
Wanna get EC-Council CEH? Think again.


  • cowill Member Posts: 93 ■■□□□□□□□□
    I think you're just looking in the wrong spots. If you want certs that deal with Penetration Testing you should look at OSCP and OSCE. Sec+ and CISSP aren't going to teach you those things. Not sure who thinks they do... and I definitely wouldn't categorize those (OSCP and OSCE) as "joke" certs in terms of the real world either.

    This CEH is pretty much an entry level Pen Testing cert. I'm going to tell people when I get it... I think you're a little paranoid to think people are going to start coming after you if you do.

    Well I see the cert on many types of listings other than Pen Testing.....Around here in the DC area, a CEH could get you a lot in info SEC...not just pentesting.......As long as you get in the door is what it's about to me....

    And to say I'm paranoid....LOL perhaps....however......I just wouldn't go around bragging about having ANY Sec certs OSCP, CISSP...O.P.P.....etc.....in my opinion...anybody can get hacked..cert or no cert...and after you get hacked....nobody will care about your cert.....that's like a bodyguard who gets his @$$ kicked.....he could be licensed to carry a scud missile in his back pocket....after he gets beatdown....nobody will care what he WAS able to do and what he HAS done......he will be known for getting his @$$ kicked.....

    At least if you get hacked and you come off as humble....you can keep it moving and bounce back

    *Edit*....I may include a cert in a professional setting....But it's not something I would brag about or act like I'm better than the next person cause I have it..........
  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    I might have to get this shirt and wear it around everywhere lol

  • cowill Member Posts: 93 ■■□□□□□□□□
    I might have to get this shirt and wear it around everywhere lol

    lmao.......
  • OM602 Member Posts: 56 ■■□□□□□□□□
    Been lurking on these forums for quite a while, loads of good info.
    Just like to add my two cents as I just passed the exam this morning at 82%
    Easier than I expected (compared to Boson), rushed through the final questions as I was confident of passing.


    Stuff I used to prep


    CBT Nuggets - James Conrad. Quite entertaining, listened during commute
    Matt Walker's AIO bundle - Very entertaining writing style, loads of practice questions.
    Boson - These practice exams were actually harder than the real ones, due to the fact the right answers were harder to single out. If you score 80+ here, I think you will definitely pass the real test.


    As for the Cert Value, it depends on your current infosec skill level and preparation. As I'm quite new to the infosec field I learned a lot during the study phase. Paid for this out of my own pocket, which made me study harder.
    The exam itself is nothing special, but then again, apart from the hands-on exams (like OSCP/E or CCIE) all exams are just memorizing facts (with 20% random BS you'll never need at any point in your life again, this exam may have been closer to 40). Even open-book SANS certs are not worth a lot (can only speak for GCFE though), the extra value is in the training/study.


    That being said dealing with EC-Council is an absolute PITA. Compared to SANS for example. Even apart from the language barrier, the whole process of signing up/booking the exam is pretty ehm bureaucratic.
    As for the price, any cert is worth it, if it helps you land that dream job. If you don't have a lot of infosec experience it's definitely a good cert to get started with, and shows you have some affinity with hacking.
    I advised more experienced colleagues (OSCE) in the pentesting fields against it.
    The world chico, and everything in it
  • aspiringsoul Member Posts: 314
    I definitely agree that I feel more like a Certified Ethical Script Kiddie...

    I would never refer to myself as a Hacker, not with my current level of knowledge.....I'm nowhere near the skill level of those who would call themselves hackers.

    But my parents and friends think I am a hacker, so I've got that going for me....which is nice.

    Education: MS-Information Security and Assurance from Western Governors University, BS-Business Information Systems from Indiana Wesleyan University, AAS-Computer Network Systems - ITT Tech,
  • aspiringsoul Member Posts: 314
    NOC-Ninja wrote: »
    The best hacker I know doesn't even have CEH, CISSP, CISM and all these sec certs.


    I know a couple of IT pros that can do magical things with Cisco Switches, Routers, Firewalls, yet they don't pursue certifications...
    Education: MS-Information Security and Assurance from Western Governors University, BS-Business Information Systems from Indiana Wesleyan University, AAS-Computer Network Systems - ITT Tech,
  • IronmanX Member Posts: 323 ■■■□□□□□□□
    I started reading this thread and thought, oh boy, I have a lot to write in response.
    I'm glad the 2nd and 3rd page had more constructive things to say.

    The original post is a little hard to read through, although I believe the poster did say at one point English is not his first language. The original poster is coming off as being a little sour. He has said numerous times he has passed, although I'm thinking he didn't pass and is now bashing it (many comments from the OP about don't work for a company who thinks this cert holds value. Yeah that US DOD they don't know what they are doing ;) ).

    #1. Pearson Vue. Seems the original poster had many issues with Pearson Vue going into the exam. I gave them my voucher number and when I was there in person my ID and Validation code. I sat at a PC with a mouse and clicked away. It would have been nice if they had lazy boys and a frappuccino but it was what I expected it to be.

    #2. No Diploma, Degree, Certification, Boys Scout Badge makes you an expert at anything. You go in pass the bar (to be able to practice law) does that make you a top dog expert lawyer....
    It is a bit odd to me that people equate Certified Ethical Hacker to Hacking Expert. I never think of a Certified Auto Mechanic as automatically being an expert in all things automotive.
    As a side note I would not take anyone seriously who brags about any credentials they have.

    #3. Price. CEH is a mid level security certification. Higher than SEC+ GSEC, lower than the OSCP. When I first started reading about how expensive CEH was I thought great no problems getting my company to pay for other courses offered by SANS or Offensive Security. Then I looked into the price of SANS and Offensive and it was nearly twice the price.
    ***Where are people getting their pricing information from???
    GPEN is $5500 ish
    OSCP is $4900 ish
    CEH was $3000

    #4. Script Kiddie. I didn't get this at all out of my experience. Never once was there training on running a script blindly. I would have been good with some metasploit coverage. If anything one of the big problems is this course covers many tools and you're expected to know advanced options for many of them.

    #5. Value. This got covered already by someone else. The CEH cert fulfills the 2nd most DOD 8570 requirements. (CISSP 5 CEH 4 GCIH 2 GSEC 1 Security+ 1 GCIA 1 ect.. ). EC Council may have its problems but getting their cert approved by the US DOD to fulfill the requirements needed for 4 of its positions is not one of them. That is value right there. If you wish to work for the DOD the CEH has value and from that other corporations will look and see what the DOD has done and base their decisions of what holds value off of that. Edward Snowden held the CEH cert, not that attaching his name to this cert gives the cert value.

    #5.1. CEH != CISSP. They don't cover the same things. There may be overlap but as stated before by others, CISSP is for security management (more policy based).


    Things that discredit people who should know more about security after taking the course:
    "CEH: This is really an entry level offensive hacking/vulnerability assessment exam. Once you complete it you won't be Kevin Mitnick,"
    ^^^No you won't become Kevin Mitnick. His exploits were non-technical in nature (Dumpster Diving, Social Engineering, Buying a Card punch to ride transit for free etc...). Not to say that CEH doesn't cover Social Engineering.

    EC Council Web Site Hacked and your personal information stolen out of their database. Please re-read your material on DNS Spoofing Web Site defacement.

    CEH covers old tools and topics. What are you looking for, 0 day exploits?



    EC Council has its problems for sure. If the original poster speaks English as a second language and took the test in English I feel sorry for him. I have posted my issues with the CEH exam before. Most of which are echoed by others in their constructive feedback, hpwever was not stated in the OP post.
    Wording of questions not the best...
    Expecting you to know little details about so many different tools.
    Questions not covered in the material. Questions that seem to come out of nowhere.
    Too many slides in the course material (that is the biggest understatement)
    ect...
  • IronmanX Member Posts: 323 ■■■□□□□□□□
    I might have to get this shirt and wear it around everywhere lol

    I was given this shirt at the end of my course:
  • griffondg Member Posts: 39 ■■□□□□□□□□
    IronmanX wrote: »
    #3. Price. CEH is a mid level security certification. Higher than SEC+ GSEC, lower than the OSCP. When I first started reading about how expensive CEH was I thought great no problems getting my company to pay for other courses offered by SANS or Offensive Security. Then I looked into the price of SANS and Offensive and it was nearly twice the price.
    ***Where are people getting their pricing information from???
    GPEN is $5500 ish
    OSCP is $4900 ish
    CEH was $3000

    CEH was about $1,800 for online course and exam.
    OSCP was $1,150 for 90 days of lab time and exam
  • OM602 Member Posts: 56 ■■□□□□□□□□
    Difference is though, you can easily do CEH without that online course.
    Doing OSCP without the lab time won't work
    The world chico, and everything in it
  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    griffondg wrote: »
    CEH was about $1,800 for online course and exam.
    OSCP was $1,150 for 90 days of lab time and exam

    Also, the fact you can get the GPEN and other SANS courses for only $900 instead of $5500 with doing the work-study option.
  • IronmanX Member Posts: 323 ■■■□□□□□□□
    Oh I never knew about the Work Study option.
    Seems pretty cool, basically you work at a SANS event, pay $900 and get access to on demand training for 4 months. If you book at the hotel the conference is at you get an exam voucher added. Seems like a very good option for new grads.
  • cyberguypr Mod Posts: 6,928 Mod
    ^ you don't need to stay at the hotel if you are local to wherever the event is being held.
  • impelse Member Posts: 1,237 ■■■■□□□□□□
    Two things, guys:

    1. CEH is only the beginning and helps you to get some basic knowledge of penetration testing and pass the HR filter.
    2. Normally people who don't have the certification always talk bad about the CEH.
    Stop RDP Brute Force Attack with our RDP Firewall : http://www.thehost1.com
    It is your personal IPS to stop the attack.

  • colemic Member Posts: 1,569 ■■■■■■■□□□
    @ironman

    #1 - no issues w/PV.

    #2 - 'I never think of a Certified Auto Mechanic as automatically being an expert in all things automotive. ' Unfortunately most of the world doesn't see it that way. That includes HR depts. and hiring managers who are ill-informed as to the capabilities and expectations of the test.

    #3 - I am pretty sure OSCP isn't that much, and CEH is definitely not 3k. And more importantly, it is NOT a mid-level certification. It is, at best, an introductory cert. No one I would take seriously thinks otherwise.

    #4 - covering tools' settings is one thing - but if you don't understand what you are doing you can cause some serious damage. And the test doesn't go near deep enough, and covers far too many tools, for it to be anything but an introductory certification.

    #5 - Value is in the eye of the beholder. While it may get you through HR filters for DoD contracts, it speaks nothing about your skillset or capability for a specific job. Snowden has nothing to do with this cert, if anything it demonstrates an unethical hacker IMO.

    #6 agreed.

    re: EC Council being hacked - whoever did it, supposedly gained access to their email, which would have had thousands of scanned passports, in addition to web site defacement. You're only addressing part of the hack.

    Again, JMO.
    Working on: staying alive and staying employed
  • gespenstern Member Posts: 1,243 ■■■■■■■■□□
    IronmanX wrote: »
    He has said numerous times he has passed, although I'm thinking he didn't pass and is now bashing it

    Sure, any decent discussion should start with ad hominem, isn't it, IronmanX? OK, rule is accepted. You probably see yourself as a superhero, at least, that's what your nickname suggests, so why not start with belittling the topicstarter by claiming that he is probably a liar? Alas, it was a stupid move on your part because it's easy to prove for me by just scanning my report. It's not stellar on points earned, but, as I already told, I had hard times taking this exam seriously and did virtually no preparation (never opened Conrad, AIO, did zero labs, etc), so most likely I missed a couple of questions about outdated Blackberry hacking tools or some nmap switches that I don't use often. And pass is a pass, after all. Proof. So, fck off, plz.
    IronmanX wrote: »
    Yeah that US DOD they don't know what they are doing ;)

    Yes, they don't, in this particular case. Are you a person who always agrees with authorities without any regard on whether they are right or wrong? Because it sounds like you can't come up with your own educated opinion and use referrals to authorities instead of proving your point with facts and arguments.

    In this case using this cert as a requirement puts a shade on DoD HR practices and, hopefully, with appropriate efforts from InfoSec community this will be fixed in the future. Or, as another option, EC-Council finally fixes their sh!t.

    Yes, this cert and certification body are FLAWED and the cert doesn't live up to its hype and should be disregarded by InfoSec community because of it being unprofessional and undervaluing profession.
    IronmanX wrote: »
    #1. Pearson Vue. Seems the original poster had many issues with Pearson Vue going into the exam.

    No. I had other issues with VUE in the past, but not in this case. All the process flaws are on EC-Council's part. I will briefly repeat my points for your convenience (yeah, the fact that you haven't read the post is attributed to my poor English):
    - Many mistakes in all documents with proofs. Even with my poor English I pointed some of them. Apparently, for some strange reason, you are okay with their mistakes, but not mine.
    - Scheduling process is poorly documented or straight up wrong.
    - Nobody knows what is Eligibility Code for. Do you know what it is? I don't remember you addressing this point.
    - Process is manually done via e-mails between EC-Council employees.
    - Both Prometric and VUE contain false information on the process of scheduling this exam.
    - EC-Council falsely claims that Prometric is an option while it is not.
    IronmanX wrote: »
    #2. No Diploma, Degree, Certification, Boys Scout Badge makes you an expert at anything. You go in pass the bar (to be able to practice law) does that make you a top dog expert lawyer....

    You clearly don't get the point. This cert is over-promising and under-delivering, in major part, because of its name. Do you know who a hacker is? I'll give you a brief explanation. A hacker is a person who understands the system being hacked on a so deep level that allows him to see flaws in the system and exploit them to his benefit. And just in case, a person who uses metasploit without understanding what it does to exploit vulnerabilities that went public but were not patched in due time is a script kiddie.

    It's similar to claiming that you are an architect after passing an associate level exam.
    IronmanX wrote: »
    #3. Price. CEH is a mid level security certification. Higher than SEC+ GSEC, lower than the OSCP.

    It is an entry level at best and it is spoiled by the hype. Yet, you can easily find a lot of positions that are looking for CEH certified people putting this cert in a row with CISSP. Just a JD from yesterday, they ask for CISSP, CEH, SANS. Proof. These guys clearly don't understand what they are asking. In no way CEH should be put on one line with CISSP. In addition to this these guys ask for any GIAC cert (SANS is not a certification body) messing it with SANS.

    And you should have read messages in this thread proving the price point more thoroughly.
    IronmanX wrote: »
    #4. Script Kiddie. I didn't get this at all out of my experience. Never once was there training on running a script blindly. I would have been good with some metasploit coverage. If anything one of the big problems is this course covers many tools and you're expected to know advanced options for many of them.

    ...and what you just have described is exactly a script kiddie. Again, hackers are not the ones who are good with metasploit and nmap options and switches and can use them to exploit known unpatched vulnerabilities. I can teach my wife how to do that provided some time for studying. Hackers are the ones who see vulnerabilities where nobody else sees them, discover them, exploit them/or report to vendors if they are ethical ones. E.g. Zeus trojan authors are hackers. Google employees who discovered heartbleed are ethical hackers.
    IronmanX wrote: »
    #5. Value. This got covered already by someone else. The CEH cert fulfills the 2nd most DOD 8570 requirements. (CISSP 5 CEH 4 GCIH 2 GSEC 1 Security+ 1 GCIA 1 ect.. ).

    I guess you are repeating another point that you've made without a number for it...
    IronmanX wrote: »
    #5.1. CEH != CISSP. They don't cover the same things. There may be overlap but as stated before by others, CISSP is for security management (more policy based).

    That's a long-standing misconception that CISSP is a management exam. I can tell where it comes from. When pure technologists attempt it they often feel themselves overwhelmed by business continuity and risk assessment concepts that are more related to management and express their frustration with this terra incognita as a 'management exam'. In reality majority of questions on the exam are technology related. E.g. on my exam I had pretty in-depth tech questions, like about IP protocol numbers for less known protocols, TCP packet structure or phases of AES algorithm. It is a well-rounded exam with a vast majority of questions being tech related.

    And in reality my CISSP knowledge was enough to pass CEH without ANY preparation. No courses taken, no books read. So I stand by my point: if you studied well and eligible for CISSP (i.e. have 5 years of XP in the field) it will probably be enough to pass CEH. At least it worked for me.
    IronmanX wrote: »
    Please re-read your material on DNS Spoofing Web Site defacement.

    So, looks like you claim that you have a solid information on what has happened to EC-Council on both defacement occasions. All right then...

    If we stick to the facts we don't know much besides web-site defacement, we can only speculate on what was the depth of this penetration and what assets were affected. They could have stolen everything and only part of the hack related to defacement could get into the media. At least, if we agree with google apps domain hijack version, the malefactor most likely had accessed e-mails and as I already mentioned the whole application process is done via e-mails. Which is insecure on its own cause many of SMTP servers pass e-mails in plain text and majority of them do not check certificate validity.
    IronmanX wrote: »
    EC Council has its problems for sure. If the original poster speaks English as a second language and took the test in English I feel sorry for him. I have posted my issues with the CEH exam before. Most of which are echoed by others in their constructive feedback, hpwever was not stated in the OP post.
    Wording of questions not the best...
    Expecting you to know little details about so many different tools.
    Questions not covered in the material. Questions that seem to come out of nowhere.
    Too many slides in the course material (that is the biggest understatement)
    ect...

    Yet, you fail to admit a single problem described in the main post, "hpwever" many of them are hard to refute, it's better to just dismiss them altogether... English is my second language, you are right, I may have missed something, "ect"...
  • IronmanX Member Posts: 323 ■■■□□□□□□□
    #2 - 'I never think of a Certified Auto Mechanic as automatically being an expert in all things automotive. ' Unfortunately most of the world doesn't see it that way. That includes HR depts. and hiring managers who are ill-informed as to the capabilities and expectations of the test.
    ^^I assume you don't work in HR but IMO HR is well aware that recent grads are not experts in their field of study. I dunno maybe I have more faith in their abilities than you do haha.

    #3 - I am pretty sure OSCP isn't that much, and CEH is definitely not 3k. And more importantly, it is NOT a mid-level certification. It is, at best, an introductory cert. No one I would take seriously thinks otherwise.
    ^^The OSCP price I quoted is right from their site. These prices are live in person training prices.

    "an introductory cert"
    ^I say mid level because it's not introductory and it's not expert level.
    Someone with no experience isn't going to pass. It requires 2 years of work experience to qualify.


    "#4 - covering tools' settings is one thing - but if you don't understand what you are doing you can cause some serious damage. And the test doesn't go near deep enough, and covers far too many tools, for it to be anything but an introductory certification."
    ^^^My experience was that it went quite in depth into TCP/IP and how things worked in detail. How an Idle scan works, session IDs/hijacking, password hashes (didn't cover hash salting in detail), detailed NMAP and Wireshark usage.
    Yes it did cover many tools but seemed to focus on core tools mostly. A little annoying covering so many tools with specifics and really what is the point.
    I'm trying hard to think where it didn't go into detail where I wish it had.... What did you feel it did not go into enough detail on? I did live training so maybe a lot of this is coming from people (It's not just you saying this) who just did the exam and in those 130 questions didn't get asked about I dunno let's say password hashes in detail?



    re: EC Council being hacked - whoever did it, supposedly gained access to their email, which would have had thousands of scanned passports, in addition to web site defacement. You're only addressing part of the hack.

    ^^^I believe the email hacking was debunked. The picture of Snowden's passport was a fake, something about the numbers on the passport not being correct. I can't find where I read that now so maybe I'm wrong.

    Oh I found this on Ars:
    "The graphic they used for their proof of their hacking the site is not a genuine snowden passport and has been altered to give the appearance of a genuine snowden passport. The code at the bottom indicates an issue period not consistent with the email date with the same pic and the stated issue date in the pic."
  • IronmanX Member Posts: 323 ■■■□□□□□□□
    "Yet, you fail to admit a single problem described in the main post, "hpwever" many of them are hard to refute, it's better to just dismiss them altogether... English is my second language, you are right, I may have missed something, "ect"..."

    It is easy to dismiss because you come off as being so angry and nothing was constructive.

    Your issues seem to be
    A: Over Hyped
    B: HR people are idiots.

    Your anger just doesn't seem based on fact. Why is it over hyped. Who is hyping CEH up? haha You stated you didn't try for the CEH exam so it doesn't sound like it was hyped up to you all that much. What did those HR people do to you that any HR person who writes the letters C E and H next together on a job posting is dumb and as such the organisation is dumb?

    "In this case using this cert as a requirement puts a shade on DoD HR practices and, hopefully, with appropriate efforts from InfoSec community this will be fixed in the future"

    ^^^That seems to be the common theme from you here:
    "I'm going to get the InfoSec community to shame all those HR people who write CEH in a job posting."

    Yes I don't believe NMap is a script kiddie tool.
  • royce Registered Users Posts: 3 ■□□□□□□□□□
    No discussion of CEH is complete without a link to Errata: Charlatan - EC-Council (ECC). My own experience with EC-Council's official CEH self-paced video training materials (v8 coursework) is 100% in line with attrition.org's claims. EC-Council course materials plagiarize vigorously and without penalty -- from vendor technical docs, marketing whitepapers, and even third-party personal blogs -- without citation or attribution of any kind. Their earlier claims that the plagiarism was inadvertent and due to third-party subcontractors does not stand when the practice continues for years.

    Their entire educational approach also stresses rote memorization of a relatively random assortment of isolated facts without providing conceptual context -- the why of what they're stressing.

    I also find it extremely telling that their own internal incident handling practices apparently do not include "if someone gets your credentials, change them as part of remediation": So Who Hacked EC-Council Three Times This Week? - InfoSec News. They failed to do so -- twice.

    A CEH certification is an HR checkbox. For actually learning what matters about security, seek elsewhere.
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    #2 - I wish I lived in your world, where HR knew what certs are appropriate for each position. In reality, Helpdesk positions want MCSE, and every InfoSec position wants CISSP and/or CISM, sometimes even GSE, even for analyst-type positions.

    #3 That is factually incorrect, you don't have to have two years of experience, if you pay the $$$ to take their one-or-two-week training. That does NOT equate to two years of experience, in any reality. It is an introductory cert by any known definition.

    #4 You stated it exactly - what's the point of covering so many tools (many obscure) with specifics... because gosh, that's exactly what a script kiddie does. And ANY tool can be used by kiddies. NMAP is probably one of the more popular ones they use, I would guess, behind metasploit.

    #5 Context check on aisle 5, please - yes, someone stated that. And someone called them out on it, and said that it was, indeed, consistent with passports issued at that time, to the point of checksums, and the commenter who claimed it wasn't real didn't back it up with anything of substance. Granted, no more have surfaced *that we know of* and this is the only claim I have ever seen that the passport scan was doctored.

    Security certification group EC-Council
    Working on: staying alive and staying employed
  • gespenstern Member Posts: 1,243 ■■■■■■■■□□
    royce wrote: »
    No discussion of CEH is complete without a link to Errata: Charlatan - EC-Council (ECC). My own experience with EC-Council's official CEH self-paced video training materials (v8 coursework) is 100% in line with attrition.org's claims.

    Thanks, man, that's a valuable addition to this thread, lol
  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    I think I need to make up an entry level Cert and put a fancy name on it... Require 2 years of experience (so by then you shouldn't even need it) or require ppl to take an expensive course. Something like "Certified Master Hacker Security Practitioner"

    Bet EC is laughing all the way to the bank with this.
  • ramrunner800 Member Posts: 238
    You seriously need to take a breath. This is the most appalling post I've seen on techexams, but you've been heading this way for awhile in this thread. Everybody understands your point, most people see where you're coming from, some do not agree with you. You are now just being hysterical and uncivil. These boards are a rare bastion of civility and helpfulness on the internet; you are dragging everybody here down and have thoroughly embarrassed yourself. Are there no moderators to lock this?
    Currently Studying For: GXPN
  • PC509 Member Posts: 804 ■■■■■■□□□□
    CEH isn't intro level (Not as entry level as Security+), so it's lower-mid level. Definitely not upper level. But, it's not intended to be. As with all certs, though, it's the checkbox on your resume that gets you noticed. After that, it's what you know. With CEH, I'd assume you know basic security concepts. Not enough for CISSP, but beyond the basics of Security+. It also shows you want to move forward in the career. Everything else, you have to prove. Kind of like you wouldn't trust a fresh MCSE with your Windows forest (at least, I'd hope not), you shouldn't trust a fresh CEH with your security, either.

    It can be a great cert to show dedication to the field and basic knowledge. It's not a miracle cert, it's not some magical hacking cert. But, you'll understand the concepts and how to apply them.

    Yes, the name "Certified Ethical Hacker" is a bit much, but it gets attention. It's a business, and that's what they do. Is it respected by others? It can be, but I wouldn't go bragging about it trying to be some hotshot. It doesn't make you a hacker or some security expert. But, like all other certs - it gets you past HR. From there, it's all about what you can do. You may already be a hacker or expert and are working on grabbing some certs to pad the ol' resume, or you may just be looking for the foundations.

    I guess you get out of it what you want. If you have no use for it and think it's just a basic, entry level certification, then don't take it. It won't help you. If you see value in it for a job you want or want that foundation knowledge, and can justify the cost - then it's a great certification and you should take it. I wouldn't take the Network+, as it wouldn't hold value for me (after CCNA, it's near worthless unless a job requires it). Its value is based on the individual and their goals. Just because I hold little value in the Net+ in my career now, doesn't mean someone else shouldn't hold value in it.

    note: I'm studying for the exam, haven't taken it yet. So, no first hand exam experience.
  • ramrunner800 Member Posts: 238
    I apologize, because the quote I included seems not to be there. That was not directed at you NetworkNewb, rather at gespenstern, and this:
    Sure, any decent discussion should start with ad hominem, isn't it, IronmanX? OK, rule is accepted. You probably see yourself as a superhero, at least, that's what your nickname suggests, so why not start with belittling the topicstarter by claiming that he is probably a liar? Alas, it was a stupid move on your part because it's easy to prove for me by just scanning my report. It's not stellar on points earned, but, as I already told, I had hard times taking this exam seriously and did virtually no preparation (never opened Conrad, AIO, did zero labs, etc), so most likely I missed a couple of questions about outdated Blackberry hacking tools or some nmap switches that I don't use often. And pass is a pass, after all. Proof. So, fck off, plz.



    Yes, they don't, in this particular case. Are you a person who always agrees with authorities without any regard on whether they are right or wrong? Because it sounds like you can't come up with your own educated opinion and use referrals to authorities instead of proving your point with facts and arguments.

    In this case using this cert as a requirement puts a shade on DoD HR practices and, hopefully, with appropriate efforts from InfoSec community this will be fixed in the future. Or, as another option, EC-Council finally fixes their sh!t.

    Yes, this cert and certification body are FLAWED and the cert doesn't live up to its hype and should be disregarded by InfoSec community because of it being unprofessional and undervaluing profession.



    No. I had other issues with VUE in the past, but not in this case. All the process flaws are on EC-Council's part. I will briefly repeat my points for your convenience (yeah, the fact that you haven't read the post is attributed to my poor English):
    - Many mistakes in all documents with proofs. Even with my poor English I pointed some of them. Apparently, for some strange reason, you are okay with their mistakes, but not mine.
    - Scheduling process is poorly documented or straight up wrong.
    - Nobody knows what is Eligibility Code for. Do you know what it is? I don't remember you addressing this point.
    - Process is manually done via e-mails between EC-Council employees.
    - Both Prometric and VUE contain false information on the process of scheduling this exam.
    - EC-Council falsely claims that Prometric is an option while it is not.



    You clearly don't get the point. This cert is over-promising and under-delivering, in major part, because of its name. Do you know who a hacker is? I'll give you a brief explanation. A hacker is a person who understands the system being hacked on a so deep level that allows him to see flaws in the system and exploit them to his benefit. And just in case, a person who uses metasploit without understanding what it does to exploit vulnerabilities that went public but were not patched in due time is a script kiddie.

    It's similar to claiming that you are an architect after passing an associate level exam.



    It is an entry level at best and it is spoiled by the hype. Yet, you can easily find a lot of positions that are looking for CEH certified people putting this cert in a row with CISSP. Just a JD from yesterday, they ask for CISSP, CEH, SANS. Proof. These guys clearly don't understand what they are asking. In no way CEH should be put on one line with CISSP. In addition to this these guys ask for any GIAC cert (SANS is not a certification body) messing it with SANS.

    And you should have read messages in this thread proving the price point more thoroughly.



    ...and what you just have described is exactly a script kiddie. Again, hackers are not the ones who are good with metasploit and nmap options and switches and can use them to exploit known unpatched vulnerabilities. I can teach my wife how to do that provided some time for studying. Hackers are the ones who see vulnerabilities where nobody else sees them, discover them, exploit them/or report to vendors if they are ethical ones. E.g. Zeus trojan authors are hackers. Google employees who discovered heartbleed are ethical hackers.



    I guess you are repeating another point that you've made without a number for it...



    That's a long-standing misconception that CISSP is a management exam. I can tell where it comes from. When pure technologists attempt it they often feel themselves overwhelmed by business continuity and risk assessment concepts that are more related to management and express their frustration with this terra incognita as a 'management exam'. In reality majority of questions on the exam are technology related. E.g. on my exam I had pretty in-depth tech questions, like about IP protocol numbers for less known protocols, TCP packet structure or phases of AES algorithm. It is a well-rounded exam with a vast majority of questions being tech related.

    And in reality my CISSP knowledge was enough to pass CEH without ANY preparation. No courses taken, no books read. So I stand by my point: if you studied well and eligible for CISSP (i.e. have 5 years of XP in the field) it will probably be enough to pass CEH. At least it worked for me.



    So, looks like you claim that you have a solid information on what has happened to EC-Council on both defacement occasions. All right then...

    If we stick to the facts we don't know much besides web-site defacement, we can only speculate on what was the depth of this penetration and what assets were affected. They could have stolen everything and only part of the hack related to defacement could get into the media. At least, if we agree with google apps domain hijack version, the malefactor most likely had accessed e-mails and as I already mentioned the whole application process is done via e-mails. Which is insecure on its own cause many of SMTP servers pass e-mails in plain text and majority of them do not check certificate validity.



    Yet, you fail to admit a single problem described in the main post, "hpwever" many of them are hard to refute, it's better to just dismiss them altogether... English is my second language, you are right, I may have missed something, "ect"...
    Currently Studying For: GXPN
  • NetworkNewb Member Posts: 3,298
    gotcha, deleted my last post ;)

    You must spread some Reputation around before giving it to ramrunner800 again.
  • Megadeth4168 Member Posts: 2,157
    Seems to be a lot of anger here....

    I recently took the C|EH (self study option) and like others here can agree with some of the points made. The process to validate experience just to take the exam is cumbersome and inconsistent across various communications (e-mail differs from the process on website which differs from the process on the enrollment form). I will say that every time I contacted support for clarification, I was always promptly given direction.

    I went into the exam knowing that it's not going to be very hands-on and that the concepts will be more entry level than I would like. I took the exam because it might be the foot in the door I need, it might give me the slight edge over another candidate for a job and let's face it, I'm already collecting CPEs for CISSP, so upkeep is easy. I'm under no illusion that simply passing C|EH means I can be a good pen tester/hacker. That's why I set up labs, read, attend SANS and will likely sign up for OSCP at some point as well.

    Again, I went into this exam knowing what it is. That didn't stop me from treating it like any other exam I've ever taken. I purchased 2 books, read them cover to cover and learned a couple new things and refreshed myself on some other material. At the end of the day, that's what it's about, did you learn anything from the journey? I would have been disappointed if I knew everything in the 2 books I read, but I did learn something new and that is worth something.
  • gespenstern Member Posts: 1,243
    You seriously need to take a breath. This is the most appalling post I've seen on techexams, but you've been heading this way for a while in this thread.

    I would respectfully suggest to skip reading it then. Other people may find factual information described in here valuable.
    Everybody understands your point, most people see where you're coming from, some do not agree with you.

    Clearly not everybody, there are some objections as you can easily see.

    I can guess where they come from. Some people may have invested in this cert and expect returns. Undermining this cert (that's what I'm doing here) clearly undermines their prospects and may even have financial impact. That can make people angry and try to shut down this thread. I hope that it's not true in your case. I would suggest them not to store all eggs in a single basket and not to stick to a cert that is connected to cases of unprofessional behavior, plagiarism, poor quality, poor security and so on.

    After all, it's society's obligation to push certification authorities to meet some standards if they aren't able to do it themselves. EC-Council may change and these criticisms could be used to address their issues.
    You are now just being hysterical and uncivil.

    Not likely, I'm pretty old, not emotional.
    Are there no moderators to lock this?

    PM them. They may show up and ban me and delete this thread. No big deal, it would mean that I just don't belong here as being arrogant and hysterical and harsh truth isn't welcome. Instead, atmosphere of being polite towards nearly fraudulent certs is what is welcome. After all, the certs allow people here to get past HR filters and therefore they are good no matter what and should be respected, aren't they?
  • BlackBeret Member Posts: 683
    The cert is over-hyped for sure. I think the main disconnect between people on its value stems from the self-study option versus the course. I'm noticing the people that took the course, put in work, etc. seem to say they learned a lot. The people that already had two years+ experience and just took the test say that the test is garbage because it doesn't meet the hype. I did the self-study option without studying anything and didn't find the test challenging at all. I also expected this considering I had more than 2 years experience. Personally I think that if you changed the name and took the hype away, this test would be at the exact level it should be based on everyone's comments.

    @gespenstern - To answer your question about the eligibility code and explain why you had problems with the registration process... The eligibility code is what you get from EC-Council after having your voucher approved. You then put that into their online order form to pay for and register for the test. If you had done this you would not have had to email them to manually register for it. The system isn't automatic, but the instructions weren't hard to figure out.
  • qasimchadhar Member Posts: 17
    Looks like they learned nothing from the past. Their ilearn pages (including the auth page) are still delivered over HTTP.