06.04
UPDATE
---------- Forwarded message ----------
From: Boris Sverdlik <bsverdlik@gmail.com>
Date: Fri, Jul 1, 2011 at 1:01 PM
Subject: Re: Improper use of the CISSP mark
To: Dorsey Morrow <domorrow@isc2.org>
Dorsey,
You're correct, as things are far easier. I'm not using the mark nor the
logo; please visit the links you had sent. Thanks. I specifically say
ISC2, hence no trademark or copyright infringement.
Selective enforcement of ethics violations, not trademark. Please feel
free to bring me up on an ethics violation; I am gathering enough
information on the "Absolute Competency" you assure employers. I'd love
to be able to have that hearing publicly.
Regards,
Boris
On Fri, Jul 1, 2011 at 12:50 PM, Dorsey Morrow <domorrow@isc2.org> wrote:
> Boris,
>
> Excellent. My apologies. I thought you were in the EU. This makes things far easier.
>
> Rather odd you are claiming “selective enforcement”. I can document extensive litigation (which we have all won), regarding misuse of (ISC)² marks. Can we get them all, not a chance, but we do pursue. However, the law doesn’t require that I pursue every one of them or even document, as selective enforcement is not a defense.
>
> Simply pull up the first article “Do you still value your CISSP?” on your proposed Google search and read the last paragraph. He makes a good argument.
>
> I consider the discussion closed. You can have your say about thinking the CISSP you hold is not worthwhile, but the Logo Usage Guidelines that you agreed to be bound by govern your actions and are part of the contract you executed. Failure to remove the images will result in an ethics complaint and (ISC)² considering all remedies.
>
> Respectfully,
>
> Dorsey Morrow, CISSP®-ISSMP®
> (ISC)²® General Counsel
> Security Transcends Technology®
> domorrow@isc2.org
>
> Connect with us!
>
> InterSeC: www.isc2intersec.com
>
> Twitter: https://twitter.com/isc2
>
> YouTube: http://www.youtube.com/isc2tv
>
>
> -----Original Message-----
> From: Boris Sverdlik [mailto:bsverdlik@gmail.com]
> Sent: Friday, July 01, 2011 11:28 AM
> To: Dorsey Morrow
> Subject: Re: Improper use of the CISSP mark
>
> Dorsey,
>
> I appreciate your concerns, but I do reside in the US; the server
> resides in the US. The more public we make selective enforcement, the
> more public ISC2's claim of absolute competence will be scrutinized. I
> have not violated anything in terms of your ethics statement,
> especially conflict of interest, which is one I take very personally.
> On Fri, Jul 1, 2011 at 12:24 PM, Dorsey Morrow <domorrow@isc2.org> wrote:
>> Boris,
>> No, but you did use our EU registered trademarks in a disparaging manner, which is governed by EU law. US copyright law doesn’t apply because (1) we are talking trademarks, not copyright; and, (2) you aren’t residing in the US.
>>
>> As you wish on the ethics portion. Remember, there may be hundreds, if not thousands, of “similar articles and pieces written by holders of the certification”. As I am sure your attorney will tell you, whether I get to them or not is irrelevant in a response. Same reasoning a police officer will ticket you even if you claim others are speeding as well. I am focusing on your actions.
>>
>> Respectfully,
>>
>> Dorsey Morrow, CISSP®-ISSMP®
>> (ISC)²® General Counsel
>> Security Transcends Technology®
>> domorrow@isc2.org
>> Connect with us!
>> InterSeC: www.isc2intersec.com
>> Twitter: https://twitter.com/isc2
>> YouTube: http://www.youtube.com/isc2tv
---------- Forwarded message ----------
From: Boris Sverdlik <bsverdlik@gmail.com>
Date: Fri, Jul 1, 2011 at 12:17 PM
Subject: Re: Improper use of the CISSP mark
To: Dorsey Morrow <domorrow@isc2.org>
Dorsey,
While I appreciate the attempt at selective enforcement of ethics
violations, I'd like to refer you to the definition of a logo:
http://definitions.uslegal.com/c/corporate-logo/
I in no way used the logo (ISC)2 in any of my artwork. In terms of
usage of the CISSP (trademark), Copyright law Section 107 provides
that "the fair use of a copyrighted work . . . for purposes such as
criticism [or] comment . . . is not an infringement . . . ," but it
requires a case-by-case analysis rather than "bright-line rules".
If you’d file an ethics claim, I’m ok with having my attorney put
together a formal response citing hundreds of similar articles and
pieces written by holders of the certification
(http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=cissp+sucks)
Regards,
Boris
On Fri, Jul 1, 2011 at 12:01 PM, Dorsey Morrow <domorrow@isc2.org> wrote:
>
> Boris,
>
> You are in breach of the Logo Usage Guidelines you agreed to abide by when you applied to sit for the CISSP exam. Please note that (ISC)² and CISSP are registered marks in the EU. You are directed to remove http://jadedsecurity.net/2011/06/30/do-it-for-the-kittens/ and the graphic stating “(ISC)² Sucks” on http://jadedsecurity.net/2011/06/30/what-the-cissp-won%e2%80%99t-teach-you-part-deux/.
>
> Failure to abide by this directive will result in an immediate ethics complaint requesting decertification and (ISC)² considering all legal remedies to protect its intellectual property.
>
> Govern yourself accordingly,
> Dorsey Morrow, CISSP®-ISSMP®
> (ISC)²® General Counsel
> Security Transcends Technology®
> domorrow@isc2.org
> InterSeC: www.isc2intersec.com
>
> Twitter: https://twitter.com/isc2
>
> YouTube: http://www.youtube.com/isc2tv
>
>
A little background on me: I have been technical since my dad got me a C64 in '81. I did the whole paper MCSE, CCNA thing in the 90s. Never really held an SA spot, but somehow got a network eng position (yeah yeah, MS networking... took 2 years till I got over the whole WINS thing).
14 years of IT and 12 of Security. I know N-Code (if you're old school you'll know what that is). I somehow got into security because I took a short term contract creating accounts, and instead of working I scripted the whole thing. Novell 3 people. The Head of Security brought me into her group when her Unix head left. The only Unix I had was getting RH working on a Stinkpad. Had to learn VMS because the head of my group and my mentor gave me a book on UNIX for VMS guys. DOH.
Long story short, he had me create my accounts manually on 200 boxes so I could learn the different flavors. Well, there was a dev machine running prod apps and I pulled one of these "-d /"; needless to say the rest of the night was spent manually chmoding the whole damn machine. Good learning experience. Since then I have been in Security and have solid experience in everything from physical penetration to implementing a risk management methodology. I have been around the block.
Not that I had much respect for the exam to begin with. In 2000 I had met the head of security at a finance house in NYC who was on the board of the test. He was brain dead; they had outsourced security to the firm I was with. This guy might have been borderline retarded. In 2004 I was with a ProServ organization that used the whole "All our Security guys are CISSP," and yes, I was the last one to take the test. Devoted no study time towards it.
This was ISC2's response to my "Hack the Interview" article. You know what, you guys are in direct violation of your own code of ethics. How much bigger of a conflict of interest can there be? You provide assurance that certificate holders are competent. Great, so you charge for the exam and charge for a boot camp to pass this exam. You're not going to teach anybody anything in 5 days. I took a Foundstone class in '99; out of 5 days we only got to learn on 1 of those days, you know why? 'Cause it took 1 day to teach us Unix guys the basic Windows we needed and 3 days to teach Windows guys basic Unix. How the FUCK can you teach even foundations in 5 days? You are a cash machine who has a phenomenal marketing scam going.
From: Dorsey Morrow <domorrow@isc2.org>
To: bsverdlik@gmail.com
Date: Tue, May 24, 2011 at 9:49 AM
Subject: Inappropriate content
Boris,
Your posting (see below) was brought to the attention of several members of the (ISC)² Board of Directors. It is their opinion that your posting to that link might appear to support the social engineering position made by the author of the article. Without any commentary, it is hard to draw any other conclusion. This would be in contravention of the (ISC)² Code of Ethics and could be the basis for a breach of the code. I would suggest you clarify on that forum why you posted the link and that you do not condone the action stated by the author.
Best regards,
Dorsey Morrow, CISSP®-ISSMP®

From: Boris Sverdlik <bsverdlik@gmail.com>
To: Dorsey Morrow <domorrow@isc2.org>
Date: Tue, May 24, 2011 at 10:31 AM
Dorsey,
I am the author of the article and Part 1 clearly states that one of the services I provide is Information Security Awareness training to protect organizations from these types of attacks. Please help me understand how this is different from a malware researcher providing a dissection of an attack? I don't support any tactics and/or methodologies used in a malicious way; however, that doesn't inherently mean I will not share the methodologies. Do we as information security professionals seriously believe that security through obscurity works?
Regards,
Boris

From: Boris Sverdlik <bsverdlik@gmail.com>
To: Dorsey Morrow <domorrow@isc2.org>
Date: Tue, May 24, 2011 at 10:35 AM
Subject: Re: Inappropriate content
Dorsey, which forum was this on?

From: Dorsey Morrow <domorrow@isc2.org>
To: Boris Sverdlik <bsverdlik@gmail.com>
Date: Tue, May 24, 2011 at 10:36 AM
Subject: RE: Inappropriate content
See your posting below: CISSPJobsForum.
Best regards,
Dorsey Morrow, CISSP®-ISSMP®

From: Boris Sverdlik <bsverdlik@gmail.com>
To: Dorsey Morrow <domorrow@isc2.org>
Date: Tue, May 24, 2011 at 10:42 AM
Subject: Re: Inappropriate content
Ahh, the Yahoo e-mail job group. I'm still unsure that the content is inappropriate, as if security professionals aren't aware of these methodologies then frankly they should not be in the industry. How would you like me to address it?

From: Dorsey Morrow <domorrow@isc2.org>
To: Boris Sverdlik <bsverdlik@gmail.com>
Date: Tue, May 24, 2011 at 10:52 AM
Subject: RE: Inappropriate content
Boris,
I must start by saying that we don't necessarily condone a malware researcher providing a dissection of an attack; at least not without notifying the appropriate parties affected first and providing ways to mitigate. The way the article was written, it uses words such as "your target", "short con" (I presume the negative connotation of "confidence", as in "con man"), and "how much time you focus on the attack", instead of "how to defend an attack" or "how to identify such an attack". I also noted the tags included "hacking", "manipulate", and "social engineering". This reads more like a "how-to" article for 2600 than an advisory article for professionals defending against such attacks. I would suggest that the article be rewritten in the context of how to defend and/or mitigate these issues. As you have adroitly stated, "if security professionals aren't aware of these methodologies then frankly they should not be in the industry." So then, why publish this so that others become aware of these methodologies and use them against employers/infosec professionals? I hope you understand the concern over publishing such articles and the reflection it has on the profession. Our job is to prevent such attacks, not provide the tools to commit them. While we want infosec professionals to be aware, we must do so from the perspective of how to identify and defend.
Best regards,
Dorsey Morrow, CISSP®-ISSMP®

From: Boris Sverdlik <bsverdlik@gmail.com>
To: Dorsey Morrow <domorrow@isc2.org>
Date: Tue, May 24, 2011 at 11:07 AM
Dorsey,
It was written as a how-to because I'm presenting the information at security conferences which target the types of candidates that I would hire, ones that keep up to date with all threat vectors. The security awareness training services I offer demonstrate how to identify and stop these attacks. Malware researchers (not malicious attackers) spend countless hours dissecting code because security professionals charged with protecting their organizations fail to implement proper vetting procedures. They fail because in some cases they hired someone based on a credential who is only knowledgeable in what the crash class for the certification had taught him. Am I to believe ISC2 is OK with a public image that does not support DefCon and/or Blackhat? If that is the case, we shall continue to see failures such as Sony if we do not arm ourselves with the same information available to malicious attackers. This article was put together originally to sell my Security Awareness Program.

From: Dorsey Morrow <domorrow@isc2.org>
To: Boris Sverdlik <bsverdlik@gmail.com>
Date: Tue, May 24, 2011 at 11:26 AM
Subject: RE: Inappropriate content
Boris,
Indeed (ISC)² does not condone or participate in Blackhat or Defcon. However, this does not logically conclude that this contributes to security failures such as Sony. To make such an argument means that we only find current and relevant infosec information at those venues, which is not true. While we do not condone or participate, neither do we prohibit members from attending if they believe it provides them an opportunity to learn, so long as they are not associating with or supporting criminal or unethical behavior typically associated with those venues. Nevertheless, that is not what is at issue. Of concern is that the article is written as a "how to" for criminal behavior, not how to defend for professionals. I am not going to belabor the issue with you. I am simply going to suggest that you may be subject to a Code of Ethics complaint based on the content as presented in the article and would strongly urge that you rewrite it to be more fitting for an infosec professional.
Best regards,
Dorsey Morrow, CISSP®-ISSMP®

From: Boris Sverdlik
To: Dorsey Morrow <domorrow@isc2.org>
Date: Tue, May 24, 2011 at 10:28 AM
Dorsey,
Fair enough. Let me digest this, and please feel free to delete the post.

From: Dorsey Morrow <domorrow@isc2.org>
To: Boris Sverdlik <bsverdlik@gmail.com>
Date: Tue, May 24, 2011 at 11:31 AM
Subject: RE: Inappropriate content
Boris,
We don't control the CISSPJobsForum, we simply monitor. You will need to either delete or provide clarification. Thanks for your consideration.
Best regards,
Dorsey Morrow, CISSP®-ISSMP®

Interesting. I am a bit confused about the position ISC2 are taking here.
Are they really getting themselves worried about terms like "Your Target"? And I am lost as to how an article from 2600 is an evil, unethical thing to write.
Seriously.
I have held CISSP for several years now and in that time I have also certified as a CEH (sadly), LPT, GCIH and GAWN (amongst other things). The study material for each of these relates to “your targets” and similar terminology, as does social engineering practices. I have even contributed articles for a variety of sources with similar, apparently evil, phrases.
Does this mean I should surrender my CISSP? (having read this, I may not lose any sleep over that).
Interestingly, Dorsey seems to take the terms out of context. If I am presenting a lesson for a CEH course, I would talk about the "target of your attack." Likewise, when I present clients with testing plans I discuss how various structures will be targeted and attacked. In social engineering testing, my documents discuss how various cons will be used to trick unsuspecting personnel.
This is not (IMHO) unethical as it is done with the written permission of the business in question – and always at their request. Simply using the phrase “hacking” as a tag does not equate to unethical behaviour.
I am somewhat surprised by the stance ISC2 have taken here.
I'm not really sure what their stance is, aside from "we're not really sure what we're talking about".
The CEH was even better: I bought the book Friday, opened it up on Monday morning a couple of hours before the test and, needless to say, passed. I have been a CISSP since 2004 or '05, I don't remember, and have yet to care about certification. I'm not going to surrender it; I'm doing something even more fun.
Re: CEH - as with all things, some people find the tests easy, others don't. I know some holders of the CEH who can just about get a workstation to boot when the password is on a post-it attached to the lid, but I also know some holders who have arcane, magical pentesting powers.
At the end of the day, it is only letters
Lol.. I suck at tests though. Horrible. And if I passed these with no study I'm truly concerned. Lol.. Posty on keyboard
It’s only letters, but my peeve is perception people associate with the letters.
Boris, I had a similar experience with C|EH. I only took the CEH test because it is a prerequisite to ECSA/LPT which I intend to do at some point. …and it was a dirt cheap and easy cert to add to the resume in case I needed to find new work. (not an issue anymore)
Agree 100%
CEH, ISC2 bring shame on an industry by willfully promoting ignorance.
Thanks for sharing this. One issue I have with all the codes of ethics out there is that they take a center-of-the-universe view, with their organization being the center. As security professionals we serve our employers and our clients so we can have money to eat, which may come into conflict with ISC2's or any other number of organizations' code of MARKETING conduct. I love how he says you should write it to be more fitting of an infosec professional. Maybe I should share with him how to profit in the stock market when black hats attack! Sony has been a great short lately.
Haha.. I am still stunned he called out my professionalism. Lovely.