Security Basics mailing list archives
RE: CISSP Question
From: "Simmons, James" <jsimmons () eds com>
Date: Tue, 15 May 2007 19:22:37 -0500
Craig,

I would like to see what post you are talking about where I have engaged in public defamation. I do not believe that I have made any statements to that effect. I have raised questions, that can then be justly answered. I have not once made a statement claiming that they are practicing in illegitimate endeavors. I have asserted my claim that the prices can be cut down for the good of the industry, and have questioned where the estimated influx of money is being spent? That is not public defamation. And I have stated again that I am in the process of obtaining the required material for a complete analysis.

I have made broad sweeping statements about greed in general, but nothing directed at ISC2 or any other specific company. If you will actually spend the time and read my posts, you will see that I am questioning the certification industry as a whole. It is just because of you and David's position to the CISSP that the conversation always drifts towards that company. It is a position that you are familiar with and thus a better chance to provide insight into the discussion. In fact I have even stated many times that I do not wish, nor mean to have to "pick on" ISC2, but it is just a hazard that comes with being successful and being known. I have been very careful not to point fingers at any single entity, but all my numbers and resources come from publicly available sources of which I have been trying to document within my argument.

So instead of continuing with a discussion, YOU, Craig, make false accusations.

1) You are making implications and innuendos and implying that these are the truth.

I have never once said that what I said was the truth. I have even gone out of my way to state such, many times. I present questions. They may be blunt, but implying that a question is the truth?

Now I will admit that some of my statements can be perceived to the opposite of what I meant, but instead of talking to me and giving me a chance to print a correction, or at least the chance to clarify what I meant, you openly attacked me.

****>>Rather however than obtain the information, you have decided to state that people who are not in agreement with your tactics are unprofessional and can not have a rational discourse.<<*****

No I stated that people who initiate personal attack are unprofessional and can not have a rational discourse.

****>>>I would argue that a professional would obtain the facts prior to making assertions and then only make assertion if and when any impropriety is discovered.<<***

I presented estimates. I went to great lengths to say so, and then followed with the fact that I cannot make any claims as to where the money is going. I even ended the post with a question asking where it was going? If you have a problem with my numbers, then address your concerns towards that issue. I am open to hear your estimates and we can discuss a reasonable compromise.

***>>>One of the key tenets of professionalism is ethical behavior. Spreading implications and innuendos as the truth is unethical.<<<***

Again I never once said that what I presented was the truth. I presented my research, and asked for input.

So out of respect of everyone I will restate my "pointed question" in a more friendly way.

"With $4 million dollars minimum, in dues, annually, and the added income of tests, reviews, and all the other sources of income, can anyone provide any insight or find any published information as to where this money is being spent? And why is it not being utilized so to afford for a drop in the price of the present certifications, to provide better accessibility to those who do not have $500+ to spend on this internationally recognized certification?"

Regards,
Simmons

PS I was going to send this response to ISC2 like you did with your point, but I am going to refrain in the hope that we can get an active member of ISC2 on the line so that we can get some information answered without waiting on snail mail.

-----Original Message-----
From: Craig Wright [mailto:Craig.Wright () bdo com au]
Sent: Tuesday, May 15, 2007 4:12 PM
To: Simmons, James; david.a.harley () gmail com
Cc: security-basics () securityfocus com; service () isc2 org
Subject: RE: CISSP Question

Hello James,

The issue is that you should be contacting ISC2.

James, you are in effect making assertions as to the legal status of ISC2. They are a member controlled non-profit organisation. You are in effect asserting that they may be engaged in some impropriety and in effect squandering member's funds on illegitimate endeavours.

What you have done is in effect defamation on a public forum. Published defamation is called libel. There are several defences, primarily: 1 what you said was true; 2 you had a duty to provide information.

If you had discovered that the books are not correct for ISC2, it could be argued that you have a duty to make a statement, you may be protected under the defence of "qualified privilege." However, this is not the case in your statements. You are making implications and innuendos and implying that these are the truth.

The facts are readily available and are publicly audited. Rather however than obtain the information, you have decided to state that people who are not in agreement with your tactics are unprofessional and can not have a rational discourse. I would argue that a professional would obtain the facts prior to making assertions and then only make assertion if and when any impropriety is discovered.

"Bitching" about certifications is one thing. When this degrades into a petty slinging match about an external third party, this is another matter.

If you wish to denigrate ISC2, I would expect that you demonstrate some of the professionalism that you purport to hold and first check the facts.

Or to put this in another format that may be easier to understand (as much as I hate analogy). On gaining a new client do you rant and spread FUD as they have product X which has been known to have vulnerabilities in the past, or do you test the system first and when finding nothing, report that.

One of the key tenets of professionalism is ethical behaviour. Spreading implications and innuendos as the truth is unethical.

In a classic formulation approved by Geopel J. of Supreme Court of British Columbia CA, a communication is defamatory if it "tends to harm the reputation of another so as to lower [him, her or it] in the estimation of the community or deter third persons from associating or dealing with them."

"If the defamatory communication takes a permanent or semi-permanent form - that is, if it is written, or spoken while being recorded or filmed such that it is preserved in some way - then it is libel, and actionable without proof of actual pecuniary loss. If it is spoken only, then it takes the form of slander and, with some exceptions, only the economic losses that can be proven to have resulted from the false communication can be recovered. Defamatory imputations that depend on an interplay between the impugned words and the facts and circumstances that surround their publication fall, at law, into the category of "true innuendo'."

You have attempted without recourse to the truth or facts (which are as stated available) to impugn an organisation where you have no proof or duty to do so. This is libellous.

I hope that you are clever enough to desist on this line of discussion. There is a rather large line between arguing that certification is not of value as you started and defaming the reputation of a respected organisation.

I do not care if you like ISC2 or not. This is not discussion or debate.
It is mud slinging and belongs in a gutter.

Regards,
Craig S Wright

Craig Wright
Manager of Information Systems
Direct +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914
BDO Kendalls (NSW)
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
www.bdo.com.au

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

The information in this email and any attachments is confidential. If you are not the named addressee you must not read, print, copy, distribute, or use in any way this transmission or any information it contains. If you have received this message in error, please notify the sender by return email, destroy all copies and delete it from your system. Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. You may not rely on this message as advice unless subsequently confirmed by fax or letter signed by a Partner or Director of BDO Kendalls. It is your responsibility to scan this communication and any files attached for computer viruses and other defects. BDO Kendalls does not accept liability for any loss or damage however caused which may result from this communication or any files attached. A full version of the BDO Kendalls disclaimer, and our Privacy statement, can be found on the BDO Kendalls website at http://www.bdo.com.au or by emailing administrator () bdo com au. BDO Kendalls is a national association of separate partnerships and entities.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Simmons, James
Sent: Wednesday, 16 May 2007 3:45 AM
To: david.a.harley () gmail com
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question

Have I ever said anything specific about everyone who has a CISSP? Please present my quote?
I understand that people will do what they can to obtain work, make more money, whatever. I have never said anything against that. My WHOLE point is that this industry is placing too much emphasis on certifications, and that a lot of them are flawed or suspect. That is where all this started.

If anyone has found anything that I say insulting, then they are just projecting my words upon themselves for no reason. I have stated scenarios where unqualified individuals see these certifications as a fast track to more money. Did that hit a nerve with you? Do you perceive yourself as one of those, so you take offence? I have stated that HR uses certification as a cookie cutter qualification for filling positions. Are you HR? Did you take offence to that? Maybe it was my point that a lot of management do not understand what to look for in a certification, and thus go with the most popular. Are you guilty of this? Is this why you think I am attacking you?

I am not attacking any one person, because honestly I do not care about your personal life. I am looking to raise some questions, feel out the community, and obtain different points of view. I have received a lot of good e-mails from people, and a few varied responses. I have run into very few people who are actually willing to defend certifications, let alone engage in a discussion about the validity of them.

I am pointing out oddities I see in the industry. You can either correct them if you have the proof or the reasoning, or you can add in your own opinions and start a civilized discussion/debate. I know nothing of anyone on this forum, just as much as anyone on this forum knows anything about me. I am not here for friends. I am here to have a civilized discussion, and get the view points of the people that frequent this mailing list. That is the purpose of this mailing list. If you have too thin of skin, that you take these comments as personal attacks, then maybe the tubes is not a place for you.

And again I will quote myself since no one seems to want to read it.

>>Since I will have to send off and wait for the tax information for I cannot say much at this time in the way of where the money is going.

My figures I quoted are called estimates. They were presented to continue the discussion until I can obtain the final numbers. But instead of either trying to correct the estimate, I am berated by not using the real number, which I, time and time again, say that I am trying to obtain. I am not saying that I am leaving it up to anyone else to obtain for me (because honestly I would not trust anyone else's numbers without a reputable source link anyways). I am just pointing out that instead of attacking me someone can continue the conversation with a rebuttal, be it with actual figures or corrected estimates. I have enjoyed and learned a lot from this discussion based on the positive feedback.

David, I have to say that I am not attacking you personally and if you perceive it that way, then I can only hope that you will understand that it is not my intention. If anyone finds anything wrong with what I say, then I encourage them to write me offline and I will write a retraction, or at least address the issue and try to make my point clear against misunderstandings. In fact I am still waiting for my retraction to be posted where I misquoted $30 million dollars annually, when it is really $5 million annually in dues alone.

I need you to understand that I am not attacking anyone that has the certifications. They are doing what they believe they need to. That is understandable if not noble. It is just the whole idea of the group mentality, I am attacking something that you are a part of and so by association you believe that I am attacking you. I am not. There is no innuendo, just estimates. If you have a problem with my estimates, then present your own. I tried to present them fairly in that I did not account for a lot of the money that is coming in. I did that as an offset.

So I hope we can continue this discussion, because I value the other side's input.
It prepares me for my presentation / debate I will be submitting. So I am looking for someone to put holes in my argument, and not make it a personal battle.

Regards,
Simmons

-----Original Message-----
From: David Harley [mailto:david.a.harley () gmail com]
Sent: Tuesday, May 15, 2007 9:58 AM
To: Simmons, James; 'Craig Wright'
Cc: security-basics () securityfocus com
Subject: RE: CISSP Question

As I stated before the $24 million was a gross UNDER estimate. You can easily see where I was disclosing my figures where I was making the UNDER estimates, and how in reality they would come out to far more than I quoted. If you have an issue with my figures, then refute them.

I know, I said I had nothing to add to this discussion, but this is ridiculous. If I do have anything, it isn't a defence of (ISC)2.

If you believe that their claim to be a non-profit organization is dishonest, it's up to you to prove it with real figures: it's not up to Craig or myself to disprove it: I have other priorities. If you want to know about their finances, there are better ways than posting here.

Innuendo is not debate. Making unsubstantiated allegations against SANS and (ISC)2 doesn't prove anything about the value of any of their certs, and I'm tired of being dissed, directly or obliquely, because I hold one of them.

--
David Harley CISSP, Small Blue-Green World
Security Author/Editor/Consultant/Researcher
AVIEN Guide to Malware: http://www.smallblue-greenworld.co.uk/pages/avienguide.html
Security Bibliography: http://www.smallblue-greenworld.co.uk/pages/bibliography.html
