Charlatans... the fakes in the industry. Below, we point out a few cases of fakes walking among us. Some of the groups or companies listed below don't fall so much into the 'charlatan' category, but are pointed out for other reasons. As humans, we all make mistakes. The issue isn't that these people made mistakes, it's that they won't own up to them, lie to attempt to cover their actions, or use it to further their personal agenda at the expense of the industry. Like many parts of the entire Errata page, this section is incomplete. Don't let a lack of bullets and references under a given name mislead you. They were put here for a reason, even if we haven't had time to fully document it in one place. Fred Cohen has written an interesting paper entitled "The Seedy Side of Security" that covers some of the concerns we share. Yes, there is some personal bias in this page. Being in the security industry in various capacities, these people make our lives more difficult and negatively impact our business and passionate hobbies. Read the material with a grain of salt; don't implicitly trust us. Make your own decisions based on all the facts you can find, not just what you read here.
A note on 'establishing a charlatan': the term charlatan is a bit subjective. There is no defined standard for using the word. To attrition.org, one of the key elements is intentionally misleading or deceiving people to promote oneself. Typically this is subtle, as a charlatan will begin to fudge and blur details over time; what used to be "five years" will slowly become "seven years" or "ten years". Charlatans do not like the idea of peer review and may hide behind varying degrees of secrecy ranging from fake clearance levels to non-disclosure agreements (NDAs) that don't exist. Any one event listed on these pages may be dismissed as an error or oversight, but when put together begin to paint a more accurate picture of a history of falsehoods and intentional deception. For others, they may be on the road and not realize it.
| Name | Why they are listed |
|---|---|
| Gregory D. Evans | A supposed "hi-tech hustler", plagiarist and convicted criminal, Evans has invented himself as some form of hacker with the ability to break into anything and spin that supposed knowledge into advising companies on security. Now with 'LIGATT Security', he is leading their questionable campaign to increase stock value through press manipulation. |
| Ankit Fadia | Fadia is a self-claimed expert on computer security, a shameless self-promoter and the author of numerous books containing plagiarism, and he has made numerous claims with little to no peer input as to his actual knowledge or skills. A (former) fifteen-year-old claiming to be an expert on computer or network security is absurd. |
| Dr. Ali Jahangiri | A questionable Sc.D holder and book plagiarizer, Jahangiri is a self-proclaimed information security expert with 14 years of experience. With a list of certifications and education bona fides that scream "career academic", his public offerings have been few and far between. |
| Laura Callahan | Laura Callahan is a former senior director at the United States Department of Homeland Security who resigned after an investigation revealed that she had obtained academic degrees from a diploma mill. She is also a former Deputy CIO of the US Department of Labor and a former senior information technology manager at the White House. |
| Dan Verton | What started out as occasional articles in news outlets turned into a full-blown ego-laden pundit writing books and even testifying before Congress. A supposed expert on cyber-war, his primary ability is generating fear, uncertainty and doubt (FUD) rather than rational information. |
| Dr. Bill Hancock | "Dr." Hancock is enshrouded in lies and half-truths; his purchased educational degrees (including a doctorate), lies about serving as a U.S. Navy SEAL and obvious lies about work experience are the tip of the iceberg. |
| Kim Schmitz (aka Kimble) | Schmitz, a convicted criminal, found a world of press ready and willing to bite on his stories of hacking, some of which are almost a direct rip-off of another charlatan (se7en). This may be one of the better cases demonstrating that media outlets want sensationalism, not the truth. |
| Ian Murphy (aka Captain Zap) | Murphy, a convicted petty criminal, has lied about military service, government work, technical skills and everything in between, forging a business based on lies and half-truths about his past 'hacking' experiences. |
| Frank Jones (aka SpyKing) | Jones, a felony-convicted scammer, had built a life based on selling fraudulent services and goods that were never delivered. Having claimed to be mentally insane in an attempt to avoid conviction, he has continued to operate in the security and TSCM industry as best he can. |
| Steven Gibson / GRC | Perhaps the most "colorful" charlatan, a marketer by trade, Gibson has moved into the security industry telling us about software company conspiracies, re-inventing years-old security technologies and dishing out emotional manipulation as "facts". |
| Ira Winkler | Keep your distance, for this man can hack your company and steal a billion dollars! Where most security professionals operate based on fact and relevant experience, Winkler has made an entire career out of an overhyped and questionable penetration test that he may not have actually participated in, and then let his ego run wild with it. |
| Christian Valor (aka se7en) | One of the earlier frauds in the industry, the only talent Valor ever displayed was manipulating the media and friends. His claims of hacking ability eroded as quickly as his claims of security knowledge. |
| John Flowers | Caught lying about his education to better solicit investments, Flowers' claims of past hacker activity are questionable and have not been verified by a third party. |
| Carolyn Meinel (aka HappyHacker) | After at least seventeen distinct career changes, any notion that Meinel was a security expert or had any technical ability beyond Windows parlor tricks is misplaced. |
| John "JP" Vranesevich | Not only a fraud, Vranesevich's short-lived "career" as a security expert was based on exploiting those around him, changing morals and ethics as it suited him and walking all over the industry he claimed to be influential in. |
| Michelle Delio (Wired / Freelance) | Michelle Delio wrote countless articles with anonymous sources and questionable quotes. After careful review by other journalists, it was quickly determined that she was fabricating sources and quotes. Additionally, one of her most oft-cited sources turned out to be someone she was romantically involved with. |
| James Glave (Wired) | Glave is not only a sub-par journalist; his ego blinds him to the ability to improve his work. Putting out a challenge to find errors in his articles was hopefully a wake-up call for him. |
| EC-Council | EC-Council, the company behind the 'Certified Ethical Hacker' (CEH) certification, has a tendency to forgo ethics and profit off plagiarized content from other sources. |
| ICSA Labs | ICSA Labs, formerly NCSA and now part of Verizon Business under the Cybertrust banner, is "committed to .. meet or exceed our stakeholders' expectations", which raises questions about their testing methods and vendor neutrality, among other things. |
| InfoSec Institute | InfoSec Institute (ISI), a company offering security training, pen testing classes and more, routinely plagiarizes content for their classes, profiting heavily off it. |
| mi2g Limited | If you ask them, mi2g Limited, a "security intelligence firm", will tell you they have been in the security industry as far back as 1995, at least "collecting data". In reality, mi2g only popped up in 1999 as a security outfit of any sort. Since then, the chain of absurd press releases, outlandish "research" and outright lies has been a plague on the security industry. |
Copyright 2008-2012 by Attrition.org. Permission is granted to quote, reprint or redistribute provided the text is not altered, and appropriate credit is given.