Advice to the EC Council

Ethical wisdom is relative

I saw today on Twitter a blog post about possible unethical behavior from the EC Council (and their response). As soon as I started to read it, my (admittedly hairy) eyebrows started to climb my forehead in shock. Jay Bavisi, the CEO of EC Council, responded personally and extemporaneously. This led to some problems, so Jay, here’s some unvarnished, independent, neutral advice.

  • Professionalism in terms of grammar and courtesy will go a long way in assuring others of your uprightness. This is much like the need to speak correct English and dress appropriately when in front of others, such as at a press conference.
  • Attacking someone who has presented evidence on the basis of speculated motive does little to enhance how others see you.
  • Respond to the substance of the allegations. Either explain the comments or explain why you don’t believe they came from an EC representative. Back this up with facts. State that you will look further into this and *follow through*.
  • Citing pointless statistics about how you’ve developed your programs doesn’t give you any credibility or reputation among actual hackers, nor anyone else who stops to think about it. Surely you have brand surveys and other data that show you the extent of your brand problem.
  • Don’t give some wishy-washy corporate answer. Answer in a friendly human voice. If you have every confidence that you’re right, show your ethics through kindness and magnanimity.
  • It is not up to you to decide what is “permissible” in the court of public opinion, by definition. As you say, people are intelligent and will recognize what is right. That means we can consider second-hand information in context. And the context for the reputation of the CEH and similar certifications, at least in my professional and social circles, is quite damning. (It’s worse now due to the ham-handed response.)

So how would I have handled it?

First, thanks for noticing this issue. Clearly something is wrong, and we don’t like it any more than you do. We’re sorry for the mess here and want to help make things right. Rather than speculate on the identity of the spammer, we’re investigating to see what might have happened from our end. If you’d like to help us with your logs and data, we’d be willing to work with you in good faith. In the meantime, we’ll once again make it clear to our people that we do not accept this sort of behavior.

While I’m at it: are you certifying people’s hacking or ethics? Hint: answering questions right on an exam doesn’t tell you whether anyone’s ethical or not. It tells you whether they know what society expects of their ethical choices, but a piece of paper can never stand in for someone’s conscience. And if you’re certifying “hacking” skill, how do you certify the inquisitiveness that characterizes us? Hint #2: knowing how to use nmap, MSF, and nikto doesn’t make anyone a “hacker” any more than having read Sun Tzu makes somebody a “warrior”.

Anyway, Jay has gotten back in touch after apparently calming down and things are going much more smoothly for this particular incident.


2 Responses to Advice to the EC Council

  1. Jeff Pettorino (@jpettorino)

    You nailed it on the head there at the end. I continue to have issue with C|EH not because of the material or content, but because of the words ‘Certified Ethical’ Hacker. It can be interpreted many ways, and it implies many — positive OR negative — things, depending on the perspective of the audience. I’ve not taken the test nor studied the material closely, so I cannot say how “good” it is, IMHO. I know a few holders of the certification, and I will say that they seem to have the rudimentary basics of Security down. But their ethics have nothing to do with this personal assessment.

  2. I’ve known a lot of folks who hold the CEH and their expertise runs the gamut from “kinda knows what he’s doing” to “Jedi master”. And in most cases, they were ethical, stand-up guys – but I knew a lot of them pre-certification and already knew that about them.
