on Windows 7
Add Printer
Local Printer
Add Local Port
\\XPMACHINE\printersharename (Make the share name one word or you have to "" quote the whole thing)
Friday 30 December 2011
Reset Windows 7 Enterprise Trial
We should also mention that it can be rearmed 5 times
"slmgr /rearm" (to reset the 100 days)
"slmgr /dlv" (to find number of rearms left)
"slmgr /rearm" (to reset the 100 days)
"slmgr /dlv" (to find number of rearms left)
Monday 26 December 2011
One for the n00bs
SOURCE:http://daveshackleford.com/?p=277
We’ve all been a n00b at some point. I don’t care who you are, at some stage of the game you didn’t know much, or started a new gig, or tried something for the first time in full view of other people, or whatever the case may be – you’ve been a n00b. My friend Raf Los at HP, who I’ve known for years and has been through the security gamut just like me, posted a really interesting semi-rant the other day, check it out here. His observation? We crusty security types kind of suck at letting new people into the club. I don’t know about most of you (well, actually I do), I hated cliques in high school. The “you can’t sit at our lunch table” crowd. The “we’re having a massive party at XYZ’s house tomorrow night, and you can’t come” crowd. Yes, we all know who I’m talking about.
We’ve kind of become that crowd.
We’re not welcoming, or mentoring, or open-minded about new people coming in. Be honest – when was the last time someone arbitrarily asked you to guide them or lend some experience, where you really went out of your way to help them learn about infosec? This is, of course, for all you crusty types like me. Well, I was pretty lucky, I guess – I had a few really kick-ass people who let me ask a plethora of questions in the early days, and really bolstered my confidence and desire to keep forging ahead: Lampe, Herb, Jimmy the Slick…I’m talking to you.
So I have some advice for the n00bs. Those of you that aren’t truly n00bs anymore, you may want to check out an earlier post of mine called “Career Tips for Security Geeks.” Noobs, read this first, then read that one too. So here goes:
Please please please please PLEASE do not come out of school with a degree in “Information Assurance” or some other bullshit and tell me you are a security professional. You are not. You are either a) still my intern for another year until I have hazed you sufficiently, or b) the new anti-virus admin. Yes, I’m serious. Experience and technical skills count in security – I’ma let you finish, but first you will be starting at the bottom rung of the ladder if all you have is said IA degree and a will to learn. This leads us to…
Show me. Yep. Don’t talk theory, or concepts, or God forbid mention wretchedness like the Bell-LaPadula Model. Help me get security in order. Models don’t actually DO anything. They’re great for drunken whiteboarding sessions. And CISSP exams.
At this point, you’re thinking “Wow – Shack said he was going to help us out! He’s being one of those clique-ish types, though!”. Well…not really. That’s all the harshness I’m giving out, and there are good reasons for this advice. Well…one more, don’t get cocky. We’ve got way too many cocky folks already, and we’re trying to change the dynamic. So here’s some more practical advice for the n00bs:
Really, the best security people came from some other backgrounds. I really think you should spend a few years doing something else first. Coding, systems admin or network admin, DBA, etc. How can you secure stuff when you have no experience with it? Security isn’t all about IDS, pen testing, etc. The most important security is mitigating risk in regular old technology design and use, and you should have some hands-on time with THAT before you go saving the world.
Understand the following: TCP/IP, Cisco IOS, Windows admin (basic), Unix admin (basic). Pick a scripting language and endeavor to become a little bit proficient with it. Not a lot, that’s OK, but a little Perl-Fu or Python-Fu or Ruby-Fu or just Shell scripting-Fu can go a LONG way. These are basic skills. What about security? Re-read #1 above. Now do it again.
Allocate $500 and go visit your friend Amazon.com. Or better yet, roll Ramen noodle style and get used books by perusing titles at www.bestbookdeal.com. It rocks. What to buy? Hacking Exposed, latest edition. Counter-Hack Reloaded. Network Security Hacks (2e). Everything written by Richard Bejtlich. Malware (Skoudis and Zeltser). Security Engineering (2e). Applied Cryptography. This is a good start, look for others too – read them and keep going. Plan on spending $50-100 a month on books.
Understand how to lock down operating systems. Read the CIS benchmarks, DISA STIGs, and vendor guides from M$ and others. This is 101 stuff, and you need to know it WAY before you get to the “sexy” things like pen testing.
Become familiar with a packet sniffer of your choice. Wireshark is good. So is TCPdump. Both are free, and you can start breaking down packets and looking at them to see what the hell is going on.
Learn about Snort. Spend a month or so installing it, tweaking the configs, learning about rule creation, planning architecture and so on. Will it be your only IDS? Maybe, maybe not, but it’s the best for the $$$ and you need to learn.
Download the Backtrack security assessment toolkit from http://www.remote-exploit.org/backtrack.html. Load it up in a test network (repeat – test network. Did I mention test network?) and start running some tools to learn about scanning (nmap, hping3), vulnerability scanning (OpenVAS, maybe Nessus for local scans or if you have a license), and pen testing with Metasploit and exploits from Milw0rm and others.
Plan on going for the SANS GSEC certification. Forget about your CISSP or anything else right now, you need a solid set of fundamentals, and the SANS Security Essentials course is your best bet. I teach for SANS, full disclosure, but I endorse this with no bias whatsoever – it really is the best for newcomers to the field.
You now have the basics. Specialties, like code security, Web app security, pen testing, network security, etc all come a bit later. I won’t go into all that here, but you should be waking up every day with a fire under your ass. READ! Check out blogs and sites like darkreading.com, csoonline.com, packetstormsecurity.org, and others. Listen to Paul, Larry, John, Carlos and gang at www.pauldotcom.com to get in the spirit of things. And when you tell someone you are new to the field, and you have a legitimate question that they can help with, don’t let their lack of social skills get in the way. If they won’t help you, find some of us that aren’t worried about impressing the clique and we’ll help you. I got my OWN lunch table. And you’re invited. Unless you have, like, body odor or something. Then you’re not.
We’ve all been a n00b at some point. I don’t care who you are, at some stage of the game you didn’t know much, or started a new gig, or tried something for the first time in full view of other people, or whatever the case may be – you’ve been a n00b. My friend Raf Los at HP, who I’ve known for years and has been through the security gamut just like me, posted a really interesting semi-rant the other day, check it out here. His observation? We crusty security types kind of suck at letting new people into the club. I don’t know about most of you (well, actually I do), I hated cliques in high school. The “you can’t sit at our lunch table” crowd. The “we’re having a massive party at XYZ’s house tomorrow night, and you can’t come” crowd. Yes, we all know who I’m talking about.
We’ve kind of become that crowd.
We’re not welcoming, or mentoring, or open-minded about new people coming in. Be honest – when was the last time someone arbitrarily asked you to guide them or lend some experience, where you really went out of your way to help them learn about infosec? This is, of course, for all you crusty types like me. Well, I was pretty lucky, I guess – I had a few really kick-ass people who let me ask a plethora of questions in the early days, and really bolstered my confidence and desire to keep forging ahead: Lampe, Herb, Jimmy the Slick…I’m talking to you.
So I have some advice for the n00bs. Those of you that aren’t truly n00bs anymore, you may want to check out an earlier post of mine called “Career Tips for Security Geeks.” Noobs, read this first, then read that one too. So here goes:
Please please please please PLEASE do not come out of school with a degree in “Information Assurance” or some other bullshit and tell me you are a security professional. You are not. You are either a) still my intern for another year until I have hazed you sufficiently, or b) the new anti-virus admin. Yes, I’m serious. Experience and technical skills count in security – I’ma let you finish, but first you will be starting at the bottom rung of the ladder if all you have is said IA degree and a will to learn. This leads us to…
Show me. Yep. Don’t talk theory, or concepts, or God forbid mention wretchedness like the Bell-LaPadula Model. Help me get security in order. Models don’t actually DO anything. They’re great for drunken whiteboarding sessions. And CISSP exams.
At this point, you’re thinking “Wow – Shack said he was going to help us out! He’s being one of those clique-ish types, though!”. Well…not really. That’s all the harshness I’m giving out, and there are good reasons for this advice. Well…one more, don’t get cocky. We’ve got way too many cocky folks already, and we’re trying to change the dynamic. So here’s some more practical advice for the n00bs:
Really, the best security people came from some other backgrounds. I really think you should spend a few years doing something else first. Coding, systems admin or network admin, DBA, etc. How can you secure stuff when you have no experience with it? Security isn’t all about IDS, pen testing, etc. The most important security is mitigating risk in regular old technology design and use, and you should have some hands-on time with THAT before you go saving the world.
Understand the following: TCP/IP, Cisco IOS, Windows admin (basic), Unix admin (basic). Pick a scripting language and endeavor to become a little bit proficient with it. Not a lot, that’s OK, but a little Perl-Fu or Python-Fu or Ruby-Fu or just Shell scripting-Fu can go a LONG way. These are basic skills. What about security? Re-read #1 above. Now do it again.
Allocate $500 and go visit your friend Amazon.com. Or better yet, roll Ramen noodle style and get used books by perusing titles at www.bestbookdeal.com. It rocks. What to buy? Hacking Exposed, latest edition. Counter-Hack Reloaded. Network Security Hacks (2e). Everything written by Richard Bejtlich. Malware (Skoudis and Zeltser). Security Engineering (2e). Applied Cryptography. This is a good start, look for others too – read them and keep going. Plan on spending $50-100 a month on books.
Understand how to lock down operating systems. Read the CIS benchmarks, DISA STIGs, and vendor guides from M$ and others. This is 101 stuff, and you need to know it WAY before you get to the “sexy” things like pen testing.
Become familiar with a packet sniffer of your choice. Wireshark is good. So is TCPdump. Both are free, and you can start breaking down packets and looking at them to see what the hell is going on.
Learn about Snort. Spend a month or so installing it, tweaking the configs, learning about rule creation, planning architecture and so on. Will it be your only IDS? Maybe, maybe not, but it’s the best for the $$$ and you need to learn.
Download the Backtrack security assessment toolkit from http://www.remote-exploit.org/backtrack.html. Load it up in a test network (repeat – test network. Did I mention test network?) and start running some tools to learn about scanning (nmap, hping3), vulnerability scanning (OpenVAS, maybe Nessus for local scans or if you have a license), and pen testing with Metasploit and exploits from Milw0rm and others.
Plan on going for the SANS GSEC certification. Forget about your CISSP or anything else right now, you need a solid set of fundamentals, and the SANS Security Essentials course is your best bet. I teach for SANS, full disclosure, but I endorse this with no bias whatsoever – it really is the best for newcomers to the field.
You now have the basics. Specialties, like code security, Web app security, pen testing, network security, etc all come a bit later. I won’t go into all that here, but you should be waking up every day with a fire under your ass. READ! Check out blogs and sites like darkreading.com, csoonline.com, packetstormsecurity.org, and others. Listen to Paul, Larry, John, Carlos and gang at www.pauldotcom.com to get in the spirit of things. And when you tell someone you are new to the field, and you have a legitimate question that they can help with, don’t let their lack of social skills get in the way. If they won’t help you, find some of us that aren’t worried about impressing the clique and we’ll help you. I got my OWN lunch table. And you’re invited. Unless you have, like, body odor or something. Then you’re not.
Who to Recruit for Security, How to Get Started, and Career Tracks
SOURCE:
http://securosis.com/blog/who-to-recruit-for-security-how-to-get-started-and-career-tracks
Who to Recruit for Security, How to Get Started, and Career Tracks
Today I read two very different posts on what to look for when hiring, and how to get started in the security field. Each clearly reflects the author’s experiences, and since I get asked both sides of this question a lot, I thought I’d toss my two cents in.
First we have Shrdlu’s post over at Layer 8 on Bootstrapping the Next Generation. She discusses the problem of bringing new people into a field that requires a fairly large knowledge base to be effective.
Then over at Errata Security, Marisa focuses more on how to get a job through the internship path (with a dollop of self-promotion). As one of our industry’s younger recruits, who successfully built her own internship, she comes from exactly the opposite angle.
My advice tends to walk a line slightly in the middle of the two, and varies depending on where in security you want to go.
When someone asks me how to get started in security I tend to offer two recommendations:
Start with a background as a systems and network administrator… probably starting with the lowly help desk. This is how I got started (yes, I’m thus biased), and I think these experiences build a strong foundation that spans most of the tasks you’ll later deal with. Most importantly, they build experience on how the real world works – even more so than starting as a developer. You are forced to see how systems and applications are really used, learn how users interact with technology, and understand the tradeoffs in keeping things running on a day to day basis. I think even developers should spend some time on the help desk or cleaning up systems – while I was only a mediocre developer from a programming standpoint, I became damn good at understanding user interfaces and workflows from the few years I spent teaching people how to unhide their Start menus and organize those Windows 3.1 folders.
Read a crapload of action thriller and spy novels, watch a ton of the same kinds of movies, and express your inner paranoid. This is all about building a security mindset, and it is just as important as any technical skills. It’s easy to say “never assume”, but very hard to put it into practice (and to be prepared for the social consequences). You are building a balanced portfolio of paranoia, cynicism, and skepticism. Go do some police ride-alongs, become an EMT, train in a hard martial art, join the military, or do whatever you need to build some awareness. If you were the kid who liked to break into school or plan your escape routes for when the commies (or yankees) showed up, you’re perfect for the industry. You need to love security.
The best security professionals combine their technical skills, a security mindset, and an ability to communicate (Marisa emphasized public speaking skills) with a wrapper of pragmatism and an understanding of how to balance the real world sacrifices inherent to security.
These are the kinds of people I look for when hiring (not that I do much of that anymore). I don’t care about a CISSP, but want someone who has worked with users and understands technology from actual experience rather than a library shelf, or a pile of certificates.
In terms of entry-level tracks, we are part of a complex profession and thus need to specialize. Even security generalists now need to have at least one deep focus area. I see the general tracks as:
Operational Security – The CISO track. Someone responsible for general security in the organization. Usually comes from the systems or network track, although systems integration is another option.
Secure Coder – Someone who either programs security software, or is responsible for helping secure general (non-security-specific) code. Needs a programmer’s background, but I’d also suggest some more direct user interaction if they’re used to coding in a closet with pizzas slipped under the door at irregular intervals.
Security Assessor (or Pen Tester) – Should ideally come out of the coder or operations track. I know a lot of people are jumping right into pen testing, but the best assessors I know have practical experience on the operational side of IT. That provides much better context for interpreting results and communicating with clients. The vulnerability researcher or penetration tester who speaks in absolutes has probably spent very little time on the defensive or operational side of security.
You’ll noticed I skipped a couple options – like the security architect. If you’re a security architect and you didn’t come from a programming or operational background, you likely suck at your job. I also didn’t break out security management – mostly since I hate managers who never worked for a living. To be a manager, start at the bottom and work your way up. In any case, if you’re ready for either of those roles you’re past these beginner’s steps, and if you want to get there, this is how to begin.
To wrap this up, when hiring look for someone with experience outside security and mentor them through if they have the right mindset. Yes, this means it’s hard to start directly in security, but I’m okay with that. It only takes a couple years in a foundational role to gain the experience, and if you have a security mindset you’ll be contributing to security no matter your operational role. So if you want to work in security, develop the mindset and jump on every security opportunity that pops up. As either a manager or recruit, also understand the different focus of each career track.
Finally, in terms of certifications, focus on the ‘low-level’ technical ones, often from outside security. A CISSP doesn’t teach you a security mindset, and as Shrdlu said it’s insane that something that is supposed to take 5 years of operational experience is a baseline for hiring – and we all know it’s easy to skirt the 5-year rule anyway.
I’m sure some of you have more to add to this one…
—Rich
http://securosis.com/blog/who-to-recruit-for-security-how-to-get-started-and-career-tracks
Who to Recruit for Security, How to Get Started, and Career Tracks
Today I read two very different posts on what to look for when hiring, and how to get started in the security field. Each clearly reflects the author’s experiences, and since I get asked both sides of this question a lot, I thought I’d toss my two cents in.
First we have Shrdlu’s post over at Layer 8 on Bootstrapping the Next Generation. She discusses the problem of bringing new people into a field that requires a fairly large knowledge base to be effective.
Then over at Errata Security, Marisa focuses more on how to get a job through the internship path (with a dollop of self-promotion). As one of our industry’s younger recruits, who successfully built her own internship, she comes from exactly the opposite angle.
My advice tends to walk a line slightly in the middle of the two, and varies depending on where in security you want to go.
When someone asks me how to get started in security I tend to offer two recommendations:
Start with a background as a systems and network administrator… probably starting with the lowly help desk. This is how I got started (yes, I’m thus biased), and I think these experiences build a strong foundation that spans most of the tasks you’ll later deal with. Most importantly, they build experience on how the real world works – even more so than starting as a developer. You are forced to see how systems and applications are really used, learn how users interact with technology, and understand the tradeoffs in keeping things running on a day to day basis. I think even developers should spend some time on the help desk or cleaning up systems – while I was only a mediocre developer from a programming standpoint, I became damn good at understanding user interfaces and workflows from the few years I spent teaching people how to unhide their Start menus and organize those Windows 3.1 folders.
Read a crapload of action thriller and spy novels, watch a ton of the same kinds of movies, and express your inner paranoid. This is all about building a security mindset, and it is just as important as any technical skills. It’s easy to say “never assume”, but very hard to put it into practice (and to be prepared for the social consequences). You are building a balanced portfolio of paranoia, cynicism, and skepticism. Go do some police ride-alongs, become an EMT, train in a hard martial art, join the military, or do whatever you need to build some awareness. If you were the kid who liked to break into school or plan your escape routes for when the commies (or yankees) showed up, you’re perfect for the industry. You need to love security.
The best security professionals combine their technical skills, a security mindset, and an ability to communicate (Marisa emphasized public speaking skills) with a wrapper of pragmatism and an understanding of how to balance the real world sacrifices inherent to security.
These are the kinds of people I look for when hiring (not that I do much of that anymore). I don’t care about a CISSP, but want someone who has worked with users and understands technology from actual experience rather than a library shelf, or a pile of certificates.
In terms of entry-level tracks, we are part of a complex profession and thus need to specialize. Even security generalists now need to have at least one deep focus area. I see the general tracks as:
Operational Security – The CISO track. Someone responsible for general security in the organization. Usually comes from the systems or network track, although systems integration is another option.
Secure Coder – Someone who either programs security software, or is responsible for helping secure general (non-security-specific) code. Needs a programmer’s background, but I’d also suggest some more direct user interaction if they’re used to coding in a closet with pizzas slipped under the door at irregular intervals.
Security Assessor (or Pen Tester) – Should ideally come out of the coder or operations track. I know a lot of people are jumping right into pen testing, but the best assessors I know have practical experience on the operational side of IT. That provides much better context for interpreting results and communicating with clients. The vulnerability researcher or penetration tester who speaks in absolutes has probably spent very little time on the defensive or operational side of security.
You’ll noticed I skipped a couple options – like the security architect. If you’re a security architect and you didn’t come from a programming or operational background, you likely suck at your job. I also didn’t break out security management – mostly since I hate managers who never worked for a living. To be a manager, start at the bottom and work your way up. In any case, if you’re ready for either of those roles you’re past these beginner’s steps, and if you want to get there, this is how to begin.
To wrap this up, when hiring look for someone with experience outside security and mentor them through if they have the right mindset. Yes, this means it’s hard to start directly in security, but I’m okay with that. It only takes a couple years in a foundational role to gain the experience, and if you have a security mindset you’ll be contributing to security no matter your operational role. So if you want to work in security, develop the mindset and jump on every security opportunity that pops up. As either a manager or recruit, also understand the different focus of each career track.
Finally, in terms of certifications, focus on the ‘low-level’ technical ones, often from outside security. A CISSP doesn’t teach you a security mindset, and as Shrdlu said it’s insane that something that is supposed to take 5 years of operational experience is a baseline for hiring – and we all know it’s easy to skirt the 5-year rule anyway.
I’m sure some of you have more to add to this one…
—Rich
Subscribe to:
Posts (Atom)