Maybe I should be certified…

…or at least put in a home for retired security pundits where someone can make sure I take my medication on time, but I intend to go on blathering about security issues for a while yet. (At any rate as long as ESET continues to pay me to pontificate.)

Nevertheless, it’s officially the end of an era, though a very minor ripple on the surface of the Sea of Security. As of the end of August 2014, I will no longer be entitled to put the acronyms CISSP, FBCS, or CITP in my signature. (In fact, I haven’t been using those manifestations of alphabetti for quite a while now, in anticipation of this day. Or, more precisely, the 31st August.)

There’s nothing sinister about this: I haven’t been drummed out of (ISC)2 or the BCS Institute for conduct unbefitting a computer security guru: I’m simply dropping my annual subscriptions to those organizations. I’m still in sympathy with the general aims and ethics of both organizations. There are many otherwise rational people in the security business who are dismissive of any form of certification that results in an artificially lengthened signature, but I’m not one of them. These particular acronyms acknowledge many years of working to improve the security of the organizations for which I’ve worked since 1986 and the community as a whole: I’m honoured by that recognition of whatever I may have achieved in that time, and refuse to be ashamed of having been entitled to use them. So why am I letting them go?

First, let me save you anxiously searching the web for an explanation of all those acronyms:

  • CISSP = Certified Information Systems Security Professional: a certification awarded by (ISC)2 (formerly the International Information Systems Security Certification Consortium) to security professionals who meet the required criteria in terms of knowledge (as tested by a lengthy exam), relevant experience (at least 5 years), compliance with the (ISC)2 code of ethics, endorsement by a member in good standing, and maintenance of your own good standing by earning at least 20 CPE (Continuing Professional Education) credits and keeping up to date with the subscription fee.
  • FBCS = Fellow of the BCS Institute (formerly the British Computing Society): to quote the Institute’s own criteria, Fellows “demonstrate leadership in the profession by influencing significant numbers of professionals and/or others to achieve common goals, understanding or views within the IT profession.” So maybe all those books do count for something, even if they didn’t benefit my bank balance much.
  • CITP = Chartered IT Professional: I was actually grandfathered into this certification, also awarded by the BCS Institute, because I met the requirements for acceptance as a Fellow. I’m not sure if BCS still does that: the normal certification process is quite stringent, and has in fact been made more demanding in recent years.

So, to answer the question “why am I dropping my subscriptions?”, I first have to make a confession. I didn’t maintain those subscriptions out of some purely altruistic desire to further the aims of (ISC)2 and the BCS, though of course I’m happy that my money went towards the attainment of goals that I’m generally in sympathy with. But – shock! horror! – my primary aim was to demonstrate that I have certifiable skills and acknowledged achievements that gave me credibility in the eyes of my peers and enhanced value in the job market. Like most people, even the good people who run (ISC)2 and the BCS (not to mention other organizations like ISACA and SANS), I have to make a living, though I’m fortunate in that I can do so by doing work that I enjoy and for which (I like to think) I have some ability. Over the last year, I’ve made a cost/benefit analysis (as all CISSPs are taught to do!), and while the cost of those subscriptions isn’t high, the benefits are not what they were:

  • I’m already past the age where I could, if I chose, be drawing my state pension. When either ESET – where I still hold the title Senior Research Fellow – or I choose to terminate our current arrangement, it’s unlikely that I’d look for another job. If I did, it probably wouldn’t be in security. And if it was in security, it certainly wouldn’t be the sort of managerial role where being a CISSP is sine qua non.
  • I haven’t been seriously engaging with BCS for some time, at any rate not at the level where being a Fellow matters. And I don’t see myself as a candidate for the sort of academic milieu where being FBCS might carry weight.
  • I no longer find it amusing to flaunt my alphabetti on those lists where it’s assumed that anyone with the letters CISSP after their name must be either a cheat or an idiot with delusions of grandeur and competence. Or, according to one person who commented on one of my articles for ESET, as compensation for underdeveloped genitalia. I can’t imagine how he knew. 😉
  • I actually have certifications that don’t entitle me to a string of acronyms. Not that I’m likely to look for work as a security auditor (for instance) at this stage, but perhaps it’s time to relegate all this stuff to my c.v., which I haven’t needed for a long time now and don’t anticipate needing much in the future. And Wikipedia, maybe. 🙂

So from now on, I guess I’ll have to stand or fall by the quality (or lack of it) of my published work. But then, most of the time, I always have. And if I feel the need to expand my signature, I’ll have to fall back on my humble BA. (Now that’s a qualification I am proud of, having completed it under stressful circumstances: that is, as a new parent with a full-time job.)

I may well return to the topic of certifications, though. I addressed it at some length in a chapter in the AVIEN Guide, but maybe it would be a good topic to follow up on the ESET blog.

David Harley
Small Blue-Green World

Malicious Android: why the Birds are Angry

It’s no secret that trojans that misuse premium SMS services are one of the most prevalent problems in the mobile malware arena. However, the flood of “Lagostrod” and “Miriada” so-called free knock-offs of real games are peppered with code that sends text messages to premium services. Mikko Hypponen retweeted an estimate, based on comments to reddit, that the attackers could have made around $12,000,000.

According to Sophos’ Vanja Svajcer:

After more than a day on the market, the applications were pulled off by the Android Market security team. Google’s reaction has been quick, but not quick enough – at least ten thousand users downloaded one of the malicious apps from the list.

Much more information on the event in Vanja’s blog and in Sean’s blog for F-Secure.

I hope to see an apology from Chris DiBona for suggesting that anyone working for an AV company should be ashamed of themselves if they have a product for Android, Blackberry or iOS, but won’t be holding my breath.

(Yes, this is the sort of stuff I usually post to Mac Virus, but it’s not really Apple-related, I guess, so I think I’ll probably do more of it here.)

Small Blue-Green World/AVIEN/Mac Virus
ESET Senior Research Fellow

Before you get to the blogs further down…

Welcome! Check out the links on the menu above to find out about Small Blue Green World. This is the gateway to the various blogs and bits and bobs that constitute the SBGW presence on the web.

Essentially, this is a consultancy offering services to the security industry, launched by David Harley in 2006 and with one main customer (ESET), so this particular page isn’t maintained very regularly: it has (currently) no commercial/advertising function, but it includes some papers/resources that may not be available elsewhere. The blogs linked here, however, especially those to which I contribute on ESET’s behalf, are maintained regularly.

The services I provide to ESET are quite wide-ranging, but they include blogging on the ESET blog page. I stopped contributing to SC Magazine’s Cybercrime Corner some time ago, and that page seems to have been removed. I’ll be looking back over my articles for that venue to see which might usefully be republished. Sometime…

I did write fairly regularly for Infosecurity Magazine, primarily on Mac issues, but haven’t done so for a while. Other authoring and editing includes conference papers, white papers and so on.

The ESET Threat Center and We Live Security pages include links to a range of resources. More specifically, the ESET resources page includes white papers written specifically for ESET, papers for external conferences and workshops submitted on ESET’s behalf, links to articles written for outside publications and sites, again on ESET’s behalf, ESET’s monthly threat reports, for which I often provide articles and editing, while some of my conference presentations are available as slide decks here.

Some articles and conference papers can’t be posted on a commercial site for copyright-related reasons, so I tend to post them on this site instead. When I remember. Specifically, most of that stuff is now posted to Geek Peninsula.

AVIEN (formerly the Anti-Virus Information Exchange Network), which was run as an independent organization by myself and Andrew Lee (and before that by Robert Vibert), is still hosted on its own web site and has its own blog page hosted there, but I’m no longer heavily associated with the organization except as an occasional blogger there. I do maintain (intermittently) a phone scam resources page there.

I run several other specialist security blogs completely independently of ESET, and these include a blog focused on hoaxes, spam, scams and similar nuisances (thanks to ESET N. America CEO and long-time friend and colleague Andrew Lee, you can also access this as, and another that focuses (mostly) on Apple malware: essentially, it’s the current incarnation of the old Mac Virus web site originally founded by Susan Lesch, and sometimes includes contributions from Old Mac Bloggit, the well-known pseudonym.

We no longer host the AMTSO blog, and I don’t do any administration on the main AMTSO site any more. I do, however, maintain an independent AV-testing blog/resource called, imaginatively, Anti-Malware Testing, and this archives most of the articles I originally posted on the old AMTSO blog – of course, they do not represent AMTSO’s official views. I also blog occasionally at other sites, including Infosecurity Magazine, (ISC)2 and Securiteam. I used to flag current articles, papers, blogs and media coverage at The Geek Peninsula (most of this is also tweeted via but I was having trouble remembering to update it. I’m now using it as a repository for (most of) my papers, some of my articles, pointers to my current and past blogs, and so on.

If you find any broken links on this site please let us know so we can fix them and please use the contact page to get in touch. Thank you.

David Harley
Small Blue-Green World
ESET Senior Research Fellow