Were the Good Old Days Really So Good?

Aug. 5, 2024

I still catch a lot of grief from my former colleagues and old friends for retiring. I do a little consulting occasionally, but I didn’t take on another job. I could pick up extra retirement cash by working at Walmart or Lowe’s, but that’s not retiring; it’s just a career change. “Why don’t you get on some Boards of Directors, attend/speak at conferences, and consult for a cybersecurity vendor?” they ask. Well, because that’s not retiring.

After this conversation, we are prone to laugh as we recall some of the heyday of what hadn’t even emerged yet to be cybersecurity. Most of my peers remember the crazy times in the distant 80s and 90s. Those times gave birth to some colorful characters that defined our professional era: none probably more so than petty crook Frank Abagnale, who became the subject of Steven Spielberg’s 2002 movie “Catch Me If You Can,” which is still sadly listed as biographical. There’s one minor problem with the movie plot and the mystique surrounding Mr. Abagnale: most of it is completely fabricated nonsense made up by Frank himself. It took decades for the truth to finally come out, and no one cares. 

I worked for a security technology company back in the day that was happy to embrace his BeeEss and bought a pallet load of his books while paying him tens of thousands of dollars to preach from the podium at conferences and even internal corporate gatherings. In fairness to the marketing and corporate comms folks, he did draw an audience, but for all the wrong reasons. He was simply a petty criminal with an overactive imagination. The “greatest conman’s” greatest con was to sell himself as something he wasn’t, but desperately wanted to be. He made a fortune.

Frank wasn’t the only one to see the monetary potential of the computer security grift. There was Carolyn Meinel (The Happy Hacker), Ian Murphy (Captain Zap), John Draper (Captain Crunch), and a host of others with shady experiences and a gift for hyperbolic public relations. What made them so successful in selling this tripe was an industry machine that not only accepted their claims at face value but actually promoted them in the form of generous speaking and consulting fees. They were building off a gullible, if not totally complicit, national media who also pumped up the hype to get eyes on their articles.

I had an old colleague who had a minor role in one of the early penetration tests of a large banking application. A month later, I saw him on the dais claiming he could steal billions of dollars and wreak havoc in the world’s financial systems. “Surely,” I thought, “that’s a bit overblown. Perhaps it will come back to haunt him.”

Instead, the next time I saw him on cable news, he made even more outrageous claims of his technology prowess to wipe out global financial systems. It was all a bit much, but he gained a lot of press and most likely enhanced his employment prospects at the time.

For over a decade, I worked at one of the big antivirus vendors of the '90s-00s. My relatives always asked me how to protect their credit card numbers online. I asked them, “Why bother?” They would reply, “Because the hackers can use them to buy anything they want.” I then explained all they had to do was watch the card balance carefully and report any unauthorized use. That was all. The issuer bears the risk. “But, the newspaper said…,” they would reply.

Once, while I was still working there, a colleague built a graph that tracked the stock share price of my employer. The graph of virus scare reports in the media overlaid this graph. It looked like a perfect sine wave. You could be forgiven for asking who was writing and deploying those “dangerous” viruses.

Even at my most recent professional gig, I was still to encounter the seedy underside of cybersecurity publicity hounds. My employer had been paying a monthly fee to a “think tank” that promised to promote our brand. Their website lists dozens of books and articles by one of their cofounders who billed himself as a computer security rockstar. I searched my memory for any mention of him over my 30-year professional and academic career and couldn’t even recall one instance. How could I have overlooked such a prolific author and security expert? 

So, I downloaded some of his authored materials and ran them through a plagiarism checker I used for my graduate program. Bingo. Almost every sentence in the articles I grabbed had been copy/pasted from other publications and websites. Some further digging showed this was not his first experience posing as an expert. He had been chased out of a previous professional capacity amid charges of plagiarism, embezzlement, and bilking clients for exotic vacations, fine liquors, cigars, and even tattoos. 

But those were the good, old days, right? Maybe. But maybe the charlatans are still with us.

About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].