Thursday, March 22, 2007
Which Linux distro? The perennial question
Well, it's time to do what seems like my annual Linux installfest, where I get a new machine and decide which is the best Linux distro to see me through the next year.
I blew away my Ubuntu-themed Gentoo machine and installed Backtrack. That didn't work out because of Slackware. So I needed an alternative. My distro had to meet the following criteria:
- Solid package management with the ability to automatically resolve and install dependencies
- Up to date package tree (i.e. not Debian)
- Package tree which contains the majority of the pen test tools I use
- An installer! (preferably GUI)
- Preferably Gentoo based (not essential but it would be nice)
- Sabayon - by far the sweetest friggin eye candy Linux has seen to date
- VLOS - It met all the criteria. Working Gentoo install with minimum fuss
- Gentoo - Build it by hand and configure it up how I like (again)
VLOS (formerly Vida Linux) is great: Anaconda installer, some basic binary packages (OpenOffice, Firefox) to get you going quickly. I really like this distro and will use it for all my future Gentoo-only installs, but it lacked the polish of Sabayon.
Gentoo by hand... only for servers. Not doing it again for the desktop; I'll use VLOS if Sabayon doesn't pan out. I'm tired of long-winded manual installs and configuring a million text config files by hand (especially X).
Backtrack - Great distro, poor choice of base OS
One of my colleagues has got me using Backtrack for pen testing. I have used Whoppix/Whax in the past but Backtrack has come a long way since then.
I was really enjoying it until I tried to install OpenOffice and Krusader... dependency hell. I like Slackware but I've said it before, its package management sucks, to put it bluntly. Why couldn't the Backtrack developers have chosen Debian, Fedora, Gentoo, etc. as a base? Any distro with a modern package management system.
Great distro but tarballs are so old school, I guess I have been spoilt by Gentoo. Backtrack is destined for a VM but not my primary Linux pen testing desktop.
Friday, March 02, 2007
Lack of (security) innovation in the USA?
I am finding that the security resources that I rely on out on the Internet are more and more based outside of the US.
I am not sure why, but I have a few theories. Firstly, all of the early innovators have sold out, either to a big corporation (McAfee, Symantec et al) or have gone commercial (Sourcefire, Tenable).
Secondly, potential litigation in the US might also be scaring off the innovators from openly publishing their works. A good example is the Oedipus project, where the author of the software's employer claimed copyright in part of the work, causing a promising project to be pulled from the 'net, not to mention the wrangling over issues such as the ownership of the Ethereal name (now Wireshark). Let's face it, Information Security is big business and $.
Thirdly and finally it could be that talent is being snapped up by big consulting firms and security vendors in Graduate and Post-Graduate programs. Anyway this is nothing more than opinion with not much to back it up (like most blogs ;-)
Some of the non-US sites that have been grabbing my attention recently (and some not so recently) are:
- Astalavista.net: the hacking and security community portal - (Germany)
- Sensepost: Security company, the home of Bidiblah, Crowbar, Suru, Wikto, Bile - (South Africa)
- ISECOM: The Institute for Security and Open Source Methodologies, the home of the OSSTMM guide - (Spain)
- IITAC: The International Institute for Training, Accreditation and Certification. This is an amazing security learning resource, it's awesome. (Germany)
- Damn Vulnerable Linux: An associate site of IITAC. Good training DVD with videos (Germany)
- Hakin9: This is the site of the best security magazine on the planet. The magazine has great tools such as a bootable Linux attack distro plus a CD of tutorials. There are also tools and a downloadable copy of the magazine. (Poland)
- OISSG: The home of the Information Systems Security Assessment Framework. (India)
- Darknet: One of the coolest InfoSec blogs around. (UK)
Tips for end-users
Here are some nice security tips for system and email security for newbies and end users.
IT Security has got a list of the Top 25 Most Common Email Mistakes People Make and how to protect against them along with an article The 20 Minute Guide to Securing Your PC: 20 Tips to Secure Your Box.
If all end users followed these steps we wouldn't see some of the botnet and worm activity that we have seen to date.