From: Robert Ellis (REllis@excel.com)
Date: Thu Jan 17 2002 - 19:01:18 CST

    I hate to continue it as well, but there are a few points I think need
    consideration...

            Let's remember that Kevin's case was hardly a model for fair and
    equal justice. Being held for four years without being brought up on
    charges, and denied even a hearing to have bail set, would not exactly make
    for a fair trial. It's obvious the DOJ held him because they never would have
    had a conviction if he hadn't been coerced into pleading guilty. It's a bold
    statement but I'm sticking to it. It's relevant here because without the
    conviction, would Kevin have had any trouble getting the certification? If
    not, then it's hardly fair to deny Kevin offhand for a conviction for which
    he could offer no contest.... legally and ethically this argument is much
    more complex than that of a simple conviction.

    and...

            Only felons who admit their record are even subjected to approval
    for the certification. No background or criminal record check is performed
    by the ISC2 from what I've been told, and so everyone is taken on their word
    regarding the validity of their disclosures. It hardly seems a valid way to
    ensure that the certification is protected. If it's important to protect,
    then it's important to ensure protection; trust but verify. Since that's not
    happening, then it's only the famous hackers and honest former criminals that
    would be subjected to a board's approval based on their criminal record. How
    ironic is it that a security certification body uses a control which is
    bypassed on a whim to protect the certification's reputation? Given the
    choice between picking an honest and admitted former criminal or a dishonest
    and clandestine former criminal for an important security position, it's an
    easy choice. What is really being accomplished by this control? Like the
    compulsory promise to uphold ISC2's ethics, no guarantee is expressed or
    implied.

    and...

            Kevin Mitnick wouldn't adversely affect the CISSP's reputation to
    the point of ruining it for us all. I find widespread damnation of Kevin
    very tiring. He's socially engineered and hacked his way into a number of
    systems and I'm sure is responsible for more than his share of ulcers in the
    world, but that was then, not now. His debt to society has been paid, and
    notwithstanding touching a computer or voting, he deserves the same status
    as everyone else. I'm very tired of people, especially in America, believing
    that a criminal record is some hideous and permanent black mark which
    dictates a person's place in society through exposing their incorrigible
    roguish demeanor. Just because you broke a law, got caught, and served time,
    doesn't mean you're a vampire, or an incarnation of the dark side of the
    force, and people really shouldn't be judged on that basis. More
    importantly, just because didn't, didn't, and didn't, doesn't mean you
    aren't, aren't, and should. If 70% of financial losses from computer crimes
    each year are due to attacks from the inside (which compose 30% of all
    incidents), and assuming the vast majority of felons are disqualified from
    employment, then how effective is mitigating these crimes by avoiding the
    known criminals?

            I think that people have been too quick to judge the rights and
    wrongs of this case based on their preconceived notions about it. There are
    a lot of merits to Kevin's hypothetical CISSP certification. Obviously he
    thinks outside the box, and understands risks and vulnerabilities uncommonly
    well. Obviously Kevin is knowledgeable about computer security. Obviously he
    is well connected within the security community. I don't know him
    personally; perhaps he is a rabid hellhound harbinger of some cyber
    apocalypse, held in check only by the terms of his probation. Barring that,
    then what's to say that his uncommon amount of knowledge and experience
    isn't valuable, despite his past? The CISSP certification wouldn't
    necessarily suffer for his certification. A few might think, upon hearing
    Kevin is now a CISSP, "That's it! It's the province of the criminal element,
    surely the à la mode fashion accessory for the underworld's sig files! Fire
    our CSO! He has one!", but I think mostly it would just give the CISSP some
    press.

            This of course flies in the face of the ISC2 notion of a computer
    security professional. But then the real world often does. If security
    professionals only fit the ISC2 mold, then the Lopht would never have
    brought full disclosure into practice by releasing Lophtcrack, and we'd all
    be happily passing Lanman hash protected passwords around the network. Wait
    a minute. If RFP had never discovered the Microsoft Jet vulnerability, then
    I'm sure someone would have written a virus to exploit it. Hey! At the very
    least, we wouldn't have had the opportunity to watch George Guninski fire
    off early disclosure advisory after advisory at Microsoft's feet while
    screaming "Dance! Dance!"; at least, that's what it looked like to me.

            Never mind that. The point is, there are reasons for Kevin to be
    thinking what he's thinking, and maybe they're good ones. Maybe it's ISC2 and
    ourselves who can benefit from rethinking things.

    -----Original Message-----
    From: Tony Howlett [mailto:thowlett@netsecuritysvcs.com]
    Sent: Wednesday, January 16, 2002 8:31 AM
    To: Ryan Russell
    Cc: cisspstudy@securityfocus.com
    Subject: Re: [Summary] Prior conviction and CISSP qualifications

    I hate to continue this thread but I just have to ask.
    "What was Kevin thinking!!!!!"

    I mean for ISC2 to approve him taking the test would be the surest way to
    brand it as a Hakor certification and ruin it for everyone who has the
    credential. Did he really think they would let him? I mean, I'm sure
    ISC2 might have some flexibility for some individuals but c'mon, Kevin is
    the poster child for hackers all around the world (remember "free
    Kevin"?). It would be akin to letting a multiple convicted DWI felon take
    the commercial drivers test and drive a tour bus. I'm sure Kevin is
    totally reformed this time (all of us in the security business hope) but
    that doesn't mean we have to validate his status.

    I'm not being a Kevin basher here; I've actually followed his 'career' for
    some time out of professional curiosity and I'm sure it sucks being him
    right now. However he's made his bed (multiple times, mind you) and now he's
    going to have to sleep in it.

    Some career advice for Kevin: If he is ever going to get hired in this
    business, it will be purely on the basis of his celebrity; having
    credentials isn't going to mean a thing one way or the other. He's probably
    better off writing a book or getting a gig on TechTV or something like
    that. Keep him away from working directly with computers for his sake and
    ours.

    Best of luck to him and you.