xtal
Jan 9, 2011

by Fluffdaddy
I wasn't even trying to be controversial, I've never met anybody who cares about certifications. I could see it being useful as a freelancer if you need to convince laymen, or if you're starting off and don't have anything on your resume yet.


CLAM DOWN
Feb 13, 2007




CEH is not worth that lol

Achmed Jones
Oct 16, 2004



IIRC some government jobs want you to have CEH

Sickening
Jul 16, 2007

Black summer was the best summer.

xtal posted:

I wasn't even trying to be controversial, I've never met anybody who cares about certifications. I could see it being useful as a freelancer if you need to convince laymen, or if you're starting off and don't have anything on your resume yet.

If only it mattered who you have met. It’s not the end all be all or even super important, but to say it doesn’t matter is naive.

fyallm
Feb 27, 2007



College Slice

xtal posted:

I wasn't even trying to be controversial, I've never met anybody who cares about certifications. I could see it being useful as a freelancer if you need to convince laymen, or if you're starting off and don't have anything on your resume yet.

LoL, being in the consulting business you would be surprised how much it 'matters'.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Lots of places won't even look at your resume without CISSP. It's stupid gatekeeping, but that's the game.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

I have multiple customers who very much want there to be someone at my company with a CISSP or equivalent certification as part of their MSA process. We don't have one yet, so it has been a huge pain in the rear end. (He's starting in a month, though, and then hopefully I will never have to discuss the matter of certifications again.)

Proteus Jones
Feb 28, 2013



xtal posted:

I wasn't even trying to be controversial, I've never met anybody who cares about certifications. I could see it being useful as a freelancer if you need to convince laymen, or if you're starting off and don't have anything on your resume yet.

As for professional worth, I'd say certs in general don't matter. Most certs don't demonstrate mastery. However, cert requirements are usually added as a gatekeeper to weed out resumes by HR (similar to requiring a BS/equivalent experience). If it's not there on your resume it will never be seen by the hiring group.

Now if you have a good industry-wide reputation and a corpus to demonstrate (public white papers, industry presentations, etc...) you can probably not bother. But then again, if you're at that point you're likely being actively recruited as opposed to submitting for job openings.

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

I just hope we can all agree not to be That Guy who's collecting every certification under the sun, as if they're boy scout merit badges and more==better.

Proteus Jones
Feb 28, 2013



My goal is to have alphabet soup stretching off into infinity in my email sig.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Powered Descent posted:

as if they're boy scout merit badges

Is that not basically what they are?

AlternateAccount
Apr 25, 2005
FYGM

xtal posted:

I wasn't even trying to be controversial, I've never met anybody who cares about certifications. I could see it being useful as a freelancer if you need to convince laymen, or if you're starting off and don't have anything on your resume yet.

Fair enough. Sometimes it doesn't matter. It's often a pretty effective differentiator when you have 50 resumes to sift through. You can absolutely be gatekept out of positions you want by a lack of related certifications, especially anything in consulting or contractor gigs.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

AlternateAccount posted:

It's often a pretty effective differentiator when you have 50 resumes to sift through.

Effective at differentiating between what sorts of candidates? I can see that it’s easy, but it doesn’t seem like it would be effective at identifying the candidates you actually want to look at.

Powered Descent
Jul 13, 2008

We haven't had that spirit here since 1969.

Subjunctive posted:

Effective at differentiating between what sorts of candidates? I can see that it’s easy, but it doesn’t seem like it would be effective at identifying the candidates you actually want to look at.

"This one has a demonstrated ability to write checks to Microsoft, Cisco, AND Amazon. Very impressive."

Jabor
Jul 16, 2010

#1 Loser at SpaceChem
"This one, at some point, had enough money and free time to do a cert, or was able to convince a previous employer to pay for it".

Potato Salad
Oct 23, 2014

nobody cares


certs, like degrees, are part HR crutch, part stratified class indicator

Potato Salad
Oct 23, 2014

nobody cares


that said, there's a place for encouraging use of standardized practice and terminology. Lawyers take the bar exam to reduce the number of grossly-negligent actors in law practice; engineers test for their little blue stamp that makes it likelier that their buildings won't tip over. Until there's some kind of regulatory standard of certification for non-poo poo, learned security personnel with decent credentials widely accepted by the public trust, idk if we can disregard certs altogether.

IT in the public sector is a vulnerable shitshow despite many technical middle management positions requiring specific classes of private certifications, but imagine a world where governments couldn't even stipulate that level of pseudo-competence.

BlankSystemDaemon
Mar 13, 2009



The difference between IT people and any other field that deals with critical infrastructure is that there is no such thing as liability in IT.

Potato Salad
Oct 23, 2014

nobody cares


D. Ebdrup posted:

The difference between IT people and any other field that deals with critical infrastructure is that there is no such thing as liability in IT.

Criminal liability, not thus far. Financial liability? The EU has been giving me hope this week.


Lack of enforcement and liability is one issue in infosec, but I see the lack of guarantees of competence in critical positions as another issue contributing to wilfully-incompetent or inadequate security practice. A CISSP isn't qualified to lead an organization's security program in the same sense that a structural engineer is qualified to lead a team of people.

Heck, the structural engineer has a pretty decent body of regulatory agencies they're responsible for maintaining credentials with and reporting severe practice issues to. A whistleblower in an engineering firm has a much better shot of getting another job than an internal whistleblower in infosec.

Potato Salad fucked around with this message at 14:51 on Jul 18, 2019

Potato Salad
Oct 23, 2014

nobody cares


We anglosphere residents have been collectively driven frothing mad about any kind of regulation whatsoever, and it's going to take a few severe Triangle Shirtwaist Factory fires to give the public a chance of seeing why market forces alone are not adequate for creating industrial practices that are compatible with the values of a healthy society.

CLAM DOWN
Feb 13, 2007




SANS courses and certs are difficult and good and not a paper tiger thing :shrug:

Potato Salad
Oct 23, 2014

nobody cares


yeah but


Arsenic Lupin
Apr 12, 2012

This particularly rapid💨 unintelligible 😖patter💁 isn't generally heard🧏‍♂️, and if it is🤔, it doesn't matter💁.


I would argue that there should be rigid certification for writing life-critical software. (yes, yes, even an error in c libraries can be life-critical, bite me.) The point is, somebody who designs the screw used in steel construction isn't expected to be certified as an engineer AFAIK. The person who designs the bridge? Boy, howdy.

If you're writing the THERAC-25 code, you should have certification -- not just enforced by a test -- in writing life-critical code. If you're a full-stack engineer writing Web code? Go on your merry way.

CLAM DOWN
Feb 13, 2007





Wtf is wrong with your phone

BlankSystemDaemon
Mar 13, 2009



Arsenic Lupin posted:

I would argue that there should be rigid certification for writing life-critical software. (yes, yes, even an error in c libraries can be life-critical, bite me.) The point is, somebody who designs the screw used in steel construction isn't expected to be certified as an engineer AFAIK. The person who designs the bridge? Boy, howdy.

If you're writing the THERAC-25 code, you should have certification -- not just enforced by a test -- in writing life-critical code. If you're a full-stack engineer writing Web code? Go on your merry way.
I was talking about very basic things like the electrician who installs the circuitry in a hospital - even if he himself isn't certified, his boss is and he is very aware of that responsibility because he won't only ruin his life, he'll ruin that of all of his employers as well, in addition to all the people who may have their life ruined by the damage if it goes wrong.
There is no equivalent in IT, and few of the people who write critical infrastructure code have even the slightest clue that their work impacts real lives. You need look no further to see this than the "Move Fast Break poo poo" motto that still infects the brains of Silicon Valley, and as a result most every other place that prays at the altar of technological progress above all else.
Maybe that full-stack web-developer doesn't need certification, but our industry needs to agree which situations do need it.

When I was receiving chemo, it didn't do me any favours to know that despite the software for the pump being written in Ada (a language made to write code for ballistic missiles, aircraft systems, and similarly critical code), there are no guarantees for it being free of errors because there was no proof the code had even been audited.
Lying in an intensity-modulation radiation therapy device as I have, knowing about THERAC-25, doesn't do you any favours either. Especially not when you hear the clunk in the wall as the relay switches on and you're about to receive enough radiation that, if you were to get it in your entire body, you'd be dead in 24 hours.
In both instances you really want to know that someone has essentially put their life on the line to write proper code.

BlankSystemDaemon fucked around with this message at 17:48 on Jul 18, 2019

Arsenic Lupin
Apr 12, 2012

This particularly rapid💨 unintelligible 😖patter💁 isn't generally heard🧏‍♂️, and if it is🤔, it doesn't matter💁.


D. Ebdrup posted:

There is no equivalent in IT, and few of the people who write critical infrastructure code have even the slightest clue that their work impacts real lives.

I have never forgotten the day I was sitting in an OS meeting at Apollo Computer. This would have been in the '80s.

Developer: You know how we say "this isn't brain surgery"? I just talked to a customer who was using our OS to build software used in brain surgery.

Entire audience: Reels in horror.

Developer: And they're on the [notoriously buggy] previous release.

Entire audience: faints.

Thwomp
Apr 10, 2003

BA-DUHHH

Grimey Drawer
Extensions.

https://twitter.com/arstechnica/status/1151826712998682624?s=21

Inept
Jul 8, 2003


On the one hand, it makes me more paranoid about using uBlock. But then I remember how many infections are the result of malicious ads.

They're never going to solve this poo poo until they actually have strong regulations and imprison people who violate them. So...never.

Klyith
Aug 3, 2007

GBS Pledge Week

Inept posted:

On the one hand, it makes me more paranoid about using uBlock. But then I remember how many infections are the result of malicious ads.

uBlock Origin has source available, which as far as I can tell none of the extensions in the article did. (It's a bit hard to be sure since several of them have been scrubbed already.) I did see that Hover Zoom has been known to be doing this poo poo for 5 years now. (Though maybe that was a different hover zoom since people in that 5 year old reddit thread are saying the extension got taken down. Or google just has a very lenient policy towards "analytics gathering", and you get multiple chances to make it less obvious.)

After seeing that article I did go look at all my addons to see which ones didn't publish source. Only two did not, and one of those is by a Japanese guy so maybe I'm just not seeing it through translate.

quote:

They're never going to solve this poo poo

Hey, didn't you see google's official response in that article? They're going to solve the problem of spyware addons by making ad-blocking suck!

BlankSystemDaemon
Mar 13, 2009



Klyith posted:

Hey, didn't you see google's official response in that article? They're going to solve the problem of spyware addons by making ad-blocking suck!
Having a company that makes the lion's share of its profit by being an ad-provider in control of the browser market seems very much like letting kids run a candy store.

duz
Jul 11, 2005

Come on Ilhan, lets go bag us a shitpost


Wait, you can't view the source of Chrome extensions?

Potato Salad
Oct 23, 2014

nobody cares


CLAM DOWN posted:

Wtf is wrong with your phone



...huh.

Nalin
Sep 29, 2007

Hair Elf

Klyith posted:

After seeing that article I did go look at all my addons to see which ones didn't publish source. Only two did not, and one of those is by a Japanese guy so maybe I'm just not seeing it through translate.

Pretty sure this is the npm problem, though, where what you publish on github and upload to your browser's addons repository don't necessarily have to be the same thing.

At least Mozilla and Google ban addons with obfuscated and minified code, so you could, in theory, check if what gets installed into your browser matches what is in github.
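
Added example, not part of any post in this thread: a sketch of the check described in the post above, hashing every file in an unpacked installed extension and in a source checkout and listing where the two differ. The directory layout, the file names and the ignored `_metadata` directory are assumptions, and the sample trees are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: directories the store adds at install time, absent from a repository.
IGNORED_DIRS = {"_metadata"}

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if path.is_file() and rel.parts[0] not in IGNORED_DIRS:
            digests[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def compare_trees(installed, source):
    """Report files that differ between the installed copy and the source checkout."""
    inst, src = hash_tree(installed), hash_tree(source)
    return {
        "modified": sorted(p for p in inst.keys() & src.keys() if inst[p] != src[p]),
        "only_installed": sorted(inst.keys() - src.keys()),
        "only_source": sorted(src.keys() - inst.keys()),
    }

def build_sample(base):
    """Constructed sample: a source checkout and an installed copy that has drifted."""
    source, installed = Path(base, "source"), Path(base, "installed")
    files = {
        "manifest.json": '{"name": "demo", "version": "1.0"}',
        "background.js": "console.log('hello');",
        "content/page.js": "document.title;",
    }
    for root in (source, installed):
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    # Drift in the installed copy: one changed file, one extra file, store metadata.
    (installed / "background.js").write_text("console.log('hello'); /* changed */")
    (installed / "analytics.js").write_text("/* not in the repository */")
    (installed / "_metadata").mkdir()
    (installed / "_metadata" / "verified_contents.json").write_text("[]")
    (source / "README.md").write_text("docs")
    return installed, source

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare_trees(*build_sample(tmp)).items():
            print(kind, paths)
```

A repository that ships through a build step will not match file for file; in that case the comparison has to be made against the build output rather than the raw checkout.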

Klyith
Aug 3, 2007

GBS Pledge Week

duz posted:

Wait, you can't view the source of Chrome extensions?

You can see the source inside easily, the extension packages open with 7zip and it's javascript inside. For me the source being published (especially with an OS license) is more about a quick judgement than anything else. I don't have the expertise myself to be sure that a complex extension isn't malicious. But source being easily visible decreases the chances that someone is trying to get away with something.


It's not 100% reliable -- see the Stylish extension getting sold to some "analytics" outfit and doing the exact same tracking of complete URLs for every site the users visited. They did that while still being open source, but with an excuse they were finding styles for visited sites. Which again was a thing that regular nerds had noticed and complained about for more than a year before a credentialed security guy blogged about it, followed by mainstream reporting, and then Google & Mozilla killed it.

Nalin posted:

Pretty sure this is the npm problem, though, where what you publish on github and upload to your browser's addons repository don't necessarily have to be the same thing.

At some point you have to rely on other people unless you write everything yourself. For me browsing with zero extensions would be worse than the very small possibility of one of these extensions turning really malicious -- like stealing logins rather than just tracking.

OTOH it's easy to have multiple browsers installed now and keep one extension-free.

22 Eargesplitten
Oct 10, 2010



Apparently Windows 7 pro doesn't have bitlocker, is there anything free I should use? Can I still do the free upgrade or did Microsoft finally get serious about the no more free Windows 10 thing? I barely used this laptop for years and never even think about the fact that I've got a Windows 7 machine, which I probably should start thinking about considering it's EOL in 2020.

Klyith
Aug 3, 2007

GBS Pledge Week

22 Eargesplitten posted:

Can I still do the free upgrade or did Microsoft finally get serious about the no more free Windows 10 thing?

Yes you can still install win10 with a win7 key, using the media creation tool.

Bald Stalin
Jul 11, 2004

Our posts
What do y'all do about browser extensions in your organizations? Are they an attack vector and if so are you blocking/locking down your browsers? We push a Chrome config down with G Suite with our own company Bookmarks and extensions for our software but we allow users to install their own extensions and log in to Chrome with their personal gmail. Plus they can Firefox too. I'm seeing chatter that browser extensions can basically be turned into keyloggers and poo poo?

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Browser extensions have privileges roughly equivalent to an application they install. You can definitely get hosed that way.

stevewm
May 10, 2005
We use Chrome.... UBlock is installed by default, and another extension we use for Gmail attachments is whitelisted so it can be installed if needed. Outside of that users cannot install additional extensions. We also only allow sign-in to Chrome with our own domain and password syncing is disabled. We also push some managed bookmarks down. This is all done via GPO.

Chrome is the only browser allowed and indeed it is the only one installed.
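
Added example, not part of any post in this thread: a check of a Chrome policy set against the lockdown described in the post above (block every extension except approved ones, restrict browser sign-in to the company domain, no password sync). Mapping that description onto these Chrome policy names is an assumption; the extension ids, the domain and both sample policies are constructed.

```python
import re

def audit_chrome_policy(policy, personal_account="someone@gmail.com"):
    """Return findings where a Chrome policy dict is looser than the lockdown above."""
    findings = []
    # A "*" blocklist entry blocks every extension that is not allowlisted.
    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        findings.append("extensions: users may install any extension")
    # Force-list entries have the form "<extension id>;<update URL>".
    approved = set(policy.get("ExtensionInstallAllowlist", []))
    approved |= {e.split(";", 1)[0] for e in policy.get("ExtensionInstallForcelist", [])}
    for ext_id in sorted(approved):
        if not re.fullmatch(r"[a-p]{32}", ext_id):
            findings.append(f"extensions: malformed id {ext_id!r}")
    # Assumption: Python's re stands in for Chrome's own matching of this pattern.
    pattern = policy.get("RestrictSigninToPattern")
    if not pattern or re.fullmatch(pattern, personal_account):
        findings.append("sign-in: personal accounts can sign in to the browser")
    sync_off = policy.get("SyncDisabled") is True
    if not sync_off and "passwords" not in policy.get("SyncTypesListDisabled", []):
        findings.append("sync: passwords are synced to the signed-in account")
    return findings

# Constructed samples. Extension ids and the domain are placeholders.
AD_BLOCKER = "a" * 32
ATTACHMENT_HELPER = "b" * 32
UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Bookmarks and a pushed extension only: users can still add extensions
# and sign in with a personal account.
PERMISSIVE = {
    "ExtensionInstallForcelist": [f"{AD_BLOCKER};{UPDATE_URL}"],
    "ManagedBookmarks": [{"name": "Intranet", "url": "https://intranet.example.com"}],
}

# Default-deny extensions, one allowlisted id, domain-only sign-in, no password sync.
LOCKED_DOWN = {
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallForcelist": [f"{AD_BLOCKER};{UPDATE_URL}"],
    "ExtensionInstallAllowlist": [ATTACHMENT_HELPER],
    "RestrictSigninToPattern": r".*@example\.com",
    "SyncTypesListDisabled": ["passwords"],
    "ManagedBookmarks": [{"name": "Intranet", "url": "https://intranet.example.com"}],
}

if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("locked down", LOCKED_DOWN)):
        print(name, audit_chrome_policy(policy) or "no findings")
```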


22 Eargesplitten
Oct 10, 2010



stevewm posted:

Chrome is the only browser allowed and indeed it is the only one installed.

The_devil_you_know.txt
