A+ passed, but a little rant

gespenstern Member Posts: 1,243
I'm 40, cybersecurity consultant, all life in IT, never worked as a PC tech. Yesterday passed 801 with 815, today passed 802 with 839. No preparation besides doing about ~250 preparation questions at WGU and doing preassessments that are required to get a voucher.

Now to the exam, I never was that frustrated on any other exam. I used to hate CEH, but A+ is a new level of dumbness. I know that it is an entry level exam and questions shouldn't be hard, but I believe that they at least should be consistent and correct. I'd say that around 20 questions out of ~80 in both cases were plain dumb and had several answers that were arguably right even if the question suggested only one correct answer.

I hate to depend on opinions in such a sensitive matter. If a certain problem/task can be resolved using several ways and at least two of them are equally energy-efficient and you are supposed to choose only one of them and you know that only one answer is correct according to exam authors -- that's when you know that this exam sucks. And yet this exam is FULL of questions where you know that the question is dumb.

I always had a feeling that questions for this exam, especially ones regarding security, were authored by people who don't know much about the subject they are trying to test you on. To be specific I'll give three vague examples in order not to describe real questions directly (ended up with 4 actually and 4th was expanded into several).

1. PAE and 4GB of RAM limitation for 32-bit systems. It is well-known and established, that PAE, since it was introduced back in mid-nineties, extended memory addressing bus from 32-bits to 36-bits initially and then even more up to 52 bits if I'm not mistaken (I don't want to verify everything I write here, it is a short post to express my frustration and I write off the top of my head). Meaning that you can address >4GB since mid-nineties.

Yet we all know that around 2008 when people started getting more memory on their PCs it was a common problem that Windows didn't see beyond 4GB (usually even less because of other various restrictions). How so?

The one and only cause of this is MS being greedy and introducing a LICENSING limitation on memory that can be addressed by 32-bit systems. Their thinking was to move people off of overpopular XP to underperforming Vista and that was one of the many tricks they used. I wonder how come that nobody sued them. For what, you ask.

Well, for misleading public as not at one place MS claimed that this limitation is imposed by design of 32-bit systems and in order to overcome it you have to upgrade to 64-bit. Straight up lies. Yes, a single process can't consume more than 4GB (really, 2 GB as the rest of address space is reserved for system stuff, or 3GB with /3GB switch) but the thing is you have tons of processes on your PC and you would benefit from larger RAM size anyways even if a single process can't consume all the memory at once, especially if you are multitasking.

Moreover, other 32-bit operating systems never had this problem, such as Linux, which used PAE and was just fine at addressing more than 4GB.

Moreover, even MS's own server 32-bit operating systems were capable of addressing more out of the box, I'm talking about enterprise and datacenter versions of Windows 2000 Server and Windows Server 2003. Some editions were capable of addressing up to 128GB being 32-bit!

And finally moreover, a researcher named Geoff Chappell was able to overcome this license limitation by kernel binary patching and making 32-bit Windows Vista address 8GB.

And yet, some questions on this exam are asked AS IF it is an OS limitation that is a result of being a 32-bit system. PLAIN WRONG.

2. Command line tools. Well, there is more than one tool in Windows that you can use to resolve DNS names to IP addresses and vice versa. Yeah, most likely people will use nslookup but it's hard to argue that it is the only and the best way. For example, you can use ping -a command also if you are tasked to do a reverse lookup DNS query. And how dumb you should be to construct a question that implies only one correct answer but suggesting BOTH tools that could be used for this?

3. Command line simulation for name resolution. Maybe I'm also that dumb but I didn't get what was I supposed to do with command line simulation scenario involving name resolution for the purpose of accessing SMB shares. But I have close to godly windows command-line scripting skills and have written tons of very sophisticated 100+ lines of code scripts that were used enterprise-wide on thousands of production servers. I used to write different time/date converting or math functions from scratch in windows batch/cmd, like calculating time N number of minutes in the future (thank God we now have PoSh), or filtering out files by last accessed time instead of modified etc, etc.

What would I do in the real world? I would check various caches, I would check if SMB server is running (sc query lanmanserver), if SMB client is running (sc query lanmanworkstation), if the folder is shared (net share) or are there any stale mappings (net use) and if SMB port is blocked by the firewall (telnet 445 or external MS tool portqry -n servername -e 445). I remember all of this off the top of my head, don't have to look up the syntax and could've done it on the exam. But all the tools I had in the simulation were ping (nodes were pingable) and some other unrelated tools which I used for no purpose only to read at my printout that I failed to use command line tools given a scenario. I FAILED! Was it really I who failed I ask now?

4. Wireless (don't get me even started on this). Some of the DUMBEST measures positioned as ways to secure wireless on this exam: a) using directional antennas (don't they know that hackers can also use directional antennas to get good quality even on weak signals) b) not broadcasting SSID (totally useless) c) MAC filtering (absolutely useless). Working around all of this is a TRIVIAL task for a hacker and can be done in a matter of MINUTES.

Just DUMB, DUMB, DUMB. Even on an entry level exam you ask entry level, but CORRECT questions. That's what they fail to do. Now I know that I hate CompTIA from my own experience, sorry for this rant and have a nice day! My advice, if anyone is interested -- cut this garbage and go straight to MS exams, get your MCP, MCTS and MCSA, they are of way better quality and less expensive on top of that. Or Red Hat exams (however, I don't have first hand exp. here). Or (ISC)2/GIAC/ISACA/offensive security exams if we talk about infosec. Don't do CompTIA if you don't want to fail for being right on something.
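
Added example, not part of the original post: the real-world checks listed in point 3, written as a PowerShell triage script that separates "the host answers ping" from "SMB is actually reachable". The host name `fileserver01`, the share name `public` and the `-ServerSide` switch are assumptions made for illustration.

```powershell
# Added example: triage for "cannot open \\server\share".
# Run on the client; add -ServerSide when running on the file server itself.
param(
    [string]$Server = 'fileserver01',   # hypothetical host name
    [string]$Share  = 'public',         # hypothetical share name
    [switch]$ServerSide
)

$report = [System.Collections.Generic.List[object]]::new()

# $Ok: $true -> PASS, $false -> FAIL, $null -> INFO (nothing to pass or fail)
function Add-Check([string]$Name, $Ok, [string]$Detail) {
    $status = if ($null -eq $Ok) { 'INFO' } elseif ($Ok) { 'PASS' } else { 'FAIL' }
    $report.Add([pscustomobject]@{ Status = $status; Check = $Name; Detail = $Detail })
}

# 1. Name resolution, plus the DNS client cache that may hold a stale answer.
$dns = Resolve-DnsName -Name $Server -ErrorAction SilentlyContinue |
       Where-Object { $_.IPAddress }
Add-Check 'Name resolves' ([bool]$dns) (@($dns.IPAddress) -join ', ')
$cached = Get-DnsClientCache -Entry $Server -ErrorAction SilentlyContinue
Add-Check 'DNS client cache' $null $(if ($cached) { @($cached.Data) -join ', ' } else { 'no entry' })

# 2. Local SMB client service (sc query lanmanworkstation).
$wks = Get-Service -Name LanmanWorkstation -ErrorAction SilentlyContinue
Add-Check 'LanmanWorkstation running' ($wks.Status -eq 'Running') "$($wks.Status)"

# 3. Existing mappings to this server that are not healthy (net use).
$stale = Get-SmbMapping -ErrorAction SilentlyContinue |
         Where-Object { $_.RemotePath -like "\\$Server\*" -and $_.Status -ne 'OK' }
Add-Check 'No stale mappings' (-not $stale) (@($stale.RemotePath) -join ', ')

# 4. Ping versus TCP 445: a host can answer ICMP while SMB is filtered or stopped.
$ping = Test-Connection -ComputerName $Server -Count 1 -Quiet
$tcp  = [bool](Test-NetConnection -ComputerName $Server -Port 445 `
               -WarningAction SilentlyContinue).TcpTestSucceeded
Add-Check 'ICMP echo' $null "answered: $ping"
Add-Check 'TCP 445 reachable' $tcp ''
if ($ping -and -not $tcp) {
    Add-Check 'Diagnosis' $false 'Pingable but 445 closed: check firewall rules and the Server service'
}

# 5. The access itself, with the current user's credentials.
Add-Check "Open \\$Server\$Share" (Test-Path "\\$Server\$Share") ''

# 6. Server side only: Server service and the share definition
#    (sc query lanmanserver, net share).
if ($ServerSide) {
    $srv = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    Add-Check 'LanmanServer running' ($srv.Status -eq 'Running') "$($srv.Status)"
    $shr = Get-SmbShare -Name $Share -ErrorAction SilentlyContinue
    Add-Check "Share '$Share' defined" ([bool]$shr) "$($shr.Path)"
}

$report | Format-Table -AutoSize -Wrap
```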

Comments

  • OctalDump Member Posts: 1,722
    The way I look at this, is that the pass mark of 700 (or whatever) is to give the test taker a buffer for nonsense like this. You passed. You will probably never need to do this exam again (kind of crazy that you needed to do it at all, since you have MCSA/MCSE/MCITP etc.). Imagine having to do this every 3 years, or being failed because of stupid questions.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • wd40 Member Posts: 1,017
    I did not read the full "Rant" but:

    If you teach a kid to add 3 + 3 + 3 + 3 = 12 instead of telling him that 3 x 4 = 12 this does not mean that you are ****.
    it means that you want to teach him addition.

    Same thing for A+, it is not meant to be deep, it is designed for beginners, I used to teach A+ more than 10 years ago, I know that 32bit os can use more than 4GB of RAM in some cases and that hiding SSID is almost useless but A+ students do not need to know this as part of the course.
  • gespenstern Member Posts: 1,243
    wd40 wrote: »
    If you teach a kid to add 3 + 3 + 3 + 3 = 12 instead of telling him that 3 x 4 = 12 this does not mean that you are ****.
    it means that you want to teach him addition.
    All analogies do lie. I, however, would use a more precise one, they teach a kid that 3+3+3=12.
    wd40 wrote: »
    Same thing for A+, it is not meant to be deep, it is designed for beginners, I used to teach A+ more than 10 years ago, I know that 32bit os can use more than 4GB of RAM in some cases and that hiding SSID is almost useless but A+ students do not need to know this as part of the course.
    I don't see any excuse for teaching that. They are endorsing a huge number of tech personnel to do things that are plain wrong and rest assured that they've secured their wireless. And then credit card information gets stolen because of war driving and ends up in the hands of Russian cybercriminals. I wonder do they teach the same things like disabling SSID broadcast in Security+ or CASP.
  • wd40 Member Posts: 1,017
    In Security+ they go deeper (I have the book in front of me). That is the point: different material for different types of students.

    If we take your example, Wifi, most people will just plug the router in and use the default password, so the thought of to hide SSID or not is not really an issue.

    If you become a penetration testing expert later you will know that antivirus can be bypassed, does this mean that using an up to date antivirus is useless?

    I have 6 CompTIA certificates (and I failed 1) , they are overpriced, but they do provide good information.

    Your problem is that you are trying to apply an engineer's level of knowledge here, this will never work.
  • gespenstern Member Posts: 1,243
    wd40 wrote: »
    If we take your example, Wifi, most people will just plug the router in and use the default password, so the thought of to hide SSID or not is not really an issue.
    That's a typical "security by obscurity" approach and the main problem with that is it tends to give people a deceptive assurance in security because "they did something to secure themselves". The logic here is if they haven't done anything they would have a problem unsolved, a question mark hanging over and would have better chances to eventually find a proper solution because they would think that they aren't secure and therefore should find a way to get secure. But when they disable SSID broadcast they tell themselves "now we are way more secure than before" and rest assured, while in reality they are barely any more secure than it was before.

    There's no more or less advanced way in improper security controls. Security control is either proper or improper. If it is proper it could be more or less strong. Disabling SSID broadcast is an improper way to secure wireless by design. It never was intended to be a "password" sort of control and therefore no controls were put into its design to make it hard to get. It's a facepalm level of stupidity on CompTIA's part to teach people that way and I'm sure that multiple businesses out there already suffered from this in the end because they took advice from a person who was taught on this improperly and this led to a false assurance and eventually to a breach.
  • Hondabuff Member Posts: 667
    With OCD, you may or may not realize that your obsessions aren't reasonable, and you may try to ignore them or stop them. But that only increases your distress and anxiety. Ultimately, you feel driven to perform compulsive acts in an effort to ease your stressful feelings. I got stressed just reading your post. I think CISSP and CEH fried you.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • thatguy67 Member Posts: 344
    wd40 wrote: »
    I did not read the full "Rant" but:

    If you teach a kid to add 3 + 3 + 3 + 3 = 12 instead of telling him that 3 x 4 = 12 this does not mean that you are ****.
    it means that you want to teach him addition.

    Same thing for A+, it is not meant to be deep, it is designed for beginners, I used to teach A+ more than 10 years ago, I know that 32bit os can use more than 4GB of RAM in some cases and that hiding SSID is almost useless but A+ students do not need to know this as part of the course.

    This is the attitude I would have towards the exam if I was gonna take it. A classmate who passed said it's best to view the exam as if it's an end user asking you the questions. Give him a short concise answer, and don't append your own "...but you gotta consider" explanation.
    2017 Goals: []PCNSE7 []CCNP:Security []CCNP:R&S []LCDE []WCNA
  • OctalDump Member Posts: 1,722
    wd40 wrote: »
    Same thing for A+, it is not meant to be deep, it is designed for beginners, I used to teach A+ more than 10 years ago, I know that 32bit os can use more than 4GB of RAM in some cases and that hiding SSID is almost useless but A+ students do not need to know this as part of the course.

    That argument is a bit circular. They don't need to know it as part of the course, because of what's on the exam. What OP is saying is that what's on the exam is in some cases unequivocally false and in other cases just messy (eg two or more right answers or no right answers), and that they should not have wrong things on the exam.

    I think there is a difference between wrong and ambiguous, and sometimes it is a case of which is the best (or least bad) of the available options. It really wouldn't harm anyone to drop the bits that are wrong, and would improve the quality and value of the test.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • wd40 Member Posts: 1,017
    But the information is not wrong.

    A normal 32 bit desktop operating system can only handle less than 4 GB of RAM, and hiding SSIDs will add an extra layer of protection against a normal person that just scans the neighborhood for networks and tries default passwords.

    But as thatguy67 said, there is a "...but you gotta consider".

    gespenstern did not read the books or attend any training, so he missed a lot of "...but you gotta consider" things.
  • OctalDump Member Posts: 1,722
    wd40 wrote: »
    But the information is not wrong.

    A normal 32 bit desktop operating system can only handle less than 4 GB of RAM, and hiding SSIDs will add an extra layer of protection against a normal person that just scans the neighborhood for networks and tries default passwords.

    But that is the bit that is wrong. Mac OS X 10.4 is a normal 32 bit desktop OS and can address more than 4GB of RAM. Not to mention Linux. However, it is going to depend on some nuance in the wording of the question. For example, "A user has added 8GB of RAM to their desktop, but the OS only shows 4GB, what is the most likely explanation?" is probably ok, but "You have a computer with a 32 bit OS, what is the maximum RAM supported?" is a bad question.

    Hiding SSIDs can actually lessen your security in at least two ways: it makes you think that you have done something, so don't take steps that are actually going to be reasonably effective, it causes your laptop to have to actively search for networks which potentially can leak the SSID of the hidden network from a client computer that is nowhere near the cloaked SSID - and besides it breaks the 802.11 standards. I believe that this same mistake was repeated in the Security+ and only corrected in the latest version. Hopefully this means it is fixed in the new A+, too.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • wd40 Member Posts: 1,017
    If you want to learn more about Mac go for apple certification, for Linux you can go for Linux+.

    Again you are missing the point, you dig too deep.

    I passed Security+ last year and it really really really helped me in passing CISA this year, but you have to be careful not to mix the objectives and target audience of each exam because it WILL backfire.

    Simple example:

    What is the best type of disaster recovery sites?
    A: Cold.
    B: Warm.
    C: Hot.

    In Security+ the correct answer will be C: Hot - it is the best but the most expensive.

    In CISA the answer will be D, after analyzing the risks business decided that an insurance policy is the best way to protect the business interests.
  • Ede890 Member Posts: 17
    I think this is funny because the A+ is vendor neutral, but draws heavily on Microsoft OS and the test is worded for such in terms of capability.
  • cshkuru Member Posts: 246
    There used to be an Apple module on the A+; you chose either DOS/Windows or Apple as the second exam. I don't know why it was discontinued.

    "CompTIA formerly offered a Macintosh module and certificate in the repair and installation of Apple computer systems. This module has been discontinued for several years, and currently the only hardware certification for Macintosh computer systems is available through Apple. For more, see Apple's Training and Certification page."
  • gespenstern Member Posts: 1,243
    wd40 wrote: »
    But the information is not wrong.

    A normal 32 bit desktop operating system can only handle less than 4 GB of RAM

    Even that would be incorrect. Looks like you didn't know, that MS blocked >4GB for desktop OS starting with SP2 for Windows XP. I.e. Windows XP SP1 was perfectly capable of working with >4GB of RAM. I don't remember if I tested this, but most likely Windows 2000 Professional can address >4GB of RAM as well.

    Regarding disabling SSID broadcast -- there's just no way to defend this as a security measure.
  • OctalDump Member Posts: 1,722
    Even that would be incorrect. Looks like you didn't know, that MS blocked >4GB for desktop OS starting with SP2 for Windows XP. I.e. Windows XP SP1 was perfectly capable of working with >4GB of RAM. I don't remember if I tested this, but most likely Windows 2000 Professional can address >4GB of RAM as well.

    Regarding disabling SSID broadcast -- there's just no way to defend this as a security measure.

    The other consideration for RAM support is hardware. I'm not sure that there was a Pentium 4 (or earlier) chipset supporting more than 4GB RAM. There were P6 based Xeon chipset supporting more than 4GB, though.

    In Apple land, you would need the 64bit G5 Macs to go over 4GB.

    If you really want to dig deep into this, then there is no particular reason for "32 bit hardware" to support a 32 bit address register. The 68000 series, the 68000, 68010 and 68EC020 all had 24bit address (16MB). The 68000/68010 was even stranger in that the data path was only 16 bit wide, whereas internally the CPU could do 32bit operations, so it would need double cycles to read (and write) 32bit data.

    So, it does depend on the exact wording of the question. And it would not take much effort to write a question that is correct.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • gespenstern Member Posts: 1,243
    OctalDump wrote: »
    The other consideration for RAM support is hardware.

    It certainly is, so in wintel world CPUs supported PAE for decades, same goes with server market oriented mainboards that support >4GB since nineties. First desktop market mainboards from Intel with support of up to 8GB of RAM started being released as early as April 2005, and by 2006 they started popping up everywhere. And if you, say, assembled a high-end gaming workstation during these days and had XP SP1 32-bit running on it you would be surprised to find out that your memory gets capped by 4GB after applying service pack 2. That's how MS forced you to upgrade to Vista, which was introduced a little later. Or use Windows XP 64-bit which lacked video drivers for many videocards at the time and anyways never was mainstream and hard to buy/install.

    Info on intel chipset support and release dates (there are also nVidia, AMD, others):
    https://en.wikipedia.org/wiki/List_of_Intel_chipsets
  • 8thdegreepwnologist Member Posts: 45