It's not a surprise the #security industry is plagued with bad actors, grifters, fraudsters, and even criminals. It's easy to lie to people and get them to follow bullshit, because security and privacy are extremely easy concepts to understand at a basic level, despite being extremely complex and requiring dedication to understand at a higher level. This is exactly the same way physical and mental health are also used to sell pseudoscience.
We're in a space that attracts the fearful and paranoid, and the cold, hard truth is that these types of people are easy victims because they always doubt every action they take. Anyone who can't reflect on and accept their own approach will find it hard to develop an approach to stay with. It is easy to tell such people that the way they are doing things is wrong and convince them to do something else. You can reference something obscure and that is enough for some people.
Pushing security nihilism that trying doesn't matter isn't helpful either. It's harmful. Giving up means you'll never have an attitude to protect.
Bad actors in the security community market exactly like scammers, with:
- A sense of urgency, by saying they are not safe,
- An appeal to authority, referencing famous people,
- Playing on their emotions, like their fear or paranoia,
- An offer of scarcity or exclusivity, claiming that everyone else is missing out, or trashing other projects without valid evidence, and
- Referencing current or past events, often with misinformation.
Why do GrapheneOS or other open source projects go on the offensive, then? Because people like these aren't competitors, they're threats. In our case, mobile security is extremely plagued with such people, selling dubious feature phones or repackaged old, insecure devices while pretending they are endgame security. Some groups make apps or operating systems that add no security benefit or even reduce security. They're threats because they endanger people by leading them to believe they are safer when they really are not.
It wasn't long ago that the mobile security market had criminals selling dubious services bundled onto devices like EncroChat, SkyECC, Phantom Secure and more. They enabled violent criminals and likely also scammed ordinary people in the process with a false sense of security. Hundreds of thousands of people were affected by their takedowns. Companies that used to resell these now try to forget they ever did.
Certain actors in the security industry also don't try to innovate in security or privacy for the benefit of the world, but to benefit authoritarian regimes and a powerful, abusive elite class willing to pay them for their skills or for the power they could leverage. The security industry is meant to be transparent and collaborative, with an unspoken but understood code of ethics: to protect, and to attack, for the benefit of business clients and users. But some big organisations don't follow it. Forensic firms like Cellebrite sell exploits to regimes to allow data exfiltration, while mercenaries like NSO sell cyber attacks so that customers can commit unlawful espionage against their political opponents and those who dissent.
Oftentimes the people with money in the bank sell security and privacy to try to whitewash their past actions. For example, Unplugged was founded by Erik Prince, a war criminal and illegal arms dealer of Blackwater fame, and it also employs NSO employees who sold spyware to target political opponents, journalists and dissidents. This isn't the first ex-defence-industry mobile security LARP product and it won't be the last. It is worse that these companies often steal work from open source developers (like Unplugged stealing from Element and DivestOS' Hypatia) and provide nothing in return.
I will not be complacent in letting such people produce their rot in the space we dedicate our daily lives to. We'd rather quit than collaborate with the opposition, and it wouldn't be the first time GrapheneOS has had to do this.