JohnsNotHere @JohnsNotHere@infosec.exchange

So if someone made a podcast about security that's aimed at the C-Level, would you listen to it? Not the usual deep, technical, jargon but rather aimed at executives. No news, just best practices.

Please boost for maximum coverage.

#infosec #podcast

Hey everybody. In the interest of giving back to the community (and the fact that I *really* need to start advertising more), my company (EliteSec) has created a simple project for setting up Sonarqube to test against your own codebase.

Sonarqube is an open source static code analysis tool. I've created a simple Vagrant script that will:

1. Download an Ubuntu 18.04 VM
2. Install Docker
3. Install Sonarqube
4. Setup all routing for your local machine.

Check it out:

https://github.com/EliteSec-io/vagrant-sonarqube

Incorporation is complete, I can start making noise about https://elitesec.io

For those who are looking for #pentesting #vulnerabilityassessments or just #infosec help, make sure to consider us. We're based in Canada, but happy to help whomever we can reach. Many thanks!

Happy Thursday Fedi. May the weekend come quickly and bring much-needed relief.

Oh, and I'm still quite convinced that my environment is broken, or the final "challenge" I need to overcome is beyond my current abilities/patience level. Both are quite possible, but my give-a-fuck-o-meter is reading zero, so either way I'm not losing sleep over it. I will admit, however, that I hate losing.

The more places I ask about the eWAPTX exam, the more I realize:

1. Nobody knows what it is.
2. Nobody seems to have actually completed it.

Yet I know people have done it, but they seem that they don't want to talk about it. I don't blame them. Email and DM has been sent to INE staff, so now I wait. One thing is for certain - this does not represent a real client engagement in the slightest. This is straight out of CTF hell, with concepts being forced onto you.

Vendors: If you schedule a meeting with someone and don't show up, at the very least make sure you send an email ahead of time or within the first 15 minutes of the scheduled meeting time explaining why you didn't show. Otherwise, I'll never call you or recommend your service to anyone ever again.

Today I submitted a failing eWAPTX report for my first attempt. I also vowed that unless they acknowledge the broken exam scenario, it will be my last submission to INE/eLS. While the exam had some challenging parts, it was more broken than anything else. Requests for help fell on deaf ears, and the quality of the course overall let me wanting. I look to OSWE next, because I want a decent web cert from a reputable company. Sadly, INE is not that company.

Had a rough start to the morning. Chewed out a sales rep a bit too hard, and now I regret it. Sent the appropriate apology email, but still. Going to take the rest of the day off for myself, since I know this is a sign of stress levels being too damn high right now.

This sucks. I want to expense some new lockpicks as a business expense for EliteSec, but I also want to seal at least one new deal before I make the purchase, but I'm also really looking forward to a new set of picks, but I'm also too cheap to buy them with my personal money...

THE HORROR!!!!

Anyone around here done the eWAPTXv2 cert from eLearnSecurity/INE? I have questions....

Anyone know of a decent assembly language primer? I'm seriously thinking of doing the OSCE this year, and I'd like a decent refresher/learning aid before I sign up.

Service-oriented companies like mine are actually treated like second-class citizens, and I've called them on it. The answer? They seem to be ignoring my calls. I'm a candid individual, and it can get me into trouble. I suspect I"ll lose this job, which sucks because I'd love to get the money, but I'm not working for free.

Just needed to vent into a void for a bit. 5/5 - fin

Their community isn't small, but $5k isn't small for me either. All you get is a "recommendation" from them. I get it, word of mouth is important, but I can do an awful lot of advertising on my own for $5k, and reach a wider audience.

This is about the equivalent of a "we'll pay you in shares" offer from a startup in the valley. Thanks, but no.

Not to mention my actual value of joining this "community" is falling flat. They are clearly product-focused, not service-focused. 4/n

To be fair, I generally stay on the low end of things as I'm trying to build up my credibility, but still. Then the inevitable question comes up - would you be willing to trade services? I.e. we can add you to our "recommended vendor" list for our clients (for the not-for-profit, which is a pseudo incubator). I said no, cash is king for me right now. That and their "preferred vendor" list is normally $5k/year, which is a deal coming down from $20k! Did I mention they're a not-for-profit? 3/n

The time comes for a ballpark quote. This isn't my first conversation with them, nor is this my first rodeo. Folks, quoting by the individual hour can be a huge pain, it's always best to give a bulk figure for the job. I quote fairly, at least by my rate, and I'm questioned on it. That's fair. I explain based on previous experience, I have a rough idea of the time required to pull this off, the tooling costs involved, plus how much I like you. Yes, that is a factor as well. 2/n

It's story time - I had a meeting with a potential client this week that runs a not-for-profit; not a non-profit, that's different. Anyways, it's for a standard vulnerability assessment, meaning they are looking for more than a Nessus scan, but don't run any exploits and bring down their network. Fine, that's cool. Standard lift-and-shift, they've got ideas on locking down systems, yadda, yadda, yadda. 1/n

I have come to browse toots and chew bubblegum, and I'm all out of bubblegum...

Twitter friends are about as ethereal as they sound. Thank the gods for the fedi.

It's not that I don't like the idea of social media, it's just that I don't have anything interesting to share.

You know, I haven't fired up the ol' Alfa and/or aircrack-ng for a while. Might have a small project to do this afternoon...

Took a look at a #passwordless company today. Seems they're tooting all about the FIDO2 standard and how you can "do away with passwords by just using your phone!"

Is it really killing the password? Or are you moving away from 2FA to 1FA and just calling the "something you have" as the second factor? Maybe a push to your phone followed by a fingerprint scan would be 2FA, but that's not what they're selling. I found it interesting, but I'd argue it isn't passwordless.