
From: lucas@fungard.com
To: jericho@attrition.org
Date: Tue, 30 May 2006 15:18:51 -0400
Subject: everything else

hey jericho-

why do you guys keep a list of certified CISSPs on your website?

-L
From: security curmudgeon (jericho@attrition.org)
To: lucas@fungard.com
Date: Tue, 30 May 2006 15:30:47 -0400 (EDT)
Subject: Re: everything else

: hey jericho-
:
: why do you guys keep a list of certified CISSPs on your website?

For easy reference of course!
From: lucas@fungard.com
To: jericho@attrition.org
Date: Tue, 30 May 2006 15:36:46 -0400
Subject: RE: everything else

i don't get it.. like, who cares. is this information useful somehow?
From: security curmudgeon (jericho@attrition.org)
To: lucas@fungard.com
Date: Tue, 30 May 2006 15:41:39 -0400 (EDT)
Subject: RE: everything else

: i don't get it.. like, who cares.

We obviously care.

: is this information useful somehow?

Extremely.

ps: shouldn't you be telling me you are a CISSP on the list, in the interest of full disclosure? or just get to the point and say you don't like your name on our copy of the list? or call us godless heathens?
From: lucas@fungard.com
To: jericho@attrition.org
Date: Tue, 30 May 2006 15:51:04 -0400
Subject: RE: everything else

uhmm, i don't care that you have the list.. i was just curious. the information is freely available on isc2's website so it's not like it's private anyway. that's why i was wondering why you kept it and thought it was useful.

heathens are not godless - they are pagans, and most are polytheists. =P

so what's the big deal? simple social engineering data?
From: security curmudgeon (jericho@attrition.org)
To: lucas@fungard.com
Date: Tue, 30 May 2006 15:54:14 -0400 (EDT)
Subject: RE: everything else

: uhmm, i don't care that you have the list.. i was just curious. the
: information is freely available on isc2's website so it's not like it's
: private anyway. that's why i was wondering why you kept it and thought
: it was useful.

Well, if you notice on their site, you search by name and get a few results. If you are a deviant malicious evil blackhat ((c) ISC2) then you can trick their site into dumping the entire list. This is a pretty bad case of information disclosure given that the list contains so many email addresses (for spammers), and the rest of the information (for SE like you mention). And of course, a security outfit like that not adding basic filtering to such a search interface is a *tad* embarrassing.

Oh, did I mention that they tried to fix the bug and failed? Twice? =)

So the latest list in the /ee directory isn't available to everyone but it is a lot more current with a lot more names. Having the original up proves the point just fine I think.

: so what's the big deal? simple social engineering data?

It's more or less a reminder that they can talk about security all day long, push their certification to whoever, award it to any cluebag they want.. but in the end, it means nothing. They have how many CISSPs at their disposal, and they can't fix their own search interface? =)
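The failure the last message describes, a name-search form with no basic filtering so that a single query hands back the whole directory, is the kind of thing that is easier to see in code than in an email. The following is an added example in Python; it is not ISC2's code and not from the thread. The directory records, the field names, the minimum-query-length and result-cap policies, the QueryRejected exception and the access-log lines are all assumptions constructed for the example. It puts the weak lookup beside a corrected one and adds a small log check for the scraping pattern the thread complains about.

```python
"""Hypothetical member-directory search (added example, not the project's code).

Contrasts a lookup that dumps the whole directory with one that limits what a
single query can return, plus a log-based check for bulk enumeration.
"""
from collections import defaultdict

# Constructed sample directory; every name and address here is made up.
DIRECTORY = [
    {"name": "Alice Example", "email": "alice@example.org", "cert": "CISSP", "country": "US"},
    {"name": "Bob Sample", "email": "bob@example.net", "cert": "CISSP", "country": "CA"},
    {"name": "Carol Test", "email": "carol@example.com", "cert": "SSCP", "country": "UK"},
    {"name": "Dan Templeton", "email": "dan@example.org", "cert": "CISSP", "country": "US"},
]

MIN_QUERY_LEN = 3     # assumed policy: a lookup needs at least three letters of a name
MAX_RESULTS = 2       # assumed policy: cap results per query (tiny here so the cap is exercised)
PUBLIC_FIELDS = ("name", "cert", "country")   # email is never part of a public response


def naive_search(query):
    """The weak version: substring match with no minimum length and no cap.
    An empty query matches every record and every field (email included) is
    returned, so one request yields the entire directory."""
    q = query.lower()
    return [dict(r) for r in DIRECTORY if q in r["name"].lower()]


class QueryRejected(ValueError):
    """Raised when a query does not identify a specific person (assumed name)."""


def query_is_specific(query):
    """A query must carry at least MIN_QUERY_LEN letters; whitespace, wildcards
    and punctuation alone do not count toward the minimum."""
    return sum(ch.isalpha() for ch in query) >= MIN_QUERY_LEN


def hardened_search(query, max_results=MAX_RESULTS):
    """The corrected version: require a real name fragment, return only public
    fields, cap the page size, and tell the caller when results were cut off."""
    q = query.strip().lower()
    if not query_is_specific(q):
        raise QueryRejected(f"query must contain at least {MIN_QUERY_LEN} letters")
    matches = [{k: r[k] for k in PUBLIC_FIELDS}
               for r in DIRECTORY if q in r["name"].lower()]
    return {"results": matches[:max_results], "truncated": len(matches) > max_results}


# Constructed access-log lines of the form "<client> <query>"; one client walks
# through many distinct queries, which is what scraping a search form looks like.
SAMPLE_LOG = [
    "10.0.0.5 aaa", "10.0.0.5 aab", "10.0.0.5 aac", "10.0.0.5 aad",
    "10.0.0.5 aae", "10.0.0.5 aaf",
    "10.0.0.9 example", "10.0.0.9 example",
]


def flag_enumerators(log_lines, max_distinct_queries=5):
    """Detection side: report clients that issued more distinct queries than a
    normal lookup would need within the logged window."""
    seen = defaultdict(set)
    for line in log_lines:
        client, _, query = line.partition(" ")
        seen[client].add(query)
    return sorted(c for c, qs in seen.items() if len(qs) > max_distinct_queries)


if __name__ == "__main__":
    print("naive, empty query ->", len(naive_search("")), "records with email")
    print("hardened, 'ple' ->", hardened_search("ple"))
    print("flagged clients ->", flag_enumerators(SAMPLE_LOG))
```

The two fixes that matter are the minimum-length check (so the search cannot be turned into a listing) and returning only the public fields (so even a successful scrape never carries email addresses); the result cap with a truncated flag is what keeps a legitimate paginated UI working under those limits.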