changed a bit over time. It used to be that I wanted to provide a long answer involving podcasts, blogs, rss feeds, ways to search YouTube for videos and explain the hazards of downloading "hacker tools" without looking through the source code first.
These days, time constraints are increasingly discouraging security professionals from staying informed. There are too many resources and too much noise to get through. Here is the solution:
http://www.hackerjournals.com
This is a clean, easy-to-read, noise-free aggregation site that combines all of the above into one resource. It's still a fairly new site, so give it some time to fill in more content. But I highly recommend it as a start page or favorite already.
Sunday, August 16, 2009
Series (2 of n): How practice questions work
This series was introduced in a post on August 5th.
This installment addresses the approach to creating the questions. Reverse engineer the process; the best way to understand technical exams is to try to write one yourself. Keep in mind the following criteria:
You want about a 65% average score the first time they take it, assuming an appropriate audience. Too easy a test is a waste of their time, and too difficult a test is a transparent display of how much you think you know or can look up on Google. The practice exam is a teaching tool, first and foremost.
Now, consider this simple approach to just one individual question:
- What do you want the tester to prove he understands?
- Is this better asked directly or indirectly?
- Should they pick the right answer or eliminate the wrong ones?
- Is this a question where distracting noise is appropriate, or should you just keep it short?
- What objective of the final "real exam" goal is this practice preparing them for?
Every practice question can take from 10-30 minutes to create from concept to explanation. In a business day, then, it would be productive to crank out 30 questions. The real questions might have hours of argument from a board of brains behind them. These aren't just made-up random trivia; each must be thought through. Each question and false choice has a purpose.
Now, as you are studying for your next exam... try to anticipate what really seems to capture the truth and presence of the class. Step into the shoes of the psycho(metrician) and ask what it would take to fool... you.
Thursday, August 13, 2009
Process Oriented Programming
Oftentimes in the CISSP and Security+ classes we are confronted with the need to come up with examples that illustrate detailed terms that don't translate well into "business language".
Some things just suck if they were to happen. And explaining this to a cost/benefit manager is sometimes an exercise in awkwardness for both parties. Here is a good example for the "programmery" (my term) knowledge domains in CISSP. The ones where we get into the weeds about registers and processes and so on:
Follow this link http://www.physorg.com/news169133727.html
This is a practical example of injecting instructions into a process while it is running. Voting machines make an example that everyone can understand, not just those who work on the secret systems most of us will never see.