Date: Fri Aug 19 13:22:34 2005
From: jericho at attrition.org (security curmudgeon)
Subject: Re: MS not telling enough - ethics


: Well done, anyone else who knows of people committing fraud against isc2 
: should report them. Unfortunately I don't think it's feasible for isc2 to 
: check everybody.

Oh, how coincidental..

: They do random credential checking and I should know, since I was 
: audited after I passed the exam.

Ethics Complaint Procedures [0]

The board and its agents undertake to keep the identity of the complainant 
and respondent in any complaint confidential from the general public.

[..]

The board will consider only complaints that specify the canon of our code 
that has been violated.

[..]

Complaints will be accepted only from those who claim to be injured by the 
alleged behavior. While any member of the public may complain about a 
breach of Canon I, only principals may complain about violations of Canons 
II and III, and only other professionals may complain about violations of 
Canon IV.

[..]

All complaints must be in writing. The board is not an investigative body 
and does not have investigative resources. Only information submitted in 
writing will be considered.

[..]

Complaints and supporting evidence must be in the form of sworn 
affidavits. The board will not consider other allegations.

[..]

Where there is disagreement between the parties over the facts alleged, 
the ethics committee, at its sole discretion, may invite additional 
corroboration, exculpation, rebuttals and sur-rebuttals in an attempt to 
resolve such dispute. The committee is not under any obligation to make a 
finding where the facts remain in dispute between the parties. Where the 
committee is not able to reach a conclusion on the facts, the benefit of 
all doubt goes to the respondent. 

[..]

Discipline of certificate holders is at the sole discretion of the board. 
Decisions of the board are final.

--

Ok, let me translate this for you:

  Keep it private, for your own good, we swear! This way the complaint is 
  kept out of public scrutiny. You have to clearly define what canon was 
  violated, even though they are general and vague. You must personally be 
  injured to complain, even though breaking any of the four canons may not 
  directly harm one individual! You must submit said complaint in writing, 
  and the board does not have time to investigate your complaint at all. 
  Such complaints must be in the form of sworn affidavits [1], signed by a 
  notary as witness to your signature etc. If there is any dispute of 
  facts, which is entirely up to the (ISC)2 board, it is entirely 
  their discretion whether to act on or continue the process. The board 
  may arbitrarily decide not to pursue or consider additional evidence, 
  will make no effort to research the matter themselves, and drop the 
  matter without further consideration. Even if the board finds someone 
  guilty of breaking one of the canons, the board will decide what 
  punishment, if any, is appropriate, including 'none'.

How many hoops does one have to jump through to file a complaint that will 
actually be considered?! Should I slice my wrists and bleed all over the 
signed and notarized document in case they need a blood sample or DNA? 
Does the complaint need to be shouted out from town square right after 
slaughtering a chicken while juggling hedgehogs? I mean really, how many 
ways can they make this process counter-productive and full of backdoors 
so the 'board' can simply ignore your complaint?

: Ivan Coric, CISSP

You are so proud of your certification, you won't even list yourself in 
the (ISC)2 directory so that we can verify you even hold the 
certification! [2]

: The CISSP cert is the best security cert around, without a doubt.

Best for who?! Oh yes, for you since you hold it. And best for those 
issuing it, since they profit directly from the certification and the 
yearly 'renewal' fee. The fact is, (ISC)2 and the CISSP certification are a 
marketing ploy and money maker. It is *not* in their best interest to 
allow the credibility of their certification to be tarnished for any 
reason, even when criminals are 'earning' it.


security curmudgeon

[0] https://www.isc2.org/cgi-bin/content.cgi?page=176
[1] http://en.wikipedia.org/wiki/Affidavit
[2] https://www.isc2.org/cgi-bin/directory.cgi?displaycategory=503
