Friday, March 12, 2010

Archive for the ‘Teleological suspension of the ethical’ Category

McAfee: “Ethics First” Apparently Isn’t

You ever seen McAfee’s business ethics pledge? In case you haven’t, they call it “Ethics First” and they proclaim it loud and proud on their website:

We are committed to holding the highest ethical standards. Our business relationships with customers, shareholders, employees, suppliers, and local communities must always be built on a foundation of integrity and trust. We call this commitment “Ethics First”

ISC(2) Under Investigation for Plagiarism

For those of you unfamiliar with my opinion on the CISSP, I’m not a huge fan. It’s not that I’m against certification per se, it’s just that I question the value of the cert and I think ISC^2 is the wrong body to administrate such a cert. I think, for example, that a for-profit entity has an economic incentive to push as many people through the process as possible, thereby lowering the quality of the certification over time. Additionally, I’m of the opinion that CISSP doesn’t really do much for the public at large and doesn’t do much for practitioners like other professional certifications (CPA, license to practice medicine, etc.); unlike other professional certifications, it doesn’t prevent malpractice, it doesn’t provide recourse for individuals who have been burned by poor-quality security professionals, etc. At best it’s of questionable value; at worst it’s a cash-cow for the licensor.

In any event, given my feelings on the topic, I was interested to read that ISC(2) is under investigation for plagiarism in the “Official” CISSP guide. Apparently, an entire chapter in that book has (allegedly) been copied and pasted verbatim into the book from a paper from the American Bar Association. There are (allegedly) additional materials “borrowed” from a number of other sources as well. For those unfamiliar with the CISSP, there is a mandatory code of ethics that accompanies the certification. The following are all entries from the ISC^2 code of ethics:

-Act honorably, honestly, justly, responsibly, and legally.
-To discourage behavior such as… Associating or appearing to associate with criminals or criminal behavior.
-Tell the truth; make all stakeholders aware of your actions on a timely basis.
-Avoid conflicts of interest or the appearance thereof.
-Take care not to injure the reputation of other professionals through malice or indifference.

Is it me, or, in the light of those aspects of the code, is this ISC^2 plagiarism particularly noxious? It’s not just the fact that they stole from others – it’s the hypocrisy of making other people swear to uphold the code that they violated in an official publication of theirs… on no less than 5 counts.

Shady Verisign Dealings

Well, Verisign has done it again. One of the bidders for the .net domain has gone on the record saying that there are factual issues in the published recommendation. The Register did some digging and found out that (surprise, surprise) there are serious conflicts of interest with several members of the evaluatory committee. Pretty standard and transparent stuff, really. Evaluators with a monetary and/or personal interest in favoring their chosen pony and no compunction against slanting the evaluation criteria, ignoring technical experts, etc., etc. My question about this is, though: why is Verisign even allowed to bid?

Don’t people remember that time that Verisign tried to hijack DNS to make money on all our collective typos? Remember when ICANN had to strongarm Verisign and threaten them publicly in order to make them comply? Paul Twomey (ICANN president) said in a statement:

“…VeriSign
