This story deals with lying, theft, social networking, law, mystery, and an uncertain outcome. My longtime friend and colleague, the distinguished security-awareness expert K Rudolph of Native Intelligence, tells a tale of horror and mayhem suitable for Hallowe'en reading.
* * *
It was a dark and stormy night, or it should have been. Tuesday night, Sept. 23, 2008, around 7 p.m., I visited the (ISC)² Cyber Exchange Web site established to celebrate the upcoming National Cyber Security Awareness Month. I wanted to help make the world cyber safer by entering awareness materials in the (ISC)² annual contest. In addition to use in the contest, (ISC)² makes the submitted materials available for download as useful awareness tools and as the contest voting mechanism. The contest submission downloaded the most for each category (posters, brochures, presentations, and videos) wins the submitter fame and fortune - well, $1,000, anyway.
I chose a poster to enter and wanted to see how it compared with what had already been entered.
The loud “ka-clunk” that you might have heard about 7:15 that Tuesday was my jaw hitting the floor when I discovered that someone had already entered the poster that I was planning to enter - a poster I developed and for which I hold the copyright. He entered it with my copyright notice removed and he claimed ownership of the work. He entered it under his own name, which I will refer to as “Mud.”
Mud had chosen well, but not wisely. He entered the Dumpster Diver poster. Created in 2001, the Dumpster Diver was one of the first posters my company developed. This poster didn’t originate in a computer; it was drawn by hand, inked, scanned into electronic versions, colored, and finalized. Our professional cartoonist, Charles Filius, created that poster. I have copies of the original pencil sketches and ink drawings. Charles has the originals.
I googled for Mud and found that he had studied law for several years. Mud had worked for a famous high-technology firm for nearly a decade as an information security manager. Mud listed ethical hacking as one of his skills. His profile showed that he claims three certifications: CEH (Certified Ethical Hacker), OSCP (Offensive Security Certified Professional), and surprisingly, the CISSP (Certified Information Systems Security Professional). [I have deliberately obscured the details to prevent anyone from homing in on Mud’s real name through data aggregation.]
CISSPs agree to abide by a code of ethics with four canons, and the second canon says that members must “Act honorably, honestly, justly, responsibly, and legally.” To enter the contest, Mud had to agree that: “By submitting your work… you agree that you own all copyright in the work posted, unless otherwise indicated and properly attributed in the work.” Apparently Mud hadn’t read either the CISSP code of ethics or the contest requirements - or he felt that they didn’t apply to him.
The rot thickens.
I went back to the (ISC)² Web site for a closer look. Mud hadn’t just stolen one image; he’d stolen 11 of my images. He’d entered my images 12 times (he entered one of the images twice). Mud had even taken one poster with a photograph that I took while in Las Vegas when I was speaking at the CSI SX Conference this past April. Taking one poster might be a mistake, but 12 was enemy action.
* * *
In part 2 of this series, K Rudolph tells us about her response to the blatant theft of her intellectual property.
* * *
K Rudolph, CISSP, is the founder and chief inspiration officer of Native Intelligence, Inc.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.