From: Rob Rosenberger Sent: Friday, 1 April 2005 2:03 PM To: Dorsey Morrow, CISSP Subject: Re: Six information security luminaries receive CISSP certification Thanks for the email & phone call, sir. My shyster can't fit me into his schedule today, but I really do want to demonstrate good faith. Per our conversation, I'll replace the file with your email (and my reply). I also want to thank you for displaying such a cordial attitude when we spoke. I honestly expected a threatening tone. Be careful, you'll give lawyers a good name! :-) >>Your website states that it is "about computer virus myths, hoaxes, >>urban legends, hysteria, and the implications if you believe in >>them." We fully support this mission, yet this posting seems to be >>nothing more than a fabrication by your website. Something rather >>contrary to your mission. Vmyths draws a distinct line between humor and hoax. But I'll be the first to admit the line blurs on April Fool's Day. Check out http://Vmyths.com/rant.cfm?id=566&page=4 if you want to see the column I wrote last year. (FYI, Symantec admits they supply offensive virus technology to hostile nations, so I played off it with a warranty registration card.) Humor is not "rather contrary" to our mission -- it is in fact an essential aspect of our mission! We've used humor for years as a WEAPON to dispel all aspects of computer security hysteria, from virus hoaxes to sky-is-falling CISSPs. Our weekly newsletter has a very popular "Humor Control" section where we take aim and poke fun at computer security fearmongers. We even published an all-humor newsletter dated today. >>it is within your rights to post what is clearly satirical >>content, if that is your intent. Yes. Everyone who helped write the April Fool's press release did so in the name of satire. >>Our Website Access Policy clearly prohibits the harvesting of >>any names from our directory and, at the top of our directory >>is the following post in large, bold letters: >> >>"Pursuant to the Computer Fraud and Abuse Act (18 USCA 1030) >>and EF Cultural Travel BV et al. v. Zefer Corporation, 318 F.3d >>58, C.A.1 (Mass.) 2003, it is illegal to access this website for >>the purpose of obtaining e-mail addresses to send unsolicited >>commercial e-mail. For further information see our Website >>Access Policy." As I said over the phone, we did not access your website "for the purpose of obtaining e-mail addresses to send unsolicited commercial e-mail." We made no effort to convert your graphic renditions of email addresses to text. Your current "Website Access Policy" forbids any program that collects information for any purpose other than indexing of search engines. For the record, I used no collector/harvester program. I just typed each vowel (a,e,i,o,u,y) by hand into your search page and then I stripped the duplicates. >>it is still in violation of our Website Access Policy and >>could result in someone using the list to send unsolicited >>commercial e-mail. We didn't include email addresses in the text file. How can someone use it to send UCE? Spammers would be better off typing a,e,i,o,u,y into your search page. They could then harvest your CISSPs' email addresses with any OCR program. >>Failure to remove this list (not the satirical news release) >>will result in (ISC)² considering all legal remedies available >>to it. No need! Vmyths cofounder Eric Robichaud will gladly sell the entire website -- lock, stock, and barrel -- for a few hundred grand. My very best to you, sir. Thank you again for the cordial phone call and for not attacking the April Fool press release itself. Rob Rosenberger, editor Truth about computer security hysteria http://Vmyths.com (319) 646-2800 Are you a whistleblower or industry insider? Got a scoop or some dirt on the computer security industry? Email it to Whisper@SecurityCritics.org, or call Rob Rosenberger at (319) 646-2800, or mail it to P.O. Box 50, Wellman IA 52356. ALL sources will remain confidential. -----Original Message----- From: Dorsey Morrow, CISSP Sent: Friday, 1 April 2005 9:05 AM To: Rob@Vmyths.com; us@kumite.com Subject: Six information security luminaries receive CISSP certification Rob, As General Counsel for the International Information Systems Security Certification Consortium, Inc., also known as (ISC)², your posting has been brought to my attention - http://vmyths.com/rant.cfm?id=720&page=4. Your website states that it is "about computer virus myths, hoaxes, urban legends, hysteria, and the implications if you believe in them." We fully support this mission, yet this posting seems to be nothing more than a fabrication by your website. Something rather contrary to your mission. We have not found such an e-mail circulating, but we understand it is within your rights to post what is clearly satirical content, if that is your intent. However, what is troublesome, and potentially a criminal matter, is the posting of names from our public directory. Our Website Access Policy clearly prohibits the harvesting of any names from our directory and, at the top of our directory is the following post in large, bold letters: "Pursuant to the Computer Fraud and Abuse Act (18 USCA 1030) and EF Cultural Travel BV et al. v. Zefer Corporation, 318 F.3d 58, C.A.1 (Mass.) 2003, it is illegal to access this website for the purpose of obtaining e-mail addresses to send unsolicited commercial e-mail. For further information see our Website Access Policy." Rob, I am requesting that you remove the listing of names found at http://vmyths.com/mm/whisper/2005/0401/cissp.txt. While you have not harvested the names to send unsolicited commercial e-mail, it is still in violation of our Website Access Policy and could result in someone using the list to send unsolicited commercial e-mail. Failure to remove this list (not the satirical news release) will result in (ISC)² considering all legal remedies available to it. Respectfully, Dorsey Morrow, CISSP-ISSMP (ISC)² General Counsel