Open Source and information security mailing list archives
From: dufresne at (Ron DuFresne)
Subject: Training & Certifications

	[orig snipped]

This was recently posted to the firewall wizards list, and relates to this

From: Laura Taylor <>
Subject: RE: [fw-wiz] Seeking input: Research Proposal: "Is a third
Date: Fri, 2 Apr 2004 10:30:33 -0500
To: 'Crispin Cowan' <>,
     "'Holt, Philip'" <>

Something curious to know about CISSP is this....

I was thinking of hiring a person with a CISSP and called up ISC2 to
if they really were a CISSP. ISC2 told me that they never verify if anyone
is a CISSP as it is an invasion of the person's privacy. I then asked them
how could I know for sure if this person really was a CISSP and told them
that the person was not listed in the CISSP database on the ISC2 web site.
They then told me that not all CISSPs are listed in the database because
some don't want to be listed. They told me that the only way to verify if
a person is a CISSP is to ask them for their certificate. I then asked
them if all certificates look exactly alike and can they tell me how to
know if a certificate is authentic. I was told that all certificates do
not look exactly alike and that they have changed their look over the
years so there is no way to know if a particular certificate is real or

After much discussion, it became clear that they were not willing to
verify if anyone is a CISSP, and that there was no way for anyone to
really verify this information unless the person chooses to be listed in
the database on the ISC2 web site. I told them that in my opinion their
process for certification was not consistent with the concept of "trust,
but verify" and I ended up not hiring the person I had originally

If a certification cannot be verified, to me it is worthless. I'd rather
hire an MCSE because Microsoft is willing to verify all their

The philosophies and ethics of 2600 could possibly be questionable, but I
dare say that ISC2 is not at all the organization that I once thought it
to be.



Ron DuFresne
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
	***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
