lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.63.0508190802260.2468@forced.attrition.org>
Date: Fri Aug 19 13:22:34 2005
From: jericho at attrition.org (security curmudgeon)
Subject: Re: MS not telling enough - ethics


: Well done, anyone else who knows of people committing fraud against isc2 
: should report them. Unfortunately I don't think its feasible for isc2 to 
: check everybody.

Oh, how coincidental..

: They do random credential checking and I should I know, since I was 
: audited after I passed the exam.

Ethics Complaint Procedures [0]

The board and its agents undertake to keep the identity of the complainant 
and respondent in any complaint confidential from the general public.

[..]

The board will consider only complaints that specify the canon of our code 
that has been violated.

[..]

Complaints will be accepted only from those who claim to be injured by the 
alleged behavior. While any member of the public may complain about a 
breach of Canon I, only principals may complain about violations of Canons 
II and III, and only other professionals may complain about violations of 
Canon IV.

[..]

All complaints must be in writing. The board is not an investigative body 
and does not have investigative resources. Only information submitted in 
writing will be considered.

[..]

Complaints and supporting evidence must be in the form of sworn 
affidavits. The board will not consider other allegations.

[..]

Where there is disagreement between the parties over the facts alleged, 
the ethics committee, at its sole discretion, may invite additional 
corroboration, exculpation, rebuttals and sur-rebuttals in an attempt to 
resolve such dispute. The committee is not under any obligation to make a 
finding where the facts remain in dispute between the parties. Where the 
committee is not able to reach a conclusion on the facts, the benefit of 
all doubt goes to the respondent. 

[..]

Discipline of certificate holders is at the sole discretion of the board. 
Decisions of the board are final.

--

Ok, let me translate this for you:

  Keep it private, for your own good, we swear! This way the complaint is 
  kept out of public scrutiny. You have to clearly define what canon was 
  violated, even though they are general and vague. You must personally be 
  injured to complain, even though breaking any of the four canons may not 
  directly harm one individual! You must submit said complaint in writing, 
  and the board does not have time to investigate your complaint at all. 
  Such complaints must be in the form of sworn affidavits [1], signed by a 
  notary as witness to your signature etc. If there is any dispute of 
  facts, which is entirely up the to the (ISC)2 board, it is entirely 
  their discretion whether to act on or continue the process. The board 
  may arbitrarily decide not to pursue or consider additional evidence, 
  will make no effort to research the matter themselves, and drop the 
  matter without further consideration. Even if the board finds someone 
  guilty of breaking one of the canons, the board will decide what 
  punishment, if any, is appropriate, including 'none'.

How many hoops does one have to jump through to file a complaint that will 
actually be considered?! Should I slice my wrists and bleed all over the 
signed and notarized document in case they need a blood sample or DNA? 
Does the complaint need to be shouted out from town square right after 
slaughtering a chicken while juggling hedgehogs? I mean really, how many 
ways can they make this process counter-productive and full of backdoors 
so the 'board' can simply ignore your complaint?

: Ivan Coric, CISSP

You are so proud of our certificiation, you won't even list yourself in 
the (ISC)2 directory so that we can verify you even hold the 
certification! [2]

: The CISSP cert is the best security cert around, without a doubt.

Best for who?! Oh yes, for you since you hold it. And best for those 
issuing it, since they profit directly from the ceritification and the 
yearly 'renewal' fee. The fact is, (ISC)2 and the CISSP certification is a 
marketing ploy and money maker. It is *not* in their best interest to 
allow the credibility of their certification to be tarnished for any 
reason, even when criminals are 'earning' it.


security curmudgeon

[0] https://www.isc2.org/cgi-bin/content.cgi?page=176
[1] http://en.wikipedia.org/wiki/Affidavit
[2] https://www.isc2.org/cgi-bin/directory.cgi?displaycategory=503

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ