attrition.org Errata - Charlatans

Charlatans Charlatans... the fakes in the industry. Below, we point out a few cases of fakes walking among us. Some of the groups or companies listed below don't fall so much into the 'charlatan' category, but are pointed out for other reasons. As humans, we all make mistakes. The issue isn't that these people made mistakes, it's that they won't own up to them, lie to attempt to cover their actions, or use it to further their personal agenda at the expense of the industry. Like many parts of the entire Errata page, this section is incomplete. Don't let a lack of bullets and references under a given name mislead you. They were put here for a reason, even if we haven't had time to fully document it in one place. Fred Cohen has written an interesting paper entitled "The Seedy Side of Security" that covers some of the concerns we share. Yes, there is some personal bias in this page. Being in the security industry in various capacities, these people make our lives more difficult and negatively impact our business and passionate hobbies. Read the material with a grain of salt; don't implicitly trust us. Make your own decisions based on all the facts you can find, not just what you read here.

A note on 'establishing a charlatan': the term charlatan is a bit subjective. There is no defined standard for using the word. To attrition.org, one of the key elements is intentionally misleading or deceiving people to promote oneself. Typically this is subtle, as a charlatan will begin to fudge and blur details over time; what used to be "five years" will slowly become "seven years" or "ten years". Charlatans do not like the idea of peer review and may hide behind varying degrees of secrecy, ranging from fake clearance levels to non-disclosure agreements (NDAs) that don't exist. Any one event listed on these pages may be dismissed as an error or oversight, but put together they begin to paint a more accurate picture of a history of falsehoods and intentional deception. Others may be on that road and not realize it.



Security (Technical)


Frank W. Abagnale Jr. Self-described "master con" is actually one, but not in the manner he claims. His escapades that spawned a book and major motion picture were fabricated. His 30+ year career of claiming he was the #1 fugitive on the FBI's most wanted list, among other things, is the foundation of his actual con: outrageous speaking fees. Read more about his creepy and misogynistic behavior in addition to his claims of being a master con who works with the FBI. [More information.]
Walter O'Brien Self-proclaimed genius, outlandish claims of computer wizardry, CEO of a supposed billion-dollar company, and the basis of the CBS TV show "Scorpion". In reality, basically every claim O'Brien has made does not stand up to any level of scrutiny. With the airing of the TV show, O'Brien is riding the publicity wave, still peddling his claims. [More information.]
Gregory D. Evans A supposed "hi-tech hustler", plagiarist and convicted criminal, Evans has invented himself as some form of hacker with the ability to break into anything and spin that supposed knowledge into advising companies on security. Now with 'LIGATT Security', he is leading their questionable campaign to increase stock value through press manipulation. [More information.]
Ankit Fadia Fadia is a self-claimed expert on computer security, a shameless self-promoter and the author of numerous books containing plagiarized material, and he has made numerous claims with little to no peer review of his actual knowledge or skills. A (former) fifteen year old claiming to be an expert on computer or network security is absurd. [More information.]
Simon Joseph Smith Simon Smith is arguably one of InfoSec's most prominent charlatans to appear in 2016/2017. Some veterans of the industry still question if he is an elaborate troll or a person doing business in the security industry. [More information.]
Dr. Ali Jahangiri A questionable Sc.D holder and book plagiarizer, Jahangiri is a self-proclaimed information security expert with 14 years of experience. With a list of certifications and education bona fides that scream "career academic", his public offerings have been few and far between. [More information.]
Laura Callahan Laura Callahan is a former senior director at the United States Department of Homeland Security who resigned after an investigation revealed that she had obtained academic degrees from a diploma mill. She is also a former Deputy CIO of the US Department of Labor and former senior information technology manager at the White House. [More information.]
Dan Verton What started out as occasional articles in news outlets turned into a full-blown ego-laden pundit writing books and even testifying before Congress. A supposed expert on cyber-war, his primary ability is generating fear, uncertainty and doubt (FUD) rather than rational information. [More information.]
Dr. Bill Hancock "Dr." Hancock is enshrouded in lies and half-truths; his purchased educational degrees (including a doctorate), lies about serving as a U.S. Navy SEAL and obvious lies about work experience are the tip of the iceberg. [More information.]
Kim Schmitz (aka Kimble) Schmitz, a convicted criminal, found a world of press ready and willing to bite on his stories of hacking, some of which are almost a direct rip-off of another charlatan (se7en). This may be one of the better cases demonstrating that media outlets want sensationalism, not the truth. [More information.]
Ian Murphy (aka Captain Zap) Murphy, a convicted petty criminal, has lied about military service, government work, technical skills and everything between, forging a business based on lies and half-truths about his past 'hacking' experiences. [More information.]
Frank Jones (aka SpyKing) Jones, a felony-convicted scammer, built a life on selling fraudulent services and goods that were never delivered. Having claimed insanity in an attempt to avoid conviction, he has continued to operate in the security and TSCM industry as best he can. [More information.]
Steven Gibson / GRC Perhaps the most "colorful" charlatan, a marketer by trade, Gibson has moved into the security industry telling us about software company conspiracies, re-inventing years-old security technologies and dishing out emotional manipulation as "facts". [More information.]
Ira Winkler Keep your distance, for this man can hack your company and steal a billion dollars! Where most security professionals operate based on fact and relevant experience, Winkler has built an entire career on an overhyped and questionable penetration test that he may not have actually participated in, and then let his ego run wild with it. [More information.]
Christian Valor (aka se7en) One of the earlier frauds in the industry, the only talent Valor ever displayed was manipulating the media and friends. His claims of hacking ability eroded as quickly as his claims of security knowledge. [More information.]
John Flowers Caught lying about his education to better solicit investments, Flowers' claims of past hacker activity are questionable and have not been verified by a third party. [More information.]
Carolyn Meinel (aka HappyHacker) After at least seventeen distinct career changes, any notion that Meinel was a security expert or had any technical ability beyond Windows parlor tricks is misplaced. [More information.]
John "JP" Vranesevich Not only a fraud, Vranesevich's short lived "career" as a security expert was based on exploiting those around him, changing morals and ethics as it suited him, and walking all over the industry he claimed to be influential in. [More information.]


Journalists


Michelle Delio (Wired / Freelance) Michelle Delio wrote countless articles with anonymous sources and questionable quotes. After careful review by other journalists, it was quickly determined that she was fabricating sources and quotes. Additionally, one of her most oft-cited sources ended up being someone she was romantically involved with. [More information.]
James Glave (Wired) Glave is not only a sub-par journalist, his ego blinds him to the ability to improve his work. Putting out a challenge to find errors in his articles was hopefully a wake-up call for him. [More information.]


Companies


EC-Council EC-Council, the company behind the 'Certified Ethical Hacker' (CEH) certification, has a tendency to forgo ethics and profit off plagiarized content from other sources. [More information.]
ICSA Labs ICSA Labs, formerly NCSA and now part of Verizon Business under the Cybertrust blanket, is "committed to .. meet or exceed our stakeholders' expectations", which raises the question of their testing methods and vendor neutrality, among other things. [More information.]
InfoSec Institute InfoSec Institute (ISI), a company offering security training, pen testing classes and more, routinely plagiarizes content for their classes, profiting heavily off it. [More information.]
Hakin9 Hakin9 online magazine does not rely on ethical business practices to sell copy. [More information.]
mi2g Limited If you ask them, mi2g Limited, a "security intelligence firm", will tell you they have been in the security industry as far back as 1995, at least "collecting data". In reality, mi2g only popped up in 1999 as a security outfit of any sort. Since then, the chain of absurd press releases, outlandish "research", and outright lies has been a plague on the security industry. [More information.]


Bogus 'Cyber Security' Crowd-funding Projects (via Security Snake Oil)


DataGateKeeper A product called DataGateKeeper (DGK) is looking for $25,000. Their claims are that it's anti-hacking software that provides encryption levels far more advanced than AES. [Update #1] [Update #2]
Blindeagle Blindeagle is asking for 90,000EUR for a product that promises private and secure communication with anyone over the internet.
Kiri Another person has decided that a Raspberry Pi and a seemingly stolen operating system is good enough to promote a KickStarter project that promises complete computer security. [Update]


Copyright by Attrition.org. Permission is granted to quote, reprint or redistribute provided the text is not altered, and appropriate credit is given.

