











Trivial Pursuit and Security+
|
Tcat
Moderator M
Registered: May 2002 Location: Digital Nomad Country: United States State: Certifications: Security+, MCSE, MCT, CIW, A+, Net+, Inet+, Server+, Other Working on: Linux+
Total Posts: 187
|
|
Trivial Pursuit and Security+
Attached as DOC file as well.
Play Trivial Pursuit with Security+ for Only $225!
Question: What is true about Kevin Mitnick?
A. He is a felon released from prison that is now teaching social engineering tricks.
B. He is an amateur compared to Frank Abagnale, Jr.
C. He has a book out called The Art of Deception
D. All choices are correct
Answer: D. All choices are correct
If you are wondering how this data will make you a better IT professional in regards to security, all I can say is at least in the real world, they can both teach you how to smell social engineering scams.
If you are reading this, Mr. Mitnick, this is not intended to belittle you. I loved your book and suggest every IT person should read it. Hell, everyone should read it. Now I have never met you, and I did meet Frank Abagnale, Jr. Compared to him, you ARE an amateur. You wound up in prison, like Frank did. However, it appears nobody wants to publicize that Frank escaped a Federal maximum security prison by walking out the front gate. THEN the FBI cut a deal. It's OK, Kevin. Frank is much older and had more time to figure things out.
So, what does all this have to do with Security+? Plenty. CompTIA item writers come from the front lines. The only stipulation is the item writer cannot be a trainer or author. That pretty much ensures you will get folks writing questions that have no relevance to the real world. I don’t have to have met, or even care who Phil Zimmermann is to use Pretty Good Privacy (PGP). Yet some item writers think knowing who Phil is creates a measurement of your Security abilities.
I would really like to know why having the name Rijndael burned in my brain for creating AES makes me somehow magically be more productive with this encryption scheme.
If you have taken the Security+ test, drop me a line for your favorite Huhs? I’ll update this document as they come in. Your tip could be worth $225 to someone. And if enough people pass this document around, maybe the folks writing A+ 2003 will get a clue that knowing Alan Shugart is the father of the SCSI interface doesn’t help me make a SCSI chain work better.
At Large,
Tcat Houser
Attachment: play trivial pursuit with security.doc
07-24-03 02:57 AM
|
|
RussS
radical dood M

Registered: Sep 2002 Location: Hamilton Country: New Zealand (Aotearoa) State: Certifications: MCP W2K Pro & Server, A+, Net+, NZQA L3 Computing Working on: Security+, MCSA, Linux+
Total Posts: 955
|
|
I'd laugh if I hadn't blown so many bucks already on this exam ... $495 to sit it here
Tcat - you know very well my thoughts on this damn exam. It still grates on me that a so-called professional certification can be so filled with subjective answers.
My fav is ... What is considered the most common form of Social Engineering? (not the exact wording, but close enough).
From experience working in different industries I would have to say that it depended on the location and the industry ... i.e. in the fashion design area it would be dumpster diving as most designers prefer charcoal drawings above any current computer based system, but in say something like the banking industry I would guess the telephone would be the deal.
__________________
Go hard or go home!
07-24-03 03:36 AM
|
|
Tcat
Moderator M
Thanks Russ! (Other thoughts?)
Save some money Russ by using http://www.ExamVouchers.com (you can even put $5 in my pocket if you tell them I sent you).
The last CompTIA exam that was written by professionals was N10-001. Now David Groth and I are "competitors", and we still managed to put our heads together and come up with questions that were not subjective for that exam. No more 'professionals' writing CompTIA exams. I can't fix that. I can make dang sure we all don't pay over and over for subjective questions.

07-24-03 04:49 AM
|
|
RussS
radical dood M

07-24-03 05:21 AM
|
|
RussS
radical dood M

Other thoughts? Hmmm, I guess there is overly much emphasis placed on operational/organisational policy. I think in most cases the CEO or the VP doesn't send memos to the tech staff about issues ... lol. Supposed to be 15%, but I would bet on my second attempt it was much higher.
To quote a security analyst who missed
quote: Bottom line is they're testing someone on their ability to guess for a good 20% of the questions. "Here's 4 right answers, which one do WE think is right?".
quote: personally think that SANS has a better exam structure. not only do you have to write a practical essay for most of their GIAC certs you also have to take a multiple choice exam that is open book. because they realize that this day and age having access to online materials as well as print materials is essential. they know that nobody in their right mind is gonna remember all the different standards and RFCs and common criteria. the essay is a good way to gauge someone's grasp of the subject matter and their knowledge on the subject.
Have to agree totally there.
One of the areas that caught me the first time around was those odd ports ..
1293
1645
1646
1701
1723
1812
1813
3389
4500
yup - all those very well known ones ... lol
Myself, if I am reading port scan readouts I always check the iana.org site and do not rely on memory unless it is one of the well known ports that we see daily. They say there are 65,000 odd port numbers, but in reality the number is limitless from my calculations - anyway, who is gonna remember 65,000 ..... lol
__________________
Go hard or go home!
07-24-03 05:53 AM
|
|
sapiens74
Member M
Registered: Jul 2003 Location: Honolulu Country: United States State: Certifications: CIW, A+, Net+, Inet+, MCP, Security+ Working on: MCSA, MCSE
Total Posts: 30
|
|
I can memorize ports.
Thing is they will put stuff like
Which port is used for Yahoo IM:
A. 80
B. 119
C. 21
D. 5000
I know the first 3 aren't right.
Only good thing about ports I guess
07-24-03 11:11 AM
|
|
RussS
radical dood M

07-24-03 11:51 AM
|
|
Adheer
Member M
Registered: Sep 2002 Location: Country: United States State: NC Certifications: A+ Working on:
Total Posts: 43
|
|
wise guys
Tcat and Russ ... you guys are critical about these exams in general ... but seem to be critical and wise only after acquiring so many certificates as mentioned in your profile. Is it like ... you lose the value of money if you have lots of it...?
08-01-03 07:24 PM
|
|
Tcat
Moderator M
I don't fully get the question
I know I have to take every exam because I would have no credibility as an author if I didn't pass what I was writing about.
Security+ is a much needed cert for the industry. And yes, I am wondering in public why knowing who Phil Zimmermann is helps you run PGP. Since the next subject matter expert writing the questions for CompTIA xyz+ may be *you* or another reader here, hopefully this line of public questioning will notch things up for say, A+ 2003. If not, we're going to get questions about who was Alan Shugart?
08-01-03 08:00 PM
|
|
Tcat
Moderator M
Another useless Security+ trivia piece
Someone wrote me privately and complained about SkipJack. Judging by the person's age, he would have been playing with Tonka trucks when SkipJack was a hot topic.
I present my "skipjack" piece from the aborted i-Net+ Ik0-002 book.
"(Wise Owl) Asymmetric encryption involves two keys (public-private)
(Wise Owl) Symmetric encryption uses one key (secret key)
Skipjack
Contrast Skipjack with the offerings you just read. It is not a public key solution such as PGP and RSA. With this encryption scheme each transaction carries its own key, enfolded within it. This means that even if one transaction is compromised, that information cannot be used to compromise another transaction since each key is unique to each transaction. And it is nearly impossible to break even one transaction, even by brute force techniques.
One measure of security is often taken by judging key space - the bigger the key space the better. Compare Skipjack to PGP or RSA that supports a key space of 2 to the 2048th power. By comparison, Skipjack supports a minimum key space of 225 to the 2000th power.
While the term Skipjack may not be familiar to you, if you watched the news in the mid 1990’s, you are familiar with Skipjack. Remember the United States government pushing the idea of the Clipper chip? Clipper is the popular name for Skipjack. In the real world, Clipper is dead."
(Real World Owl) i-Net+ objectives say know what Skipjack is. Know it went over like a lead balloon.
08-01-03 08:15 PM
|
|