You Can Run BackTrack in VMware

Posted March 1st, 2007 by

There is both a VMware appliance for a hard-drive install of BackTrack and a CD-boot appliance that you point at a .iso file.

It works flawlessly.  Mike is much happy.




Posted in Hack the Planet, Technical, What Works | No Comments »

My Inbox This Morning–Metasploit

Posted February 26th, 2007 by

Some presentations from HD Moore:

Introduction to the Metasploit Framework.

Economics of open-source projects and the future for Metasploit LLC and the Metasploit Fund.




Posted in Technical, What Works | No Comments »

Metasploit Videos

Posted February 23rd, 2007 by

Even if you’re a manager type, you need to watch these so you understand what you’re up against:

Metasploit with db_autopwn video on milw0rm.

Metasploit Framework eXploit Builder video on milw0rm.




Posted in Technical, What Works | No Comments »

Build a Hack Bag

Posted February 22nd, 2007 by

With regards to Ian, whose idea this is….

If you do a sizeable amount of security/penetration testing, build a “hack bag”.  It’s suspiciously similar to what you would take to a LAN party.  Leave it on your shelf and when you need to go on a top-secret mission, take it along.

Mandatory contents of a hack bag:

  • Extension cable and power strip
  • SoHo switch/hub (hub is better) and power supply
  • Various cat-5 cables (at least one 20-footer or longer)
  • Crossover adapter
  • Live Linux pen-testing CDs (BackTrack, Knoppix-STD, etc.)
  • USB drive
  • Spare notebook and pens
  • Multi-pliers

Optional contents:

  • Headphones
  • MP3 (*cough* ogg) player
  • Music CDs
  • Blank CDs
  • Extra laptop and/or phone power supply
  • Digital camera
  • Headache pills
  • Drinks
  • Spare USB cables and/or hub
  • Locksmith tools
  • Network tap
  • Toolkit
  • Ethernet tap
  • Serial console cable
  • Other tools disks



Posted in Technical, What Works | No Comments »

Do You “Do It” or Do You “Get It”?

Posted February 21st, 2007 by

In the circles I frequent, we have a saying that “Either you do it or you get it”.

The people who do it are fairly smart.  They have a stack of regulations that they are well-versed in.  They talk about matching 800-53 controls to implementation details.  They worry about SSP content.  They’re fairly competent.  They can accomplish most of the information assurance tasks out there.

But these people are only 75% of the solution.  We need more of the second type of people if we are going to succeed as a government with this security game.

There is a small subset of security people who get it.  You know who these people are within 3 minutes of talking to them.  They understand what the “rules” are, but they also understand where you have to break the rules because the rules contradict each other (have cost-effective security but implement this entire catalog of controls).

The difference between these 2 groups of people is that the people who get it understand one additional thing.  They know risk management.  They practice risk management on a minute-by-minute basis.  They are able to make cost/benefit/risk comparisons, which is something that you can’t really learn out of a book.

Doctors have the Hippocratic Oath: “First, do no harm.”  Why don’t security practitioners have the Smith Oath: “Above all, do risk management”?




Posted in FISMA, NIST, Rants, What Doesn't Work, What Works | 2 Comments »

Self-Quote Time

Posted February 21st, 2007 by

“True confidentiality controls are when you have thermite grenades taped to the top of the servers.” –Michael Smith




Posted in Army, Odds-n-Sods, Risk Management, What Works | No Comments »
