Students in my classes often tell me about practice tests they’ve found online. More often than not I can’t pass the info along to other students because I can’t vouch for the quality of the materials. Practice tests found online too often fall into one of three categories, any of which makes them invalid for me to recommend. Some are created by well-intentioned but unofficial providers, and are riddled with inaccuracies. I wish I had five dollars for every time a student came to me confused after seeing a poorly written question on a free test they found online. Others are created by competitors to my employer. While they might be useful, I can’t really push people towards them in good conscience, can I? But far more insidious than those are the braindumps (practice test questions identical or almost identical to the actual test questions).
I’ve been surprised when students ask me, why not use braindumps? I understand the pressure. If you don’t pass a certification test you could fail to get a job, or lose your current one. But cheating on a test is just wrong. And it cheapens the certification for everyone. Therefore I try to be careful about the sources I recommend, and it really limits which sources I pass along. Over the years I’ve seen many, many more bad practice test providers than good ones.
Recently a student emailed me asking about a particular provider, one I hadn’t heard of. In researching them I found an interesting resource: CompTIA’s list of unauthorized third-party training providers. (CompTIA no longer maintains that page, and refers users to CertGuard.) Though this “naughty list” is necessarily incomplete, it’s the best list I’ve seen of known bad practice test sources. It got me looking for a similar list from Microsoft, but no joy. So if you’ve found a practice test online that is relatively inexpensive, promises—guarantees even—that you’ll pass the test, and seems too good to be true … it probably is. One way to make sure is to check it against this list.
Of course that assumes you want to stay legitimate, and for all our sakes I hope you do. Looking at some of the domain names on that list, it’s obvious that some people are just looking to pass a test any way they can.
Packet sniffers, or protocol analyzers as they’re sometimes called, are useful network administration tools. Admins use them to look at network traffic much like highway traffic cameras monitor traffic on the roadways. How much traffic is there? Where is it all coming from and going to? What kind of traffic is it? Regular monitoring can answer questions like these.
Even if you never use one, just knowing what they are and how they work is useful for anyone who works with computers. I’ve read stories of IT staff performing a live capture of unencrypted packets as part of a user education seminar in order to demonstrate to end users the necessity of using encryption. Seeing someone’s email sniffed and presented on a big screen can be an eye-opening way to make a point about the necessity of network security.
Historically I’ve recommended Wireshark as a great, free, open-source packet sniffer. Free is always good, and I like the fact that it runs on many operating systems. That way anyone can just download it, install it on their home computer, and try it out. Network Monitor, on the other hand, is Microsoft’s answer. Historically it only came with specific versions of Microsoft’s server-oriented products. But it’s been revamped, improved, and is now available as a free download. You must have Windows 7, or Windows Server 2003 or newer, though.
So Wireshark might be a good choice for you if you have Vista, XP, or if you are looking for a full-featured, free program that has powerful, commercial-grade add-ons and training available. Network Monitor is definitely worth knowing if you work (or plan to work) in a Microsoft shop, since it will already be available on your servers. Plus, some admins find Network Monitor easier to learn and use for regular, basic tasks. Whichever you use, seeing the depth of information available to you—or anyone who can access your network—is worthwhile.
VirtualForge has created this neat video illustrating XSS (Cross-Site Scripting). It uses a cartoon which walks you through the process, start to finish, illustrating each step. In doing so it provides the clearest definition of XSS I’ve seen.
You can find quite a few videos about XSS on YouTube, but I can’t show many of them in class due to length or other reasons. Many of them have long stretches where you’re looking at a screenshot while a faceless narrator gives background information. I would still like to find, however, a clear and concise (about 5:00) video usable in class in which someone actually demonstrates an XSS exploit. Until I do, use the VirtualForge video to get a clear idea of what XSS is, then maybe use the YouTube videos linked above to dig deeper and see what it looks like in action.