From: lucas@fungard.com
To: jericho@attrition.org
Date: Tue, 30 May 2006 15:18:51 -0400
Subject: everything else

hey jericho-


why do you guys keep a list of certified CISSPs on your website?


-L




From: security curmudgeon (jericho@attrition.org)
To: lucas@fungard.com
Date: Tue, 30 May 2006 15:30:47 -0400 (EDT)
Subject: Re: everything else


: hey jericho-
:
: why do you guys keep a list of certified CISSPs on your website?

For easy reference of course!




From: lucas@fungard.com
To: jericho@attrition.org
Date: Tue, 30 May 2006 15:36:46 -0400
Subject: RE: everything else


i don't get it..  like, who cares.

is this information useful somehow?




From: security curmudgeon (jericho@attrition.org)
To: lucas@fungard.com
Date: Tue, 30 May 2006 15:41:39 -0400 (EDT)
Subject: RE: everything else


: i don't get it..  like, who cares.

We obviously care.

: is this information useful somehow?

Extremely.


ps: shouldn't you be telling me you are a CISSP on the list, in the
interest of full disclosure? or just get to the point and say you don't
like your name on our copy of the list? or call us godless heathens?




From: lucas@fungard.com
To: jericho@attrition.org
Date: Tue, 30 May 2006 15:51:04 -0400
Subject: RE: everything else


uhmm, i don't care that you have the list..  i was just curious.
the information is freely available on isc2's website so it's not like
it's private anyway.  that's why i was wondering why you kept it and
thought it was useful.

heathens are not godless - they are pagans, and most are polytheists.
=P

so what's the big deal?  simple social engineering data?




From: security curmudgeon (jericho@attrition.org)
To: lucas@fungard.com
Date: Tue, 30 May 2006 15:54:14 -0400 (EDT)
Subject: RE: everything else


: uhmm, i don't care that you have the list..  i was just curious. the
: information is freely available on isc2's website so it's not like it's
: private anyway.  that's why i was wondering why you kept it and thought
: it was useful.

Well, if you notice on their site, you search by name and get a few
results. If you are a deviant malicious evil blackhat ((c) ISC2) then you
can trick their site into dumping the entire list. This is a pretty bad
case of information disclosure given that the list contains so many email
addresses (for spammers), and the rest of the information (for SE like you
mention). And of course, a security outfit like that not adding basic
filtering to such a search interface is a *tad* embarrassing.

Oh, did I mention that they tried to fix the bug and failed? Twice? =) So
the latest list in the /ee directory isn't available to everyone but it is
a lot more current with a lot more names. Having the original up proves
the point just fine I think.

: so what's the big deal?  simple social engineering data?

It's more or less a reminder that they can talk about security all day
long, push their certification to whoever, award it to any cluebag they
want.. but in the end, it means nothing. They have how many CISSPs at
their disposal, and they can't fix their own search interface? =)

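The exchange above describes a certification-lookup search that returns a few results per name but can be made to dump the whole directory, email addresses included. The following is an added example (editor's illustration, not code from either correspondent or from ISC2) of the "basic filtering" jericho refers to: a weak handler that matches any substring against an in-memory directory sits beside a hardened one that rejects empty or wildcard-only queries, requires a minimum query length, caps the result count, and never returns the email field. The directory entries, the field names and the limits are constructed assumptions for the demo.

```python
import re
from dataclasses import asdict, dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Holder:
    """One directory record (constructed sample, not real ISC2 data)."""
    name: str
    email: str
    cert_number: str


# Constructed sample directory for the demo; names and numbers are invented.
DIRECTORY: List[Holder] = [
    Holder("Alice Example", "alice@example.invalid", "CERT-0001"),
    Holder("Bob Sample", "bob@example.invalid", "CERT-0002"),
    Holder("Carol Smithson", "carol@example.invalid", "CERT-0003"),
    Holder("Dan Smith", "dan@example.invalid", "CERT-0004"),
]

# Assumed policy values for the hardened handler.
MIN_QUERY_LEN = 3
MAX_RESULTS = 10

# Queries that are nothing but whitespace or common wildcard characters.
_EMPTY_OR_WILDCARD = re.compile(r"^[\s%*_?]*$")
# Characters a person's name lookup plausibly needs; everything else is rejected.
_ALLOWED_QUERY = re.compile(r"[A-Za-z][A-Za-z .'\-]*")


class InvalidQuery(ValueError):
    """Raised when a lookup string fails the input policy."""


def naive_search(query: str, directory: List[Holder] = DIRECTORY) -> List[Dict[str, str]]:
    """Weak version: an empty query matches every record and every field,
    including the email address, comes back. This is the dump-everything failure."""
    q = query.lower()
    return [asdict(h) for h in directory if q in h.name.lower()]


def validate_query(query: str) -> str:
    """Enforce the input policy before the query touches the directory."""
    q = query.strip()
    if len(q) < MIN_QUERY_LEN:
        raise InvalidQuery("query too short")
    if _EMPTY_OR_WILDCARD.match(q):
        raise InvalidQuery("wildcard-only or blank query")
    if not _ALLOWED_QUERY.fullmatch(q):
        raise InvalidQuery("query contains characters not allowed in a name lookup")
    return q


def search_holders(query: str, directory: List[Holder] = DIRECTORY) -> List[Dict[str, str]]:
    """Hardened version: validated query, capped result count, and only the
    fields a verifier actually needs (never the email address)."""
    q = validate_query(query).lower()
    hits = [h for h in directory if q in h.name.lower()]
    return [{"name": h.name, "cert_number": h.cert_number} for h in hits[:MAX_RESULTS]]


if __name__ == "__main__":
    print("naive, empty query:", len(naive_search("")), "records, emails included")
    print("hardened, 'smith':", search_holders("smith"))
    for bad in ("", "%", "*", "a"):
        try:
            search_holders(bad)
        except InvalidQuery as exc:
            print(f"hardened rejected {bad!r}: {exc}")
```

The result cap matters even with a validated query: a three-letter substring that happens to be common still returns a bounded page rather than a large slice of the directory, and a second cap on requests per client (not shown here) closes the remaining path of walking the name space one prefix at a time.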


