Simon Smith is arguably one of InfoSec’s most prominent charlatans to appear in 2016/2017. Even veterans of the industry still question if he is an elaborate troll or a person doing business in the security industry. He appears to scam people under the guise of protecting people from the scams that he himself may perpetrate. He recently deleted/deactivated his and , only to reactivate one again shortly after. One thing seems certain; emotion and anger seem to be a driving influence in his life.
Simon Smith’s Vulnerable Software
Mr. Smith has written a variety of software, primarily apps for Android and iOS that have appeared in the official app stores for each. Unfortunately for his users, many of his applications contain pedestrian vulnerabilities that could put the users at risk. While it is easily forgiven for a vendor to have a vulnerability, it happens to everyone, it is more important to see how a vendor responds to such reports. For Simon, it involves sending legal threats, coercing web hosts to remove the disclosure, and denying that the vulnerabilities ever existed.
eVestigator.com.au Web Site / Real-Time Windows Cyberwall Suite - Reflected XSS #1 (2017-07-22)
eVestigator.com.au Web Site / Real-Time Windows Cyberwall Suite - Reflected XSS #3 (2017-06-21)
It is clear that it is not safe to run any code written by Simon Smith on your systems or devices. Simon Smith currently markets multiple products to consumers and businesses and does not appear to have audited them in any fashion. Every piece of software written by Simon Smith that was audited by third parties contained serious vulnerabilities that could compromise the devices that they are running on or the privacy of the user.
Smith’s Certifications, Allegedly
One thing Mr. Smith is proud of is his laundry list of certifications and appears to think it establishes him as a competent professional. Unfortunately, a lot of them are not so much ‘certifications’ in the context that most in our industry use them, and some of them are questionable. For example, Simon claims to hold a CCIE which our industry knows as the “Cisco Certified Internetwork Expert”, a difficult achievement. His CCIE certification is something different (a “Certified Cyber Investigative Expert” by McAfee). Further, listing ‘CISO’, ‘CEO’, and ‘CIO’ as “certifications” is just absurd, especially when those are self-appointed titles based on a position in a company he created. As time permits, several security professionals plan to research these claimed credentials.
Cases where Mr. Smith resorts to using legal threats to try to silence critics, especially around vulnerability disclosures and social media. While most in the Information Security industry appreciate and respect the law, Simon resorting to legal threats and calling legitimate opinions and protected free speech a crime does not help anyone, and only puts more of a burden on law enforcement and the courts. Ultimately, these actions show a severe disregard for the law.
Simon’s lawyer sends a to Bryan Onel claiming defamation, seeks $14,500AU. (2017-08-14)
Smith posts a letter on his site addressed to the Australian Federal Police where he accuses Bryan Onel of being a terrorist and makes numerous other allegations directed towards him. He claims it will cost him his life if Bryan is not arrested. (2017-08-11)
Smith writes a rambling LinkedIn article in the same style of this site, “exposing” Intern0t while not substantiating his claims. (2017-07-13)
Smith reports people who disagree with him to their domain registrars in an (2017-07-13)
Smith files a over Intern0t’s video demonstrating a vulnerability in one of his apps. (2017-07-05)
Smith files a over a vulnerability report in one of his apps. (2017-07-05)
Smith files a over Intern0t’s video demonstrating a vulnerability in one of his apps. (2017-07-04)
Other Bits of Interest
Various links, stories, and observations about Mr. Smith’s behavior. These also include debunking wild claims made by Simon as he tried to promote himself.
Simon Smith nominated for a Pwnie award for “Lamest Vendor Response” at BlackHat Briefings 2017. He did not win. (2017-07-26)
Only has approximately 400 hours of training, most of which is from his own training company. This calls into question many of his certification and position claims. (2017-07-12)
Believes accessing “/?go=fuckyourself” on his website is , tries to get OSCP certification revoked. (2017-06-11)
Claims to have identified the authors of a WannaCrypt variant as from “XYZ Country”, apparently forgetting to replace it with a specific country name. (2017-06-01)
Claims to have identified the WannaCrypt authors as “European or American” after previously identifying them as from “India or Spain.” (Coincidentally, he confirms in this press release that he owns the domain “qweuio.com” where the racist email mentioned above was sent from.) (2017-05-17)
Wants to patch EternalBlue by exploiting vulnerable systems, which he doesn’t seem to realize is criminal activity and therefore illegal. (2017-05-15)
Smith added to Ripoff Report for “not [completing] job, will keep asking for more and more money”, appears to have posted several fake rebuttals to help hide the negative review (2016-03-30)
