Australian InfoSec Analysts Hit With Restraining OrdersDid Disagreements on Social Media Go Too Far?
What started as robust debates over social media among computer security professionals has turned into a drawn-out, bitter battle that has found its way into Australian courts. The disputes highlight how those who foresake polite debate for legal battles may find themselves being called to account.
At the center of this particular conflict is Simon Smith, who runs a computer forensics consultancy based in Melbourne called eVestigator. Smith describes himself as a world renowned cybersecurity expert with 21 years of experience and a strong record of investigating online schemes, ranging from fraud to dating scams to stalking.
Since August, Smith has applied for Personal Safety Intervention Orders in the state of Victoria against three men, two of whom actively work in cybersecurity roles and the other a network administrator who dabbles in IT security. A PSIO is essentially a restraining order that forbids certain kinds of contact with the applicant.
One of the men, Geoff Ellis of Brisbane, says he received a restraining order after finding security vulnerabilities in Smith's mobile apps. Fearing further legal problems, the second man declined to comment on his case, which revolves around social media interactions.
On Wednesday, however, an application filed by Smith for PSIO against a third man, George Stewart, a Canberra-based consultant, was withdrawn after consideration by the court. Stewart denies stalking or harassing Smith on social media.
"I'm glad it's over and I hope this can be the end of it," Stewart says. "I don't want to have anything to do with him [Smith]."
Observers of the conflict worry that the legal actions are designed to suppress free speech and unflattering security findings. But Smith contends he's been the victim of harassment and stalking. He says a group, which he terms "criminals," has sought to belittle him and damage his reputation.
"I have a right to defend myself," Smith tells Information Security Media Group. "I don't deserve what they're doing to me. It's immature and disgusting."
Social media can be a confrontational medium in information security, says Nick Carr, senior manager for security consulting and incident response for FireEye's Mandiant forensics unit.
"There is a lot of noise in our industry, and people will go after you if you are perceived as being inauthentic or misleading," says Carr, who has not been involved in conflicts with Smith.
Challenging a PSIO Is Expensive
It's free to apply for a PSIO, which is a civil order. But fighting an order typically means retaining a lawyer.
"There's very little downside for the person that's making the application," says Stewart, whose costs challenging the order ran into the thousands. "They don't have to pay."
The easiest and cheapest way to deal with it is to accept it and move on. Such cases don't progress to becoming criminal unless the applicant alleges the other party has violated an order, which the police are obliged to investigate. Violations can be punished by up to two years in prison.
Ellis, the network administrator, says that he was served with a PSIO in mid-September. He posted an article on June 22 on LinkedIn about two security vulnerabilities and a potential personal information leak he discovered in three mobile applications that Smith developed.
"I posted an article regarding these vulnerabilities, and a month later he started sending me legal threats," says Ellis, who blogged about the situation on Medium and launched a fundraising campaign for his legal defense.
Bug hunters have faced immense pressure from companies aiming to suppress their findings. But software vendors have largely given up suing security researchers due to negative publicity and instead encouraged responsible disclosure.
Veering from that course has had repercussions. In a famous blog post in 2015, Oracle CSO Mary Ann Davidson warned that reverse engineering Oracle's code to look for bugs violated licensing agreements. The company eventually took the blog post offline (see Oracle's Security Absurdity).
Social Media Spark
It's difficult to trace the exact spark that led to the latest turn of events with Smith. But it appeared to be a series of social media interactions in June.
Smith is very active on Twitter and LinkedIn, and his posts began to draw broader attention within the information security community, which dug into his background and conducted technical analysis of mobile applications he developed for Apple's and Google's marketplaces.
Ellis claimed he found authentication problems in three of Smith's apps: eVestigator Forensic PenTester, SKILLS.com.au Industry App and Virtual Postage Australia, or VPA.
About a week after Ellis published his vulnerability report, a penetration tester who goes by @InterN0T on Twitter published a report on a remote code execution via a man-in-the-middle vulnerability within eVestigator Forensic PenTester.
According to the bug report, InterN0T notified Smith on June 25 and then received "several threats of prosecution" the same day. The app was pulled from Google Play the next day.
The IT publication The Register published a story on July 3 about InterN0T's findings. The story, however, was taken offline. When contacted, The Register declined to say why the story was removed.
InterN0T, who works as a penetration tester, agreed to speak with ISMG on the condition he not be identified for fear of legal action. He stands by the vulnerability report.
"These vulnerabilities are quite common," InterN0T says. He alleges Smith subsequently threatened and belittled him, which caused him to publish his findings within a few days rather than give Smith 30 days to patch the problem.
Smith contends the mobile apps were just prototypes and contests InterN0T's findings. "InterN0T is a [expletive] liar," he says.
The kerfuffle over the security vulnerabilities and Smith's reactions drew more attention, including from Jake Williams. He's the founder of Rendition Infosec, a security consultancy based in Augusta, Georgia. He's also an instructor at the SANS Institute and a former operator with the NSA's Tailored Access Operations unit.
Williams contends that Smith has contravened a basic rule of civil discourse: Don't attack people who disagree with you. The relatively small information security community includes bright people with sharp opinions who get into occasional spats, he says.
But Williams says "you've crossed a different line when you take it to court." He says that real-world impact is being felt by the people Smith has filed PSIOs against.
"He's [Smith] hurting our field," Williams says. "There's no question about it. He's hurting the infosec field, and that's where I draw the line."
Williams says he engaged Smith after seeing some of his posts on LinkedIn about Marcus Hutchins, the researcher who stopped the WannaCry outbreak. Hutchins is facing computer hacking charges in the U.S. relating to banking malware (see Backstory on Arrest of Marcus Hutchins).
Williams says he disagreed with Smith's post about Hutchins and subsequently received a response. The response has now been deleted from LinkedIn but Williams captured a screenshot.
The last line reads: "Call yourself an instructor, you are the reason why cybersecurity is ruined because you destroyed the SDLC [Software Development Life Cycle] and testing with your lack of quality of process and dodgy short courses."
The SDLC is a process designed to securely develop applications. Williams says he's never taught SDLC courses and instead focuses on forensics, vulnerability assessment and penetration testing.
Smith denies attacking people who have opposing views. "Never ever do I care if anyone disagrees with me," he says. "I only care if they attack me."
Troy Hunt, a data breach and computer security expert, received two tweets from Smith on Sept. 10, one stating he'd "crossed the line" and another advising that he and four others had been sent a summons. Both tweets have been deleted.
"I'm perplexed as to how I've been dragged into this," Hunt says. "I've never had any interaction with Simon either before that threat or since. Certainly I haven't been served with anything. It's all a bit of a mystery to me."
Smith says he doesn't remember what caused him to send those tweets to Hunt. "There is a reason why I didn't litigate and that's because he [Hunt] probably only did it once or twice."
The sharpest exchanges have come between Smith and Bryan Onel, who runs Oneleet, an Amsterdam-based startup dedicated to helping junior penetration testers.
Onel's first contact with Smith was after he claimed to have found a cross-site scripting vulnerability in Smith's website. He wrote to Smith, who responded by saying Onel was in breach of the Australian Crimes Act of 1958.
"It became very obvious quite quickly that anyone who engages against Simon, Simon retaliates against," Onel tells ISMG.
To this day, the two have continued a charged back-and-forth on Twitter. Onel received a letter from a Sydney law firm, Neat Law, in August asking for AU$14,500 for damages Smith sustained related to loss of reputation and legal costs. Neat Law confirmed Tuesday it sent the letter to Onel.
Onel hasn't paid. While he says he's not backing down, Onel acknowledges the feud has become toxic and stressful for many.
"We're quite sad it has to be like this," Onel says. "What we want is that he either stops with his bullshit or tries to constructively take part in this community, and we are completely willing to help him with that."
Smith contends there's no room for mediation and that he will continue to pursue legal action against Onel.
"He's [Onel] off to jail," Smith says. "Bryan is probably the worst criminal I have ever met in my entire life. That's not me saying it. That's fact."
As Smith's social media postings drew more attention, he became a target for memes. One person posted on Twitter a photo of Smith with crudely drawn male genitalia drawn on it. Another meme likened him to Adolf Hitler.
Other memes have been more in jest. One was a photo posted on Twitter that merged Smith's face with that of U.S President Donald Trump, a jab at Smith's perceived litigious nature.
Stewart says he disagreed with Smith on Twitter about his handling of Intern0t's vulnerability report. He says he posted a link to a public photo of Smith in a Zumba dancing session with a sarcastic comment. Smith's application for a PSIO against Stewart was originally approved in September.
The Australian state of Victoria's parliament created the Personal Safety Intervention Order Act to separate domestic violence situations from the increasing number neighborhood disputes, says Nicholas Karanev, a Melbourne-based lawyer.
Harassment is defined in the act as conduct that is demeaning, derogatory or intimidating, or even assails someone's reputation. That applies if it comes through a third person, or a third venue - social media would appear to qualify, Kanarev says.
The debate in Victoria's Parliament prior to the Act's passing in 2010 never mentioned social media, Kanarev says. "But now, in the technological age, that has now been ramped up. You can now have those sort of principals applied to cyberspace."
The initial test for the court on whether to grant a PISO is subjective, focusing on how the victim feels. But Kanarev says a line has to be drawn between fair comment and offensive material intended to harm.
"The question is where do you draw the line, and that is something that the courts themselves are struggling to deal with," he says.
So What's Next?
It's unclear if the end of the conflict is in sight. More broadly, Hunt says that if it continues on the same course, it won't end well.
"Better for all just to move on and focus on positive things," Hunt says. "This industry needs smart people doing good work and debates like this aren't in anyone's best interest."
But Smith says he will continue to pursue legal action against people who allegedly stalk or harass him.
"I'm not backing down, and I will not back down to cybercriminals who instill fear and pressure people who have a right to defend themselves," he says.