I don't post much anymore, so I don't have mod points, or I'd give them to you.
Hahahahhahaha, I'm going to go out on a limb and say you don't work in IT cdwi?
Sarcasm was super effective
Obvious troll is obvious...I hope.
Xamarin is actually a VERY nice visual studio alternative. Not just for mobile either..
Yeah just target
Both of these ideas would be awesome. Perhaps too awesome for real life.
It's not a workplace... it's a GitHub repo. Also, you implied it's not okay to have an unpopular opinion outside of the workplace... why wouldn't the "can't have an opinion" brigade jump on you?
What happens when you have a dissenting, unpopular opinion? In your ideal world you wouldn't be able to express it. Wouldn't that bother you?
Haha, I was thinking of the Morrowind lizard-thing Daedrics when I read this.
Surprisingly, Norton is relatively lightweight these days. Ghost and 360 screwed the pooch and people are unforgiving.
Which is exactly why I pointed out that it satisfies PCI. WAFs catch automated tools. That's it.
People shouldn't be punished for sleeping it off in their car. I was under the impression that it wasn't a DUI if the keys weren't in the ignition though.
The issue I was getting at in response to the person I responded to was pretty simple: alcohol destroys your judgement. So you may care about the license being lost when sober, but then your inhibitions are gone, and you don't.
Some of the folks responding got a little crazy with it o-o
I've actually gotten to the point where I think WAFs are absolutely useless. As far as WAFs go, though, I would recommend against mod_security, as fingerprinting it via its helpful errors is a cakewalk.
The upside to WAFs is that they prevent automated attacks... buuut Snort's dynamic preprocessors seem to do this FAR better.
Either way an IDS/IPS/WAF just isn't enough. In a non-automated attack bypassing them is trivial. Half the time I can simply use URL encoding for an attack string. Some poor WAFs don't even do recursive checking, so things like nested XSS code works.
On one pen-test a client had WAFwoof, and I was doing union injection and iterating tables... like 20 requests a second. Not one. Single. Alert.
Rules-based filtering with regexes/etc. just won't keep a determined attacker out. It's a good idea to have, but fixing the underlying applications is far more important. If I have PUT permissions on a directory, it doesn't matter how good the ruleset is.
It just pisses me off that the PCI council, and similar rules for HIPAA, say "oh hey, vulnerable apps? Don't worry about it, you've got a WAF!"
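The two bypasses the comment above describes (a WAF rule that inspects the raw, still-URL-encoded parameter, and an application filter that strips `<script>` tags only once so a nested payload survives) are easy to reproduce against a toy filter. The following is an added example, not code from the commenter or from any real WAF: the regex rule, the sample parameter values and the helper names (`naive_waf_blocks`, `normalizing_waf_blocks`, `strip_once`, `strip_recursive`) are all constructed for illustration, and it goes slightly beyond the comment by also showing double URL encoding, which defeats a single decode pass the same way single encoding defeats no decode at all.

```python
import re
from urllib.parse import unquote

# Constructed sample parameter values an attacker might send (not real traffic).
SAMPLES = {
    "plain":          "<script>alert(1)</script>",
    "url_encoded":    "%3Cscript%3Ealert(1)%3C/script%3E",
    "double_encoded": "%253Cscript%253Ealert(1)%253C/script%253E",
    "nested":         "<scr<script>ipt>alert(1)</scr</script>ipt>",
    "benign":         "hello world",
}

# Toy WAF signature: the kind of regex rule the comment is talking about.
XSS_RE = re.compile(r"<script\b", re.IGNORECASE)


def naive_waf_blocks(value: str) -> bool:
    """Apply the signature to the raw parameter.

    Anything URL-encoded never contains a literal '<', so it slips through.
    """
    return bool(XSS_RE.search(value))


def normalize(value: str, max_rounds: int = 5) -> str:
    """URL-decode repeatedly until the value stops changing.

    The round limit keeps a hostile input from turning this into a loop;
    a single unquote() would still miss the double-encoded sample.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalizing_waf_blocks(value: str) -> bool:
    """Apply the same signature, but to the fully decoded parameter."""
    return bool(XSS_RE.search(normalize(value)))


# Application-side tag stripping. STRIP_RE removes opening and closing
# <script ...> tags; the bug is in how many times it is applied.
STRIP_RE = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)


def strip_once(value: str) -> str:
    """The 'non-recursive' mistake: one pass over the input.

    Removing the inner <script> and </script> from the nested sample
    splices the outer fragments back together into a working tag.
    """
    return STRIP_RE.sub("", value)


def strip_recursive(value: str, max_rounds: int = 10) -> str:
    """Strip until a fixed point is reached; refuse the input if it never is."""
    for _ in range(max_rounds):
        stripped = STRIP_RE.sub("", value)
        if stripped == value:
            return stripped
        value = stripped
    return ""  # never converged: treat as hostile rather than pass it on


def evaluate() -> dict:
    """Return {sample_name: (naive_blocked, normalizing_blocked)} for every sample."""
    return {name: (naive_waf_blocks(v), normalizing_waf_blocks(v))
            for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:15} naive={verdict[0]!s:5} normalizing={verdict[1]!s:5}")
    print("strip_once(nested)      ->", strip_once(SAMPLES["nested"]))
    print("strip_recursive(nested) ->", strip_recursive(SAMPLES["nested"]))
```

Running it shows the naive rule blocking only the plain and nested samples, the normalizing rule blocking all four hostile ones, and `strip_once` turning the nested payload into a clean `<script>alert(1)</script>`. The decode-to-a-fixed-point approach is the usual mitigation on the WAF side, but it only helps against encodings the normalizer knows about; the filter that actually has to be right is the one in the application, which is the comment's point.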
It may not enable you to command respect from everyone, but GSE is an insanely difficult certification to get.
You have to have 5 provable years in IT security just to take the exam, the exam is extremely difficult, and the 48-hour lab is ridiculously hard. If you can't read packet dumps, you won't pass; if you can't write exploits yourself... you won't pass.
You get nmap, Nessus, Wireshark, Metasploit, the Snort source, and some low-level command-line tools. The boxes are pretty hardened, so Nessus and Metasploit are basically a waste of time. Some of the nmap scripts were very useful, but a lot of it involved very, very low-level vulnerabilities.
No custom tools...that was a big problem for me.
Most pen testers wouldn't be able to identify OR exploit them. So having the certification means you are better than 90% (or more) of the pen testers you'd run into. On its own it may not garner respect, but it should certainly hint that the GSE knows what he/she is doing.
All GIAC certifications are solid. They are expensive, but they are very worth it. And if you can get a GSE you have a gold star something like only 50 people period have.