extern blog SensePost;

Hacking By Numbers Online - your thoughts?

Wed, 7 Jan 2009 08:42:00

We often get asked by students of our Hacking By Numbers courses if the course environments or at least the VMWare images are available after the training is over. As a result we've started to experiment with a model for offering our courses in an online environment. The idea would be to maintain the full numbers of labs and technical work, maintain the high standard of trainers and materials, but make the training available via the internet to people at various diverse locations. The approach we've been testing appears to show some promise, so we're hoping to ask some of you for your input and opinions.

The model we have in mind works like this:

1. Our slide decks have been ported to a Flash format with voice-overs blended in. This allows the students to browse through the materials, pause the presentation and move forward and backward as they please. The voice-over is by an experienced trainer and is presented in the same anecdotal style we use in our regular courses. There's also a transcript of the speaker's presentation that ensures students understand the trainer and allows them to copy and reuse text from the dialog.

2. The Flash slides are accompanied by the same lab sheets and accompanying answer sheets that are used in our regular training.

3. In order to complete the labs students connect to a Microsoft Terminal Server over the Internet. Each student has their own desktop that's pre-installed and configured with everything they'll need, including an SSH session to the Linux box that's needed for some of the labs. In this way the student walks right into a clean pre-configured environment with a full Windows and Linux toolset. All the targets, along with the classroom infrastructure like web and DNS servers, are available on virtual networks attached to the Terminal Server.

4. The course is broken up into a series of 'modules', where a module corresponds to a number of slides from the deck, followed by a lab exercise from the lab sheets. The students can work their way through the slides in the module then tackle the corresponding labs by logging onto the Terminal Server.

5. Although students work their way through the materials and labs on their own time, they are expected to complete each module within a certain amount of time. At the start and end of each module there is a trainer briefing that occurs via Skype. Students are given an overview of the materials and labs to follow and are given the opportunity to ask questions and make comments.

6. There is also an interim Skype briefing at fixed times at the start and end of each day. Finally, students have the opportunity to submit questions via email during the course of the day that will be dealt with by the trainer at the next briefing. In this manner we envisage a two-day classroom being spread over a five-day or even a seven-day period.

So that's the basic approach. We've started by porting our Cadet Edition in this fashion because it had the least labs and (as a beginners course) seemed to make the most sense. There's a brief course summary at the end of this message. But before we take the course live, we're planning to take it for a few test runs and hopefully get some input and feedback from you. Basically, there are three questions we want to ask:

1. Have you done online training before? If you've done online courses, what are your observations? Did it work for you? What did you and didn't you like?

2. Do you think our online approach is a workable learning tool? Do you think our approach can work and would you be interested to attend a course presented in this manner?

3. What would you be prepared to pay for such a course? Here's some benchmark pricing for you to consider - A CEH course starts at $ 695.00 (normal pricing seems to be $ 895) - A SANS @Home hacking course starts at $3,275.00 - The Offensive Security Offsec 101 starts at $ 550.00 (and goes up to about $ 700, without 'options') - Our Cadet course retails at Black Hat from $ 2,200.00, with fully configured laptops provided Our total training content amounts to about 2 days. Given this, what do you think would be a fair price to pay for this course?

Finally, we're planning to hold a free online 'beta' of the course early in 2009. If you'd like to take part, please let us know by contact 'training@sensepost.com'

"Hooker" approach to break-in!

Wed, 7 Jan 2009 08:06:00

Interesting post on cost/benefit analysis of hacker and hooker attacks....

behrang

Headhunter: Employers Hate World Of Warcraft Players

Mon, 5 Jan 2009 16:07:00

This is an old post, regurgitated because it yielded some spirited discussion.

Apparantly headhunters are being told to avoid World of Warcraft players:

http://www.alleyinsider.com/2008/12/headhunter-employers-hate-world-of-warcraft-players

It's an interesting twist, because a little while back i also recall hearing an itconversations interview on in-game leadership skills..

My own views on this are mixed.. i find the amount of time spent on gaming to be staggering (at least with gamers ive spoken to) but ive also heard some pretty hard core hax0rs talking about gaming.. hmm....

Dont look now, but it seems they broke the Interwebs again..

Mon, 29 Dec 2008 21:00:00

Those pesky hackers!

Alex Sotirov (of heap feng shui fame, famous for breaking everything from Vista, to web browsers, to facebook) and Jacob Applebaum (of cold-boot attack fame, and more importantly of "knuth is my homeboy" fame) will be talking in a few hours at the 25c3 conference in Germany and by all accounts its going to be an "Internet Breaker".

There is a fair bit of speculation on the nature of the bug (though most people some confident that its routing protocol related) and HD Moore has blogged that the pair have sought legal advice pre-publishing.

If i had to, i would take a guess at BGP too, mainly because the talk is labeled "Making the theoretical possible" which was a tagline used by the l0pht back when they were talking about shutting down the internet with BGP related attacks.

The only problem i have with all this, is that it reveals confusion over how we measure "the year" when we award pwnies.. if the talk happens on the last day (just about) of 2008.. Does it count for pwnies 09??

/mh

We going to sue and make Squillions.....

Mon, 29 Dec 2008 08:02:00

or maybe not... The twitters informed me that Singe uncovered a case of brand plagiarism!!!1! -snip-

-snip-

So lets review..

the logo looks shockingly the same
they no doubt, behind closed doors refer to themselves as SP too
just based on their staff numbers, they probably have 16 good looking people there too!

i had the lawyers lined up but decided to dig more info. on them first..

We opened doors in 2000, and i was hoping to find proof of these copycats having started like 2 weeks after us.. hmmm..

According to wikipedia: "Schering-Plough Corporation (NYSE: SGP) is a pharmaceutical company founded in 1851" + has "Revenue US$ 12.69 billion (2008)"

Archive.org shows the logo in use at least back in 2000

Bah! looks like we will have to make our money some other way!

/mh