When Do The Ends Justify The Means?

Since my last story, I find myself puzzled by the lack of action by an industry that characterizes trust, ethics, and morals as the foundation upon which its entire profession stands and is built. Bold statements such as “Integrity is a fundamental standard in ethical cyber security”, “Cyber ethics encapsulates common courtesy, trust, and legal considerations”, “Cybersecurity is guided by ethical principles and values, such as confidentiality, integrity, availability, non-maleficence, beneficence, justice, and respect for autonomy. These principles and values help define what is right and wrong in cybersecurity, and what are the duties and obligations of cybersecurity professionals.” and “Act honorably, honestly, justly, responsibly, and legally” are found across a multitude of blogs and websites.

There is more than sufficient evidence out there, provided there is a proper venue for victims to share it in a manner that protects them, including those who have attempted to come forward in good faith. These individuals, while not perfect by any means, have shared their concerns privately to protect the reputation of the industry and to solve a common problem.

A reader recently forwarded vBTruth an email, sent in January 2024 by ISSA-LA President Richard Greenberg, asking the reader for a character reference. We were able to authenticate the email as legitimate.

I am being targeted by a misinformation campaign by a few unethical people. I would be most appreciative if you could write a character reference for me, mentioning the work that I have done for ISSA-LA and your speaking engagements with us. I have been building the programs, including personally inviting speakers, for the annual ISSA-LA Security Summits, Women in Security Forums, and CISO Forums. I created and chaired the CISO Forums and Women in Security Forums.

Please feel free to reach out if you need more information or have any questions.

This email sent by the ISSA-LA President raises several questions, including:

  1. How many individuals has the ISSA-LA President sent this email to?
  2. How many victims has the ISSA-LA President mischaracterized, and flat-out lied about, as “unethical” as part of this email campaign?
  3. How many victims have had their reputations tarnished and possibly destroyed when individuals reached out to the ISSA-LA President for “more information” or with “questions”?
  4. How many individuals have written character references and possibly, inadvertently, tarnished their own reputations personally and professionally?

Since vBTruth first published our original piece, we have been working tirelessly behind the scenes on fact-checking and finding credible sources of information. Under California’s Public Records Act, we requested that the City of Santa Monica produce documents. The City of Santa Monica oversees the Annenberg Beach House and its associated operations.

Over the last several months, we have been slowly combing through the 2000+ pages produced by the City of Santa Monica. We still expect additional documents to come in the weeks ahead. Among the documents produced were several invoices and permits.

On several occasions, we observed ISSA-LA’s name co-existing with Layer 8 Masters and/or Planet Cyber across multiple documents. We also observed Layer 8 using ISSA-LA’s resources such as the Post Office Box across multiple documents.

Our public records request review has raised numerous questions, including:

  • Is there confusion between ISSA-LA and these for-profit conference events?
  • How severe is brand confusion between ISSA-LA and the private for-profit conference company?
  • Did the ISSA-LA President and Vice-President receive non-profit discounts for their for-profit conference, potentially defrauding taxpayers?
  • Are potential attendees being diverted to a private, for-profit conference?
  • Are potential revenue sources from attendees, and from sponsors being redirected away from ISSA-LA members and into the pockets of the ISSA-LA President and Vice-President?
  • In the process of searching for sponsors, are the ISSA-LA President and Vice-President having first pick of sponsors for their conference and leaving scraps for ISSA-LA?
  • What ISSA-LA resources are the ISSA-LA President and ISSA-LA Vice-President using beyond the Post Office Box? Did the ISSA-LA board know of and/or approve the usage of the ISSA-LA Post Office Box?
  • Are the ISSA-LA President and Vice-President using ISSA-LA members’ money to fund and pay for their personal, private, for-profit conference? Are they treating ISSA-LA like their own private bank?

vBTruth spoke to one nonprofit attorney about accessing financial records and minutes. Members of a non-profit association have rights to inspect financial records and minutes. Under California Law, a member can inspect:

  • Articles, bylaws, and all amendments to articles and bylaws (5160, 7160)
  • Adequate and correct books and records of account (6320(a)(1), 8320(a)(1))
  • Minutes of all board, committee and member meetings (6320(a)(2), 8320(a)(2))
  • Member lists (6320(a)(3), 8320(a)(3))

At least one individual, who we understand is still an ISSA-LA member, has publicly stated that they demanded to inspect financial records and minutes on November 19, 2023. As of December 5, 2023, they had not received access to any financial records or minutes.

By this individual’s account, ten business days passed and no financial records or minutes were provided by ISSA-LA. Why would ISSA-LA not simply open the financial books and minutes? Do they have something to hide? All of these questions are significant, especially if the ISSA-LA President and Vice-President are using ISSA-LA as their own private bank.

All of these questions are sufficient to wonder whether any character references written on behalf of the ISSA-LA President are worth the paper they are printed on.

Since no financial records were permitted to be inspected, it raises questions such as “Are there financial irregularities?” The lack of transparency creates the perception that the ‘books were cooked’ because the default position was to hide. Invoices and permits produced by the City of Santa Monica suggest this could be happening given the commingling of the brands. Plus, these invoices are no small dollar amounts. We are talking about potentially tens of thousands of dollars per event.

The fact is there is no misinformation campaign. Just individuals trying to raise concerns. In this case, something is clearly rotten because official government records show several significant irregularities that should concern members, leaders, and anyone who is part of this profession. These official government records show that resources of ISSA-LA are being used. These official government records show that there is clear brand confusion that makes it challenging for some individuals, companies, organizations, and sponsors to differentiate whether an event is ISSA-LA organized or is a personal, private, for-profit event.

Psychologist, educator, management consultant and author Saul Gellerman proposed four commonly held rationalizations for unethical behavior:

  • People tell themselves that their behavior is not unethical.
  • People think that their behavior is acceptable because it is in the favor of the business.
  • People think that no one will come to know about their unethical behavior.
  • People think that they will be protected even after doing something unethical.

In this specific instance, the ends do not justify the means. These men are not Robin Hood and his band of merry men.

What troubles this reporter is the lack of response, the lack of any action for over a year, and the rationalization of such behavior.

The essence of ethical integrity lies in consistency across all areas of behavior. Commendable contributions should not serve as a shield for unethical practices nor be viewed to offset misconduct. The true measure of an individual’s ethical stance is reflected not only in their capacity to contribute positively to society but in their adherence to ethical principles in professional and personal dealings.

Anyone who rationalizes their participation, attendance, or engagement in any event organized by the ISSA-LA President and ISSA-LA Vice President, while having conscious knowledge of what is happening, is endorsing, encouraging, and excusing this despicable, unethical, immoral, and possibly illegal behavior.

It makes you wonder if the values of trust, ethics, and morals are only upheld by individuals when it is convenient. It speaks volumes about an individual’s character when considering classic sayings such as “Guilt by association” and “Birds of a feather”.

This entire incident shares many similarities and hallmarks with the case of former Adelphia CEO John Rigas. It does not matter what an individual has done in the past or what they can do for you. It matters whether they see the error of their ways, and are willing to ask for forgiveness, rectify, and show remorse. I will never advocate for a cancellation; I will advocate for a resolution that hopefully all stakeholders will find acceptable.

In the words of Russian anti-corruption campaigner Alexei Navalny, who reportedly died in a Russian prison yesterday:

“All that is needed for the triumph of evil is for good people to do nothing.”

Alexei Navalny

ISSA-International – Complicit, Complacent, or Cowards?

ISSA-International stood by doing nothing for over six months

There are few things more dangerous than a mixture of power, arrogance, and incompetence.

Bob Herbert, American Journalist

Information Systems Security Association (ISSA) members are starting to turn on ISSA-International, its Board of Directors, and its Ethics Committee for their inaction and for standing by and watching as members were forsaken. The charges?

  • Dereliction of duty.
  • Ineffective leadership.
  • Abandoning their responsibilities.
  • Breach of fiduciary responsibility.
  • Absence of due care.
  • No confidence in the leadership.

The list of charges continues to grow as more victims have come forward to share their stories with vBTruth. The most surprising part of these charges – there is extremely strong evidence to suggest these charges have merit.

Several members have told this publication they will not be renewing their membership after their ISSA membership lapses and will not be participating in the association in any capacity. One member has shared they regretted their vote in the recent June 2023 ISSA-International Board election. If given the opportunity, another member would censure the ISSA-International Board and bring before all ISSA members a “motion of no confidence” to remove members of the ISSA-International Board.

From the multiple victims we have interviewed, ISSA-International was aware of these ethical issues for at least half a year. Multiple credible sources have stated that ISSA-International has known about these ethical issues, or was warned about impending ethical issues, for at least a year, if not longer. At least one source has claimed they warned ISSA-International over a year ago of an impending ethics submission related to fraud, corruption, conflicts of interest, and breach of fiduciary responsibility; however, they were unable to provide concrete evidence to support their claim.

One set of documents provided to vBTruth shows that ISSA-International received an incriminating complaint in March 2023 and acknowledged receipt of it, along with the subsequent artifacts supporting the allegation of fraud, corruption, conflicts of interest, and breach of fiduciary responsibility. Several of the same artifacts that were provided to ISSA-International are identical to what was provided in our original article during this investigation.

Multiple victims shared their concerns at the highest levels, including the current ISSA-International President, Shawn P. Murray, and the current ISSA-International Executive Director Marc Thompson. Multiple individuals have alleged they shared concerns as early as March, April or May 2023.

Our Analysis

Our review of all documents made available to us by one victim’s attorney shows that multiple complaints were lodged and stalled procedurally because the victim’s name must be disclosed to the perpetrator. Consistently, multiple victims raised concerns with the appropriate parties, including the current ISSA-International President and the Ethics Committee, that they fear physical and defamatory retaliation from the current ISSA-LA President Richard Greenberg. There is a recurring theme in ISSA-International’s responses: the victim must disclose their identity and thereby become a target of continued malice, slander, and libel.

As we wrote earlier, Arlene Yetnikoff wrote on LinkedIn that ISSA-International was not taking anonymous complaints that were detailed and factual because “Several fear, with justification, physical and defamatory reprisals for speaking out.” (emphasis added)

Multiple victims have told this publication that they refused to file ethics complaints, escalate, or raise the matter because they have justified fears of escalating tensions. Several victims expressed deep frustration with ISSA-International’s failure to enable whistleblowers to come forward anonymously or confidentially. To come forward would mean their identity would be known to the ISSA-LA President, thus escalating tensions. These victims were seeking to de-escalate and resolve these pressing ethical issues. Not escalate.

A Series of Unfortunate Missteps and Poor Leadership?

There appear to be several missteps that led to the perfect storm in which grievances exploded into the public spotlight on LinkedIn on November 30, 2023.

The first misstep appears to be the lack of a whistleblower policy. Since its 2007 tax filing, ISSA-International has reported to the IRS on its Form 990 tax filings that it does not have a whistleblower policy. For almost twenty years, ISSA-International decided not to implement a whistleblower policy. A nonprofit organization is not required to establish a whistleblower policy to maintain its tax-exempt status. However, the IRS regards the implementation of such a policy as a sound governance practice. This measure serves to guarantee that the organization’s assets are utilized in line with its exempt purposes, promoting transparency and responsible management. Organizations such as OWASP have whistleblower policies that enable employees, members, and volunteers to blow the whistle and remain anonymous. Those policies appear to have worked, as Richard Greenberg, David Wettenstein, and Haral Tsitsivas are no longer in a leadership capacity at OWASP-LA and OWASP-OC.

The second misstep appears to be the lack of foresight, emotional intelligence, and a grasp of the severity of the situation. Instead of promptly consolidating numerous complaints into a comprehensive investigation, there seems to be a reluctance to address the issue discreetly and privately. The unwillingness to make a one-time exception, allowing whistleblowers to maintain anonymity or confidentiality to expedite ISSA-International’s resolution of the matter, reflects a failure to grasp the severity of the situation. The risks of the ongoing approach continue to escalate the number of casualties each month and threaten to tarnish the brand and reputation of ISSA and its members.

The last major misstep appears to be the lack of wisdom to prepare for this ethical debacle. One individual we interviewed said they warned of an impending ethics complaint. Rather than prepare, the time was squandered away. No whistleblower policy was authored. No revised ethics policy was authored. It appears the status quo remained. The time appears to have been spent congratulating the ISSA-LA Chapter President for being inducted into the ISSA Hall of Fame and the ISSA-LA Chapter for winning “Chapter of the Year” in August 2023.

It does raise a question: why was the ISSA-LA President awarded Hall of Fame and ISSA-LA awarded Chapter of the Year when there were multiple complaints and allegations of misconduct? Especially when multiple ISSA-International leaders have had conscious knowledge of ongoing fraud and malfeasance since the first half of 2023.

Complicit, Complacent, or Cowards?

Is ISSA-International Complicit, Complacent, Cowards, or all of the above?

Complicit

In our opinion, ISSA-International is complicit.

  • ISSA-International is knowingly putting individuals in harm’s way by requiring disclosure of their identities to a perpetrator.
  • ISSA-International is knowingly letting the number of victims grow, damaging their reputations. Many victims are leaving the Association.
  • ISSA-International’s silence and inaction only serve to enable and endorse the actions of a dictator and his cronies in a banana republic. It has escalated to where the ISSA-LA President is presently in the process of stealing the election.
  • Two of ISSA-International’s Board Members spoke at PlanetCyberSec on December 6, 2022.

Complacent

In our opinion, ISSA-International is complacent.

  • ISSA-International awarded “Chapter of the Year” despite knowing there are outstanding ethical complaints against chapter leadership, specifically the Chapter President and Chapter Vice President.
  • ISSA-International awarded “Hall of Fame” to a leader who has outstanding ethical complaints and clear conflicts of interest.
  • ISSA-International abandoned its fiduciary responsibility to do what is in the best interest of ISSA and its members.
  • ISSA-International has failed to protect the ISSA brand, and its chapters utilizing the ISSA brand, thereby indirectly harming its members.

Cowards

In our opinion, ISSA-International leaders are cowards. Those in positions of authority lack the courage to make hard decisions and act. It was easier to put the burden of responsibility on multiple victims. It was easier to pass the buck.

President Harry S. Truman had a sign on his desk that read “The Buck Stops Here.” Where does the buck stop at ISSA-International and who bears ultimate responsibility for ISSA-International’s lack of leadership and its continued series of failures?

The Current International President.

ISC(2) Board of Directors, General Counsel and Assistant General Counsel refusing to act on Ethics Complaint

Information Systems Security Association (ISSA) is not the only organization failing to act and protect people

Arlene Yetnikoff wrote on LinkedIn that ISSA-International was not taking anonymous complaints that were detailed and factual because “Several fear, with justification, physical and defamatory reprisals for speaking out.” (emphasis added)

On November 12, 2023, we broke the initial story that the current ISSA-LA Chapter President, Richard Greenberg, CISSP, was Accused of Fraud, Malfeasance, and Breach of Fiduciary Responsibility. We also wrote that several organizations were notified of this fraudulent and unethical behavior. Several organizations refused to act on detailed and factual complaints, including the organization International Information System Security Certification Consortium because the submissions were anonymous.

International Information System Security Certification Consortium better known as ISC(2) is the organization behind the industry certification Certified Information Systems Security Professional or CISSP. The CISSP is marketed as “the gold-standard information security certification.”

We at vBTruth interviewed one individual in early November and reviewed months of email correspondence from that individual begging both ISC(2) and ISSA to act. Despite ISC(2) and ISSA being told in writing that the individual has “fear of reprisal, retaliation, retribution, duress, intimidation, malice”, the concerns were shut down and caught in procedural technicalities that centered on the need to disclose the victim’s identity to the perpetrator, despite the fears being shared and justified. This article focuses on ISC(2).

Months Long Ordeal

On August 31, 2023, ISC(2)’s Ethics Committee received a whistleblower email sharing concerns about ethics and compliance violations, citing violations of the ethical rule to “act honorably, honestly, justly, responsibly, and legally”. The whistleblower email included a comprehensive, detailed description of the victim’s concerns, including several artifacts such as legal filings and screenshots.

ISC(2) declared in multiple Internal Revenue Service (IRS) Form 990 tax filings that it does have a whistleblower policy. vBTruth was unable to locate such a policy online, and it appears similar requests were made in the past by other individuals.

On September 5, 2023, Assistant General Counsel Alex Rosenfeld responded to the victim that they must submit a signed, notarized complaint and that they intend to disclose the victim’s identity to the ISSA-LA Chapter President despite being informed of the fear of retaliation. Unusually, Assistant General Counsel Rosenfeld asked for evidence despite previously being provided the evidence in the August 31, 2023 whistleblower email.

On September 6, 2023, the victim responded to Assistant General Counsel Rosenfeld that they were seeking another process because the ISC(2) policies do not protect their identity. They cited the confidentiality statement on ISC(2)’s website, which they said does not adequately protect them:

The board and its agents undertake to keep the identity of the complainant and respondent in any complaint confidential from the general public. While disclosure of the identity of the complainant will be avoided where possible, upon filing a complaint, the complainant implies consent to disclose (their) identity to the respondent (perpetrator), where the board or its agents deem it necessary for due process. Actions of the board may be published at its discretion. Parties are encouraged to maintain confidentiality and certificate holders are reminded of their obligation to protect the profession.

The victim was unwilling to put their livelihood at risk because the concern of reprisals was too great. They immediately asked for an exception to the policy and asked to remain anonymous.

Emails between the victim and Assistant General Counsel Rosenfeld continued throughout the month of September as the two sides negotiated. It appears Assistant General Counsel Rosenfeld had multiple conversations with members of the ISC(2) Ethics Committee, comprised of ISC(2) Board of Directors Samara Moore, Laurie-Anne Bourdain, Dan Houser, and Edward Farrell.

Starting on September 18, 2023, Samara Moore, Chair of the Ethics Committee at ISC(2), was included in the email conversation by the victim, urging and begging ISC(2) to resolve the impasse over mandating the disclosure of their identity.

In an email on September 18, 2023 to both Assistant General Counsel Rosenfeld and Ethics Chairwoman Samara Moore, the victim writes “If ISC(2) accidentally discloses my name or identity against my direct or indirect wishes, it will be very detrimental to my career. I very much doubt ISC(2) will be offering me a six-figure salary and a career at ISC(2) for the remainder of my life.”

On September 26, 2023, the discussion focused on “not disclosing the victim’s identity without their consent”, however, the responses do not appear to allay the concerns of the victim.

On September 27, 2023, Assistant General Counsel Rosenfeld wrote to the victim, “…as previously communicated, we undertake to keep the identity of the complainant and respondent in any complaint confidential from the general public. While disclosure of your identity will be avoided where possible, where/if the Committee deems it necessary for due process, we will reach back out to you for your consent to share your details. If you choose not to allow us to use your name, the committee will determine whether it can proceed with the available information with the necessary redactions.”

When we interviewed the victim and asked why that was not satisfactory, the victim said their understanding of ISC(2)’s position was that the Committee would very likely need to disclose their identity as part of due process. They would need the victim’s name and a signed/sworn affidavit. Given the victim’s unwillingness to disclose their identity, the whole endeavor would be a mere exercise in futility. ISC(2) would have the sole power to dictate terms to the victim.

On September 29, 2023, the victim appealed directly to the ISC(2) Board of Directors and requested that they remain an anonymous whistleblower and grant any exception to the policies at ISC(2). In the email to the Board of Directors, the victim writes:

I continue to express concern that the confidentiality policy and process being proposed is insufficient because the accidental, intentional, or unintentional disclosure of my identity would be detrimental to my career.

The victim also expressed that “The individual I am reporting shall and will view this as a great affront, escalate the situation, retaliate, and seek retribution” and that “Similar individuals who share similar concerns on this CISSP certification holder and ISC(2) member have unanimously agreed that to proceed with a signed affidavit and full disclosure of my identity …would effectively paint a target on me.”

The victim also expressed (emphasis added) that they “have a genuine fear and concern that should my identity be disclosed, there would potentially be a physical confrontation, altercation, and my physical life safety would be placed at risk.”

The email was sent to all members of the board; however, based on the emails we reviewed, only ISC(2) Board of Directors James Packer, Laurie-Anne Bourdain, Dan Houser, Rachel Guinto, Samara Moore, and Guy Ngambeket received it, because several email addresses had to be guessed and no list of addresses was published on the ISC(2) website. We observed a series of bounce emails showing that several messages were not properly delivered. By our reckoning, six of the twelve Board of Directors received the appeal asking for board consideration of anonymity and whistleblower status, three of whom sit on the Ethics Committee.

On October 12, 2023, ISC(2) General Counsel Graham Jackson emailed the victim to schedule a call with the victim and discuss the nature of their concerns. Based on our conversation in early November 2023 with the victim, the victim felt there was some positive progress on their phone conversation on October 21, 2023, however, they still felt they did not have the necessary assurances their identity would be protected despite being assured their identity would not be disclosed without permission by ISC(2) General Counsel.

While the victim respects and understands the procedural hurdles to maintain integrity on the ethics process so that there is not a deluge of false ethical complaints, the victim still felt the hurdles were extremely advantageous to the perpetrator and not balanced.

Our Analysis and Thoughts

When we reviewed months of emails between the victim, the two attorneys, and subsequent conversations that included Ethics Chairwoman Samara Moore, and a direct appeal to the Board of Directors, one quote the victim wrote struck me deeply:

If ISC(2) does not act, chooses not to act, or fails to act, it puts our certifications at risk because the very core tenet of our profession is ethical behavior. To continue to not act means all holders of ISC(2) certifications will face devaluation of the certification because it now raises questions of integrity of all ISC(2) members. ISC(2) can no longer guarantee that its members are ethical.

While it is not mandatory for a nonprofit organization to possess a whistleblower policy to maintain its tax-exempt status, the IRS views the adoption of such a policy as a commendable governance measure. This practice aids in safeguarding the organization’s assets, ensuring their consistent utilization in alignment with its exempt purposes. The whistleblower policy can include volunteers and members.

Despite the Form 990s we reviewed stating there is a whistleblower policy, our impression is that there is no whistleblower policy. The response by ISC(2) is insensitive and callous at best, and seems to set the stage for a physical altercation and harm at worst.

It would seem ISC(2)’s Board of Directors, Assistant General Counsel, and General Counsel are holding steadfast to a process despite having a whistleblower policy. They seem unwilling to find a reasonable means to protect the victim’s identity while getting to the bottom of fraud, corruption, law-breaking, and clear ethics violations. The General Counsel, the Assistant General Counsel, and members of the Board of Directors seem unwilling to consider, let alone grant, an exception despite being presented with overwhelming evidence. Even without the affidavit, it seems reasonable in this reporter’s eyes that, given so much independently verifiable evidence, the Ethics Committee could move forward to evaluate the matter at hand. The emails we reviewed suggest that both the ISC(2) Ethics Committee and Board of Directors are choosing to ignore the matter on a procedural technicality, insisting they must know the identity of the victim despite being presented with overwhelming evidence.

The victim is also directly telling ISC(2)’s Board of Directors and General Counsel that they fear being harmed physically and losing their livelihood during tough, challenging economic times should their identity be disclosed. The victim is forced to pick between filing an ethics complaint and losing their career: a tarnished reputation, unemployed, unemployable, and hungry on the streets. Adding insult to injury is the possibility of spending months healing from physical wounds and emotional distress from a potential assault and battery.

Any reasonable individual would pick their personal welfare over an ethics complaint because the ethics complaint yields no real tangible benefits, personal or professional.

The CISSP states the first priority is life safety. Human safety. Life safety has precedence and priority over all else. That includes written policies.

Perhaps these ISC(2) Board of Directors who hold a CISSP need to be reminded of the importance of life safety?

OWASP-LA withdraws from upcoming ISSA-LA Holiday Party

In an update to our article: Someone Being Naughty before the ISSA-LA Holiday Party?, we were informed today that the Eventbrite pages for sponsorship and registration for the upcoming ISSA-LA Holiday Party no longer lists OWASP-LA as one of the non-profits participating in the upcoming event.

That makes three non-profits who have had their names removed. Interestingly enough, the respective Eventbrite pages for registration and sponsorship still have language stating “four” non-profits are participating.

We will share additional updates as they become available.

Allegations of Election Fraud at Information Systems Security Association Los Angeles

Credible Claims of Election Fraud turns Information Systems Security Association Los Angeles into a Banana Republic

Reporter’s Note: If one had told me I would be doing a story on election fraud and a stolen election, I would have mocked one for suggesting such preposterous ideas. I very likely owe some colleagues in the industry a case or two of merlot and an apology.

On Thursday, November 30, accusations of election irregularities, election interference, and election fraud were made public on LinkedIn, including the claim that the election currently in progress at Information Systems Security Association Los Angeles (ISSA-LA) is being stolen.

Arlene Yetnikoff, a former ISSA-LA Advisory Board Member, wrote an open letter urging people to “ask questions as to how this happened and the reasons why.” Karen Worstell, author, a current ISSA fellow, the former ISSA-Puget Sound Chapter President and founder of the ISSA-Rainier Chapter, backed Arlene’s concerns of election irregularities, noting in LinkedIn comments that several “qualified nominees” she submitted did not appear on the ISSA-LA ballot. In a now-deleted comment, Karen Worstell hinted that an ethics complaint was in motion; however, there is no definitive proof an ethics complaint was filed, what the contents of the ethics complaint were, or when it was submitted.

Rafal Los commented that, “Given what I’ve personally witnessed in my many trips out to LA, I’m not surprised it’s come to that. When professional organizations become more about personal gain and money to be made, it’s a recipe for this exact outcome.”

Our Analysis

When the news first broke, our initial review of the claim was that this was highly irregular, suspicious, and could possibly be false. A copy of the ballot was posted on Friday, December 1 by Joshua Chin, potentially validating the claims of election irregularities. No one from vBTruth saw the actual election ballot; however, all indications suggest the ballot is legitimate.

We reviewed a copy of the ballot posted on LinkedIn, and there is only one candidate listed in each category, except for one category: Education Director. There is no option to write in any candidate in any category.

Over two days, additional information surfaced, including that the platform being used is Election Runner, which supports write-in candidates.

Karen Worstell has gone on the record on LinkedIn stating that the bylaws “are not being followed” and the “election is engineered”. Potentially two candidates, if not more, running for the 2024 board and appearing on the ballot have not attended six chapter meetings, board meetings, or conferences organized by ISSA-LA; however, there is no definitive evidence.

Among the “qualified nominees” that were properly nominated by Karen Worstell are former board members and former advisory board members of ISSA-LA. They were all blocked from running and from appearing on the ballot. One qualified individual was nominated to be President of ISSA-LA, according to Joshua Chin via Karen Worstell in LinkedIn comments. This would seem to indicate that the election is engineered for the current President to maintain his presidential powers.

Even giving the current ISSA-LA President the benefit of the doubt and taking actions at face value, there is still evidence that the ISSA-LA President is abusing and clinging to power. The ballot has not one, but two empty positions: Education Director and Executive Director. The Executive Director position does not even appear on the election ballot. Neither position allows one to write in a candidate.

The inability to write in a candidate for two clearly vacant positions, or to write in alternative candidates elsewhere, deprives ISSA-LA members of due process in voting for and selecting their board members. After the election closes, who gets to fill those vacant spots? Per the ISSA-LA bylaws: the current President.

Where is ISSA-International in this process? At least one board member, David Vaughn, was tagged in the comments of Arlene Yetnikoff’s post; however, ISSA-International is strangely silent in this process, which could be interpreted as a strong endorsement of the current ISSA-LA board’s actions. The lack of any action in this continuing saga, in this reporter’s opinion, could indicate that ISSA-International has abandoned its responsibilities and could be in breach of its fiduciary responsibilities.

Let us call a spade a spade. The entire ISSA-LA election process is fraught with irregularities and has potentially several ineligible candidates. The ballot is set up in a manner that enables the current President to win and maintain his power.

The ISSA-LA chapter is a banana republic – run by a dictator and his cronies.

Someone Being Naughty before the ISSA-LA Holiday Party?

This story is part two of a months-long investigation conducted by vBTruth. During the investigation into the accusations of fraud, malfeasance, conflicts of interest, and breach of fiduciary responsibility, we at vBTruth ultimately felt this story warranted coming out of retirement and sharing these individuals’ combined stories. vBTruth is continuing its investigation and will report subsequent updates as new evidence is uncovered.

…We have not given approval to include our name in the Eventbrite invitation and I was surprised to see it in the (Eventbrite)… I wasn’t even aware tickets were already on sale for it.

― Shannon Brewster, ISC2 LA President

As part of our ongoing, months-long investigation into accusations of fraud, malfeasance, conflicts of interest, and breach of fiduciary responsibility at ISSA-LA, vBTruth recently observed an upcoming joint holiday party on Eventbrite, allegedly hosted by ISSA-LA, Women’s Society of Cyberjutsu, Open Worldwide Application Security Project (OWASP), Association of Information Technology Professionals – Los Angeles (AITP-LA), the Southern California (SoCal) Chapter of the Cloud Security Alliance and ISC2 Los Angeles.

vBTruth reached out to a few of these organizations to confirm their participation and attempted to obtain copies of any agreements.

More than one organization was surprised that they were included in the holiday party because they did not give consent. Even more surprising was the fact that their respective organizations were featured as one of “six” non-profits hosting the holiday party, on both the ticket sales page and the separate sponsorship sales page. Both ISC2 LA and Cloud Security Alliance stated that the use of their names was unauthorized.

“ISC2 LA leadership had some informal discussions over email with ISSA-LA’s board regarding a joint holiday party. They reached out a few weeks ago and invited us to participate but we had not made a final decision. We were waiting on a written proposal and an agreement that disclosed the expected costs and responsibilities.

Given that nothing has been finalized, we have not given approval to include our name in the Eventbrite invitation and I was surprised to see it in the (Eventbrite)… I wasn’t even aware tickets were already on sale for it,” Shannon Brewster, ISC2 LA President, wrote to vBTruth.

An anonymous source familiar with the matter at Cloud Security Alliance told vBTruth that “they never agreed to participate at the holiday party and were extremely disappointed in the attempt to obligate the SoCal chapter in(to) participating and the unnecessary deception to the (security) community at large.”

Both Cloud Security Alliance and ISC2 LA have issued demands to have their names removed from any promotional material or website stating their participation in the holiday party. Both have stated they will not be participating in this year’s holiday party. At one point, the sponsorship Eventbrite page stated five non-profit organizations. It was further updated to remove ISC2 LA.

Both Eventbrite pages have been updated since the demands were made by Cloud Security Alliance and ISC2 LA.

Another recent significant update was the keynote speaker at the holiday party. On November 2, 2023, the website featured Bryan Hurd, Chief of Office, Aon Cyber Solutions (Stroz Friedberg). Fast forward to November 10, Bryan Hurd has been removed from the website and replaced with Demetrios Lazarikos (Laz).

The question we have not been able to answer is: “Why was Bryan Hurd replaced one month before the holiday party?” The only two logical conclusions were:

  • Schedule Conflicts
  • Unauthorized Use of Name/Attempt to Obligate

An analysis of both possibilities leads us at vBTruth to believe that it was an attempt to obligate Mr. Hurd as the keynote speaker of the holiday party without his consent.

First, we have not one, but two attempts in a single event to obligate, maybe force, two independent organizations to participate in the ISSA-LA holiday party. Both organizations have issued statements to vBTruth, stating they never agreed to participate.

Next, we can assume it was not a ‘mistake’ per se, but intentional. Two Eventbrite webpages listed all organizations allegedly hosting the holiday party. They also listed the actual names and the actual count of organizations participating. To list and name a number of organizations, including two that did not agree to participate, on two different Eventbrite webpages, each with a precise count of participating non-profit organizations, one must conclude that this was intentional.

Lastly, keynote speakers are typically booked months in advance. To cancel at the last minute usually means a change of schedule, or something personal is occurring. It is highly unlikely a schedule conflict forced Mr. Hurd to withdraw, because it is a holiday party, holiday parties usually have large turnouts, and a keynote speaker would set the necessary time aside and block their calendar.

That leaves the last option: Unauthorized use of name and attempt to obligate. There are already two documented instances in this one event to obligate two other organizations. It is certainly not unreasonable to assume that more attempts occurred without the general public’s knowledge.

“There’s an old saying in Tennessee — I know it’s in Texas, probably in Tennessee — that says, fool me once, shame on — shame on you. Fool me — you can’t get fooled again.”

― President George W. Bush, 43rd President of the United States of America

Regardless of what happened with Mr. Hurd, it does not change the fact that ISSA-LA falsely published two organizations’ participation and tried to potentially strong-arm and obligate their entire organizations and their respective leaders. Marketing this event to both potential attendees and sponsors as having the participation of organizations who did not agree to participate is duplicitous, dishonest and fraudulent behavior.

Those reasons alone put ISSA-LA and its leaders on the naughty list and rightfully earn all of them lumps of coal this holiday season.

ISSA-LA Chapter President Accused of Fraud, Malfeasance and Breach of Fiduciary Responsibility

This story is part one of a months-long investigation conducted by vBTruth. During the investigation into the accusations of fraud, malfeasance, conflicts of interest, and breach of fiduciary responsibility, we at vBTruth ultimately felt this story warranted coming out of retirement and sharing these individuals’ combined stories. vBTruth is continuing its investigation and will report subsequent updates as new evidence is uncovered.

Sunlight is the best disinfectant. This mantra of transparency remains true today. After several months of attempting to resolve concerns of fraud, conflicts of interest, self-dealing, breach of fiduciary responsibility and malfeasance behind closed doors with no resolution, individuals are finally coming forward and shining a light.

Multiple individuals, including several current and past members of the ISSA-LA Chapter, have accused the current sitting ISSA-LA Chapter President and now former OWASP-LA Chapter President Richard Greenberg, and the current sitting ISSA-LA Chapter Vice President and now former OWASP-LA Chapter Vice President David Wettenstein, of fraud, conflicts of interest, self-dealing, breach of fiduciary responsibility and malfeasance. The accusations of malfeasance and breach of fiduciary responsibility are starting to extend to the current sitting ISSA-LA chapter board for turning a blind eye to conflicts of interest by the current Chapter President and Vice President, failure to enforce the bylaws of the chapter, and failure to remove the Chapter President and Vice President. The number of individuals making accusations appears to be growing larger and louder by the day. The number of victims continues to grow with each passing moment, and the number of casualties in this journey towards finding a resolution continues to rise.

On March 25, 2021, ISSA-LA Chapter President Richard Greenberg filed articles of organization with the Wyoming Secretary of State’s office, forming a new limited liability company: Layer 8 Masters. Legal business filings were obtained from both the Wyoming Secretary of State’s Office and the California Secretary of State’s Office. Listed in these business filings as members of the limited liability company were Richard Greenberg, Haral Tsitsivas, David Wettenstein, and Alexander Braehler. The purpose of the business is to host cyber security educational events under the brand “Planet Cyber Sec Conference”.

Since September 2021, Planet Cyber Sec has held 11 cyber security conferences throughout Southern California, including CIO/CISO Forums, AppSec SoCal, and other security conferences and events.

ISSA-LA, a 501(c)(3) nonprofit charity, is operated by a volunteer group of individuals who make up the leadership and board of ISSA-LA. These same volunteers have a primary place of employment from which they derive their income.

While it is not unethical to hold a primary place of employment and serve concurrently on a 501(c)(3) nonprofit board, nor is it unethical to directly compete against the nonprofit, it is questionable to start a brand new business that competes in the same industry, the same vertical, the same geographic area, and space (security conferences) that offers nearly identical services, and where the same for profit company and nonprofit obtains the vast majority of its income – while concurrently led by identical sitting leaders of both the for profit organization and nonprofit organization.

It is clearly unethical, and a clear conflict of interest, to use ISSA-LA members’ money and ISSA-LA’s non-profit resources, and to profit from a position as a leader in the non-profit, for the benefit of a for-profit organization, especially one directly owned by the ISSA-LA Chapter President and Chapter Vice President. The Chapter President and Chapter Vice President have been using members’ money, using member-owned resources, have a conflict of interest, and are potentially profiting from sponsorships and revenue from ticket sales at their for-profit enterprise while potentially leaving ISSA-LA members holding the bill on indirect expenses. Multiple individuals have raised these concerns privately and quietly, often having lengthy conversations and sharing their concerns.

Multiple newsletters sent by ISSA-LA share a consistent, repeating theme of offering an ISSA-LA member discount to attend Planet Cyber Sec events. Each email lacks any notification or disclosure to the reader that the current Chapter President and Vice President are owners of Planet Cyber Sec and have an equity and financial stake in the success of Planet Cyber Sec. Effectively, given the lack of transparency and how each email is phrased, any reasonable individual could perceive and interpret “Planet Cyber Sec” as an ISSA-LA organized event. vBTruth was able to obtain copies of newsletters and verify their authenticity.

One individual interviewed by vBTruth, on condition of anonymity because this individual had concerns about a recurrence of being harassed, defamed, and slandered by the Chapter President, witnessed firsthand the brand confusion and the promotion and sale of Planet Cyber Sec at other local events. Representatives from ISSA-LA gave away tickets, pitching them as “ISSA-LA is giving away two tickets to Planet Cyber Sec”. There was no disclosure to potential speakers and potential sponsors that Planet Cyber Sec is directly owned by the ISSA-LA Chapter President and Vice President.

The list of concerns continues, including inappropriate use of chapter resources such as mailing lists, chapter intellectual property, and multiple social media accounts across multiple platforms owned by ISSA-LA. vBTruth has independently verified that select social media accounts owned by ISSA-LA do indeed promote Planet Cyber Sec. In all instances, there are no disclosures that the Chapter President or Vice President are owners of Planet Cyber Sec.

This individual further alleges there was never any chapter board approval given to Planet Cyber Sec or its owners to promote Planet Cyber Sec, to use chapter social media, or to use other chapter assets in the manner they were used for Planet Cyber Sec. The same individual alleged that Richard Greenberg sent Planet Cyber Sec information across multiple marketing channels, all done without permission and a vote by the chapter board, effectively bypassing chapter board approval not once, but multiple times.

One individual vBTruth interviewed, on condition of anonymity because they feared retaliation and physical harm from the Chapter President, stated they had serious misgivings and concerns not just over the use of chapter resources, but over chapter members’ money. According to the individual, the Chapter President spent members’ money on himself on lavish, all-expenses-paid trips to RSA Conference in San Francisco, CA, and BlackHat USA in Las Vegas, NV. These trips were completely paid for by ISSA-LA members. These trips are not cheap. Hotels can easily run over a thousand dollars a night during RSA Conference and BlackHat USA, according to this individual. These board-approved trips were intended to raise the profile of ISSA-LA and build relationships with potential speakers and sponsors.

However, this individual alleged that the Chapter President was nowhere to be found during RSA Conference and BlackHat USA. This individual never ran into the Chapter President at the RSA Conference or BlackHat USA exhibit halls. Several other individuals with ties to the Chapter President never encountered the Chapter President on the exhibit hall floor. vBTruth was unable to verify the claim; however, the individual was able to provide multiple receipts and credit card bills showing their presence at RSA Conference and BlackHat USA. vBTruth was also able to find photos on social media indicative of and aligning with what this individual alleges, including one photo where the Planet Cyber Sec logo is clearly visible on a polo shirt worn by the ISSA-LA Chapter President while traveling on ISSA-LA members’ money.

At the same time, there were serious questions whether the time and money spent on these trips, or the use of LinkedIn, was for the Chapter President’s personal gain, his personal business, or for the Chapter. As one individual pointed out, “It is very hard to distinguish whether Richard was doing things to build his business or for ISSA-LA as they are all comingled together.” This pattern of using chapter-funded resources for personal gain extends to LinkedIn as well, as ISSA-LA is paying for the Chapter President’s LinkedIn Premium account.

The concerns of unethical behavior, using members’ money, using chapter resources, creating brand confusion, self-dealing, and the lack of transparency and reasonable disclosure have created various degrees of confusion. It is believed that more than one exhibitor thought they were sponsoring and giving money to ISSA-LA and not Richard’s Planet Cyber Sec. There has been at least one accusation that the President and Vice President were redirecting and diverting potential sponsors, money (through sponsorships and ticket sales) and speakers away from ISSA-LA events and towards Planet Cyber Sec while lining the Chapter President’s and Vice President’s own pockets.

The concerns have triggered a wave of resignations at ISSA-LA, with at least one confirmed resignation in protest of the unethical behavior by the Chapter President and Vice President. Based on information that vBTruth has been able to assemble, the board turnover at ISSA-LA has been extreme. Since May 2022, at least eight ISSA-LA chapter board members have resigned or have chosen not to continue on the board. Their roles range from Chapter Secretaries and Chapter Treasurers to multiple Directors. That is at least an 80% board turnover in 18 months on a ten-seat chapter board, or a 67% board turnover on a twelve-seat chapter board. Several individuals appear to have held board positions for multiple years and abruptly quit with no public reason given. Additionally, starting August 2023, six advisory board members also abruptly resigned over a short period of two months. Yet the President and Vice President continue to remain in power ten plus years later.

At least two board positions remain vacant to this day, in violation of the ISSA-LA bylaws: the Executive Director and Social Media Director positions. In the upcoming 2024 board elections for ISSA-LA being held December 2023, the position of Technology Director is unfilled, and the Executive Director and Social Media Director are mysteriously not on the ballot nor being advertised as vacant.

Citing these concerns, multiple individuals have privately raised numerous questions, concerns, and complaints to numerous organizations, including ISSA-LA, ISSA International, OWASP International, International Information System Security Certification Consortium, and other organizations, regarding the founders of Layer 8 Masters and Planet Cyber Sec.

At least one individual has expressed their concerns to one organization’s general counsel because they fear potential physical harm by the Chapter President, as well as slander as they have been the confirmed victims of slander by the Chapter President.

They also expressed no confidence in the ISSA-LA board or its independence. They firmly believed that any action brought by the members would not lead anywhere, because not enough victims or individuals would be willing to come forward and confront and challenge the Chapter President and Vice President in a meeting as written in the ISSA-LA bylaws. They have concerns that frustrated members and victims have chosen not to renew their memberships, refuse to get involved and have tried to move on, or have transferred as members to another chapter so as to keep their distance from the current Chapter President and Vice President. They also firmly believed that the board lacks independence because Richard Greenberg, Chapter President of ISSA-LA and face of Planet Cyber Sec, can appoint and fill vacant ISSA-LA board positions, per the ISSA-LA bylaws. They reasonably believe the board is now filled with the Chapter President’s cronies.

OWASP International appears to be the only organization that has conducted any investigation of the complaints and examination of the evidence to date on the unethical behavior of the Planet Cyber Sec founders. It appears that OWASP International found the complaints valid, as Richard Greenberg, Haral Tsitsivas, and David Wettenstein are no longer listed as leaders of OWASP-LA and OWASP-OC. vBTruth did not reach out to OWASP International to verify because their website cites confidentiality related to these types of issues.

Tensions, frustrations, and anger have reached a breaking point with multiple victims and individuals. Many are suffering from emotional exhaustion. They want to close the chapter on this saga.

Other than OWASP, these victims and individuals believe more than one organization has turned a blind eye. These organizations are refusing to take any action and refusing to move forward due to procedural semantics, because their policies do not allow whistleblower and anonymous submissions. Often these victims find themselves having to defend their decision to remain anonymous because of a deep fear of retribution. Multiple individuals have expressed similar concerns, including potential physical altercations, physical intimidation, defamation, slander, harassment, or libel between themselves and Richard Greenberg.

One question remains: Who actually cares about these ethics violations and will take action to stand up to these clear infractions and violations? An individual lamented that this has been a frustrating, disheartening, and discouraging multiyear process.

These victims feel abandoned. Alone. Exhausted. The very ethics and upstanding principles spoken of throughout the security industry ring hollow. These organizations are nowhere to be found when confronted with overwhelming evidence that something is amiss.

What lies ahead for each remains to be seen. And yet there are those who continue to champion the ethics, the morals, and the principles that so many seem to have conveniently forgotten.

vBTruth will be continuing its investigation into this story. Stay tuned for additional updates, including a Part 2 to this story.

Early Lessons Learned from Capital One Data Breach

Capital One, one of the nation’s largest financial institutions, announced that one of its employees had gone rogue and was responsible for stealing information from consumers and small businesses.

This information included personal information Capital One collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

Approximately 140,000 Social Security numbers and 80,000 linked bank account numbers were also compromised as part of the theft. One million Canadian Social Insurance Numbers were compromised as well.

Capital One stored consumer and small business information on S3, a cloud storage service offered by Amazon.com. The court complaint details the investigation conducted by the FBI, which found that an attacker was able to access and download data from up to 700 different S3 buckets.

There have been a number of different data breaches related to improper security controls at various organizations using Amazon S3.

Something as simple as a misconfiguration can have huge consequences for an organization’s reputation. With a growing number of data breaches, from medical records to purchasing habits, a comprehensive picture of the average individual is starting to emerge. With any technology implementation, due diligence must be performed to reduce the likelihood of a cyber breach.
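The misconfiguration the passage warns about is usually a policy that grants more access than intended. As an added example (not Capital One’s or AWS’s own code), the checker below walks an S3 bucket policy document and flags any Allow statement whose Principal is a wildcard and whose Condition does not narrow the caller. The two policy documents embedded in it are constructed for illustration, as is the list of condition keys treated as “narrowing”; the statement grammar (Effect, Principal, Action, Resource, Condition) is the documented IAM policy format.

```python
"""Flag S3 bucket policy statements that grant anonymous or overly broad access.

Added example for the Capital One discussion above; not code from Capital One
or AWS. Sample policies and the NARROWING_CONDITION_KEYS set are assumptions
for illustration.
"""
import json

# Condition keys that restrict who may call even when Principal is "*".
# This list is an assumption for the example; extend it for your environment.
NARROWING_CONDITION_KEYS = {
    "aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp",
    "aws:PrincipalOrgID", "aws:PrincipalArn", "aws:PrincipalAccount",
}


def _as_list(value):
    """IAM allows scalar-or-list for Statement, Action and principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal may be the string "*" or a mapping such as {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(who) for who in principal.values())
    return False


def _has_narrowing_condition(condition):
    """Condition is {operator: {key: value}}; a known key limits the caller."""
    for keys in (condition or {}).values():
        if any(key in NARROWING_CONDITION_KEYS for key in keys):
            return True
    return False


def find_public_statements(policy_json):
    """Return (Sid, reason) pairs for Allow statements open to anyone."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only tighten access
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if _has_narrowing_condition(stmt.get("Condition")):
            continue  # public principal, but scoped to a VPC/IP/org/account
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        if any(a in ("*", "s3:*") for a in actions):
            findings.append((sid, "wildcard principal with wildcard action"))
        else:
            findings.append((sid, "wildcard principal allows " + ", ".join(actions)))
    return findings


# Constructed sample: the weak setting (anonymous read, plus anonymous s3:*).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AdminAll", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})

# Constructed sample: the corrected setting (named role; VPC-endpoint-scoped
# access; a Deny that forces TLS). Account id and VPC endpoint are placeholders.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0placeholder"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_public_statements(doc))
```

Run against a real bucket, the policy document would come from a `get-bucket-policy` call rather than the embedded constants; the check itself is deliberately conservative and reports a finding whenever it cannot prove the caller is narrowed, which is the right default for a review tool.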

 

Cloud Computing does not outsource risk and security

Cloud computing is simply borrowing someone else’s computer. By no means does it equate to transferring the risk and security responsibilities to that entity. Risk and threat models need to reflect the change in ownership of the computers and where data lives on a day-to-day basis. At the end of the day, it is on executive management and senior management to understand and accept that the risks and security burdens are still on the organization, even though they appear differently operationally. Cloud is not the silver bullet for your security challenges.

Regular Reviews

We are all human. We make mistakes. No one is perfect. It is the reality of being mortal. It is important that assessments, audits, penetration tests, and red team engagements are performed on a regular basis. It is even more important that the mantra of trying to “pass” these engagements by any means possible be put behind us. Achieving a passing score is an important metric, but achieving it by any means possible sets an entire organization back because it does not allow the necessary resources to be allocated to address the gaps identified during these reviews. When sick, we do not get better unless we disclose all the symptoms so a doctor can assess and prescribe the correct medicine.

Soft Skills

Technologists, practitioners, subject matter experts, and management need better soft skills. The days of assuming that management understands everything are long gone. The days in which technologists and practitioners could stay in their cubicles or digital walled gardens are over. Technical experts need to improve their ability to communicate the risks of adopting technology. Management needs to press their technical experts to do proper due diligence to identify risks.

Audit, Logging, Monitoring, and Acting Upon Them

A huge saving grace for Capital One was the level of detail in the logs, which enabled them to reconstruct the series of unfortunate events. Organizations should have robust logging, and controls in place to protect those logs. However, despite Capital One having these logs, the data breach went undetected for close to four months. Consistent, active monitoring and knowing what to look for are essential to identifying anomalies quickly. Your threat hunters are looking for needles in ever-growing haystacks.

This data breach joins a long line of many. We cannot accept that data breaches are the new norm. As we learn more from this insider attack, we should draw more lessons to minimize the likelihood of another data breach of this magnitude. We must be vigilant at all times to protect the stakeholders who entrust us with their data, their identity, and their livelihood.

Repost of: “No, You Really Can’t” by Mary Ann Davidson

This is a copy of a recently deleted blog entry by Oracle Chief Security Officer (CSO) Mary Ann Davidson. It was some of the best writing we have seen in quite some time, and we felt it was worthwhile to post a copy on this blog for posterity. A more formal reply will be composed after we stop laughing hysterically.

No, You Really Can’t – by Mary Ann Davidson

I have been doing a lot of writing recently. Some of my writing has been with my sister, with whom I write murder mysteries using the nom-de-plume Maddi Davidson. Recently, we’ve been working on short stories, developing a lot of fun new ideas for dispatching people (literarily speaking, though I think about practical applications occasionally when someone tailgates me).

Writing mysteries is a lot more fun than the other type of writing I’ve been doing. Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. <Insert big sigh here.> This is why I’ve been writing a lot of letters to customers that start with “hi, howzit, aloha” but end with “please comply with your license agreement and stop reverse engineering our code, already.”

I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems. That said, you would think that before gearing up to run that extra mile, customers would already have ensured they’ve identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down – in short, the usual security hygiene – before they attempt to find zero day vulnerabilities in the products they are using. And in fact, there are a lot of data breaches that would be prevented by doing all that stuff, as unsexy as it is, instead of hyperventilating that the Big Bad Advanced Persistent Threat using a zero-day is out to get me! Whether you are running your own IT show or a cloud provider is running it for you, there are a host of good security practices that are well worth doing.

Even if you want to have reasonable certainty that suppliers take reasonable care in how they build their products – and there is so much more to assurance than running a scanning tool – there are a lot of things a customer can do like, gosh, actually talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals (or “good code” seals) like Common Criteria certifications or FIPS-140 certifications. Most vendors – at least, most of the large-ish ones I know – have fairly robust assurance programs now (we know this because we all compare notes at conferences). That’s all well and good, is appropriate customer due diligence and stops well short of “hey, I think I will do the vendor’s job for him/her/it and look for problems in source code myself,” even though:

  • A customer can’t analyze the code to see whether there is a control that prevents the attack the scanning tool is screaming about (which is most likely a false positive)
  • A customer can’t produce a patch for the problem – only the vendor can do that
  • A customer is almost certainly violating the license agreement by using a tool that does static analysis (which operates against source code)

I should state at the outset that in some cases I think the customers doing reverse engineering are not always aware of what is happening because the actual work is being done by a consultant, who runs a tool that reverse engineers the code, gets a big fat printout, drops it on the customer, who then sends it to us. Now, I should note that we don’t just accept scan reports as “proof that there is a there, there,” in part because whether you are talking static or dynamic analysis, a scan report is not proof of an actual vulnerability. Often, they are not much more than a pile of steaming … FUD. (That is what I planned on saying all along: FUD.) This is why we require customers to log a service request for each alleged issue (not just hand us a report) and provide a proof of concept (which some tools can generate).

If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, “static analysis of Oracle XXXXXX”), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already. (In legalese, of course. The Oracle license agreement has a provision such as: “Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs…” which we quote in our missive to the customer.) Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.

Why am I bringing this up? The main reason is that, when I see a spike in X, I try to get ahead of it. I don’t want more rounds of “you broke the license agreement,” “no, we didn’t,” “yes, you did,” “no, we didn’t.” I’d rather spend my time, and my team’s time, working on helping development improve our code than argue with people about where the license agreement lines are.

Now is a good time to reiterate that I’m not beating people up over this merely because of the license agreement. More like, “I do not need you to analyze the code since we already do that, it’s our job to do that, we are pretty good at it, we can – unlike a third party or a tool – actually analyze the code to determine what’s happening and at any rate most of these tools have a close to 100% false positive rate so please do not waste our time on reporting little green men in our code.” I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually time-wasting exercise.

For this reason, I want to explain what Oracle’s purpose is in enforcing our license agreement (as it pertains to reverse engineering) and, in a reasonably precise yet hand-wavy way, explain “where the line is you can’t cross or you will get a strongly-worded letter from us.” Caveat: I am not a lawyer, even if I can use words like stare decisis in random conversations. (Except with my dog, because he only understands Hawaiian, not Latin.) Ergo, when in doubt, refer to your Oracle license agreement, which trumps anything I say herein!

With that in mind, a few FAQ-ish explanations:

Question: What is reverse engineering?
Answer: Generally, our code is shipped in compiled (executable) form (yes, I know that some code is interpreted). Customers get code that runs, not the code “as written.” That is for multiple reasons such as users generally only need to run code, not understand how it all gets put together, and the fact that our source code is highly valuable intellectual property (which is why we have a lot of restrictions on who accesses it and protections around it). The Oracle license agreement limits what you can do with the as-shipped code and that limitation includes the fact that you aren’t allowed to de-compile, dis-assemble, de-obfuscate or otherwise try to get source code back from executable code. There are a few caveats around that prohibition but there isn’t an “out” for “unless you are looking for security vulnerabilities in which case, no problem-o, mon!”

If you are trying to get the code in a different form from the way we shipped it to you – as in, the way we wrote it before we did something to it to get it in the form you are executing, you are probably reverse engineering. Don’t. Just – don’t.

Question: What is Oracle’s policy in regard to the submission of security vulnerabilities (found by tools or not)?
Answer: We require customers to open a service request (one per vulnerability) and provide a test case to verify that the alleged vulnerability is exploitable. The purpose of this policy is to try to weed out the very large number of inaccurate findings by security tools (false positives).

Question: Why are you going after consultants the customer hired? The consultant didn’t sign the license agreement!
Answer: The customer signed the Oracle license agreement, and the consultant hired by the customer is thus bound by the customer’s signed license agreement. Otherwise everyone would hire a consultant to say (legal terms follow) “Nanny, nanny boo boo, big bad consultant can do X even if the customer can’t!”

Question: What does Oracle do if there is an actual security vulnerability?
Answer: I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem – that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time. However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can’t really expect us to say “thank you for breaking the license agreement.”

Question: But the tools that decompile products are getting better and easier to use, so reverse engineering will be OK in the future, right?
Answer: Ah, no. The point of our prohibition against reverse engineering is intellectual property protection, not “how can we cleverly prevent customers from finding security vulnerabilities – bwahahahaha – so we never have to fix them – bwahahahaha.” Customers are welcome to use tools that operate on executable code but that do not reverse engineer code. To that point, customers using a third party tool or service offering would be well-served by asking questions of the tool (or tool service) provider as to a) how their tool works and b) whether they perform reverse engineering to “do what they do.” An ounce of discussion is worth a pound of “no we didn’t,” “yes you did,” “didn’t,” “did” arguments. *

Question: “But I hired a really cool code consultant/third party code scanner/whatever. Why won’t mean old Oracle accept my scan results and analyze all 400 pages of the scan report?”
Answer: Hoo-boy. I think I have repeated this so much it should be a song chorus in a really annoying hip hop piece but here goes: Oracle runs static analysis tools ourselves (heck, we make them), many of these goldurn tools are ridiculously inaccurate (sometimes the false positive rate is 100% or close to it), running a tool is nothing, the ability to analyze results is everything, and so on and so forth. We put the burden on customers or their consultants to prove there is a There, There because otherwise, we waste a boatload of time analyzing – nothing** – when we could be spending those resources, say, fixing actual security vulnerabilities.

Question: But one of the issues I found was an actual security vulnerability so that justifies reverse engineering, right?
Answer: Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked. I’d like to tell you that we run every tool ever developed against every line of code we ever wrote, but that’s not true. We do require development teams (on premises, cloud and internal development organizations) to use security vulnerability-finding tools, we’ve had a significant uptick in tools usage over the last few years (our metrics show this) and we do track tools usage as part of the Oracle Software Security Assurance program. We beat up – I mean, “require” – development teams to use tools because it is very much in our interests (and customers’ interests) to find and fix problems earlier rather than later.

That said, no tool finds everything. No two tools find everything. We don’t claim to find everything. That fact still doesn’t justify a customer reverse engineering our code to attempt to find vulnerabilities, especially when the key to whether a suspected vulnerability is an actual vulnerability is the capability to analyze the actual source code, which – frankly – hardly any third party will be able to do, another reason not to accept random scan reports that resulted from reverse engineering at face value, as if we needed one.

Question: Hey, I’ve got an idea, why not do a bug bounty? Pay third parties to find this stuff!
Answer: <Bigger sigh.> Bug bounties are the new boy band (nicely alliterative, no?). Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers. (Small digression: I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us except – we had already found all of them and we were already working on or had fixes. Woo hoo!)

I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on. This is one of those “full immersion baptism” or “sprinkle water over the forehead” issues – we will allow for different religious traditions and do it OUR way – and others can do it THEIR way. Pax vobiscum.

Question: If you don’t let customers reverse engineer code, they won’t buy anything else from you.
Answer: I actually heard this from a customer. It was ironic because in order for them to buy more products from us (or use a cloud service offering), they’d have to sign – a license agreement! With the same terms that the customer had already admitted violating. “Honey, if you won’t let me cheat on you again, our marriage is through.” “Ah, er, you already violated the ‘forsaking all others’ part of the marriage vow so I think the marriage is already over.”

The better discussion to have with a customer – and I always offer this – is for us to explain what we do to build assurance into our products, including how we use vulnerability finding tools. I want customers to have confidence in our products and services, not just drop a letter on them.

Question: Surely the bad guys and some nations do reverse engineer Oracle’s code and don’t care about your licensing agreement, so why would you try to restrict the behavior of customers with good motives?
Answer: Oracle’s license agreement exists to protect our intellectual property. “Good motives” – and given the errata of third party attempts to scan code the quotation marks are quite apropos – are not an acceptable excuse for violating an agreement willingly entered into. Any more than “but everybody else is cheating on his or her spouse” is an acceptable excuse for violating “forsaking all others” if you said it in front of witnesses.

At this point, I think I am beating a dead – or should I say, decompiled – horse. We ask that customers not reverse engineer our code to find suspected security issues: we have source code, we run tools against the source code (as well as against executable code), it’s actually our job to do that, we don’t need or want a customer or random third party to reverse engineer our code to find security vulnerabilities. And last, but really first, the Oracle license agreement prohibits it. Please don’t go there.

* I suspect at least part of the anger of customers in these back-and-forth discussions is because the customer had already paid a security consultant to do the work. They are angry with us for having been sold a bill of goods by their consultant (where the consultant broke the license agreement).

** The only analogy I can come up with is – my bookshelf. Someone convinced that I had a prurient interest in pornography could look at the titles on my bookshelf, conclude they are salacious, and demand an explanation from me as to why I have a collection of steamy books. For example (these are all real titles on my shelf):

    1. Thunder Below! (“whoo boy, must be hot stuff!”)
    2. Naked Economics (“nude Keynesians!”)***
    3. Inferno (“even hotter stuff!”)
    4. At Dawn We Slept (“you must be exhausted from your, ah, nighttime activities…”)

My response is that I don’t have to explain my book tastes or respond to baseless FUD. (If anybody is interested, the actual book subjects are, in order, 1) the exploits of WWII submarine skipper and Congressional Medal of Honor recipient CAPT Eugene Fluckey, USN 2) a book on economics 3) a book about the European theater in WWII and 4) the definitive work concerning the attack on Pearl Harbor.)

*** Absolutely not, I loathe Keynes. There are more extant dodos than actual Keynesian multipliers. Although “dodos” and “true believers in Keynesian multipliers” are interchangeable terms as far as I am concerned.

**** I might be exaggerating here. But maybe not.

#1YearToGo and Brazil Launches Corruption Probe in Olympics Scandal

Members of a local rowing club practice among floating dead fish at the Rodrigo de Freitas Lagoon that will host rowing and canoeing events during Rio 2016 Olympic Games. (Yasuyishi Chiba/AFP/Getty Images)

One of our readers sent in a couple of news tips about how the Brazilian Government is launching a massive investigation into the corruption associated with the 2016 Olympic Games.

Here are a couple of highlights from the main article that caught my attention:

  • Rio’s city government is at times being forced to act like a bank, lending companies money to prevent a slowdown in construction
  • OAS, one of Brazil’s biggest construction firms, filed for bankruptcy protection in March after its credit lines dried up. OAS is part of the group that is behind the very much delayed Deodoro Sports Complex.
  • Mendes Junior SA backed out of a contract to fix the drainage around the Maracana soccer stadium set to host Olympic matches.
  • Rio has admitted it will fail to make good on promises it made in its Olympics bid to improve the sewage system and reduce water pollution in the Guanabara bay by 80 percent.

Forgive me, but the fact that the Rio government is bailing out construction companies is quite concerning. Moreover, it appears the Government itself is also at fault for not paying these construction companies in time so they can complete payroll and pay operational costs. Combine that with the recent discovery of Glanders disease at Rio Olympic sites, and we have a disaster beyond our imagination waiting to happen. Even Glanders is recognized by the Centers for Disease Control as something that could potentially infect humans, despite it normally affecting animals.

What we have here, ladies and gentlemen, is a disease-ridden country, with corruption that has touched all corners of the Rio government, to the point that it can’t even pay its own vendors on time. Moreover, it’s these same vendors who are caught up in a massive investigation on accusations of bribery and corruption.

We are ONE YEAR AWAY from RIO and we’re just barely dealing with this? I walk away from this article in disbelief that two construction firms are in massive trouble, with one of Brazil’s largest firms about to go under because of the sheer crushing volume of debt and another that has broken contractual agreements (likely because of the lack of payments from the Brazilian government). That’s two construction companies that are likely not operating or assisting in construction.

We also have two sources of infectious disease impacting guests and athletes of the 2016 Olympic Games: contaminated water and sewage in Guanabara Bay AND now Glanders impacting horses, trainers, vets, and countless others.

The 2016 Olympic Games are becoming a death trap. There are no backup plans for ANY of the venues, and right now, both animal and human lives are at risk.

If I were an athlete, I would say no to Rio. If I were a coach, I would be demanding the IOC move the 2016 Summer Olympic Games right now.

It’s clear that no amount of money thrown at these problems will correct them in a manner that would be safe for both spectators and athletes. The most valuable currency the Rio and Brazilian governments need is time, and it is something they do not have enough of.

It is after all one year until the 2016 Summer Olympic Games.