Hey everybody. In the interest of giving back to the community (and the fact that I *really* need to start advertising more), my company (EliteSec) has created a simple project for setting up Sonarqube to test against your own codebase.
Sonarqube is an open source static code analysis tool. I've created a simple Vagrant script that will:
1. Download an Ubuntu 18.04 VM
2. Install Docker
3. Install Sonarqube
4. Set up all routing for your local machine.
Check it out:
Long poll time!
Should I make a poker card deck (for myself, and possibly share the text so you can make yours) that would work as a cheatsheet for pentest/DFIR?
I'd simply like a deck of cards where I can pick a card at random, and practice what I find on the card.
Oh, and I'm still quite convinced that my environment is broken, or the final "challenge" I need to overcome is beyond my current abilities/patience level. Both are quite possible, but my give-a-fuck-o-meter is reading zero, so either way I'm not losing sleep over it. I will admit, however, that I hate losing.
The more places I ask about the eWAPTX exam, the more I realize:
1. Nobody knows what it is.
2. Nobody seems to have actually completed it.
Yet I know people have done it, but they seem not to want to talk about it. I don't blame them. Email and DM have been sent to INE staff, so now I wait. One thing is for certain - this does not represent a real client engagement in the slightest. This is straight out of CTF hell, with concepts being forced onto you.
Today I submitted a failing eWAPTX report for my first attempt. I also vowed that unless they acknowledge the broken exam scenario, it will be my last submission to INE/eLS. While the exam had some challenging parts, it was more broken than anything else. Requests for help fell on deaf ears, and the quality of the course overall left me wanting. I look to OSWE next, because I want a decent web cert from a reputable company. Sadly, INE is not that company.
Service-oriented companies like mine are actually treated like second-class citizens, and I've called them on it. The answer? They seem to be ignoring my calls. I'm a candid individual, and it can get me into trouble. I suspect I'll lose this job, which sucks because I'd love to get the money, but I'm not working for free.
Just needed to vent into a void for a bit. 5/5 - fin
Their community isn't small, but $5k isn't small for me either. All you get is a "recommendation" from them. I get it, word of mouth is important, but I can do an awful lot of advertising on my own for $5k, and reach a wider audience.
This is about the equivalent of a "we'll pay you in shares" offer from a startup in the valley. Thanks, but no.
Not to mention my actual value of joining this "community" is falling flat. They are clearly product-focused, not service-focused. 4/n
To be fair, I generally stay on the low end of things as I'm trying to build up my credibility, but still. Then the inevitable question comes up - would you be willing to trade services? I.e. we can add you to our "recommended vendor" list for our clients (for the not-for-profit, which is a pseudo incubator). I said no, cash is king for me right now. That and their "preferred vendor" list is normally $5k/year, which is a deal coming down from $20k! Did I mention they're a not-for-profit? 3/n
The time comes for a ballpark quote. This isn't my first conversation with them, nor is this my first rodeo. Folks, quoting by the individual hour can be a huge pain; it's always best to give a bulk figure for the job. I quote fairly, at least by my rate, and I'm questioned on it. That's fair. I explain that, based on previous experience, I have a rough idea of the time required to pull this off, the tooling costs involved, plus how much I like you. Yes, that is a factor as well. 2/n
It's story time - I had a meeting with a potential client this week that runs a not-for-profit; not a non-profit, that's different. Anyways, it's for a standard vulnerability assessment, meaning they are looking for more than a Nessus scan, but don't run any exploits and bring down their network. Fine, that's cool. Standard lift-and-shift, they've got ideas on locking down systems, yadda, yadda, yadda. 1/n
Took a look at a #passwordless company today. Seems they're tooting all about the FIDO2 standard and how you can "do away with passwords by just using your phone!"
Is it really killing the password? Or are you moving away from 2FA to 1FA and just calling the "something you have" the second factor? Maybe a push to your phone followed by a fingerprint scan would be 2FA, but that's not what they're selling. I found it interesting, but I'd argue it isn't passwordless.