The Problem with Overnight Experts

Today's Example: Robert 'Bobby' Siciliano

Jericho

Mon Nov 12 17:55:42 CST 2012


The term "expert" does not have a strict definition. There is no precise time frame or point in time where one moves from layperson to expert. According to Merriam-Webster, an expert is someone "having, involving, or displaying special skill or knowledge derived from training or experience". Of course, "special" in that context does not have a strict definition either. Turning to Wikipedia, the site begins by defining an expert as "someone widely recognized as a reliable source of technique or skill whose faculty for judging or deciding rightly, justly, or wisely is accorded authority and status by their peers or the public in a specific well-distinguished domain". That is a little more descriptive and allows us to set criteria for the word.

Personally, I have never liked the term expert, because it is entirely too subjective. Someone with 5 years of experience will look like an expert compared to a 2-year rookie. Both will look like rookies to a person with 20 years of experience and training. That said, I do know an expert when I interact with one in the right setting. A person becomes an expert in a field through having an inherent ability to learn and sufficient time and exposure to the field to do that learning. As someone who has contributed heavily to the Errata project's charlatan page, I am fairly well versed at spotting people who are not experts. A frequent tell-tale sign of someone who claims to be an expert but is not is the 'overnight' phenomenon. One day they are flipping burgers, the next they are a counter-terrorism expert.

We've seen this in the past, not only with individuals but with companies. For example, the company mi2g claimed to be a security intelligence firm at one point, when their history was centered around running a forum on automobiles. Today's example of an overnight expert comes in the form of one individual, Robert Siciliano. You can read his Wikipedia page for some background and links to his sites. Robert, or Bobby as we have affectionately called him for years, has a very unclear start date for his involvement in any form of professional security. Based on his bio and some emails many years back, he appears to have been the victim of identity theft, and then overnight became an expert on identity theft, ultimately on protecting yourself from it. I qualify that because Bobby's expertise also suffers from expertise creep. Over the last 7 years he has morphed from personal security, to identity theft, to computer security, all the while saying he isn't an expert in some aspects of security. Comparing his bio on various sites, you begin to see this expertise creep:

"Robert Siciliano is a personal security and identity theft expert with more than 25 years of experience in security work, white-collar crime prevention, and self-defense. He is a television news correspondent, security analyst, Certified Identity Theft Risk Management Specialist, CEO of..." - examiner.com

"Siciliano was motivated to enter the personal security field over two decades ago upon being a victim of theft and violence and seeing crime all around him." - robertsiciliano.com

"Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media." - nextadvisor.com

"Robert Siciliano is an expert on business security, personal safety and identity theft. With 25 years of experience, Mr. Siciliano has been researching and keeping in tune on how to avoid assaults and prevent fraud." - securityforsmallbusiness.com

Expert on personal security, identity theft, social media, startups, and recently even quoted as a 'computer security expert'. This goes back to the definition of 'expert' though; in one bio, he says he has "25 years of security training as a member of the American Society of Industrial Security". There is a difference between 25 years of training and 25 years of working in an industry. I also have serious doubts whether that 'society' taught all the disciplines mentioned above. Even better, we get a real glimpse into this amazing morphing and expertise creep from the bio on his own site:

"Siciliano has been surrounded by fraud throughout his entire life. Growing up in Boston provided numerous options for 'earning' through fraudulent scams. However committing criminal acts never interested him. What has always had Robert's attention is how brilliant the criminal "hackers" or more appropriately termed "crackers" are who perpetrate those crimes."

Huh?! Growing up in Boston, he had numerous options for 'earning' through fraudulent scams. This sounds like the stereotypical Boston southie kid who had few options other than running street scams and hustling. Yet he immediately turns this around and equates that kind of fraud with, or at least directly associates it with, the activity carried out by 'hackers' or 'crackers'. There is a considerable gap between running a game of Three-Card Monte and stealing someone's identity by hacking a web site.

More Insight into Bobby's History

As mentioned above, several attrition.org staff members have contacted Bobby over the years. Originally, it was because he seemed like a good guy, but misguided on the entire computer security thing. Rather than immediately publish an article crying 'fraud', the mails were designed to steer him in the right direction. Despite him being nominated as a possible charlatan as far back as 2006, we wanted to give him a fair shot to learn and grow. For several years, it seemed like he took that to heart, and walked a wobbly line that occasionally brought him close to the 'fraud' status. Some of this history may seem unfair at first; we all know journalists can get things wrong. However, keep this in mind as you read further and ultimately see the same excuse applied to mistakes for the last 7 years.

In October, 2006, a Douglas Dispatch article quoted Bobby as a "former FBI agent" and "former government agent". This was one of the first times we interacted with him. In response to our mails sent shortly after the article was published, Bobby said "... this is a false statement by a reporter who was misinformed. I'm not a former fbi agent or government agent. My clients sponsor introduced me as that." We wrote this off as an honest mistake, based on first-hand experience with journalists. In the dialogue that continued with Bobby, he made several other points that are relevant to this article:

I know a few more things than most regarding information security and basic computer security that allows me to pass the information on in a responsible manner.

[..]

I have 20 years in numerous professions regarding personal security. I've been surrounded by rape victims since I was 13. And at 17 years old when 5 guys drop you to the ground and kick you till your shit rolls up your back and you spend the rest of your life preventing that from happening to anyone else and it becomes your every thought and breath, then, yes, after you write 3 books on it, in some circles you are considered a "national personal security expert"

[..]

I'm not selling crap. I'm not inflating my qualifications. I'm not claiming anything I'm not qualified to. And I'm not hurting or deceiving anyone. The last thing I want is conflict with you or anyone. I appreciate you being a "watch dog". We're on the same team. I fight for truth every day.

This seems like a pretty honest and well-intentioned desire. We took him at his word and moved on. He later told us that the FBI reference came from a previous misunderstanding, that was not his fault:

When I began my presentation the person introducing me, introduced me as former FBI, when she did, I hadn't actually gone on stage due to an audio visual issue, I was initially shocked by her comment, but again, there was a 2-3 minute delay before I actually went on stage. By that time I forgot she said it and I didn't offer clarification, which I should have. The whole beginning of my program was a cluster F due to a miscommunication in my start time. I was scheduled to start at 8:30 and I walked in at 8am to set up and everyone was waiting for me to start at 8am. My contract says start 8:30.

Not his fault, got it? Months later, in March, 2007, we ran across another article quoting Bobby that got our attention. The article goes on to say "Siciliano bills himself as an unofficial spokesman of MyLaptopGPS, a Stillwater, Okla.-based company that sells laptop-tracking software which allows users to remotely track and remove sensitive data when the stolen laptop connects to the Internet". We asked him about the 'unofficial spokesman' bit, since that was very specific and not something that a journalist would likely come up with on their own. Once again, this was not Bobby's fault:

I've not billed myself unofficial spokesman. Those are not my words. [attrition] you must know the one reported on doesn't have control of the reporter. We can manage what we say, but not what is printed.

See, it's the reporter's fault again. In October, 2006, Bobby specifically told us "I've never uttered the words or claimed being and [sic] expert publicly or privately in the field of 'computer related information security'". Very clear, on that day, he specifically said he was not a computer security expert. Jump to June, 2007, and we see a different story, as Bobby is specifically quoted on 'computer security'. Eight whole months passed before he became a 'computer security' expert.

Between the overnight phenomenon and the expertise creep, it is clear that Bobby does excel at social media to some degree (not counting his very lame attempt at justifying Twitter follower purchases). He has a knack for getting quoted in the media, including making appearances on Fox and other TV outlets.

The Latest and Greatest

Why now? Why write this rant some six years after our first encounter with him? Because Bobby has done it yet again, and it isn't his fault, he will most certainly pinkie swear. The problem is that while he is foaming at the mouth saying it isn't his fault, he is completely missing the point. First, he doesn't know shit about computer security despite his claims. Second, while he is pawning the blame off on his 'assistant', he doesn't see the three years of the exact same thing being done as an issue. When I say the exact same thing, I mean the exact same article that he has regurgitated ad nauseam.

Earlier today, an article appeared on InfosecIsland by Bobby, titled "SQL Injection Attacks Targeting Small Business" (now 404, screenshot). If you read the article, you will immediately see serious flaws if you aren't rolling on the ground gasping for breath. SQL injection is not a virus, SQLi attacks are still primarily used for stealing data, and updating your operating system will do absolutely nothing to protect you from these attacks. It is abundantly clear that Robert Siciliano is not an expert on computer security. When challenged on this article, Bobby promptly replied blaming someone else:


To better frame this reply and rant, and to be absolutely clear, Bobby says his 'admin' somehow mixed two posts and accidentally posted this article. Got it? Good!

This is 100%, absolute BULLSHIT. Bobby is lying to me, and to a dozen others, and it is trivial to prove. This exact same article, word for word, appears in other places months prior:

When I challenged Bobby on this point, asking if this same 'administrative error' led to it being done on more than one site, over the span of three months, he once again blamed someone else, and chalked it up to his "well oiled machine":

Mon Nov 12 18:30:04 +0000 2012 @RobertSiciliano Robert Siciliano says: @attritionorg yes. and the post was repeated improperly. the hazzards of a "well oiled machine"

If for some bizarre reason you still think Bobby is not at fault, simply Google for the 'SQL injection is a virus' quote and skim back. You can quickly see that he was using this exact same line, as well as a considerable amount of the same text in this article as far back as 2009:

Bobby; SQL injection is not a virus in any form of the word. It is a bug, that is more specifically referred to as a vulnerability, kudos to getting that part right. Like your expertise creep, your article also creeps from SQL injection to 'drive-by' attacks, which SQL injection is not. You say "The unsuspecting PC user surfs an infected site and bam, code is injected onto their PC and they are infected." No, that is not how SQL injection works, at all. Who will you blame for this glaring fuckup? Hint: check your local mirror.
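To make that distinction concrete, here is an added example (not from Bobby's article or from this page) in Python against an in-memory SQLite database: the same customer lookup written by pasting user input into the SQL text, which is the vulnerability, and written with a parameterized query, which fixes it. The table and rows are constructed sample data; the bug lives in the server-side application code, nothing is "injected onto" a visitor's PC, and no operating system update changes the outcome.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for a small-business site's customer table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "4242"), (2, "bob@example.com", "1881")],
    )
    return conn

def lookup_vulnerable(conn, email):
    # The bug: untrusted input becomes part of the SQL statement itself, so the
    # database parses whatever the user typed as query logic. This is the
    # vulnerability; the data it leaks is the server's, not the visitor's.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return sorted(conn.execute(sql).fetchall())

def lookup_fixed(conn, email):
    # The fix: the value travels separately from the statement via a bind
    # parameter, so it is only ever compared as data, never parsed as SQL.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return sorted(conn.execute(sql, (email,)).fetchall())

def compare(email):
    # Returns (rows from the buggy lookup, rows from the fixed lookup) for one input,
    # so a reader can see that only the application code decides the outcome.
    conn = make_db()
    try:
        return lookup_vulnerable(conn, email), lookup_fixed(conn, email)
    finally:
        conn.close()

if __name__ == "__main__":
    # A normal lookup behaves identically either way.
    print(compare("alice@example.com"))
    # A textbook tautology turns the buggy query into "WHERE email = 'x' OR '1'='1'"
    # and returns every row; the parameterized version matches nothing.
    print(compare("x' OR '1'='1"))
```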

The biggest point here Bobby, is that it is completely irrelevant who posted the article. Even if it did get 'mashed together', you clearly wrote incredibly naive and inaccurate statements and posted them as far back as 2009. You have since posted the same article, and same inaccurate statements a dozen times over. In three years, if this was truly an 'administrative error', you would have caught it. The fact that no reader left you feedback about the accuracy of your article emphasizes just how dangerous you are. Despite your noble intentions of educating people, you are talking to end users who don't know the difference between a hard drive and malware. You are not doing them a service, you are hurting them.


Copyright 2012 by Jericho. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included.

Should you feel generous, please donate a couple of bucks to any 501(c)(3) non-profit that benefits animals or computer security on my behalf.

