OK, everyone. As I'm sure you well know, on April Fool's Day, 2005, myself and a few cohorts ran a fairly typical gag. We posted a press release that we had each gotten our CISSP certification, were so damn proud of it, and that there would be a big awards ceremony. As part of the gag, we had a link to a file named "cissp.txt" which we stated as containing a list of confirmed attendees for the gala event. The file contained, of course, almost every CISSP that had opted in to be included in a publicly searchable database over at www.isc2.org.

ISC^2 was not impressed. Along comes Dorsey Morrow, CISSP and General Counsel for ISC^2. He convinced one of our crew to remove the file, who then posted his correspondence with Dorsey in its place. Next comes the email to me, in which Dorsey cheerfully introduces himself and, knowing my background with those in the legal profession, asks nicely if I'd consider removing the file. After a little deliberation, and not wanting the headache, I agree and request until midnight that Saturday to "pull something together to place inside cissp.txt." Note I state that I am changing the contents of the file, not removing it. That Saturday would have been the 23rd of April. A few hours ahead of my deadline, I cobble together the following:

-----
ISC^2 has no sense of humour and enjoys applying legal pressure to people who posted the contents of an entirely public, opt-in database. Perhaps in addition to securing their servers, they might have one of their vaunted CISSPs actually review the code that goes into production. Provided, of course, they can find one capable. It's worth noting their dubious "EULA" on their site specifically mentions prohibitions against harvesting data from their server for spamming. Of the data we collected, no email addresses were gathered. Yet they still have a problem with us. Doom on you, Charlie.
-----

End of story, right? Wrong.
On Saturday, the 14th of *MAY* (3 weeks later) I receive the following mail from Dorsey:

> AJ,
>
> Just wanted to follow up on your time line for removing cissp.txt.
>
> Thanks again!
>
> Best regards,
>
> Dorsey Morrow, CISSP-ISSMP
> (ISC)² General Counsel
>
>
> 05/14/2005 18:05:50

Well shit, howdy! If it ain't ISC^2 bugging me again. As a response to this, I offer the following:

From aj@reznor.com Tue May 17 00:29:44 2005
Date: Tue, 17 May 2005 00:29:44 -0700
From: aj reznor
To: "Dorsey Morrow, CISSP"
Cc: Rob@Vmyths.com, jdyson@treachery.net, rforno@infowarrior.org, lucid@unixgeeks.org, jericho@attrition.org, jennifer@granick.com
Subject: Re: List of CISSPs
Message-ID: <20050517072944.GE6468@reznor.com>
References: <200505141906963.SM03268@UNAVAILABLE>
Mime-Version: 1.0
Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <200505141906963.SM03268@UNAVAILABLE>
X-Wu_Tan_Clan_ID..: Grandmaster Terrahawk
X-PGP_Key.........: http://www.reznor.com/~aj/ajreznor.asc
X-Spam_Prevention.: http://www.reznor.com/~aj/no-spam.html
X-Message-Flag: Thank you for using Windows (tm)(c) Your soul belongs to us.
Status: RO
Content-Length: 13973
Lines: 332

(Note: I have openly CC'd the other cats involved in our April Fool's gag, as well as my sometimes-attorney and legal-pundit-who-sometimes-enjoys-my-antics Jennifer Granick. I'm pointing this out because I expect your genius self to miss it.)

Well, let's see.... on the 20th, I said I'd give myself until midnight Saturday to replace the contents of cissp.txt. For those keeping score at home, that would have been the 23rd. I do believe, as is listed in the mail below, that I said what I stated above, which was:

"...I'll give myself to pull something together and place inside cissp.txt."

Nowhere did I say I'd remove it, but I agreed to remove the contents.
Now, if ISC2 is going to go so far as to claim right to everything and anything with "cissp" in it, including the name of a now-benign textfile on my server, they can officially go pound sand up their collective asses. You've officially become as lame as Volkswagen, who tried to sue any website with the letters V and W consecutive in their names regardless of whether they were automotive in nature. Of course, ISC2 is about as relevant as VW when it comes to security anyway.

See, I'm wondering *why* you're asking me about removing this file.... If you're really hot to trot on any file with the letters C, I, S and P in a particular pattern, you're fucking nuts. Maybe, though, the fucking genius that coded the search module is the same one that came up with some script you use to see if that file is on my (or any) server. THAT could explain why you're getting an error code of 0 which tells you the file exists. Ignorant of the contents, you see it's still there, and assume I've done nothing. You could have also checked the date and time on the file, or the filesize, which also would've shown a drastic change (on the order of almost 300,000k vs. 600k). Genius.

But, see, now it gets interesting, more so. The mail you send me is dated as shown below, Saturday, May 14th (a full three weeks after my own self-imposed deadline, mind you) at 1806 -0500. Looking in my server logs for any hits to cissp.txt at or before then, I get:

1 hit on the 13th, from an Inktomi spider, which got a 302,
3 hits on the 11th, from Hong Kong,
1 hit from RI, looking for a CISSP in Anaheim (by the way, we should be charging ISC2 for the free advertising, since apparently our list has helped more people find the CISSP they were searching for than your site)

Any hits prior to that are well before the mail you sent me. So, other than possibly the Inktomi query which generated a 302, I don't see where you could have a jackass-generated script hitting my server.
Maaaaaaybe you used your browser and didn't think to hit Refresh (the little arrows chasing each other, or, you know, ^R or the F5 key typically) and you got a cached version. I was wondering if maybe this was a huge joke back on us. Checking the headers from the mail below, I see:

Received: (qmail 3174 invoked from network); 14 May 2005 23:07:07 -0000
Received: from unknown (HELO mail.isc2.org) (216.12.146.112) by reznor.com with SMTP; 14 May 2005 23:07:07 -0000
Received: from UNAVAILABLE [68.221.219.161] by mail.isc2.org with ESMTP (SMTPD-8.20) id A47F0268; Sat, 14 May 2005 19:06:39 -0400
Received: from UNAVAILABLE by UNAVAILABLE (PGP Universal service); Sat, 14 May 2005 18:06:39 -0600
X-PGP-Universal: processed; by UNAVAILABLE on Sat, 14 May 2005 18:06:39 -0600
Reply-To: dmorrow@isc2.org
From: "Dorsey Morrow, CISSP"
To: aj@reznor.com
Subject: Re: List of CISSPs
Date: Sat, 14 May 2005 18:06:38 -0500
Organization: (ISC)2, Inc.
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Thread-index: AcVY2ZRM6kvgu7OuTQWAc7j1XWawZw==
X-Content-PGP-Universal-Saved-Content-Transfer-Encoding: 8bit
X-Content-PGP-Universal-Saved-Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
Message-Id: <200505141906963.SM03268@UNAVAILABLE>

Checking your previous mails, I see:

Received: (qmail 18094 invoked from network); 19 Apr 2005 01:18:44 -0000
Received: from unknown (HELO reznor.com) (aj@127.0.0.1) by reznor.com with SMTP; 19 Apr 2005 01:18:44 -0000
Old-Delivered-To: aj@reznor.com
Received: (qmail 17890 invoked from network); 19 Apr 2005 01:12:51 -0000
Received: from unknown (HELO mail.isc2.org) (216.12.146.112) by reznor.com with SMTP; 19 Apr 2005 01:12:51 -0000
Received: from UNAVAILABLE [66.157.148.206] by mail.isc2.org with ESMTP (SMTPD32-8.15) id AAF8A22008A; Mon, 18 Apr 2005 21:12:24 -0400
Reply-To: dmorrow@isc2.org
From: "Dorsey Morrow, CISSP"
To: aj@reznor.com
Subject: List of CISSPs
Date: Mon, 18 Apr 2005 20:11:20 -0500
Organization: (ISC)2, Inc.
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Thread-Index: AcVEfCSnCszotUFXQLyWRw3s4dCgSw==
Message-Id: <200504182112401.SM02532@UNAVAILABLE>
X-TMDA-Confirmed: Mon Apr 18 18:18:43 PDT 2005

Interesting, both IPs you mailed from aren't in May's server logs at all. True, you may be uber-tricky and using Firefox and a host of proxies, but I'm not going to give you that much credit. The combination of General Counsel and >gack< CISSP doesn't give you much credit, especially after the mail I'm dealing with currently. Your IP of 66.157.148.206 does show in April's logs, and does show Firefox, but you're... you know, running it on Windows, so that doesn't really count anyways. By the way, where do I send the bill and to whose attention for my time for having to explain such rudimentary shit to you?

Moving on, it's worth pointing out that your attempts at obfuscating your database... um, really suck. What say you go ahead and post to CISSP-L an announcement that ISC2 has *still* done nothing to "protect" the identities of people who opted in to a publicly searchable database? It's silly that people opt in to such a DB and expect privacy, and it's even sillier that ISC2 has taken steps to "secure" it which are literally security through obscurity. While STO may be a nice dash of pepper to throw into the security salad, it's hardly the lettuce one would use to base a salad on. So, rather than continuing to toss the salad and expect your minions to not notice that presenting datafields as .png's is useless, how about someone over there swallow a big, healthy slice of humble pie, mea culpa, and publicly apologize to the frantic masses for just plain fucking up? Or, would you like me to?
(Rhetorical. See below.)

I'll leave you with this: "A perl script security does not make". I said that, please give full credit, and post only with the context of this entire message. I don't want anyone misreading it, now, ya hear?

Oh, by the way, since I had agreed to something I didn't even have to in the first place (mind you, we weren't harvesting for spam purposes, which is what your little warning concerned, and we created something which is technically satire and possibly farce and well falls into "fair use") and now I receive this notice from you, I deem this to be harassment and hereby notify you that any further contact from you will be considered willful and aggressive harassment and will result in me having to escalate this matter.

If the above isn't clear: Leave me the fuck alone. Same goes for the others listed in our April Fools gag (BTW, you folks have no fucking sense of humour). Don't bother mailing anyone, don't ask anyone to take their lists down. It's a public database, you have no copyright over it.

To quote aempirei:

"Disclaimer
I don't steal music, pirate software, or program any code, I simply cat /dev/urandom and my data just happens to pop out. It's not my fault that it coincidentally matches your large integer number that you call prior art. All the whole numbers already exist, you didn't invent that one."

To quote your own webpage:

(ISC)² Public Directory
As a service to the general public and (ISC)² members, (ISC)² publishes, on the public side of its website, a public directory listing of certificate holders. Listing in this directory is entirely voluntary.
Those who elect to be listed should be aware that when they voluntarily disclose personally identifiable information (e.g., user name, email address) on the CISSP or SSCP Directory for the (ISC)² sites, such information, along with any substantive information disclosed in the directory, can be collected and correlated and used by third parties and may result in unsolicited messages from other posters or third parties. Such activities are beyond the control of (ISC)².

So what's the big deal then, anyways? (Again, don't reply, talk to the hand, etc. Go back to tossing the salad.)

-aj.

On Sat, May 14, 2005 at 06:06:38PM -0500, Dorsey Morrow, CISSP was known to say:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> AJ,
>
> Just wanted to follow up on your time line for removing cissp.txt.
>
> Thanks again!
>
> Best regards,
>
> Dorsey Morrow, CISSP-ISSMP
> (ISC)² General Counsel
>
>
> 05/14/2005 18:05:50
>
> > -----Original Message-----
> > From: aj@reznor.com [mailto:aj@reznor.com]
> > Sent: Wednesday, April 20, 2005 3:53 PM
> > To: Dorsey Morrow, CISSP
> > Subject: Re: List of CISSPs
> >
> > On Mon, Apr 18, 2005 at 08:11:20PM -0500, Dorsey Morrow, CISSP was known to say:
> > > AJ,
> > >
> > > Felicitous greetings.
> > >
> > > I serve as general counsel with (ISC)², the certifying organization of CISSPs.
> > > It was brought to my attention that the listing of CISSPs from our public directory had made it to your website as part of the "April Fool's" news release by Vmyths. Rob had graciously agreed to take down the list and replaced it with our correspondence. I would merely ask, as a personal favor, the same from you.
> > > No legal bluster or threats. Just a request that I would consider as a personal favor to me. If not, that is certainly your choice and you will not hear back from me.
> > >
> > > Regardless of your decision, I wish you the best in your endeavors.
> >
> > Dorsey,
> >
> > I had planned a huge, rollicking response here with a most ingenious greeting and mildly amusing flow to respond. The beginnings would have looked something like "Well hello, Dorsey. We've been expecting you. You look a little weary... please, have a seat." However, work's left me mentally depleted the past three weeks, so you'll get barebones and a little twist from a hedging migraine. No charge for my typos today.
> >
> >
> > I initially was going to point out a ton of things about the publication as well as presentation of the list and go so far as to suggest you (as in ISC2, not you personally) count your blessings we only went as far as we did, as fair use for satire allows a very wide space to play in. So, we "could have" done a complete and utter spoof of ISC2, but took the gentler approach :) Mind you, many of us have "hacked" our own sites on occasions (April Fools, and others) to draw attention to security issues.
> >
> >
> > Additionally, as you're well aware, we didn't 'harvest' any addresses at all, not a single one, and I know at least two of the other gentlemen involved in our endeavor are as vehemently anti-spam as I myself am, personally. Basically, no Terms were violated, and browser-based "terms" hold really about as much legal water as shrinkwrap EULAs (and we all see where those have gone lately). I'd likely also prod hard on the fact that perhaps a handful (two, likely) of CISSPs actually review the site and the code behind it, as this could have been prevented easily if the site was built well. Merely obfuscating data ("security through obscurity") isn't the best way to go, historical perspective backing this.
> >
> >
> > Now, I almost was going to resist any and all attempts by you because of the combination of "personal favor" combined with your title of "legal counsel". If you know anything about me (there's tons of material out there) you'd know that me and "legal counsel" are tenuous bedbuddies at best, me viewing "your type" as a necessary evil more than anything, a need which is spawned solely through the lower, more evil and base qualities of the human condition. If everyone strove harder to be better, "legal counsel" would be rendered moot. Yay for humanity, tho, eh? :) Again, this is the generality and no reflection upon you or your character, so please don't interpret this as any sort of personal attack. I'm rambling. I know I'm rambling and I could easily go back and edit this, but hopefully you'll get a smirk reading this close in size to the one I have writing it.
> >
> >
> > Anyways, it's well known that you do catch more bees with honey than vinegar. Or was it flies? I'm sure they'd both behave about the same, so I'll honor your request if you could please give me another day or three to find something suitable to put in its place. End of week (midnight Saturday) is the deadline I'll give myself to pull something together and place inside cissp.txt.
> >
> >
> > Thoughts/comments/etc are always welcome.
> >
> >
> > --
> >
> >
> > -aj.
> >
> >
> >
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.0.0 (Build 2001)
>
> iQA/AwUBQoaEf7glKxKoE67mEQJt5gCffaNIVte4iXoe11i2xgZ0YuiGNAQAoIGI
> I9ch/JINAx3btSpRn4/JuM2f
> =PPam
> -----END PGP SIGNATURE-----

--
-aj.
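The mail above guesses that whoever was checking cissp.txt only tested whether the URL still answered (an "error code of 0", or a cached copy in a browser), and never looked at the size, the modification date or the contents. The following is an added example, not code from the original mail or from anyone named in it, showing the difference between that check and one that records size, Last-Modified and a content hash and sends a conditional request the next time round. The HTTP server, the two file contents, the timestamps and the port are all constructed for the demo; nothing here touches the real server or the real file.

```python
"""Added example: "the file still exists" versus "the contents were replaced".

A monitor that only looks at the HTTP status (or a wget/curl exit code of 0)
reports cissp.txt as "still there" whatever it contains.  Recording the size,
Last-Modified and a content hash, then issuing a conditional GET on the next
run, shows a replacement immediately.  Everything served here is constructed.
"""
import hashlib
import http.server
import threading
import urllib.error
import urllib.request
from email.utils import formatdate

# Constructed stand-ins for the original listing and the text that replaced it.
OLD_BODY = b"Doe, John, CISSP, Anaheim CA\n" * 10000   # a large listing
NEW_BODY = b"ISC^2 has no sense of humour.\n"          # a few dozen bytes


class _Store:
    """What the demo server currently serves at /cissp.txt."""
    body = OLD_BODY
    mtime = 1113700000.0          # constructed epoch timestamp (April 2005)


def _etag(body):
    return '"%s"' % hashlib.sha256(body).hexdigest()[:16]


class _Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/cissp.txt":
            self.send_response(404)
            self.end_headers()
            return
        body, tag = _Store.body, _etag(_Store.body)
        if self.headers.get("If-None-Match") == tag:
            self.send_response(304)           # client's copy is still current
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Last-Modified", formatdate(_Store.mtime, usegmt=True))
        self.send_header("ETag", tag)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):             # keep the demo quiet
        pass


def fetch(url, etag=None):
    """GET the file, bypassing caches; return status plus what identifies the contents."""
    headers = {"Cache-Control": "no-cache"}
    if etag:
        headers["If-None-Match"] = etag       # conditional GET: 304 if unchanged
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            body = resp.read()
            return {"status": resp.status, "size": len(body),
                    "sha256": hashlib.sha256(body).hexdigest(),
                    "last_modified": resp.headers.get("Last-Modified"),
                    "etag": resp.headers.get("ETag")}
    except urllib.error.HTTPError as err:     # urllib raises for 304/404 etc.
        return {"status": err.code}


def compare(before, after):
    """Classify the second observation relative to the recorded baseline."""
    if after["status"] == 304:
        return "unchanged (304 Not Modified)"
    if after["status"] == 404:
        return "removed (404)"
    if after["status"] != 200:
        return "unknown (%d)" % after["status"]
    if before.get("sha256") == after["sha256"]:
        return "unchanged (same hash)"
    return "changed (%d -> %d bytes, Last-Modified %s -> %s)" % (
        before["size"], after["size"],
        before.get("last_modified"), after["last_modified"])


def run_demo():
    """Serve OLD_BODY, snapshot it, swap in NEW_BODY under the same name, snapshot again."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Handler)   # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/cissp.txt" % srv.server_address[1]
    try:
        before = fetch(url)                        # baseline: the full list
        again = fetch(url, etag=before["etag"])    # nothing changed yet: 304
        _Store.body = NEW_BODY                     # contents replaced, name kept
        _Store.mtime += 4 * 86400
        after = fetch(url)
        return {
            "exists_before": before["status"] == 200,
            "exists_after": after["status"] == 200,   # a status-only check stops here
            "conditional": compare(before, again),
            "verdict": compare(before, after),
            "size_before": before["size"],
            "size_after": after["size"],
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-14s %s" % (key, value))
```

Both "exists" flags come back true, which is all a status-only script would ever see; the verdict line is where the replacement shows up, and the conditional request proves the server can tell the monitor "unchanged" without a full download. urllib follows a 302 silently, so a redirected copy would be compared by its contents too, which is the point: compare what was served, not whether something was served.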