October 11, 2009

Steve Gibson is a fraud

Steve Gibson has a reputation as a security expert and is someone that people who don’t know any better look up to. This article is an attempt to enlighten those people, and show that Steve Gibson is not any kind of security expert and should certainly not be considered any authority. Steve Gibson is a fraud. He has never made any meaningful contribution to the computer security field except to spread misinformation and cause panic. His actions and often vocal claims demonstrate beyond a doubt his lack of an understanding of the field he claims to be an expert in.

He claims to be a security researcher. He has never posted a message to Bugtraq, Full Disclosure, or any other mailing list. He has never attended a conference, published a paper, discovered a vulnerability or written proof of concept code. Indeed, many other high-profile people in the industry consider him to have absolutely no credibility whatsoever. Here is what Fyodor, author of the nmap scanner, thinks. To quote:

Gibson is a charlatan whose “research” is written for clueless media reporters (for press attention) and the teeming masses of internet newbies (to whom he sells various products). His “findings” are not new, are always filled with massive hyperbole, and are frequently completely false.

The website Vmyths also has a good collection of articles on him here.

He tried to claim that the WMF vulnerability was a deliberate backdoor, which was ridiculous. It was debunked by Mark Russinovich and Stephen Toulouse here and here. If you don’t know those names, look them up. There is also a good article from the Security Focus site here, to quote:

Gibson has a bad track record: a history of latching onto arcane issues that he doesn’t fully understand and can never prove, and converting his limited understanding into fodder for the next internet melt-down.

He even went so far as to declare AV software completely dead. In 1992. He went on to conclude that:

First, scanning for known viruses within executable program code is fundamentally a dead end.

Someone should probably let the AV companies know. This is a perfect example of the broad statements he tends to make, which only serve to showcase his ignorance. Unfortunately, many people who don’t know any better do actually take his word as that of an expert. Not only that, he wants system utilities to be denied direct filesystem access, which, although limiting their usefulness as utilities, will (according to Gibson) result in 100% viral immunity:

by prohibiting the sorts of direct file system tampering performed by our current crop of system utilities, such operating systems will be able to provide their client programs with complete viral immunity

Upon the release of Windows XP, in massive red letters on his website, he proclaimed:

When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth Internet connections, we are going to experience an escalation of Internet terrorism the likes of which has never been seen before.

This is also an excellent example demonstrating his appalling lack of knowledge. Raw sockets will hasten the end of the internet. Despite their having been freely available in most operating systems for over 30 years. Despite the fact that you don’t need raw sockets to pull off any of the attacks he describes. Right….. For an amusing read, you can read about his ordeal of being victimized by a 13-year-old hacker here.

He decided to (badly) reinvent SYN Cookies, and then dared to call his approach “beautiful and perfect”. See here. Not only did he completely fail to solve most of the problems that called for such a solution, he failed to give credit where credit is due. The man is a fraud and a liar.

Then there is the whole SpinRite thing, which is, to put it simply, completely bunk. There is a good firsthand account from someone with personal experience here. That is not just picking at the use of marketing terms, it’s a detailed debunking of his idiotic claims.

When you have leading journalists in the field calling him out as a fraud and a know-nothing, maybe it’s time to re-evaluate the man’s credibility? Hopefully by now you have enough material to make your own informed decision, and (perhaps) refrain from recommending him to anyone. Ever. If nothing else, he serves as a perfect demonstration that you should always be wary of self-proclaimed experts.

Update 1 – September 21st 2010
I noticed about a week ago this post was referenced on the Security Basics mailing list. In response, someone provided a link to the Steve Gibson entry on Attrition. It’s a much shorter page, but it’s still worth clicking on just to reinforce everything I have said above, and Attrition is a respectable source. Enjoy.


  1. So, all this time that I’ve spent listening to Security Now… has it been wasted? Can Steve’s explanations of topics be described as accurate?

    Comment by Adrian — March 20, 2014 @ 5:58 pm

  2. Hmm, typo in the first paragraph…

    Comment by billingsbookandbrew — April 9, 2014 @ 6:32 pm

  3. The author of this ludicrous and incorrect article is no more than a paid shill by those jealous of Steve Gibson, whom even Bill Gates admits is a genius. “If SpinRite can’t fix it then throw it away” is as true now as it was in the early 90’s. The most brilliant HDD repair software ever created. The shill can’t even program in BASIC, knows nothing about raw sockets and is a typical skulking, frothing, bitter nerd whose overall significance amounts to that of flatulence within a hurricane. Steve Gibson you’ve proven yourself with flying colors while the shill has showcased his double digit

    Comment by imo kawasaki — June 28, 2014 @ 4:29 am

  4. I have read this article and, if it is correct or not I have no idea being a novice, but have one question to the Author.
    I am unable to see your name anywhere here, however I could be mistaken as I do not normally indulge in gutter journalism.
    If you don’t have the balls (or the other) to put your name to anything you publish, especially derogatory remarks regarding
    a person, then keep your comments to yourself, along with your IQ which appears to be the same as your hat size.
    My view is, if I am correct when stating the above, you are a gutless coward, that simple.

    Richard Young,

    Comment by Richard Young — July 1, 2014 @ 11:17 pm

    • Another example of an ignorant Australian. I don’t put my name on this blog because I am posting things that could jeopardize my personal life. Anonymity is not synonymous with cowardice.

      Comment by allthatiswrong — October 12, 2014 @ 7:51 pm

      • Anonymity is not synonymous with cowardice. YES IT IS

        Comment by robert smith — June 9, 2015 @ 7:49 am

  5. I saw these arguments a long time ago, and I have to agree with them. Gibson is an alarmist and really doesn’t know what he’s doing. The raw sockets incident really exemplifies how much he doesn’t know about security. Everyone but most desktop users had access to them at the time and there were no problems, no massive attacks. If a black hat hacker wanted to use them, they could have just gone and grabbed Linux. He is just an alarmist with some good sounding words.

    Comment by OldGuy — July 20, 2014 @ 8:53 pm

  6. I have been listening to SG for many years. I pick up some ideas and filter out the hyperbole. It’s a form of entertainment only. Re: Spinrite, I have used this 4 times and in all cases, it failed. I spent an equivalent amount on a recovery solution, and it worked 4 times. Spinrite had no value for me.

    Comment by Opinion — September 10, 2014 @ 9:21 pm

    • What software? You guys who write this crap are a joke. Name the software that worked when Spinrite failed, or as far as I am concerned you’re just one more bigmouth insecure jackal who cowers behind anonymity

      Comment by joe howard — February 12, 2015 @ 1:01 pm

  7. It’s funny to read that people that come here to defend Gibson do it in the very same emotional way as he does. Do they not have the brain to read through the given references and think for themselves? Why don’t they cite references instead of childish bash-down offenses? Are they astroturfing? Have they no ability to rationally debate? Or have they no real IT expertise?

    By the way, my personal years-long experience with spinrite is nothing special. I’m glad I’ve pirated it as *for me* it’s not worth a penny.
    One laptop I have had its hdd always clicking for some time, running slow and having the Linux console print out read errors. Spinrite reported for several runs that the drive was flawless… In time, the drive fixed itself.
    Another hdd was given to me already as dead. 7 years ago! Regular maintenance with spinrite has done nothing; it only showed a lot of seek errors. Once or twice a year the drive starts to create *massive* amounts of read errors. Spinrite corrects zee-ro of them and marks them as uncorrectable, saving NO data whatsoever. When this happens, I boot Windows and run a diskpart clean all on the disk. After this, I run spinrite again and, apart from all the seek errors, there are *no* bad sectors…
    I restore the OS onto the drive and store no documents on it whatsoever, and it will run ok again for months, although there are a lot of relocated sector counts and the BIOS always warns the disk as ready to die at every boot.
    Also I have run spinrite on two computers this week and was presented with red crash errors with no user-friendly descriptions…
    Paying for spinrite? Not for my bacon!

    Just adding one more piece of wood into the fire…
    Why would a so-called security guru still be using Windows XP SP2 (claiming his machine would not survive the update to SP3) years after Windows 7 was out? Has he tried downloading and injecting SP3 onto his SP2 installation and then installed it? (there is no more info to make judgments here)
    He is definitely a *very* intelligent person… So why isn’t he using Linux!? (I’m not bothering restarting the old war about the security comparison between Windows and Linux…)

    Thank you so much for your public service, Author!

    Comment by John — October 10, 2014 @ 3:04 am

  8. Very harsh review of Steve Gibson. And like Richard Young – I have a major concern. What is “THE NAME” of the person writing this page? I always want to know who I am addressing & who is addressing me.

    And if you want to write about something important? Why not write about the issues found in this FaceBook document?
    …. That would show me you have true virtue and moxy.

    Comment by CA Jeffo — March 19, 2015 @ 4:18 am

  9. I purchased a copy of Spinrite and it has repaired or at least made cloneable more drives than I can count.

    Comment by Adam — April 22, 2015 @ 9:03 am

  10. Just found this. This author seems to have some kind of axe to grind. Gibson ain’t my uncle, but I just don’t see much basis for these attacks. I don’t understand the motivation, but it wouldn’t necessarily appear to be recourse to facts. Gibson may at points have been guilty of hyperbole–I truly don’t know, but let’s say yes–but I’m pretty sure most of the things mentioned here actually favor Gibson’s analysis. XP’s initial release was KIND OF a disaster. There were a rash of worms and attacks. Raw sockets WERE a problem. I mean, I’m glad they work fine for you, pal, being the unappreciated Linux power-user that you are, but the market and the attack surface for Windows was a wee bit different. I wax indignant the more I think about this…. While AV sales DO continue to flourish, that’s not necessarily evidence of their effectiveness. A recent study describes the differences in beliefs and habits of normal users and security professionals, and the greatest delta is for the use of AVs. Look it up! The pros put little stock in them. Finally, I would probably classify Gibson as more of a computer science communicator than a computer scientist, at least at this point in his career. But then again…I’d say SQRL counts as a contribution to the field, wouldn’t you? I know this post was written years before SQRL–I don’t care. I’m ready to rule: this is whiny nonsense. And yes, I own SpinRite and have personally reaped its benefits. The placebo effect didn’t fix my hard drive.

    Comment by Matthew Care — November 3, 2015 @ 7:29 am

