I saw today on Twitter a blog post about possible unethical behavior from the EC Council (and their response). As soon as I started to read it, my (admittedly hairy) eyebrows started to climb my forehead in shock. Jay Bavisi, the CEO of EC Council, responded personally and extemporaneously. This led to some problems, so Jay, here’s some unvarnished, independent, neutral advice.
- Professionalism in terms of grammar and courtesy will go a long way in assuring others of your uprightness. This is much like the need to speak correct English and dress appropriately when in front of others, such as at a press conference.
- Attacking someone who has presented evidence on the basis of speculated motive does little to enhance how others see you.
- Respond to the substance of the allegations. Either explain the comments or explain why you don’t believe they came from an EC representative. Back this up with facts. State that you will look further into this and *follow through*.
- Citing pointless statistics about how you’ve developed your programs doesn’t give you any credibility or reputation among actual hackers, nor anyone else who stops to think about it. Surely you have brand surveys and other data that show you the extent of your brand problem.
- Don’t give some wishy-washy corporate answer. Answer in a friendly human voice. If you have every confidence that you’re right, show your ethics through kindness and magnanimity.
- It is not up to you to decide what is “permissible” in the court of public opinion, by definition. As you say, people are intelligent and will recognize what is right. That means we can consider second-hand information in context. And the context for the reputation of the CEH and similar certifications, at least in my professional and social circles, is quite damning. (It’s worse now due to the ham-handed response.)
So how would I have handled it?
First, thanks for noticing this issue. Clearly something is wrong, and we don’t like it any more than you do. We’re sorry for the mess here and want to help make things right. Rather than speculate on the identity of the spammer, we’re investigating to see what might have happened from our end. If you’d like to help us with your logs and data, we’d be willing to work with you in good faith. In the meantime, we’ll once again make it clear to our people that we do not accept this sort of behavior.
While I’m at it: are you certifying people’s hacking or ethics? Hint: answering questions right on an exam doesn’t tell you whether anyone’s ethical or not. It tells you whether they know what society expects of their ethical choices, but a piece of paper can never stand in for someone’s conscience. And if you’re certifying “hacking” skill, how do you certify the inquisitiveness that characterizes us? Hint #2: knowing how to use nmap, MSF, and nikto doesn’t make anyone a “hacker” any more than having read Sun Tzu makes somebody a “warrior”.
Anyway, Jay has gotten back in touch after apparently calming down and things are going much more smoothly for this particular incident.