The Curious Case of Simon Smith — eVestigator

In case this is your first-time hearing about Simon Smith, you will be surprised that he is the “Number #1” expert in Australia, and anyone that disagrees with him is either a kiddie or an old man. By searching on Twitter, LinkedIn, or Google, you should be able to find references to this. But beware, he is notoriously known for making harsh remarks about people, subsequently deleting those remarks, and then calling people “cyber bullies”, while, threatening to sue them and even file criminal charges. I am sure he will send us another email after reading this, and, threaten to sue us once more.

Vulnerability Disclosure:

Let’s talk about the “eVestigator Forensic PenTester v1” Android app, that until recently it was still available on Google Play. On the 25th of June 2017, Simon Smith was notified of a vulnerability in it. Within 24 hours, Simon Smith had sent us four emails. In addition to that, he also sent The Exploit Database (www.exploit-db.com) several emails where some of them were threats. The emails are as follows:

As an “expert”, you would think that Simon Smith knows:

Instead of fixing the vulnerabilities, the vendor decided to threaten to sue us, and file criminal charges. Additionally, in the process, also ignored anyone that had previously installed the app. These users could still be vulnerable, but as Simon Smith does not acknowledge the validity of these bugs, then these users will continue to be vulnerable until the app(s) are removed from the affected devices. In all of the advisories sent to the vendor, remediation advice was included.

Full Advisories

Below is a list of current advisories that we have sent to the vendor (Simon Smith) that he has failed to acknowledge, and instead tried to take them down from every website where they have been published to. * eVestigator Forensic PenTester v1 — Remote Code Execution via MITM: evestigatorpent-adv.txt * BestSafe Browser FREE NoAds — Remote Code Execution: bestsafebrowser-adv.txt * Australian Education App — Remote Code Execution: auseducationapp-adv.txt

Please note that most or maybe all of the video links have either been removed by us, or taken down by Simon Smith as part of his massive video report abuse on YouTube. This is to avoid getting too many “copyright strikes”, even though all of our content is compliant with fair use and our freedom of speech.

Of course, to protect our freedom of speech we have uploaded the videos elsewhere, as the public has a right to know:

In case you want to host the videos yourself, here is a link to the archive: lulz.tar.gz

After notifying Simon Smith of the vulnerabilities in those two other apps on the 29th of June, we received the following email:

Shortly after we posted the preview videos on YouTube, with redacted proof of concept code, as these were more serious vulnerabilities that did not require Man-In-The-Middle (MITM) attacks at the time of publishing.

Within 24 hours, Simon Smith reported all three videos as follows: * Privacy issue (Stop abusing the video report system? There are no privacy issues in those videos.) * Copyright issue (One video got taken down by YouTube, we deleted another video as a precaution to prevent Simon Smith from abusing the video reporting system.) * Trademark issue (eVestigator video will be investigated by Google soon. We’re going to let Google decide on that one.)

After this happened, we uploaded our videos to several websites. We also tweeted about them and guess what? Simon Smith reported them for copyrighted content too.

Last but not least, we also received the following email today:

Conclusion

Simon Smith will send abuse/complaint reports everywhere, to any person/website/service that criticizes his work in any manner. He will also threaten to sue them and file criminal charges.

It will be an interesting experiment to see how long this blog post will last, until Simon Smith manages to convince Medium that we’re violating his “copyright” somehow by highlighting these genuine issues. If it manages to stay alive, he will definitely report the ghostbins and videos.

In addition to the above, Simon Smith has also threatened other companies and individuals in multiple countries in the past and also quite recently. The evidence of this will be released very soon.

Best regards,

InterN0T