All that is wrong with the world…

October 11, 2009

Steve Gibson is a fraud

Filed under: Security — allthatiswrong @ 7:46 pm

Steve Gibson has a reputation as a security expert and is someone that people who don’t know any better look up to. This article is an attempt to enlighten those people, and show that Steve Gibson is not any kind of security expert and should certainly not be considered any authority. Steve Gibson is a fraud. He has never made any meaningful contribution to the computer security field except to spread misinformation and cause panic. His actions and often vocal claims demonstrate beyond a doubt his lack of an understanding of the field he claims to be an expert in.

He claims to be a security researcher. He has never posted a message to Bugtraq, Full Disclosure, or any other security mailing list. He has never attended a conference, published a paper, discovered a vulnerability or written proof-of-concept code. Indeed, other high-profile people in the industry consider him to have absolutely no credibility whatsoever. Here is what Fyodor, author of the nmap scanner, thinks. To quote:

Gibson is a charlatan whose “research” is written for clueless media reporters (for press attention) and the teeming masses of internet newbies (to whom he sells various products). His “findings” are not new, are always filled with massive hyperbole, and are frequently completely false.

The website Vmyths also has a good collection of articles on him here.

He tried to claim that the WMF vulnerability was a deliberate backdoor, which was ridiculous. It was debunked by Mark Russinovich and Stephen Toulouse here and here. If you don’t know those names, look them up. There is also a good article from the Security Focus site here, to quote:

Gibson has a bad track record: a history of latching onto arcane issues that he doesn’t fully understand and can never prove, and converting his limited understanding into fodder for the next internet melt-down.

He even went so far as to declare AV software completely dead. In 1992. He went on to conclude that:

First, scanning for known viruses within executable program code is fundamentally a dead end.

Someone should probably let the AV companies know. This is a perfect example of the broad statements he tends to make, which only serve to showcase his ignorance. Unfortunately, many people who don’t know any better do actually take his word as that of an expert. Not only that, he wants system utilities to be unable to have direct filesystem access. Which, although limiting their usefulness as utilities, will (according to Gibson) result in 100% viral immunity:

by prohibiting the sorts of direct file system tampering performed by our current crop of system utilities, such operating systems will be able to provide their client programs with complete viral immunity

Upon the release of Windows XP, in massive red letters on his website, he proclaimed:

When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth Internet connections, we are going to experience an escalation of Internet terrorism the likes of which has never been seen before.

This is also an excellent example demonstrating his appalling lack of knowledge. Raw sockets will hasten the end of the internet. Despite access to them being freely available in most operating systems for over 30 years. Despite the fact you don’t need raw sockets to pull off any of the attacks he describes. Right… For an amusing read, you can read about his ordeal of being victimized by a 13 year old hacker here.

He decided to (badly) reinvent SYN Cookies, and then dared to call his approach “beautiful and perfect”. See here. Not only did he completely fail to solve most of the problems that called for such a solution, he failed to give credit where credit is due. The man is a fraud and a liar.

Then there is the whole SpinRite thing, which is, to put it simply, completely bunk. There is a good firsthand account from someone with personal experience here. That is not just picking at the use of marketing terms, it’s a detailed debunking of his idiotic claims.

When you have leading journalists in the field calling him out as a fraud and a know-nothing, maybe it’s time to re-evaluate the man’s credibility? Hopefully by now you have enough material to make your own informed decision, and (perhaps) refrain from recommending him to anyone. Ever. If nothing else, he serves as a perfect demonstration that you should always be wary of self-proclaimed experts.

Update 1 – September 21st 2010
I noticed about a week ago this post was referenced on the Security Basics mailing list. In response, someone provided a link to the Steve Gibson entry on Attrition. It’s a much shorter page, but it’s still worth clicking on just to reinforce everything I have said above, and Attrition is a respectable source. Enjoy.


7 Comments »

  1. So, all this time that I’ve spent listening to Security Now… has it been wasted? Can Steve’s explanations of topics be described as accurate?

    Comment by Adrian — March 20, 2014 @ 5:58 pm

  2. Hmm, typo in the first parigaph…

    Comment by billingsbookandbrew — April 9, 2014 @ 6:32 pm

  3. The author of this ludicrous and incorrect article is no more than a paid shill by those jealous of Steve Gibson, whom even Bill Gates admits is a genius. “If SpinRite can’t fix it then throw it away” is as true now as it was in the early 90’s. The most brilliant HDD repair software ever created. The shill can’t even program in BASIC, knows nothing about raw sockets and is a typical skulking, frothing, bitter nerd whose overall significance amounts to that of flatulence within a hurricane. Steve Gibson, you’ve proven yourself with flying colors while the shill has showcased his double digit IQ.. lol

    Comment by imo kawasaki — June 28, 2014 @ 4:29 am

  4. I have read this article and, if it is correct or not I have no idea being a novice, but have one question to the Author.
    I am unable to see your name anywhere here, however I could be mistaken as I do not normally indulge in gutter journalism.
    If you don’t have the balls (or the other) to put your name to anything you publish, especially derogatory remarks regarding
    a person, then keep your comments to yourself, along with your IQ which appears to be the same as your hat size.
    My view is, if I am correct when stating the above, you are a gutless coward, that simple.

    Richard Young,
    Australia.
    AUTHOR MEMBER #141106 of THE COPYRIGHT AGENCY LIMITED AUSTRALIA® ABN: 53 001 228 797

    Comment by Richard Young — July 1, 2014 @ 11:17 pm

    • Just so you know, posting your real information on the internet is a big risk. Over here in the US we educate our kids to NOT use their real names at all on the internet. This (the internet) is an endless public forum made tiny by search engines and too many people will be dicks when they think no one can see them. Doxing is a real thing that happens to innocent people, usually in the most unexpected circumstances. Some of us are smart enough to keep our personal information out of view.

      https://en.wikipedia.org/wiki/Doxing

      Comment by OldGuy — July 20, 2014 @ 8:58 pm

  5. I saw these arguments a long time ago, and I have to agree with them. Gibson is an alarmist and really doesn’t know what he’s doing. The raw sockets incident really exemplifies how much he doesn’t know about security. Everyone but most desktop users had access to them at the time and there were no problems, no massive attacks. If a black hat hacker wanted to use them, they could have just gone and grabbed Linux. He is just an alarmist with some good sounding words.

    Comment by OldGuy — July 20, 2014 @ 8:53 pm

  6. I have been listening to SG for many years. I pick up some ideas and filter out the hyperbole. It’s a form of entertainment only. Re: SpinRite, I have used this 4 times and in all cases, it failed. I spent an equivalent amount on a recovery solution, and it worked 4 times. SpinRite had no value for me.

    Comment by Opinion — September 10, 2014 @ 9:21 pm
