Dec100

Active Members
  • Posts: 62
  • Days Won: 3

Everything posted by Dec100

  1. I'm not sure you need to use roaming profiles for what you want to do. Roaming profiles allow users to log in to different machines and still see their settings, Internet favourites, etc. As mentioned, these are usually a massive pain in practice. Sounds like you are just asking about mapping certain network drives for users based on something like AD group membership? That is pretty easy with GPO - http://blogs.technet.com/b/askds/archive/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership.aspx
  2. So are you asking which is the best way to hide your identity out of the options in your list? Depends on what you are trying to do. Who are you trying to hide from? Are they on the same network as you or over the public Internet? If you are just trying to hide all your activity over the Internet, you've already been given the answer.
  3. Yeah, it's always hard to make time to learn something new. My advice is to allocate a solid hour to work on it a couple of times each week, and promise yourself you will play games after if you complete the hour. Once you get started, you tend to get more into it and it becomes less of a chore. That's what works for me, anyway.
  4. If you can get one of the emails as an attachment (to preserve the headers as Digip suggests), you can copy/paste the header into an online analyser to make it easier to read... http://www.mxtoolbox.com/EmailHeaders.aspx It might make things clearer on where it came from.
  5. Digip is exactly right though, it is too much of a grey area. Sure, the finder may simply be stealing a memory stick, but who's to say they didn't just plug it in to identify the real owner in order to return it? Or maybe they had one that looked exactly the same as your one and thought they dropped it. There's a fine line. Safer and more ethical to not have any payload that could get you or your employer into trouble.
  6. What are you trying to achieve? Presumably, you either want to convince management to block USB drives, or you're running some kind of user awareness scheme. I would look to secure a trial of some USB control software (most enterprise AV vendors have a module), scatter some completely benign devices with recognisable device IDs, and then use the software's monitoring/logs to show management or users your results on how many were plugged into company systems. That way you limit ethical concerns and still prove your point. Using software like this would also have the benefit of logging the use of non-authorised USB devices that you didn't plant. Finally, it would potentially show how many USB devices are legitimately used for business, helping you to budget for encrypted or authorised devices to replace them.
  7. Don't take too seriously any attitude you see in these talks. They are preaching to the security converted and trying to show off a little. If anyone really treated clients that way (or cared that much, for that matter), then they would be in the wrong profession. In reality, pentesters are hired to report on the security status, recommend better practice where relevant, and then back off. As mentioned above, it all comes down to money. The client company gets to decide whether fixing or leaving problems is most cost-effective. It's simple business. Sure, you get clients making questionable decisions, but that is their business. Certainly, don't let anyone's attitude dissuade you from getting more involved in security. You get all types in all professions, but I suspect anyone causing trouble for someone earnestly joining the industry would be quickly shot down by the majority.
  8. I had to pay an import tax charge on mine, but it didn't get held anywhere. I think you'll be fine.
  9. My rules for this are: 1) I'll help when I have time. No chasing or moaning. 2) I'll help as best I can, but if something screws up, I'm not responsible. 3) Friends and family only. I'm not helping friends of friends unless in extreme circumstances. 4) If you don't agree with my advice or explanation, feel free to sort it out yourself however you see fit. Seems to work well enough.
  10. I'm not sure about their terms and conditions for game servers, but could you look into a free account at a cloud service like Cloudflare? http://www.cloudflare.com/