Steve Gibson has a reputation as a security expert, and is someone that people who don’t know any better look up to. This article is an attempt to enlighten those people, and show that Steve Gibson is not any kind of security expert, and should certainly not be considered any authority on the subject. Steve Gibson is a fraud. He has never made any meaningful contribution to the computer security field except to spread misinformation and cause panic. His actions and often vocal claims demonstrate beyond a doubt his lack of understanding of the field he claims to be an expert in.
He claims to be a security researcher. He has never posted a message to the Bugtraq, FD, or any other mailing list. He has never attended a conference, published a paper, discovered a vulnerability or written proof of concept code. Indeed, many other high-profile people in the industry consider him to have absolutely no credibility whatsoever. Here is what Fyodor, author of the Nmap scanner, thinks. To quote:
Gibson is a charlatan whose “research” is written for clueless media reporters (for press attention) and the teeming masses of internet newbies (to whom he sells various products). His “findings” are not new, are always filled with massive hyperbole, and are frequently completely false.
The website Vmyths also has a good collection of articles on him here.
He tried to claim that the WMF vulnerability was a deliberate backdoor, which was ridiculous. It was debunked by Mark Russinovich and Stephen Toulouse here and here. If you don’t know those names, look them up. There is also a good article from the Security Focus site here, to quote:
Gibson has a bad track record: a history of latching onto arcane issues that he doesn’t fully understand and can never prove, and converting his limited understanding into fodder for the next internet melt-down.
He even went so far as to declare AV software completely dead. In 1992. He went on to conclude that:
First, scanning for known viruses within executable program code is fundamentally a dead end.
Someone should probably let the AV companies know. This is a perfect example of the broad statements he tends to make, which only serve to showcase his ignorance. Unfortunately, many people who don’t know any better do actually take his word as that of an expert. Not only that, he wants system utilities to be unable to have direct filesystem access, which, although limiting their usefulness as utilities, will (according to Gibson) result in 100% viral immunity.
by prohibiting the sorts of direct file system tampering performed by our current crop of system utilities, such operating systems will be able to provide their client programs with complete viral immunity
Upon the release of Windows XP, in massive red letters on his website, he proclaimed:
When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth Internet connections, we are going to experience an escalation of Internet terrorism the likes of which has never been seen before.
This is also an excellent example demonstrating his appalling lack of knowledge. Raw sockets will hasten the end of the internet. Despite access to them being freely available in most operating systems for over 30 years. Despite the fact you don’t need raw sockets to pull off any of the attacks he describes. Right….. For an amusing read, you can read about his ordeal of being victimized by a 13 year old hacker here.
He decided to (badly) reinvent SYN Cookies, and then dared to call his approach “beautiful and perfect”. See here. Not only did he completely fail to solve most of the problems that called for such a solution, he failed to give credit where credit is due. The man is a fraud and a liar.
Then there is the whole SpinRite thing, which is, to put it simply, completely bunk. There is a good firsthand account from someone with personal experience here. That is not just picking at the use of marketing terms, it’s a detailed debunking of his idiotic claims.
When you have leading journalists in the field calling him out as a fraud and a know-nothing, maybe it’s time to re-evaluate the man’s credibility? Hopefully by now you have enough material to make your own informed decision, and (perhaps) refrain from recommending him to anyone. Ever. If nothing else, he serves as a perfect demonstration that you should always be wary of self-proclaimed experts.
Update 1 – September 21st 2010
I noticed about a week ago this post was referenced on the Security Basics mailing list. In response, someone provided a link to the Steve Gibson entry on Attrition. It’s a much shorter page, but it’s still worth clicking on just to reinforce everything I have said above, and Attrition is a respectable source. Enjoy.