If you have been keeping up with my Anti-ISC2 rants lately, then you are familiar with the lame attempts that they have made in attempting to get me to remove some content that holds ISC2 in a negative light. I guess I finally pushed them over the edge with the T-Shirt campaign that by the way is still available.

Today, I received a very interesting letter that had essentially notified me that I am being brought up on an ethics violation because of my “hack the interview” presentation that I had given at BsidesCT late last month. The claim being made states that “This writing invites professionals to engage in fraud and deceit when dealing with prospective employers or clients and gives instructions on how to do so successfully.”


I seem to recall a certain slide within the deck that specifically notes a disclaimer: hmmm.


Did you miss that William Hugh Murray, CISSP? I get it, with 60+ years experience at this point the eyes must be going, or maybe it had something to do with the recent negative publicity I have been directing towards ISC2?

The one thing I found awfully humorous and libelous is the statement you made that I write under a pseudonym of “Abhaxas”, really? Where did you get your source on this? Abhaxas is the PBS Hacker.. Are you insinuating that I am the PBS Hacker? Those are some huge unsupported allegations. I’m assuming you just wanted kudo points for the lame attempt at reading my site. It’s ok, I had to pump 3 quad espressos to get through the piece you call a blog. I have a question for you, how does 25 years as an MVS Administrator make you a security expert? You seem to be pretty far behind the times according to your little video clip. William, unlike you I have done some research before putting together this rebuttal, which by the way will be included in the letter of intent in the civil matter. I’m getting off topic; let us move on, shall we?

One last thing.. Why on earth would you be on cypherspace?

You state in your complaint that I had violated Canon II of the code of professional ethics. “Act honorably, honestly, justly, responsibly, and legally”

I am a security researcher, and the deck was written to address the inherent danger of the human element, that your little certification fails to address. My piece was written in the same form that most “pen testing” classes are. If you are naïve enough to believe that criminals don’t use security tools in their efforts, then my friend it is finally time to hang up that hat. Also, I’d like to touch on another point. If ISC2 doesn’t condone Blackhat, Defcon and other such security conferences then why do you reward CPEs for them? Please do not claim that you don’t, you can go ahead and look at my previous “Approved” CPEs.

I would hope you are wondering why I am referring to you and ISC2 as one and the same? You aren’t are you? Aren’t you on the board as well as the committee that reviews ethics complaints? Does that not violate Canon II as well? I’m no lawyer, but that does sound like a conflict of interest to me. I know, ISC2 has a strict do as we say, not as we do mentality.

With that said, I’d like to take a look at the code of ethics that I’m sure you had a hand in writing, especially after reading your extremely boring “cheating in computer science article”.

Provide diligent and competent service to principals

Shouldn’t you be filing formal complaints against the 500+ CISSP holders at Booze Allen for violating the above? ISC2 does guarantee absolute competence, but the only thing you deliver on is an annual maintenance fee.

Oh and by the way Dorsey, can I send you a shirt? I know that is what finally put you over the edge. I’m sure you had exhausted every possible avenue you could think of to limit the negative press. Did you think for a second, that this might backfire? Treat all members fairly, seems to be one of the guidelines you had overlooked.

This whole selective enforcement thing you got going is great. What is the proper route to return the CISSP to sender? Is there an opt-out button? Apparently cigarettes aren’t as bad as some might say…


The stovetop did seem to work much better.





I will be continuing to rant about the quality of candidates you keep polluting the industry with, and the lack of relevance your certification holds. Please, by all means take a look at the many ways you and your friend William Hugh Murray had violated the code of ethics you both spent time writing.

On a final note, I’d like to inform you that I have started reaching out to like-minded individuals to establish a credible open source certification.

11 comments so far

  1. WTF? Manipulative? Your advice is on par with:
    You might wear jeans and t-shirts normally at work but they want to know you’re “professional” so meet their expectations and put on a suit for the interview.

    They’re probably just fuming because they forgot to put in the ethics statement “You must not take the piss out of CISSP or ISC2”


  2. Love it. I’m buying the shirt. I’ve had MAJOR issues with the CISSP process for some time. Too many top flight pros without one… and too many phonies with it. Keep up the good rant!

    • Way too many phonies!!!

      • IMO we need a process based on assurance of character. The honest individual admits where knowledge is lacking and grows. The phoney uses the “Baffle them with B.S.” approach and compromises the system/data. The young up and coming infosec students look promising to me. They tend to notice rapidly that the emperor’s new clothes have gaping holes and they are not a bit shy about it.

        • That’s because they haven’t gotten into the whole wink wink nod nod mentality..

  3. [...] From Jaded Security [...]

  4. You need some type of series that is advice driven for people trying to get into this field. We cannot avoid the reality that there is a huge need for security professionals and I honestly think we are only seeing the tip of the iceberg. There are a lot of people out there who want to do this right, but there is a serious lack of advice on where to start and how to grow in this profession..

  5. This is both comical and worrying.

    This *dubious* security professional has accused you of being a criminal and (in theory*) put your entire professional life in jeopardy simply because he is unhappy over something totally different that you have written.

    It’s like me writing a letter to ISC2 complaining that William Hugh Murray, writing under the pseudonym @LulzSec has discredited the CISSP….

    In fact, I am tempted.

    I genuinely hope you see him in court over this. ISC would be secondary fall out.

    * while you may be more than able to continue to get security work without CISSP, the principle remains that Murray has attempted, without any evidence, to end someone’s career in this manner. This could, in theory, lead to a police investigation which, in turn, could lead to you becoming unemployable.

    By its very nature, his behaviour here, making false accusations about criminal behaviour, is a violation of any ethical policy.

  6. I hope you are following @anonymouSabu and @LulzSec on twitter tonight. It seems there might be some more newsworthy events.

    So far, however, there is still no sign that any “l33t” hacker skills have been required. It’s pretty shameful that yet another multinational can have such lame-assed security.

    • They are in my irc all the time.. we had them on the show.

      • Nice one – glad to hear it :-)