2011
06.04

UPDATE

---------- Forwarded message ----------
From: Boris Sverdlik <bsverdlik@gmail.com>
Date: Fri, Jul 1, 2011 at 1:01 PM
Subject: Re: Improper use of the CISSP mark
To: Dorsey Morrow <domorrow@isc2.org>

Dorsey,

You’re correct as things are far easier. I’m not using the mark nor the
logo, please visit the links you had sent. Thanks. I specifically say
ISC2, hence no trademark or copyright infringement.

Selective enforcement of ethics violations, not trademark. Please feel
free to bring me up on an ethics violation, I am gathering enough
information on the “Absolute Competency” you assure employers. I’d love
to be able to have that hearing publicly.

Regards,
Boris

On Fri, Jul 1, 2011 at 12:50 PM, Dorsey Morrow <domorrow@isc2.org> wrote:
> Boris,
>
> Excellent.  My apologies.  I thought you were in the EU.  This makes things far easier.
>
> Rather odd you are claiming “selective enforcement”.  I can document extensive litigation (which we have all won), regarding misuse of (ISC)² marks.  Can we get them all, not a chance, but we do pursue.  However, the law doesn’t require that I pursue every one of them or even document, as selective enforcement is not a defense.
>
> Simply pull up the first article “Do you still value your CISSP?” on your proposed Google search and read the last paragraph.  He makes a good argument.
>
> I consider the discussion closed.  You can have your say about thinking the CISSP you hold is not worthwhile, but the Logo Usage Guidelines that you agreed to be bound by govern your actions and are part of the contract you executed.  Failure to remove the images will result in an ethics complaint and (ISC)² considering all remedies.
>
> Respectfully,
>
> Dorsey Morrow, CISSP®-ISSMP®
> (ISC)²® General Counsel
> Security Transcends Technology®
> domorrow@isc2.org
>
> Connect with us!
>
> InterSeC:  www.isc2intersec.com
>
> Twitter:  https://twitter.com/isc2
>
> YouTube:  http://www.youtube.com/isc2tv
>
>
> -----Original Message-----
> From: Boris Sverdlik [mailto:bsverdlik@gmail.com]
> Sent: Friday, July 01, 2011 11:28 AM
> To: Dorsey Morrow
> Subject: Re: Improper use of the CISSP mark
>
> Dorsey,
>
> I appreciate your concerns, but I do reside in the US, the Server
> resides in the US. The more public we make selective enforcement, the
> more public ISC2’s claim of absolute competence will be scrutinized. I
> have not violated anything in terms of your ethics statement,
> especially conflict of interest which is one I take very personally.
>
> On Fri, Jul 1, 2011 at 12:24 PM, Dorsey Morrow <domorrow@isc2.org> wrote:
>> Boris,
>>
>> No, but you did use our EU registered trademarks in a disparaging manner, which is governed by EU law.  US copyright law doesn’t apply because (1) we are talking trademarks, not copyright; and, (2) you aren’t residing in the US.
>>
>> As you wish on the ethics portion.  Remember, there may be hundreds, if not thousands, of “similar articles and pieces written by holders of the certification”.  As I am sure your attorney will tell you, whether I get to them or not is irrelevant in a response.  Same reasoning a police officer will ticket you even if you claim others are speeding as well.  I am focusing on your actions.
>>
>> Respectfully,
>>
>> Dorsey Morrow, CISSP®-ISSMP®
>> (ISC)²® General Counsel
>> Security Transcends Technology®
>> domorrow@isc2.org
>> Connect with us!
>> InterSeC:  www.isc2intersec.com
>> Twitter:  https://twitter.com/isc2
>> YouTube:  http://www.youtube.com/isc2tv


---------- Forwarded message ----------
From: Boris Sverdlik <bsverdlik@gmail.com>
Date: Fri, Jul 1, 2011 at 12:17 PM
Subject: Re: Improper use of the CISSP mark
To: Dorsey Morrow <domorrow@isc2.org>

Dorsey,

While I appreciate the attempt at selective enforcement of ethics
violations, I’d like to refer you to the definition of a logo:
http://definitions.uslegal.com/c/corporate-logo/

I in no way used the logo (ISC)2 in any of my artwork. In terms of
usage of the CISSP (trademark), Copyright law Section 107 provides
that “the fair use of a copyrighted work . . . for purposes such as
criticism [or] comment . . . is not an infringement . . . ,”. But it
requires a case-by-case analysis rather than “bright-line rules”.

If you’d file an ethics claim, I’m ok with having my attorney put
together a formal response citing hundreds of similar articles and
pieces written by holders of the certification
(http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=cissp+sucks)

Regards,
Boris

On Fri, Jul 1, 2011 at 12:01 PM, Dorsey Morrow <domorrow@isc2.org> wrote:
>
> Boris,
>
> You are in breach of the Logo Usage Guidelines you agreed to abide by when you applied to sit for the CISSP exam.  Please note that (ISC)² and CISSP are registered marks in the EU.  You are directed to remove  http://jadedsecurity.net/2011/06/30/do-it-for-the-kittens/ and the graphic stating “(ISC)² Sucks” on http://jadedsecurity.net/2011/06/30/what-the-cissp-won%e2%80%99t-teach-you-part-deux/.
>
> Failure to abide by this directive will result in an immediate ethics complaint requesting decertification and (ISC)² considering all legal remedies to protect its intellectual property.
>
> Govern yourself accordingly,
> Dorsey Morrow, CISSP®-ISSMP®
> (ISC)²® General Counsel
> Security Transcends Technology®
> domorrow@isc2.org
> InterSeC:  www.isc2intersec.com
>
> Twitter:  https://twitter.com/isc2
>
> YouTube:  http://www.youtube.com/isc2tv

A little background on me: I have been technical since my dad got me a C64 in ’81. I did the whole paper MCSE, CCNA thing in the 90s. Never really held an SA spot, but somehow got a network eng position (yeah yeah, MS networking… Took 2 years till I got over the whole WINS thing).

14 years of IT and 12 of Security. I know N-Code (if you’re old school you’ll know what that is). I somehow got into security because I took a short term contract creating accounts, and instead of working I scripted the whole thing. Novell 3, people. The Head of Security brought me into her group when her Unix head left. Only Unix I had was getting RH working on a stinkpad. Had to learn VMS because the head of my group and my mentor gave me a book on UNIX for VMS guys. DOH.

Long story short, he had me create my accounts manually on 200 boxes so I could learn the different flavors. Well, there was a dev machine running prod apps and I pulled one of these “-d /”; needless to say the rest of the night was spent manually chmoding the whole damn machine. Good learning experience. Since then I have been in Security and have solid experience in everything from physical penetration to implementing a risk management methodology. I have been around the block.


Not that I had much respect for the exam to begin with. In 2000 I had met the head of security at a finance house in NYC who was on the board of the test. He was brain dead; they had outsourced security to the firm I was with. This guy might have been borderline retarded. In 2004 I was with a ProServ organization that used the whole “All our Security guys are CISSP”, and yes, I was the last one to take the test. I devoted no study time towards it.

This was ISC2’s response to my “Hack the Interview” article. You know what, you guys are a direct violation of your own code of ethics. How much bigger of a conflict of interest can there be? You provide assurance that certificate holders are competent. Great, so you charge for the Exam and charge for a boot camp to pass this exam. You’re not going to teach anybody anything in 5 days. I took a Foundstone class in ’99; out of 5 days we only got to learn 1 of those days, you know why? ’Cause it took 1 day to teach us Unix guys the basic Windows we needed and 3 days to teach Windows guys basic Unix. How the FUCK can you teach even foundation in 5 days? You are a cash machine who has a phenomenal marketing scam going.

8 comments so far

  1. Interesting. I am a bit confused about the position ISC2 are taking here.

    Are they really getting themselves worried about terms like “Your Target”? And I am lost as to an article from 2600 being an evil, unethical thing to write.

    Seriously.

    I have held CISSP for several years now and in that time I have also certified as a CEH (sadly), LPT, GCIH and GAWN (amongst other things). The study material for each of these relates to “your targets” and similar terminology, as does social engineering practices. I have even contributed articles for a variety of sources with similar, apparently evil, phrases.

    Does this mean I should surrender my CISSP? (having read this, I may not lose any sleep over that).

    Interestingly, Dorsey seems to take the terms out of context. If I am presenting a lesson for a CEH course, I would talk about the “target of your attack.” Likewise, when I present clients with testing plans I discuss how various structures will be targeted and attacked. In social engineering testing, my documents discuss how various cons will be used to trick unsuspecting personnel.

    This is not (IMHO) unethical as it is done with the written permission of the business in question – and always at their request. Simply using the phrase “hacking” as a tag does not equate to unethical behaviour.

    I am somewhat surprised by the stance ISC2 have taken here.

    • I’m not really sure what their stance is, aside from “we’re not really sure what we’re talking about” :)

      The CEH was even better: I bought the book Friday, opened it up on Monday morning a couple of hours before the test and needless to say passed. I have been a CISSP since 2004 or 5, I don’t remember, and have yet to care about certification. I’m not going to surrender it, I’m doing something even more fun.

      • :) excellent.

        Re: CEH – as with all things, some people find the tests easy, others don’t. I know some holders of the CEH who can just about get a workstation to boot when the password is on a post-it attached to the lid, but I also know some holders who have arcane, magical pentesting powers.

        At the end of the day, it is only letters :-)

        • Lol.. I suck at tests though.. Horrible… And if I passed these with no study I’m truly concerned. Lol.. Posty on keyboard ;)

          It’s only letters, but my peeve is perception people associate with the letters.

  2. Boris, I had a similar experience with C|EH. I only took the CEH test because it is a prerequisite to ECSA/LPT which I intend to do at some point. …and it was a dirt cheap and easy cert to add to the resume in case I needed to find new work. (not an issue anymore)

  3. Agree 100%
    CEH, ISC2 bring shame on an industry by willfully promoting ignorance.

  4. Thanks for sharing this. One issue I have with all the codes of ethics out there is that they take a center-of-the-universe view with their organization being the center. As security professionals we serve our employers and our clients so we can have money to eat, which may come into conflict with ISC2’s or any other number of organizations’ code of MARKETING conduct. I love how he says you should write it to be more fitting of an infosec professional. Maybe I should share with him how to profit in the stock market when black hats attack! Sony has been a great short lately.

    • Haha.. I am still stunned he called out my professionalism. Lovely.