Simon Smith is arguably one of InfoSec’s most prominent charlatans to appear in 2016/2017. Even veterans of the industry still question whether he is an elaborate troll or a person doing business in the security industry. He appears to scam people under the guise of protecting people from the scams that he himself may perpetrate. He recently deleted/deactivated his Facebook and Twitter accounts, only to reactivate one again shortly after. One thing seems certain: emotion and anger seem to be a driving influence in his life.
Mr. Smith has written a variety of software, primarily apps for Android and iOS that have appeared in the official app stores for each. Unfortunately for his users, many of his applications contain pedestrian vulnerabilities that could put the users at risk. While a vendor having a vulnerability is easily forgiven, since it happens to everyone, it is more important to see how a vendor responds to such reports. For Simon, it involves sending legal threats, coercing web hosts to remove the disclosure, and denying that the vulnerabilities ever existed.
It is clear that it is not safe to run any code written by Simon Smith on your systems or devices. Simon Smith currently markets multiple products to consumers and businesses and does not appear to have audited them in any fashion. Every piece of software written by Simon Smith that was audited by third parties contained serious vulnerabilities that could compromise the devices that they are running on or the privacy of the user.
One thing Mr. Smith is proud of is his laundry list of certifications, and he appears to think it establishes him as a competent professional. Unfortunately, a lot of them are not so much ‘certifications’ in the context that most in our industry use the term, and some of them are questionable. For example, Simon claims to hold a CCIE, which our industry knows as the “Cisco Certified Internetwork Expert”, a difficult achievement. His CCIE certification is something different (a “Certified Cyber Investigative Expert” by McAfee). Further, listing ‘CISO’, ‘CEO’, and ‘CIO’ as “certifications” is just absurd, especially when those are self-appointed titles based on a position in a company he created. As time permits, several security professionals plan to research these claimed credentials.
(GradCertDigEdu, GradCertITStrMan, GradCertITSust, GradDipProgMan, GradCertCertIES, GradDipALNL, GradDipPortMan, GradDipStrLdr, GradDipManEdu, GradDipFDR, AdvDipIntRiskMgt, AdvDipLdrMan, AdvDipProgMan, AdvDipGovWorInsInvFraud, CHFI, CCIE(not the Cisco one), CCSMIE, CEFI, CWTS, CCITE, CWHH, CCTA, CISO, CEO, CIO, VSCL, PI, FDRP, NAM, ISSA, MC, MCP, MCSD, PMP, MC, CPP, CCP, PSP, OCP, GDip, ML-PM-SL, GCer, ITSM-ITSu)
Formal articles or blogs that cover Mr. Smith, his business, or his actions in some manner.
Cases where Mr. Smith resorts to using legal threats to try to silence critics, especially around vulnerability disclosures and social media. While most in the Information Security industry appreciate and respect the law, Simon resorting to legal threats and calling legitimate opinions and protected free speech a crime does not help anyone, and only puts more of a burden on law enforcement and the courts. Ultimately, these actions show a severe disregard for the law.
Various links, stories, and observations about Mr. Smith’s behavior. These also include debunking wild claims made by Simon as he tried to promote himself.