Better call Serge

When shady and reviled Italian surveillance malware vendor Hacking Team got hacked and doxed in July 2015, its emails were made public. Many emails stood out for egregious wrongdoing. But one exchange in particular from January about a product demo revealed the malware company to have a nearly-comedic level of reckless incompetency -- which is why it became infosec's favorite meme of 2015.

Hacking Team had assured prospective clients that its surveillance malware was undetectable ... but during Lorenzo Invernizzi's live demo of an "invisibility test" to prove it, "an AVG popup warned about a trojan detection" on the screen. Invernizzi wrote in his post-demo email, "I closed the popup in time" while Serge Woon, who at the time was in charge of Hacking Team's pre-sales, distracted the clients from looking at the screen.

This was after the demo had already gotten off to a bad start. The first thing Hacking Team's supposedly stealthy malware did was freeze the customer's computer. Luckily, Invernizzi tried turning it off and on again, saying he then ran a silent installer "while Serge was distracting the customer."

But wait, there's more. In the same meeting, Hacking Team's demo of another "invisibility test" failed as his company's illicit spyware was "detected at each logon and at each synchronization" by Norton Antivirus. His boy Serge must have been practicing his naked juggling skills at that point, because Invernizzi wrote that the customer "got distracted by Serge, while I added the scout to the Norton's whitelist."

Immediately after the email surfaced, "Your Boy Serge" became shorthand on Twitter for the guy whose job it was to save your bacon, because he'd shoot bottle rockets out his butt if it meant he could distract people from seeing your failures.

When #YourBoySerge has a smoke break in the middle of the "cyber threats" demo. pic.twitter.com/L9kdg81A4Q — the grugq (@thegrugq) September 25, 2015

#YourBoySerge was soon appended to every .jpg and .gif synonymous with someone screaming LOOK SHINY while something went horribly wrong in the business of hacking -- especially if the image subjects are in twinsies-style matching outfits. Alive and well after five months, the #YourBoySerge meme has started to cross over into non-IT humor ... and let's just hope that both the legend, and the man, are not forgotten.

A cyberthreat in your butt

The annual RSA conference, attended by a combination of government and enterprise security professionals, is often where new cyber-threat companies try to make a splashy debut. But last April, no one expected Threatbutt. Parodying every inch of the already-farcical cybersecurity landscape, Threatbutt promised "maximum protection from threatening threaty threats" and gleefully mocked pretty much everyone and everything angling to make a buck off "cyber".

With a razor-sharp wit and hack-savvy sarcasm that comes only from people who dwell in the trenches of infosec, Threatbutt sized up an industry that had taken itself so seriously it was in danger of becoming a parody of itself.

"By leveraging our patented Clown Strike technology we are able to harness the raw power of private, hybrid, public and cumulus cloud system to bring Viking grade threat intelligence to any enterprise.

Our global platform, hosted in China, is able to detect all local attackers, APT, and even Advanced APT Threats, coming from countries you "heard once in some report" were bad. We guarantee our attribution is accurate as we paid for the more expensive MaxMinds GeoIP database, so can pin-point any IoC to a more specific part of Iran, China or North Korea, or whatever your CEO needs.

We don't rely on tired, out of date lists of IoCs, we wrote our own, groundbreaking, Big Data backed Sticking-a-pin-in-map-of-about-eight-countries platform. Which blows away the competition at just a fraction more of the price."

Selling itself as a global threat detection platform with mysterious products in eternal private beta, Threatbutt tweeted its presence at the conference while making liberal use of on-the-scene photos. Notably, the company photoshopped its logo and product images into conference stills to cultivate an image of hitting the big time ... Sorta.

Stop by our #RSAC booth to learn more about Threatbutt & get an advanced peak at our upcoming API! #cybersecurity pic.twitter.com/RXCUV0yTej — Threatbutt (@threatbutt) April 22, 2015

The dry-as-dust RSA conference never knew what hit it. Threatbutt bragged about winning the (nonexistent) Best RSA Vendor Award. It soon announced its own bug bounty, launched a data visualization called the Threatbutt Internet Hacking Attack Attribution Map (or Viking Pew Pew Map), and bragged about its new, "needlessly verbose" enterprise suite. Threatbutt was an instant hit, and stickers of its slightly NSFW logo -- a mascot named "APTy" -- started to appear around different hacker scenes on laptops and hacker gear. Threatbutt was an instant hit that became synonymous with just how impossibly dumb cybersecurity companies' self-styled mythologies are.

As America's hacker conference season continued, Threatbutt's popularity grew as its "product reach" expanded. Meaning, the same logo and product images were added to photos of vendor booths and t-shirts at Black Hat and DEFCON, and shared on Twitter for maximum lulz.

Perhaps it was just a matter of time before the "threaty threat" company got its first industry endorsement. Vulnerability management and bug bounty platform HackerOne's Chief Policy Officer sports a Threatbutt sticker on her phone with a wink and a nudge. Where some cybersecurity companies have responsible disclosure policies, HackerOne has included the Threatbutt Irresponsible Disclosure Policy on its website.

"Following the recent unpleasantries with our approximately near equal peer, FireEye, Threatbutt would like to make its position murky clear on its security posture and how it cooperates with security researchers.

Threatbutt inc takes all reports of security issues comically and we do our best to share them around numerous IRC backchannels for all of us to have a giggle at. We believe in the following hilarious irresponsible disclosure policy, assuming you can't sell your bug to the highest bidder in Italy unless they use PGP."

Like all good memes and parodies, the magic of Threatbutt is spreading in unexpected ways. Now on CrunchBase, its profile explains, "Threatbutt leverages their patented Clown Strike technology to harness the raw power of private, hybrid, public and cumulus cloud system to bring Viking grade threat intelligence to any enterprise."

Threatbutt shows no signs of slowing down. It looks like RSA 2016 better put seat belts on its vendor tables because Threatbutt may just give it the ride of its life.