Monday, 26 July 2010

Infosec Institute Advanced Ethical Hacking

A while ago I made a post about Infosec Institute's 10 Day Penetration Testing Course. I had some not so great things to say about the first half of the course. I think, in retrospect, the first week would be good for someone just starting out in the field to get their feet wet. There are some things I definitely think I would change, to bring it more in line with that concept, but it's hard for me to judge since I was already outside of that target audience. I have finally had the time to delve into the second week of the training course. This portion of the course focuses on the real meat and potatoes of penetration testing and exploiting. There is still some tool-centric material at the beginning, but the course jumps pretty quickly into the good stuff. It starts covering program memory structure, and how buffer overflows really work. Pretty soon you find yourself writing basic shellcode, and doing memory analysis to perform true exploits.

There are ties back to tools, but mostly in how they can make your life easier. Everything this part of the course covers is done manually before they show you how to use a tool. In my opinion, this is exactly what they should be doing. I do not have an assembly background so some of this is valuable information I have been missing so far. From buffer overflows it moves on to format strings and heap overflows. There are sections on fuzzing, fault injection and more that I have not gotten to yet. I hope to be finishing up the course in the next few days.

There are some benefits to the online version of this course, such as being able to set your own pace. That being said, I think this particular course would be worth paying the extra money for the classroom experience. These are much more complicated topics than the first week, and if you don't already have experience in assembly and memory structure you may find yourself wanting to ask questions that you will have to answer all on your own. There is nothing wrong with this, of course, but I personally prefer active discussion to simply reading things online.

All in all, my impression of the second half of this training is very different from the first. Anyone who has experience with penetration testing, but wants to delve into the real heart of the subject should take a course like this.

Sunday, 25 July 2010

Moving on and Moving Up

The inevitable has happened. I am leaving my current job, and moving on to a new company. I am very excited about this new opportunity. The company I am going to work for seems like a great place to work. However, this will be the first time my family has moved to a location where we don't know anybody. We will have no friends and no family there. This is the part of this field that isn't so great. Jobs tend to crop up in very specific places, and you have to be ready to pick up and move in order to not lose a great opportunity. It was a hard decision to sacrifice all the personal reasons to stay in favour of all the professional reasons to move. We have family and friends here that we love very much. We like this area after being here only two years. My children will no longer be able to see their grandparents so often. However, I will be moving to a larger, more mature company in a great area. The team I will be working with is full of very bright people who take this work very seriously. Even more importantly, the members of my new team know lots of things I don't. I will be working to learn a lot from them, and that is something I am eager to start doing.

Robert Khoo over at Penny Arcade said something in one of their TV episodes that has stuck with me since. He told a potential employee, "To be successful at something, to be like the best of breed at something, means you make sacrifices. I would say nine times out of ten, that means your social life, and that is how you get amazing at something." I think that this is extremely true. Nobody ever got to be the best at something by putting in the same amount of effort as everyone else. You get to be the best by putting in more effort than everyone else, and working as hard as you possibly can. I don't know if I can ever be the best at what I do, but I won't stop trying until I am. I have a long way to go before I can be the next RSnake, lcamtuf, or Tavis Ormandy. The best part of being in this field is that those very people I wish to be better than will help me along the way. It may not be in a big way, but each of those three people has helped me grow already. Each of them has even taken the time to reply to emails and blogposts. These are people who will honestly share ideas and knowledge. That, more than anything else, is what makes this field great. So look out guys, one day soon you may be reading a white paper with my name on it. In the meantime I just want to say thank you to all of you, as well as Mark Russinovich over at Microsoft, for taking time out of busy lives to answer a few stupid questions from somebody you've never heard of...yet.