From: lucas.burke@sungard.com
To: jericho@attrition.org
Date: Tue, 30 May 2006 15:18:51 -0400
Subject: everything else


hey jericho-

why do you guys keep a list of certified CISSPs on your website?

-L




From: security curmudgeon (jericho@attrition.org)
To: lucas.burke@sungard.com
Date: Tue, 30 May 2006 15:30:47 -0400 (EDT)
Subject: Re: everything else


: hey jericho-
:
: why do you guys keep a list of certified CISSPs on your website?

For easy reference of course!




From: lucas.burke@sungard.com
To: jericho@attrition.org
Date: Tue, 30 May 2006 15:36:46 -0400
Subject: RE: everything else


i don't get it..  like, who cares.

is this information useful somehow?




From: security curmudgeon (jericho@attrition.org)
To: lucas.burke@sungard.com
Date: Tue, 30 May 2006 15:41:39 -0400 (EDT)
Subject: RE: everything else


: i don't get it..  like, who cares.

We obviously care.

: is this information useful somehow?

Extremely.


ps: shouldn't you be telling me you are a CISSP on the list, in the
interest of full disclosure? or just get to the point and say you don't
like your name on our copy of the list? or call us godless heathens?




From: lucas.burke@sungard.com
To: jericho@attrition.org
Date: Tue, 30 May 2006 15:51:04 -0400
Subject: RE: everything else


uhmm, i don't care that you have the list..  i was just curious.
the information is freely available on isc2's website so it's not like
it's private anyway.  that's why i was wondering why you kept it and
thought it was useful.

heathens are not godless - they are pagans, and most are polytheists.
=P

so what's the big deal?  simple social engineering data?




From: security curmudgeon (jericho@attrition.org)
To: lucas.burke@sungard.com
Date: Tue, 30 May 2006 15:54:14 -0400 (EDT)
Subject: RE: everything else


: uhmm, i don't care that you have the list..  i was just curious. the
: information is freely available on isc2's website so it's not like it's
: private anyway.  that's why i was wondering why you kept it and thought
: it was useful.

Well, if you notice on their site, you search by name and get a few
results. If you are a deviant malicious evil blackhat ((c) ISC2) then you
can trick their site into dumping the entire list. This is a pretty bad
case of information disclosure given that the list contains so many email
addresses (for spammers), and the rest of the information (for SE like you
mention). And of course, a security outfit like that not adding basic
filtering to such a search interface is a *tad* embarassing.

Oh, did I mention that they tried to fix the bug and failed? Twice? =) So
the latest list in the /ee directory isn't available to everyone but it is
a lot more current with a lot more names. Having the original up proves
the point just fine I think.

: so what's the big deal?  simple social engineering data?

It's more or less a reminder that they can talk about security all day
long, push their certification to whoever, award it to any cluebag they
want.. but in the end, it means nothing. They have how many CISSPs at
their disposal, and they can't fix their own search interface? =)




From: lucas.burke@sungard.com
To: jericho@attrition.org
Date: Wed, 31 May 2006 10:16:03 -0400
Subject: RE: everything else

well, no offense but i find it pretty much useless - other than for
basic recon work.  there are no personal identifiers other than what the
users choose to put up there.  you'll notice that i have name and
company only.
you can dump the list by country if you want, so it's not very hard.
and besides, the cissp is not hard to get.  just because someone has it
doesn't mean much.  giac certs are much harder and more practical.  so
in that respect i totally agree with you.

but anyway, disorder - it's ironic that you talk about using information
against people when you put so much of your own dirt on your webpage.
it looks like you cut your teeth on h/p scene back in the bbs days.
based on your hosting provider and your old distros, i'd guess that
you're in TX.  but i digress.  (i'm sure you know how much information
someone could pull off of your site.)

it's amusing how the scene has changed though, huh?  i knew a few people
back in those days.  *wink*




main page ATTRITION feedback