How to Spot an InfoSec Charlatan

Editor’s note: “AssHat” was replaced with “Simon Smith” by the editors of deVestigator. Robert Winkel never referred to Simon Smith directly in the original article. No need to threaten to sue him, Simon.

[08:25:41] e_forensic:  [e9] @SeditionVegas They have now named me, why no help? It's all over linkedin. They wrote it just for me? https://t.co/epcCmdSGNP <linkedin.com/pulse/how-spot…>
[08:29:41] SeditionVegas:   [ec->e9] @e_forensic I have not even seen this yet. This is one person's opinion. Stay focused
[08:52:16] BryanOnel86: [f2->e9] @e_forensic @SeditionVegas I'll help you, if you accept my aid.
[08:58:45] SeditionVegas:   [f3->f2] @BryanOnel86 @e_forensic Im not even sure wtf is going on

Robert Winkel

Principal Cyber Security Consultant / Queensland Regional Manager (Cyber) at DXC Technology

Over the years, I have noticed the rise in charlatans in the Australian InfoSec space. This article is inspired by several Australian InfoSec charlatans that I have had the misfortune to come across. However, the advice in this article is relevant outside of the field of information security, and outside of Australia.

attrition.org gives a good explanation of a charlatan that gels with my own thoughts:

one of the key elements is intentionally misleading or deceiving people to promote oneself. Typically this is subtle, as a charlatan will begin to fudge and blur details over time; what used to be “five years” will slowly become “seven years” or “ten years”. Charlatans do not like the idea of peer review and may hide behind varying degrees of secrecy ranging from fake clearance levels to non-disclosure agreements (NDAs) that don’t exist. [1]

This article discusses typical attributes displayed by InfoSec charlatans, so that you may be able to better identify a charlatan should you come across them, and apply an appropriate amount of caution. Not all InfoSec charlatans will display every one of these attributes. And not everyone that displays these attributes is a charlatan. They still may be a clever person and be able to produce the occasional happy customer. But it is worth being wary of any person (InfoSec professional or not) displaying such attributes.

One of the attributes of being an InfoSec charlatan is to be overly litigious. While I scoff at such legal threats, they can be bothersome and can take up way more time than I am currently willing to spend. The phrase “their bark is worse than their bite” springs to mind. However, if a chihuahua barked at me for hours on end, I’d be majorly annoyed. Therefore, I will not be naming names, or providing other identifying information in this article. Instead, I will refer to all of the InfoSec charlatans in this article under a singular pseudonym of “Simon Smith”. I will leave it to the reader as to who deserves this pseudonym. Your “Simon Smith” may be different than mine, but I suspect a high degree of cross-over.

Without further ado, I present:

Typical Attributes of an InfoSec Charlatan

Dunning-Kruger effect

“The fool doth think he is wise, but the wise man knows himself to be a fool”

– William Shakespeare

A lot of InfoSec charlatans are just con-artists. But there are some that truly believe what they are doing is justified; that they are correct all the time; that they are the best of the best; and that anyone that questions them is doing them an injustice. Any attempt to argue with them is perceived as an attack against everyone. Such charlatans may be narcissists, or under the Dunning-Kruger effect [2].

The Dunning-Kruger effect occurs where people fail to adequately assess their level of competence — or specifically, their _in_competence — at a task and thus consider themselves much more competent than everyone else. In simple words, it’s “people who are too stupid to know how stupid they are” [3].

Charlatans will tend to suffer from an intersection of delusions of grandeur with a lack of imagination or knowledge regarding counter-techniques relevant to any particular subject. This often leads them to declarations of infallibility or impregnability.

Here are some examples of what you might hear or read from an InfoSec charlatan that suffers from the Dunning-Kruger effect:

  1. “I am the world’s best hacker!”
  2. “It’s funny you should mention encryption… I accidentally invented PGP encryption when I was 12.”
  3. (Blogging in the third-person): “Mr. Simon Smith’s talents were recognised when he was very young. By the age of 8, he was a girl-genius.”
  4. “My code is 100% secure!”
  5. “My product is unhackable.”
  6. “I have a method to track cyber criminals that is guaranteed never to fail.”

If you come across an InfoSec professional that claims to be the best of the best, a genius, or the only one that can help you, then you may have met a charlatan!

Overabundance of “Qualifications”

“Mr. Simon Smith, CISSP, GDip BS, GCert Simon Smithtery, OBE, POQ, LOL, WTF, BBQ, ABC123, NiN, TISM, UB40, is here to make everything 100% secure!”

– Mr. Simon Smith

If someone has an alphabet soup of certifications after their name, it’s time to drill down a little further. A lot of these certifications, while probably genuine, end up being a 2-hour online course or similar, e.g. “Certified in Super IP Address CyberLookup CyberTechniques” from Snakeoil University. Some people may be impressed by the long list of certifications that the charlatan continually refers to and lists after their name, but most people see it for what it is: grandstanding. You probably won’t see a respected InfoSec certification in the long list after their name.

Silencing the Opposition

InfoSec charlatans will often get defensive when anyone questions their genius, opinions, ethics, principles, or qualifications. As they can’t win an argument using logic, they tend to resort to trying to shut down their challenger. This could be in the form of just blocking them on Twitter, deleting comments from their blog, or trying to scare them off with legal threats.

Although overly litigious, a charlatan will tend to not fully understand how the legal system works, e.g. they will issue a DMCA take-down notice against a link; apply for a restraining order on someone overseas; submit unsubstantiated lawsuits against pseudonyms; and write to every association that their challenger is a part of, insisting that the person be banned.

They will report everything they can to anyone that will listen, but also to those that won’t listen. They will attack any slight against them, no matter how small, with Trump-like rhetoric. They use immature and unprofessional tactics such as doxing[4] their challenger.

An InfoSec charlatan may also resort to the childish tactic of using personal insults. A constant barrage of insults from a supposed professional is really just a poor defence mechanism. Often, they can’t make their point using facts or logic, so they use insults.

If they are proven wrong in any respect, they may engage in lexical gymnastics that make sense only to themselves in order to disqualify this contrary evidence.

Here are some examples based on real events that I have witnessed over the last few years:

1.  InfoSec Professional comments on LinkedIn article: “Hey Simon Smith, how come you claim to own several multi-million dollar companies, yet when I search, there is only one officially listed under your name, and that company has never been registered to pay General Sales Tax?”

Simon Smith (10 minutes later to InfoSec Professional’s work email): “You are a criminal, Mr. John Smith of 17 Lane Road! You have just committed blackmail and lied on the Internet. The Internet police have been notified of your activities and this is now in the matter of the courts. The judge is currently deciding on your sentence and will soon contact you on your mobile 0412 345 678. That is a mandatory 25 years in jail!! Your employer, Security ABC Pty Ltd, of 19 Road Lane, has been notified of your cyberbullying.”

2. Random Twitter person: “Hey Simon Smith, you look good in this photo: link”

Simon Smith: Blocks person on Twitter, issues DMCA notice to remove the Tweet as it contains an image that he owns the copyright to (despite the Tweet containing a link, not an image, and the image in question not being copyrighted by Simon Smith).

3. InfoSec Professional comments on Twitter: “Hey Simon Smith, you were wrong about XXS. Here is an article to prove it: link”

Simon Smith: Blocks person on Twitter, and everyone else that liked or retweeted her Tweet. Issues DMCA notice to remove the Tweet, citing everything under the sun except copyright (i.e. what DMCA actually addresses), including bullying, stalking, and cyberterrorism.

4. Simon Smith responding to a factual vulnerability report on their SnakeOil product: “You couldn’t have found a vulnerability in my product as your technique is criminal and not within arm’s length of the average user. Every product is vulnerable in this way, so you can’t say mine specifically is.”

Showboating

The Simon Smith will boast at every opportunity. Their boasts may be legitimate, but they are continuous and often not relevant to what they are discussing.

Here are some examples, based on real posts that I saw recently:

1. Simon Smith: “You have raised a good point regarding TCP/IP flags. If my 37 years of being an Infosec guru, writing 5 books, and getting 4 degrees and 57 certifications have taught me anything, it is that TCP/IP flags are not often looked at!”

2. Simon Smith (writing in her blog in the third-person): “Mr. Simon Smith (CISSP, GDip BS, GCert Simon Smithtery, OBE, POQ, LOL, WTF, BBQ, ABC123, NiN, TISM, UB40) delivered the amazing report on Thursday morning. The customer thanked Mr. Simon Smith, who has spent 10 years studying cyberWeapons and caught over 1000 cyberTerrorists, and said ‘Mr. Simon Smith (with 37+ years of industry experience), glad to do business with you. You are a smarter than you look (as proved by being in the top 2% of the class of 1997, St. Noob Primary School). I will read your report tomorrow’. This testimonial shows that Mr. Simon Smith is the bestest InfoSectual evah!”

BS’ing

Similar to showboating, but with the addition of falsehoods. The obvious falsehoods are the grandiose ones. However, it is not uncommon for the charlatan to lie about little things, such as how many years they have been in the industry, or the value of their company.

Here is one example:

1. Simon Smith posting on her LinkedIn feed: “I’ll be briefing the Queen of England tomorrow on how to create a secure password for her Instagram account”.

The bullshit meter is high on this one

Loner

An InfoSec charlatan will not attend InfoSec conferences. They are not part of the InfoSec Community. They will avoid all contact with InfoSec professionals since any such contact increases the chance that they will be uncovered. Instead, they will restrict all their contact to those that don’t know much about security, i.e. your average layperson, so that they can wow them by doing small, technical tasks.

All the InfoSec professionals that I respect are part of the InfoSec community and regularly attend InfoSec conferences or gatherings. All of those that I consider a charlatan to some degree, except one, have never shown their face at an InfoSec conference.

In Conclusion…

If you’ve been in InfoSec long enough, you probably know an InfoSec charlatan. It is important to call them out where possible, despite the potential backlash from them. If you feel they may learn something from this article, please forward it on to them.

Disclaimers

1. All opinions in this article are my own and do not necessarily reflect those of my employer.

2. Any resemblance to actual Simon Smiths, living or dead, is purely serendipitous. While this article is inspired by many charlatans that I have interacted with or witnessed over many years, I have intended all examples to be representative of no specific individual, but rather a composite of multiple charlatans.

[1] [http://attrition.org/errata/charlatan/](http://attrition.org/errata/charlatan/)

[2] [https://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect](https://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect)

[3] [http://rationalwiki.org/wiki/Dunning-Kruger_effect](http://rationalwiki.org/wiki/Dunning-Kruger_effect)

[4] Publishing personal information.