OSCP will now be proctored.

Earlier today apparently an FAQ page pertaining to OffSec’s new proctoring program for OSCP accidentally went live for a little bit. It didn’t go in-noticed by some in the community and caused quite the shitstorm on Twitter. Lots of people on both sides. The program seems draconian, but apparently it’s a must since there is an OSCP farm in India where you can hire out people to do the OSCP.

At work our pentesting Manager posted in a Slack thread that when they were looking for a pentester in APAC, he must have interviewed 100 OSCPs that couldn’t explain how to conduct an actual pentest. I’m for proctoring but I have reservations as I want to make sure if I have to give up my privacy that it’s a reputable proctor.

Find more posts tagged with

Comments

Sheiko37

The problem isn't the students, it's the exam format.

Sheiko37

JoJoCal19 wrote: »

At work our pentesting Manager posted in a Slack thread that when they were looking for a pentester in APAC, he must have interviewed 100 OSCPs that couldn’t explain how to conduct an actual pentest.

When he still has this problem after OSCP implements proctored exams, can we start blaming the certification rather than the students?

TeKniques

Seems that Offsec is protecting their interests and the reputation of their certifications. Can't really blame them for that.

johndoee

JoJoCal19 wrote: »

Earlier today apparently an FAQ page pertaining to OffSec’s new proctoring program for OSCP accidentally went live for a little bit. It didn’t go in-noticed by some in the community and caused quite the shitstorm on Twitter. Lots of people on both sides. The program seems draconian, but apparently it’s a must since there is an OSCP farm in India where you can hire out people to do the OSCP.

At work our pentesting Manager posted in a Slack thread that when they were looking for a pentester in APAC, he must have interviewed 100 OSCPs that couldn’t explain how to conduct an actual pentest. I’m for proctoring but I have reservations as I want to make sure if I have to give up my privacy that it’s a reputable proctor.

Cheating during the OSCP exam was discussed on reddit a while ago. No, I am not going to go search and find it but it exists. Someone form Offensive Security chimed in further down the thread and stated that they were aware of the alleged cheating. They also stated that violators will have the certifications revoked (Duh

).

I think that they as in Offensive Security are starting to want to keep the respect that the certification yields as a holder and an organization.

So, a proctored exam is the only way to guarantee that the certification itself and the testing environment is not compromised. But, several vendors offer proctored exams. Ec-Coucil and Microsoft are two that quickly come to mind. No matter the thoughts on Ec-Council, CEH lights up job boards more than quite a few GIAC certifications. So, hiring managers in the DoD especially are looking for it. I could care less about the certification course or exam. People want jobs/careers.

This proctored experience is all based upon the individual. If I am a System Engineer/Administrator this means something. Having a proctored MCSE/MCSA/MCP/ exam experience is beneficial. I can take the exam in some shorts and a t-shirt in my bedroom. So, I am all for a proctored exam experience. You have to take the OSCP exam on a personal/work computer anywat, the only difference is they are adding an individual watching you and having you scan your work area/room. It's not an inconvenience to have a proctored exam for the OSCP. You are more than likely home when you are taking it anyway, this time your camera/mic is on. I don't see it being a big deal. It's not a big deal.

I am neutral party. India has been the talk on these forums for quite a while for cheaters. Cheating comes in many different forms. Having someone do your exam is cheating. So is getting exam ****. Cheating is cheating. People in the US **** just as much as anywhere else. The IT Field as a whole (no matter the country) is known for individuals cheating. Most people who have been in IT for a few years knows a person or ten who has cheated. Going 59 mph in a 55 and going 62 mph in a 55 is still speeding.

Offensive Security is not E-Learn Security. They are not sending you monthly emails about some crappy package for exams that are not on job boards every couple of weeks. Offensive Security isn't sending out emails like E- Learn Security about discounts and check out this bug bounty program webinar. Offensive Security isn't spamming you monthly. I said that to say, people find Offensive Security and the course and exams beneficial and/or challenging. It's a reason for that. I am sure with the highest degree of name recognition that they provide in a penetration testing organizational department, they don't care if a handful of people opt out. More than likely those people aren't actively in the field. They probably don't care that someone doesn't want privacy to be questioned. If someone doesn't have anything to hide and they think they can tackle the OSCP exam I don't see an issue. The OSCP isn't for everyone. If OSCP wanted to minimize the pool of OSCP exam takers all they have to do is raise the price of training/certification every year like SANS/GIAC does. That's to easy to do. Guess what? You still minimize the pool of test takers and cater your program to organizations that'll send qualified people to the training that stand the most chance of passing. Just not some Joe who has saved 1k out of his/her paycheck over 6-12 months and feels they might be able to tackle it.

EANx

JoJoCal19 wrote: »

I’m for proctoring but I have reservations as I want to make sure if I have to give up my privacy that it’s a reputable proctor.

Their privacy policy discusses proctoring: https://www.offensive-security.com/privacy-policy/

I've been wanting to do the PWK course for a while and it's on the list for after the CCIE. I don't see proctoring as being a bad thing, just means you wear pants during the exam.

TechGromit

johndoee wrote: »

This proctored experience is all based upon the individual.

This is a good Idea, the chances of someone that holds some GIAC's or a CISSP certs is going to **** is far less likely then someone with no certifications or lower level certifications under there belt. Few people are going to take the risk of having all there certs pulled for ethics violations.

Now that read what the proctoring involves, I really don't have an issue with it. You have to set up web cams where they can see your screen and another to shows them your room. This way they can be ensured no one is feeding you answers and it's you actually typing on the screen. Your session is recorded and can be reviewed at a later date. I still see the potential for cheating here, but it's still at least some kind of protection.

JoJoCal19

EANx wrote: »

Their privacy policy discusses proctoring: https://www.offensive-security.com/privacy-policy/

I've been wanting to do the PWK course for a while and it's on the list for after the CCIE. I don't see proctoring as being a bad thing, just means you wear pants during the exam.

I know that, and I’ve read the proctoring FAQ since people snipped it while it was temporarily up. What I’m saying is, I’m glad they are introducing the proctoring as this will help keep the OSCP from becoming just another CEH. But if you’ve read the FAQ (search Twitter), the proctoring is pretty invasive. If I’m going to have someone watch me for 24 hours, and have to show identification to the webcam, etc, then I hope they are using highly qualified and reputable proctors, not some random third world farmed out labor. That’s all. I want information on the company that is proctoring me. I want to know that the person doing the proctoring has gone through a background check. As it is, I will use a burner laptop because you also have to install remote access software.

Sheiko37 wrote: »

The problem isn't the students, it's the exam format.

Unfortunately it’s not practical to do a 24 hour exam in an testing center environment. This is the only way you can do such a practical exam. The issue is that with this format, of course it’s easy to ****. And as usual when something becomes desirable, people find a way to **** to obtain it. I’ve seen people posting on various OSCP study groups and I wonder how the hell they were even able to complete the sign up process, let alone try and tackle this course/exam.

Sheiko37 wrote: »

When he still has this problem after OSCP implements proctored exams, can we start blaming the certification rather than the students?

I’m curious on your specific issues with the PWK course and OSCP exam. I know you have the OSCP, so I respect your opinions on it, but I disagree with this to an extent. I know in looking at the syllabus the course has one section breaking down the process of a pentest, but the OSCP is not marketed as an entry level course for people looking to learn about what pentesting is. But if someone passes the OSCP, they should know the process, how to conduct each phase, and how to write a semi-decent report. The good thing is that regardless of anyone passing the OSCP, a good technical interview will weed out cheaters. In this case I work for one of the worlds most well-known security companies and needless to say, you’re not BS’ing your way into a job there. If you say you’ve passed the OSCP then you will be tested to that level of knowledge and expected that you can perform those tasks.

Sheiko37

JoJoCal19 wrote: »

Unfortunately it’s not practical to do a 24 hour exam in an testing center environment.

Then don't have a 24 hour exam! It's unnecessary and encourages unhealthy behavior, and it's not about time management because everyone treats it as a marathon.

There's any number of ways to change the certification process, break up the exam into stages, include computer based testing, set up a series of smaller challenges so the student actually has to demonstrate understanding, because at the moment it's just a mad scramble on the web to find the right blog, article, or chat room with the answer.

I’m curious on your specific issues with the PWK course and OSCP exam. I know you have the OSCP, so I respect your opinions on it, but I disagree with this to an extent.

I have many problems with the OSCP. It doesn't prepare you for the real world at all, both technically and socially. What is the goal here really? To have skilled, enthusiastic, socially connected information security professionals, right? What does the OSCP do to achieve this?

I'm doing a course at the moment where the tutor has put significant effort into not only knowing the material, but also how to be an effective teacher, and it really helps. When I reflect on the OSCP it just looks pathetic, you're dropped in a lab... that's it. If you struggle learning you're shunned, told to "try harder", you're on your own. It doesn't encourage collaboration, it encourages hoarding. It encourages "kicking down and kissing up", where those below you are weak, and for those above you desperately beg for a crumb of their knowledge. There's a big ego problem in information security which the OSCP fosters.

They now apparently think the problem is entirely the students and not their method of delivery... what a total lack of introspection.

Their lab is not reflective of real world penetration testing at all.

The OSCP is a blight on information security. It doesn't train you, certifies you for no job, rewards unhealthy habits, and encourages toxic attitudes.

JoJoCal19

Sheiko37 wrote: »

Then don't have a 24 hour exam! It's unnecessary and encourages unhealthy behavior, and it's not about time management because everyone treats it as a marathon.

There's any number of ways to change the certification process, break up the exam into stages, include computer based testing, set up a series of smaller challenges so the student actually has to demonstrate understanding, because at the moment it's just a mad scramble on the web to find the right blog, article, or chat room with the answer.

I have many problems with the OSCP. It doesn't prepare you for the real world at all, both technically and socially. What is the goal here really? To have skilled, enthusiastic, socially connected information security professionals, right? What does the OSCP do to achieve this?

I'm doing a course at the moment where the tutor has put significant effort into not only knowing the material, but also how to be an effective teacher, and it really helps. When I reflect on the OSCP it just looks pathetic, you're dropped in a lab... that's it. If you struggle learning you're shunned, told to "try harder", you're on your own. It doesn't encourage collaboration, it encourages hoarding. It encourages "kicking down and kissing up", where those below you are weak, and for those above you desperately beg for a crumb of their knowledge. There's a big ego problem in information security which the OSCP fosters.

They now apparently think the problem is entirely the students and not their method of delivery... what a total lack of introspection.

Their lab is not reflective of real world penetration testing at all.

The OSCP is a blight on information security. It doesn't train you, certifies you for no job, rewards unhealthy habits, and encourages toxic attitudes.

I actually agree with you on quite a few of those points, and have formulated some of those same thoughts over the years as I’ve done research on the OSCP, as well as followed many blogs and journeys. That’s why I’ve purchased eLearnSecurity’s course first, as their teaching style is more ideal. They hand hold, structure it better, and tailor the learning and exam to more of an actual engagement. The PWK/OSCP is more like dropping you off on an island, Bear Grylls style. But the value I see in the OSCP is that if you’ve PROPERLY put in the time and effort and complete it legitimately, you should be effective at owning machines during a pentest, especially manually.

meni0n

The amount of time I spent being frustrated at the actual PWK content and the exercises.. I spent my own money on this course and then they hand you this pdf with broken exercises where you have to figure out how to fix something first before even completing an exercise or providing very little guidance. I didn't pay money for them to tell me to use google to find how to do something, I paid them to teach me how to do it.

Sheiko37

I'd also like to see the percentage of OSCP holders who are women, just putting that out there...

EnderWiggin

So someone gets to watch you for 24 hours straight? What about going to the bathroom, do you have to bring the camera in with you? What about if you want to go to bed and finish in the morning, do they get to watch you sleep? I'm all for verifying the person is who they say they are, but this seems crazy.

TeKniques

The cynical comment above is funny. I'm sure Offensive Security has thought about all that and has a well defined process behind it.

Some of these other comments ... if you thought the OSCP material wasn't enough hand holding I'd love to read your opinions on the OSCE course.

Mooseboost

I don't have an issue with it. The idea of it isn't new, they have been piloting it for some time now. They didn't just pull this out of the thin air. The exam really is not that bad. You will find people all over the place with their personal opinion of the course and the exam, but the one thing that is consistent is that it is the gold standard for pentesting certification. People scoffing at the difficulty or format of the exam will not change that but a large influx of OSCP holders who cheated their way through the exam will. Offensive Security is trying to protect their position in the market and I cannot fault them one bit. I don't see the format changing. The insane nature of the exam is part of how they market it and builds into its notoriety.

If you go and sit in an exam center, you are on camera. You have to produce an ID (often two forms) and you are proctored. I don't really see a difference honestly. I work from home and every meeting I am in with video shows my room. There is nothing in my office I wouldn't want someone else to see.

Yes, it sucks that it needs to be done. I have no idea why people are trying to blame Offensive Security for cheating happening. That is like saying its OK for people to **** because a professor made a final ridiculously difficult. I fail to see the logic here. It definitely is a people problem and not a vendor problem. Its rampant in India. The issue isn't exclusive to Offensive Security. Cisco is struggling to deal with similar issues regarding CCIE candidates who managed to **** their way through the certification process.

I have had nothing but positive experiences from the community with the OSCP. Yes, there is the occasional toxic person but that is true for literally every community that has ever existed.

ottucsak

The FAQ has been public for several days now, I tweeted about 3 days ago.

I don't mind proctored exams, but not for 24 hours or at home where I don't have a dedicated room where I can take the exam.

Also, keep in mind that this doesn't stop frauds from sharing and collecting exam reports.

chrisone

Should be interesting, hope to be done with the OSCP before they actually implement this format. I really don't care proctored or not.

McxRisley

meni0n wrote: »

The amount of time I spent being frustrated at the actual PWK content and the exercises.. I spent my own money on this course and then they hand you this pdf with broken exercises where you have to figure out how to fix something first before even completing an exercise or providing very little guidance. I didn't pay money for them to tell me to use google to find how to do something, I paid them to teach me how to do it.

Well you obviously arent aware of the offsec slogan or how the course is ran. Thats your fault for not doing enough research to find out that they wont put a bib on you and spoon feed you.

chrisone

To help stop any more FUD here are some facts.

https://www.offensive-security.com/offsec/proctoring/

[FONT=&quot]This solution provides us additional integrity of the exam process, while still allowing you to take the test wherever you like, you don’t have to ask for permission when wanting to take a nap or use the restroom, and other benefits typically associated with our rigorous exam process. This entire process is done with proctors that are full time employees of Offensive Security.[/FONT][FONT=&quot]The proctoring process uses screen sharing software and your webcam. We ask that the screen share remain enabled during your entire exam. However, if you need to change locations or disconnect for any reason, we will pause your exam VPN to allow you to do what is needed and then restart the exam VPN once you reconnect. The webcam may be disabled during breaks and any time you’re not actively in your exam. There is no audio feed for the exam and the proctor cannot hear you. The goal is to be able to be a silent observer during your exam to assist our exam graders with any anomalies they may see in your report.

OSCP has always been an “open book” exam. We encourage you to use Google, your notes, or other tools and the proctor will not disqualify your exam for any of those reasons or for having your phone or another person enter the room. The goal of the proctor is to observe and help ensure you are taking the exam on your own and it is actually you performing the practical skills.[/FONT]

meni0n

I am aware of the slogan, I did pass the exam after all. I just expected to have at least the tools mentioned in the exercises to be working properly and not go hunt down fixes on the forums.

ottucsak

I was pissed off by that first as well, but I lowered my expectations. The whole course is about troubleshooting.

deadjoe

I took the pilot program proctored exam and passed. This proctored thing is no big deal. They should have been doing this from the beginning.

I did wonder though, what did the proctors think of hours of my frustrated body language followed by an ecstatic root dance.

LonerVamp

Sheiko37 wrote: »

I'd also like to see the percentage of OSCP holders who are women, just putting that out there...

...and compare that against every other hacking/IT cert.

You do have some points, but I also feel like you have a particularly bone to grind on the cert...

You have to start somewhere. I don't find the format or the approach to be, "wrong," per se. Does it prepare you for pen tests immediately? Not really, but the rest can be taught by the org.

As far as the hand-holding, I think too many come into this just like I'm seeing in the industry today as a whole: looking for a mentor. It's fine to get some direction, but folks still need to be able to do their own networking, their own research, and put fingers on the keyboard and try things. Hands aren't going to be held terribly long in this profession.

LonerVamp

To be more on point with the topic, I bristled at first, but it's just something that happens to keep the cheaters down. Other orgs do this with their at-home exam takes, though clearly not with the 24-hour requirement.

edit: (No strikethru! This was addressed earlier:) My only concern would revolve around co-habitation, for instance if my spouse/partner/roommates are nearby, will I get in trouble if I say a greeting? What if my computer is not in a private room? Life will still continue around me; if my boss/family calls and I answer it, is that a problem? Will my children, if they are around, be recorded and saved? I'd also have some minor questions about platform, for instance if I run kali on bare metal or through a separate ESX host that I connect to.

Will this stop dedicated cheaters? Not likely; I can still step out and talk to someone (I'll admit in the labs I sometimes talked with a friend who isn't savvy, but let me use them as a rubber ducky/therapy), but it certainly eliminates the people who easily fake this or beg answers online during the test take.

LonerVamp

Sheiko37 wrote: »

I'm doing a course at the moment where the tutor has put significant effort into not only knowing the material, but also how to be an effective teacher, and it really helps. When I reflect on the OSCP it just looks pathetic, you're dropped in a lab... that's it. If you struggle learning you're shunned, told to "try harder", you're on your own. It doesn't encourage collaboration, it encourages hoarding. It encourages "kicking down and kissing up", where those below you are weak, and for those above you desperately beg for a crumb of their knowledge. There's a big ego problem in information security which the OSCP fosters.

Were you ever actually once told, "Try harder," by the admins if you asked for help? Did you ask for help?

Too many people ask for help for something that should be easily Googled. It happens in every forum for students. And it takes a significant amount of empathy and some training to be able to gently nudge someone forward rather than hold their hand or tell them the answers. It's an impossible balance to try and use any one course/cert to bring up entry level people to stand on their own when everyone is wildly different with crazy backgrounds.

JoJoCal19

Now that OffSec has released their post about it and spelled things out, I’m completely for it. They’ve addressed the concern I had about just who was going to be doing the proctoring. I’m glad they kept it in house. That was the only concern I had. From what I’ve seen on Twitter, looks like OffSec has addressed most all other concerns I saw. I understand it won’t be perfect for 100% of people out there, but with the cheap cost, I don’t mind making some concessions (using a dedicated laptop/machine, making sure my family stays out of my office). I have to say, OffSec really has put a lot of thought and effort behind this. I’m glad they got out in front of this before it became an even bigger issue with the cheating. I’m hoping to be able to sign up for PWK around September/October.

Naruto985

I don't mind to be proctored. But I pity those people who watch us. I mean, we all come from different time zones and offsec people sitting in front of a monitor watching us for such a long hours. I guess our face will be imprinted in thier mind for many days 😉😉.
Yes I do have heard about cheating especially all those exams with MCQ where you need to just check the radio button. In a way with proctored exam I guess the organisation or the recruiting company can be sure that the person they are recruiting didn't pass the exam by cheating. This is just to give them assurance, we have seen the candidate taking the exam.
OSCP looks more interesting now

Good luck all

who are taking OSCP. I will start once I am done with eCPPT.

the_Grinch

I have to agree once they spelled everything out I don't have any issue with it. I understand they're protecting the integrity of their exam and everything appears to be very reasonable indeed.

LordQarlyn

Exam cheating has been an issue everywhere, in some countries it was not that rare to pay someone to impersonate you or to swap with you during a break and take the exam for you. All the certifying bodies need to take steps to protect the integrity of their exams and thereby the value of their certifications. Which is why I had no issue with proctoring when I took my ITIL and PRINCE2 at my office, and had no problems with providing a palm scan at the testing center when I took my CISSP.

EnderWiggin

chrisone wrote: »

[FONT=&amp]and other benefits typically associated with our rigorous exam process[/FONT][FONT=&amp][/FONT]

But what if I want to take the test naked? Do I now lose that benefit?

mokaz

Sheiko37 wrote: »

I have many problems with the OSCP. It doesn't prepare you for the real world at all, both technically and socially. What is the goal here really? To have skilled, enthusiastic, socially connected information security professionals, right? What does the OSCP do to achieve this?

I'm doing a course at the moment where the tutor has put significant effort into not only knowing the material, but also how to be an effective teacher, and it really helps. When I reflect on the OSCP it just looks pathetic, you're dropped in a lab... that's it. If you struggle learning you're shunned, told to "try harder", you're on your own. It doesn't encourage collaboration, it encourages hoarding. It encourages "kicking down and kissing up", where those below you are weak, and for those above you desperately beg for a crumb of their knowledge. There's a big ego problem in information security which the OSCP fosters.

They now apparently think the problem is entirely the students and not their method of delivery... what a total lack of introspection.

Their lab is not reflective of real world penetration testing at all.

The OSCP is a blight on information security. It doesn't train you, certifies you for no job, rewards unhealthy habits, and encourages toxic attitudes.

I tend to agree with you here but i guess this is isn't only an OSCP issue but a whole industry attitude.
Anyways, while i've personaly liked very much the "Try Harder" motto, i can understand that being thrown this sentence at every reach out for help at understanding might not be the cup of tea of everyone...

Anyways, i've had a very good time @OSCP & OSCE and i've learned loads on my own.

Now OffSec preotecting their cert's is a good thing - I'm also stunned at whoever would want to **** on these certs, it's so stupid really..

Anyways..
m.