Stolen Tests Threaten IT Certifications

If you've scoped out storage IT certifications lately and are ready to take action in getting one or two, think about this: That certification could cost you your job.

In response to our recent feature on IT certification, a range of sources emerged with alarming news: A number of Websites are coming under fire for reportedly snaring customers into certification training that isn't authorized. As a result, some of these sites have been disgraced, and the certifications they offered revoked.

Called "braindumps," these sites are active businesses that often guarantee candidates a passing grade on certification tests on the first try. Trouble is, their materials are based on copies of tests or test answers stolen from vendors like EMC, HP, IBM, Microsoft, and VMware. Even SNIA certification materials are for sale on braindump sites.

In other, even shadier instances, so-called gunmen or hired hands will take tests for a fee simply in order to get the questions. Others, called cheaters, will sell test answers on eBay, or they'll volunteer as proxy test takers to take tests in place of a candidate seeking certification.

"Certification vendors, such as those you also mention in your article, have become increasingly aware of the problems those braindump sites are causing in the industry. Because of the problems caused, the vendors have started taking serious action against those illicit sites and are working towards having their content removed," wrote Robert Williams, CEO of CertGuard, in an email to Byte and Switch this week.Williams, a veteran of the U.S. Navy, founded CertGuard in 2006 after finding out that an instructor in his Cisco certification course was actually using pirated certification materials. "I quit the course and decided to devote my time to exposing the problem," he says.

Figure 1: Robert Williams, CEO, CertGuard Inc.

Just how widespread is the problem? Williams says it's enough to be troublesome: According to his research, between June 2007 and March 2008, 7 braindump sites have been closed; 7 gunman sites have been closed, and 54 individuals have been prosecuted for cheating on tests, falsifying test results, or being caught at a test facility where security issues arose.

Another company says the issue of stolen test results is epidemic when it comes to IT certifications. "The biggest problem are tests that are stolen and sold. That is devastating to a testing program and in the IT area, it's huge," says Don Sorensen, VP of marketing for Caveon, a five-year-old Utah firm that specializes in rooting out security problems in standardized tests. (More on Caveon momentarily.)

Vendors involved in certifications, however, don't seem as keen as Williams or Sorensen to nab suspects, even though CertGuard's research shows that several storage vendors are among the top 20 "most braindumped" certifiers, as per the list below:Table 1: The Top 20 Most 'Braindumped' Certifiers

So far, Microsoft has been the most aggressive certifying company in defending its legal case against braindumpers. In 2006, Redmond sued TestKing, a U.K.-based site that offers a range of certification tests. A court reportedly ruled that TestKing had to stop dealing in some Microsoft certification materials. However, the site continues to offer a wide range of certifications, including a full complement of SNIA certifications.

Some storage vendors don't seem to share the urgency of CertGuard or Caveon. "These sites are not a priority for us. And that is all I will add today," wrote Eric Brown, senior director of corporate relations at NetApp in an email to Byte and Switch.

An EMC spokesman was less reticent: "EMC is making a significant investment in protecting the integrity of our exams and EMC Proven Professional certification," wrote spokesman Colin Boroski in an email today. "EMC and others in the IT industry are pioneering ways to identify and take action against individuals who knowingly use stolen exam content to prepare for their exams."

Boroski adds that at a recent conference of the

Association of Test Publishers, over 150 individuals participated in a Test Security Summit on preventing exam fraud. "We can all benefit from recent advancements in this area," he says.Boroski cautions that before buying study materials or certification from a Web site, IT pros should contact the vendor whose certification they are seeking to make sure the site is legit.

A SNIA spokesman also warns would-be candidates to check things out. "We highly recommend that any IT professional researching and planning to take a certification exam start with trusted sources of information," says Vincent Franceschini, chairman of the Storage Networking Industry Association (SNIA). The SNIA Website offers a list of names and contacts for vendors certified to offer SNIA certifications, he says. Folk can also contact SNIA with questions on certification at [email protected].

To Page 2

Certification prospects also have the option of checking out sites like CertGuard's, where Robert Williams and his chief security officer Taylor S. Ripley have become self-appointed watchdogs of the IT certification market. Their site is filled with information about illicit certifications.

The house specialty is a search tool that verifies whether a URL leads to a braindump site. (Among those positively identified are TestKing.com, pass-guaranteed.com, and pass4sure.com.) Behind this free service is a database of hundreds of braindump sites, which Williams and Taylor have assembled over the last two years."By creating a search tool, I don't help promote the bad guys, but I can still alert people as to who they are," Williams says.

CertGuard makes money in advertising, but Williams and company are also hoping to work with vendors and test labs that turn up on their list as legitimate outfits. They will also do Internet research for certification companies on a per-hour basis, starting at a modest $75 to $100 per hour. The goal? To find all hints of certification fraud or stolen test materials for sale on the Web. The CertGuard team will also pass along its findings to lawyers with whom it has reference partnerships -- although CertGuard takes no cut for this. "Once we pass it to the lawyers, our job is done," Williams says.

Caveon also offers a "Web Patrol" service, in which it systematically searches the Web for test content. According to spokesman Don Sorensen, Caveon sleuths will buy the content, compare it against a vendor or group's actual tests, and then work with the vendor's internal legal department to try and get the content taken off the Web.

"Sometimes a simple cease-and-desist letter works, sometimes it takes a whole lot more," Sorensen says.

Caveon also offers services that use forensic data analysis to nab phony test takers -- often a hallmark of hired guns or proxy test takers. Caveon will sift test results from a specific company and flag warning signs.Some patterns that indicate a test-taker is up to something include taking tests in too short a time, answering everything correctly, or getting an odd balance between right and wrong answers that indicates the test-taker may really be simply taking a test to memorize or record the questions instead of having an interest in the score.

Caveon doesn't specialize only in IT certification, but extends its purview to cover clinical, educational, industrial, and organizational testing in any industry. But Sorensen says that IT certifications represent at least 20 percent of the firm's overall business.

Among Caveon's clients is Sun. "[Caveon's] Data Forensics [services] help us to see a clearer picture of what is really happening... giving us 'red flags' to help identify not only where unusual testing patterns are occurring, but who is involved," states Steve Moore, certification program manager at Sun, in a prepared statement.

Given the reported size and scope of the bogus certification problem, storage managers would do well to ensure they're not among those involved.

Neither TestKing nor pass-guaranteed.com had responded to requests for comment at press time.Have a comment on this story? Please click "Discuss" below. If you'd like to contact Byte and Switch's editors directly, send us a message.