Home IT-security The IT-security maverick scoring system (IMSS)

The IT-security maverick scoring system (IMSS)

The IT-security maverick scoring system (IMSS)
attrition.org’s mean squirrel. The site has been an amusing source of laughter for me a number of times. And some of their stories has been inspiration for this list as well.

(2021-08-06 – Just started this page. Will add more lines, shortly!)

Inspired by John Baez “The Crackpot index“.

Right, we can all screw up or say stuff that is wrong. But we learn and we strive to correct ourselves. But among us walks the IT-security mavericks that don’t abide by common rules such as making their statements possible to test or that you actually must accept critisism without calling the other person names.

They commonly sell stuff, software and ideas that may or may not work, actually exist, improve security at all or just plain do anything at all. So, no, they’re not necessary incompetent. They may be snake-oil salesmen or just have a pompous ego and no idea as to the mind set and spirit of the IT-security field.

Score someone you want to understand and remember: racking up points is not a good thing. Above all, enjoy!

  1. They start at -5 points for calling themselves an “IT-security expert” or something like that. We’re currently cautiously optimistic as we need more people in this field. Then add:
  2. 1 point for every statement that’s widely believed to be false.
  3. 1 point for every time a statement is wrong, that should have had been easy to actually verify before stating it.
  4. 1 point for every statement that sounds about right until actually someone checks it up.
  5. 2 points for every “as everyone knows” that actually is something that no one really believes or that is incorrect.
  6. 5 points for complaining about this list and feeling it attacks them personally or refers to something they wrote or said (Most likely it did not).
  7. 5 points for calling everyone who disagrees with them “Orthodox thinkers”, “Troglodytes”, “Unimaginative”, “Sheeple” or just plain “idiots”.
  8. 10 points for writing articles/books/posts that are basically stolen from others and then badly rewritten to obscure this fact.
  9. 10 points for spraying the speech/articles with every abbreviation, initialism and acronym known to mankind as long as they (may) relate to the IT-security field.
  10. 10 point for taking a pride in inventing new language as a selling point. “armor clad security shielding”, “cloaking mode”, “security arbitration” and “synergi-based security tracking”. (Ok, I made those up. Or did I?)
  11. 10 points for getting “original research” stamped on contributions on Wikipedia.
  12. 20 points for whole Wikipedia-articles written getting removed.
  13. … an additional point for every “WTF” comment on their articles in the “Talk” section.
  14. 10 points for taunting their “exceptionally high IQ”, “extreme skills”, “Hacked the global liberation army”, “being trusted by NSA/CIA/MUST/GRU/Whatever” or anything else you have no way of actually verifying.
  15. 10 points per work experience they state that is not possible to check or that is purposefully vaguely written. E.g., “20 years of experience with IT-security research in the intelligence community”.
  16. 20 points for pointing to other experts “supporting” what they’re stating/selling/proposing, when said expert’s statements are taken out of context or is not applicable.
  17. 20 points for adding buzz words and claiming to use/support/provide/understand “Artificial intelligence”, “Heuristic analysis”, “Data lakes” when it isn’t clear that those technologies even would make sense in that context. E.g., “Our firewall features artificial intelligence based search engine optimization to provide synergy between the total cost of ownership and the customer experience”.
  18. 20 points for claiming to have big companies as customers, while ignoring to mention that they just got them to accept a sales pitch and then never called back.
  19. 20 points for ridiculous statements that makes you wonder how much they actually understand. “It was a command-driven movement on the Internet”, “Plugged the hard disk into the Internet”, “Our firewalls cannot be hacked”, “Since this cannot happen, it really didn’t”.
  20. 20 points for suggesting “Security by obscurity” as a main security design. (E.g., setting a service to listen to an uncommon port)
  21. 20 points for every year passing after the promised solution’s/product’s initial release date.
  22. 20 points for predictions that a vulnerability they found “will bring down the Internet”.
  23. 20 points for using sales lingo to pitch their research like “It’s beautiful and perfect” or “It will change the whole world”.
  24. 20 points for invoking Godwin’s on anyone opposing them.
  25. 40 points for comparing themselves to any historically or currently oppressed people and thus losing all contact with reality.
  26. 40 points for inventing their own cryptography without disclosing how it works.
  27. 30 more points for stating that “it can’t be expressed as an algorithm”, “doesn’t use common mathematical rules” or “is based on quantum physics”.
  28. 40 points for going full mad scientist “YOU WILL ALL SEE WHEN THE INTERNET CRASHES! You will regret not listening to me! And not buying my super-perfect software!”
  29. 50 points for vaguely suggesting you invented/were instrumental in the development of a famous protocol/software/system. Points will not be “awarded” if it’s actually true (It never is!).


The list is a mix of things I’ve heard a number of people say, commonly said stuff that boggles my mind, proof of a mind set that totally misses the target and a few I’ve done myself over the years (not telling you which!).

The original “crackpot-list” does not tell you what score you need to be seen as a crackpot. I don’t know when you become an “IT-security Maverick” either. It’s more a list for some laughs than anything.

Big whoop! Wanna fight about it? ... Or maybe... you know... just leave a nice comment.

This site uses Akismet to reduce spam. Learn how your comment data is processed.