Charlatans

Charlatans.. the fakes in the industry. Below, we point out a few cases of fakes walking among us. Some of the groups or companies listed below don't fall so much into the 'charlatan' category, but are pointed out for other reasons. As humans, we all make mistakes. The issue isn't that these people made mistakes, it's that they won't own up to them, lie to attempt to cover their actions, or use it to further their personal agenda at the expense of the industry. Like many parts of the entire Errata page, this section is incomplete. Don't let a lack of bullets and references under a given name mislead you. They were put here for a reason, even if we haven't had time to fully document it in one place. Fred Cohen has written an interesting paper entitled "The Seedy Side of Security" which covers some of the concerns we share. Yes, there is some personal bias in this page. Being in the security industry in various capacities, these people make our lives more difficult and negatively impact our business and passionate hobbies. Read the material with a grain of salt, don't implicitly trust us. Make your own decisions based on all the facts, not just what you read here.


Ankit Fadia, "young hacker" and author

Ankit Fadia is a typical charlatan who gets published in one article and rides the wave of not only poor journalism but also his own hype. For years, he has been quoted in low end online publications in India (his home country). Each time he is referenced as an 'expert' despite having no skills or accomplishments other than being quoted in these articles. No matter how bright this kid is, how much of a "prodigy" he is, he simply cannot be considered an 'expert' in security, especially with his FUD-based statements about "computer security" and "terrorism."

mi2g "security intelligence" firm

If you ask them, mi2g Limited will tell you they have been in the security industry as far back as 1995, at least "collecting data". In reality, mi2g only popped up in 1999 as a security outfit of any sort. Before that, they operated a web site dedicated to selling automobile information which magically morphed into the Middle East Information Database Search (MIDAS) which then morphed again into an e-commerce development company. Since then, mi2g has been a glorified mouthpiece spouting a combination of fear, uncertainty and doubt with a clear goal of profiting from it. For a better idea of where mi2g came from, read more about the "Questionable History of mi2g".

Dan Verton - "security expert"

What started out as occasional articles in news outlets turned into a full-blown, ego-laden pundit writing books and even testifying before Congress. As his reputation grew, so did his boasting of his past in the intelligence circles as an analyst. Fortunately for us, he isn't an analyst giving input to decision makers. If his current style of fear-ridden writing were presented in an official capacity, we no doubt would have experienced an interweb meltdown due to polymorphing tactical strikeback malware viruses, and life as we know it would most certainly be over.

Kim Schmitz/Kimble/kill.net/YIHAT

Out of nowhere, Kim Schmitz (aka Kimble) finds a world of press ready and willing to bite on his stories of hacking, some of which are almost a direct rip-off of another charlatan (se7en). This may be one of the better cases demonstrating that media outlets want sensationalism, not the truth.

Christian Valor aka se7en

The renowned/infamous hacker/phreaker Christian Valor/se7en, blah blah. se7en is a new breed of hacker. One that thrives on media attention, mostly based on lies. I have warned se7en many times that lying to people, especially his friends, was not a good thing. Despite these warnings, he continued to do it until he had alienated himself completely. Because of his continued lies to me (and about me), I thought the truth should be known. se7en is NOT a hacker with seventeen years under his belt. In fact, he barely knows the first thing about phones or hacking. The one thing he is *exceptional* at is social engineering.

ICSA (formerly NCSA)

One of the first things you see when visiting the ICSA Labs web page is their claim that they are "committed to .. meet or exceed our stakeholders' expectations", which is a refreshing case of the truth. They care about stakeholders, not customers or the security industry.

CERT (Computer Emergency Response Team)

The rant that could ensue about CERT will be time consuming. Look for it down the road. Your tax dollars have been helping fund this organization for almost 20 years now. Too bad we haven't gotten our money's worth.

Steve Gibson / GRC

One of the more entertaining and lively charlatans, his tales of technology are certainly colorful and fun. That isn't really a compliment. For an entire site dedicated to exposing this charlatan, check out the GRC Sucks web site (now defunct).

Ira Winkler

Ira Winkler is better than you are, more qualified, more trustworthy, and all around a better person. Just ask him! Or don't, odds are he will tell you if given the chance. For those of us that have been in the security industry for a year or more, we're a bit tired of him finding a new reporter ready to buy into the Winkler line and writing a new version of the same article. We know he thinks most hackers are like trained monkeys.. we know he can steal a billion-jillion dollars from any company in the world. Get over it.

"Penetration Teams"

More and more companies are getting into the security business. With that, more are deciding to do "penetration testing" (i.e. remotely breaking into your system to test it). Two kinds of charlatans emerge: 1) companies using off-the-shelf products that anyone can run while passing off the automatically generated reports as their own, and 2) companies trying to convince you that they "don't hire hackers", and only utilize "security professionals" or "white-hat" hackers. Sorry, but is that really a good test? Is it the truth? Please consider this quick description of the issue as well.

Strike Back Technology

Another rising trend in security articles is the concept of "strike back" servers or technology. The idea being that software or corporate security officers are hacking back. Some are supposedly claiming they are going one step farther and physically visiting their attackers. Aside from the obvious illegality of this, common sense kicks in.

James Glave/WIRED

Normally I wouldn't include a journalist in this category, but Mr. Glave stands out in his field. One of the reasons he deserves this attention is that on top of several errors in his stories, he openly challenged a mail list to find any factual errors in his pieces. On Sunday, 29 Mar 1998, Mr. Glave posted to the dc-stuff mailing list and said: "As for your allegations, I invite you to find a factual error in any Wired News story to back them up." Obviously, we took the challenge. The notion that he or Wired is infallible is a joke. Read his mail on Jan 30, 1999 and we can see why these errors creep into his articles.

Barry Schlossberg, aka Lou Cipher

This is one of many cases where we wish we could publish everything we knew, even the rumors and bar room discussions with people close to him. We only hope that his whole story becomes more clear and more public.

John Flowers, "erstwhile hacker, business entrepreneur"

Gregory D. Evans

Yousif Yalda

Others
