Slashdot Mirror


GIAC/SANS Certification Changes?

venom600 wonders: "SANS and GIAC have recently changed their certification requirements, no longer requiring a practical assignment be completed in order to be certified. This has created some discussion around the value of their certifications moving forward. In addition, SANS recently asked current certified individuals (in an email) to provide quotes about the value of their certifications for an upcoming brochure. Since the requirements have changed, the value of the certification has changed as well, making any quotes an unfair assessment of value. This brings me to my question: What IT security certifications are left (if any) that actually provide value to you?"

1 of 27 comments

  1. That's not the half of it by patio11 · Score: 0, Offtopic
    Given that they can use JavaScript to grab repeated 10k chunks from the memory allocated to Firefox, you could easily conduct a super-phishing attack by embedding a JavaScript loop which started when the target page was loaded, and then used simple heuristics to find personal information (I'm thinking "credit card number" is the obvious choice -- and even worse, credit card numbers will be stored RIGHT NEXT to the other information filled in the same form due to locality of reference) on the client side. Then, after you use the *client's* processing power to data-mine THEIR OWN memory for you, you transfer the 500 bytes of valuable data you get back to the server via, say, a GET request, and laugh all the way to the bank. Or, if you want to be a REAL bastard, you have the client send a GET request to an unprotected comment script somewhere on the internet on a server which is not controlled by you, and then you just look up all the credit card numbers applied in the comments to "Grandma Ester's Fried Chicken Recipe".

    On a scale of one to ten I'd put this vulnerability as an eight if anyone bothers to exploit it intelligently. This is very, very, very close to the relative badness of arbitrary code execution.