attrition.org Errata - Charlatans

Charlatans... the fakes in the industry. Below, we point out a few cases of fakes walking among us. Some of the groups or companies listed below don't fall so much into the 'charlatan' category, but are pointed out for other reasons. As humans, we all make mistakes. The issue isn't that these people made mistakes, it's that they won't own up to them, lie to attempt to cover their actions, or use it to further their personal agenda at the expense of the industry. Like many parts of the entire Errata page, this section is incomplete. Don't let a lack of bullets and references under a given name mislead you. They were put here for a reason, even if we haven't had time to fully document it in one place. Fred Cohen has written an interesting paper entitled "The Seedy Side of Security" that covers some of the concerns we share. Yes, there is some personal bias in this page. Being in the security industry in various capacities, these people make our lives more difficult and negatively impact our business and passionate hobbies. Read the material with a grain of salt; don't implicitly trust us. Make your own decisions based on all the facts you can find, not just what you read here.

A note on 'establishing a charlatan': the term charlatan is a bit subjective. There is no defined standard for using the word. To attrition.org, one of the key elements is intentionally misleading or deceiving people to promote oneself. Typically this is subtle, as a charlatan will begin to fudge and blur details over time; what used to be "five years" will slowly become "seven years" or "ten years". Charlatans do not like the idea of peer review and may hide behind varying degrees of secrecy ranging from fake clearance levels to non-disclosure agreements (NDAs) that don't exist. Any one event listed on these pages may be dismissed as an error or oversight, but when put together begin to paint a more accurate picture of a history of falsehoods and intentional deception. For others, they may be on the road and not realize it.

Security (Technical)

Journalists

Michelle Delio (Wired / Freelance)
Michelle Delio wrote countless articles with anonymous sources and questionable quotes. After careful review by other journalists, it was quickly determined that she was fabricating sources and quotes. Additionally, one of her most oft-cited sources ended up being someone she was romantically involved with. [More information.]

James Glave (Wired)
Glave is not only a sub-par journalist, his ego blinds him to the ability to improve his work. Putting out a challenge to find errors in his articles was hopefully a wake-up call for him. [More information.]

Companies

EC-Council
EC-Council, the company behind the 'Certified Ethical Hacker' (CEH) certification, has a tendency to forgo ethics and profit off plagiarized content from other sources. [More information.]

ICSA Labs
ICSA Labs, formerly NCSA and now part of Verizon Business under the Cybertrust blanket, is "committed to .. meet or exceed our stakeholders' expectations", which begs the question of their testing methods and vendor neutrality, among other things. [More information.]

InfoSec Institute
InfoSec Institute (ISI), a company offering security training, pen testing classes and more, routinely plagiarizes content for their classes, profiting heavily off it. [More information.]

Hakin9
Hakin9 online magazine does not rely on ethical business practices to sell copy. [More information.]

mi2g Limited
If you ask them, mi2g Limited, a "security intelligence firm", will tell you they have been in the security industry as far back as 1995, at least "collecting data". In reality, mi2g only popped up in 1999 as a security outfit of any sort. Since then, the chain of absurd press releases, outlandish "research", and outright lies has been a plague on the security industry. [More information.]

Bogus 'Cyber Security' Crowd-funding Projects (via Security Snake Oil)

DataGateKeeper
A product called DataGateKeeper (DGK) is looking for $25,000. Their claims are that it's anti-hacking software that provides encryption levels far more advanced than AES. [ Update #1 ] [ Update #2 ]

Blindeagle
Blindeagle is asking for money for a product that promises private and secure communication with anyone over the internet, and wants 90,000 EUR to do it.

Kiri
Another person has decided that a Raspberry Pi and a seemingly stolen operating system are good enough to promote a Kickstarter project that promises complete computer security. [ Update ]

Copyright 2008-2017 by Attrition.org. Permission is granted to quote, reprint or redistribute provided the text is not altered, and appropriate credit is given.