From: exibar at (Exibar)
Subject: Training & Certifications

The person that Laura spoke to was mistaken,  right from their website it

In the interim, (ISC)2 Services, 2494 Bayshore Boulevard, Suite 201,
Dunedin, FL 34698 USA, PH: 1.888.333.4458, FX: 1.727.738.8522, will continue
to respond to any employer requests for (ISC)2 credential holder
verifications. Such requests must be in writing on the employer's company
letterhead and a release signature from the CISSP/SSCP must be included in
the request.

That's found here:


----- Original Message ----- 
From: "Ron DuFresne" <>
To: "Dave Howe" <>
Cc: "Email List: Full Disclosure" <>; "Laura
Taylor" <>
Sent: Monday, April 05, 2004 2:16 PM
Subject: Re: [Full-Disclosure] Training & Certifications

> [orig snipped]
> This was recently posted to the firewall wizards list, and relates to this
> topic;
> From: Laura Taylor <>
> Subject: RE: [fw-wiz] Seeking input: Research Proposal: "Is a third
>     position possible?"
> Cc:
> Date: Fri, 2 Apr 2004 10:30:33 -0500
> To: 'Crispin Cowan' <>,
>      "'Holt, Philip'" <>
> Something curious to know about CISSP is this....
> I was thinking of hiring a person with a CISSP and called up ISC2 to verify
> if they really were a CISSP. ISC2 told me that they never verify if anyone
> is a CISSP as it is an invasion of the person's privacy. I then asked them
> how could I know for sure if this person really was a CISSP and told them
> that the person was not listed in the CISSP database on the ISC2 web site.
> They then told me that not all CISSPs are listed in the database because
> some don't want to be listed. They told me that the only way to verify if
> a person is a CISSP is to ask them for their certificate. I then asked
> them if all certificates look exactly alike and can they tell me how to
> know if a certificate is authentic. I was told that all certificates do
> not look exactly alike and that they have changed their look over the
> years so there is no way to know if a particular certificate is real or
> not.
> After much discussion, it became clear that they were not willing to
> verify if anyone is a CISSP, and that there was no way for anyone to
> really verify this information unless the person chooses to be listed in
> the database on the ISC2 web site. I told them that in my opinion their
> process for certification was not consistent with the concept of "trust,
> but verify" and I ended up not hiring the person I had originally
> interviewed.
> If a certification cannot be verified, to me it is worthless. I'd rather
> hire an MCSE because Microsoft is willing to verify all their
> certifications.
> The philosophies and ethics of 2600 could possibly be questionable, but I
> dare say that ISC2 is not at all the organization that I once thought it
> to be.
> Laura
> Thanks,
> Ron DuFresne
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
> OK, so you're a Ph.D.  Just don't touch anything.
