This article of mine originally appeared at https://www.infosecisland.com/blogview/15064-Lessons-from-LIGATT.html

Lessons from LIGATT

I have been writing book reviews on information security and technology books for quite a while.  Topics such as authentication, security design, operational resilience, biometrics and security policy are rather tame and most of the reviews don’t generate a huge amount of controversy.

In fact, before June 2010, no book review I wrote ever lead to being interviewed by a major network for an expose of theirs, or a personal attack by the author (including being called a racist and a stock basher) against myself, Chris John Riley, Sam Bowne and others.  These critiques by aforementioned and others were never a personal issue, and this article is simply a record of lessons learned.

Writing book reviews is something I do as a pastime, and with that, I generally refrain from writing negative book reviews.  But occasionally, some books are so problematic that one can’t remain silent. 

That is what lead to my June 2010 review of How to be the World’s #1 Hacker, written by Gregory D. Evans of LIGATT Security International (and SPOOFEM.COM and High Tech Crime Solutions Inc.) for this blog. I demonstrated (as did Brian Baskin) that significant amounts of the book were plagiarized. This was based on the use of the iThenticate service.  iThenticate is one of the leading plagiarism detection services that provides impartial content analysis.  I published the book review and thought that was the end of it. 

For those who need a briefing on the LIGATT saga, Attrition notes that Evans describes himself as a hi-tech hustler, The World’s No. 1 Hacker and a convicted felon. Attrition further writes that Evans has invented himself as some form of hacker with the ability to break into anything and spin that supposed knowledge into advising companies on security.

It is the common opinion of industry experts that Evans and his company have little real knowledge beyond pedestrian hacking techniques found in plagiarized books and beginner hacking texts. LIGATT offers products that are simply bloated version of common tools such as ping and nmap.

Due to a variety of unexpected events that took place, my book review did not simply end there. I ultimately learned a considerable amount about a number of topics, from fair use to securities law and more, and met a lot of smart people along the way.  I would like to share those lessons with you.

Twitter is a powerhouse for action

Details

From as early as 2009, the use of Twitter for organized student protests significantly changed the dynamics of mass communications.  In 2011, we saw the use of Twitter to overthrow the corrupt Tunisian government and fight the oppressive Syrian regime.  Twitter is indeed a powerhouse for action. 

Twitter and other social media outlets are changing the way business and marketing are done.

Lesson

While Fox, Bloomberg and other media outlets had Evans on their show, Twitter was often the medium for those that did not view Evans as the number 1 security expert to get the word out via the #Ligatt hash tag.  People and organizations such as Attrition, 0ph3lia, Sam Bowne, Marcus Carey, Chris John Riley and krypt3ia used the #LIGATT hashtag to get their message across.

Self-publishing

Details

Indie movies came about due to the frequent inability for smaller movie producers to get the attention of the major studios. When it comes to books, self-publishing is often a great way to bypass traditional publishers and quickly get a book into print.

But with that ability, many authors will self-publish; bypassing the editing, fact checking and rigorous plagiarism checking that a traditional publishing house will typically perform.

Rich O’Hanley, publisher at Auerbach Publications and CRC Press, notes that plagiarism continues to plague both his firm and the entire industry, thanks to the self-publishing and the web, and its ethos that information should be free. The reality is that it is far too easy for authors to use whatever is available.

O’Hanley is not sure if the motivation to plagiarize is driven by ignorance of copyright rules, or simply the perception that they won’t be caught.  Even authors whose careers predate the web, fall victim to this and use material they can cut-and-paste that they likely wouldn’t use if they had to retype it.  CRC Press has tightened the whole permissions process, but it’s still a matter of trusting the author and his or her attestations.         

Lesson

Had How to be the World’s #1 Hacker been sent to a traditional publisher, it likely would have been flagged immediately and never allowed into print.

Evans has claimed in interviews and self-made YouTube videos to have had permission from the sources he used.  But as of July 2011, he has yet to show a single document, email or contract that entitled him to re-publish the works of others.

Fair use

Details

The US judicial system (see 17 U.S.C. § 106 and 17 U.S.C. § 106A) allows for the fair use of copyrighted content. While there is no definitive level of where fair use ends and plagiarism begins, How to be the World’s #1 Hacker crosses the line according to a reasonable assessment of what fair use is.

In An Independent Plagiarism Review of How to Become the World's No. 1 Hacker, Brian Baskin noted that you will find that many of the references are from NMRC; a site run by Simple Nomad. Simple Nomad developed the basic structure that Evans used to plan his table of contents, as well as originally developed the material used by Evans in his book. This was excellently written material, but is dated originally from 2000.

What Evans also did was modify some of the text that Simple Nomad wrote, to make it look like he was in fact the true author.

Ron Coleman, Partner, Head of Intellectual Property Department at Goetz Fitzpatrick LLP and general counsel of the Media Bloggers Association, notes that even seasoned attorneys are often at sea about where a quotation crosses the line from fair use to copyright infringement. 

Coleman observed that “fair use is a very fact-specific inquiry, where courts are often asked to weigh a lot of factors at the same time.  The tricky part is that while judges are making very subjective decisions about liability, the copyright statute is designed -- with mandatory awards of attorneys’ fees and in some cases of statutory damages -- to punish every infringer as if he knew in advance how that equation would come out.  In the close cases, that's simply impossible.”

Lesson:

Before I wrote my review, I was not aware of the fine details of fair use.  With How to be the World’s #1 Hacker, objective analysis demonstrated that there was lot of use, and very little of it fair.

Copyrights

Details

A copyright is a set of exclusive rights granted by a state to the creator of an original work or their assignee for a limited period of time in exchange for public disclosure of the work. This includes the right to copy, distribute and adapt the work. 

Without copyright protection, most artists and authors would not create music or books, if their works could not be protected. 

With that, copyright owners have the exclusive statutory right to exercise control over copying and other exploitation of the works for a specific period of time, after which the work is said to enter the public domain. Uses covered under limitations and exceptions to copyright, such as fair use, do not require permission from the copyright owner. All other uses require permission.

The notion of a copyright has its roots in the United States Constitution; where it states in Article I, Section 8, Clause 8 (known as the Copyright Clause) that empowers the United States Congress to “promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries”.

Lesson

As detailed in Gregory D. Evans, Copyright Violations for Over a Year, Evans has been plagiarizing content for his Twitter feed and associated web sites, here and here  

The copyright violations are that the LIGATT sites scrape entire news articles, including the graphics, without permission. While LIGATT ultimately gave give credit to the original source at the end of the article; that does not justify what he is doing or make it legal. Reproducing an entire piece of work without permission is a copyright violation.

One site LIGATT scraped a significant amount of content from is the Krypt3ia blog.  Note that the following statement on the blog site leaves little room for ambiguity:  All content of this site is copyright of Krypt3ia (Scot A. Terban) and not to be copied unless express consent is given in writing by its author.  LIGATT never received permission to use the content.

Blog owner Scot Terban observed that “it seems to be the standard of practice on the LIGATT sites that no original content is ever posted by Mr. Evans.  There are quite a few PR pieces and links to interviews he has done in the past.  But as far as his own original content, there is none.   Instead, there is an overabundance of scraped content from well-known information security web sites and noted authors; many of whom likely don’t know that their content has been copied”.

Penny stocks

Much of the spam you get is around weight loss and various schemes to make money.  Rarely will a day go by that you won’t receive numerous spam emails touting a hot stock tip.

Often these emails are used in pump-and-dump schemes (P&D).  The US Securities and Exchange Commission (SEC) define P&D as “the touting of a company's stock (typically microcap companies) through false and misleading statements to the marketplace. After pumping the stock, fraudsters make huge profits by selling their cheap stock into the market”.

Since most of these companies being pumped are listed on the Pink Sheet (an unregulated market), a stock moving up just one cent (since these companies have as many as 5 billion shares of stock or more) can bring significant money to those pumping it, when they finally dump it.

How to Identify a Pump and Dump Stock Scam notes that if the stock trades on the OTC (Over The Counter) or Pink Sheet Exchanges, it is often an indicator of a scam. Stocks traded on these exchanges do not fulfill the rigorous requirements of the NYSE, NASDAQ, or American Stock Exchanges.

In Tips To Identify Pump And Dump Schemes at Motley Fool, a few quick tips to help identify P&D schemes are to:

•          look at the structure of the company
•          examine the trading and price history
•          take a close look at the founders of the company (previous experience, background, etc.)
•          look at the percentage ownership of the company (insider, retail, institutional)
•          look at any VC investors that have made investments in the company

Harry Domash writes in Beware of pump-and-dump stocks that promoters pump the stock by issuing copious media releases announcing the firm’s entry into a variety of promising businesses.

Domash notes that in truth, it is relatively easy to spot these risky stocks and lists six checks you can use to quickly rule out dangerous stocks, whether pump-and-dumpers or just bad ideas. He suggests ruling out any stock that fails to meet the following:

• Last price above 50 cents
• Last-quarter sales at least $10 million
• Market capitalization at least $50 million.
• Institutional ownership at least 15%
• Debt/equity ratio less than 3
• Maximum price/book ratio of 30

Ryk Edelstein, veteran entrepreneur and CEO at Cicada Security Technology has seen the dark side of P&D, having observed a well-intentioned business owner partner with less well intentioned partners who offered a promise of riches and success by simply letting them take the company public. To those in the high tech sector, there is no shortage of charlatans who will approach unsuspecting business owners, stoking their egos, and appealing to greed.

Consequently, as in the case of the well intentioned business owner, at the end of his partner’s cycle of P&D, he was left sucked dry holding a valueless corporate shell, debt, and facing the prospect of serious legal repercussions.

Lesson

Like many companies listed on the pink sheets, LIGATT (while not necessarily a P&D stock) seemed to consistently use myriad press releases as a method of garnering attention to the company, which would ostensibly serve to increase the perceived value of the company.

LIGATT press releases are somewhat unique in that many of them are unidirectional; in that the other party does not issue a corresponding press release.

One of countless examples of bidirectional press releases is the June 2011 strategic partnership of Juniper Networks and OnLive under which Juniper will be the exclusive networking provider for OnLive's network infrastructure.  This was announced on both Juniper’s web site and correspondingly on OnLive’s web site.

When it comes to LIGATT, I could not find a company or organization mentioned in their press releases that has reciprocated with a similar press release.

Notice the following:

• LIGATT Security International's President and CEO Turns Internet Controversy into Profit – In this press release, LIGATT announces they are to star in their own reality show, which would be the first cybersecurity company reality show in the history of television.  Yet with all the fanfare, no network ever announced they have such a show in their lineup, and LIGATT does not say who will produce or what network will air it.
• Gregory D. Evans Proves to be the Most Recognized Computer Security Consultant – This comes from LIGATT, but of all the media outlets and periodicals they quote, none of them issues a corresponding press release.
•   LIGATT Security International Signs Contract With One of the Largest Billion Dollar Online Retailers, PC Mall – while this is nothing more than a reseller agreement, if the issue was that significant, one would think that PC Mall would find the time to issue their own release.
• LIGATT Security International: The Official Cyber Security Provider for Philips Arena, the NBA Atlanta Hawks and NHL - Not only was there not a corresponding press release - Tracy White, Chief Sales Officer and Senior VP of Sales and Marketing for Atlanta Spirit LLC, the parent company of the Atlanta  Thrashers, stated that “LIGATT doesn’t provide (nor have they ever provided) services for the Hawks, Thrashers or Philips Arena.”

Regulation has its limits

Details

Even with SOX, GLBA and other regulations, the consumer and investor ultimately can’t be fully protected. The finance system and financial markets in this country are so complex, with so many layers and with so many interrelated parts, that it is ripe for abuse.

Even with the SEC in place to regulate such entities, publicly traded companies on the Pink OTC Markets (Pink Sheets) are lower priority for investigations, for many reasons. 

Even the Food and Drug Administration (FDA) often finds itself limited, even with its regulatory powers.  As I wrote in New York News Radio, the Voice Of Bad Science, for the consumer, whenever they hear the following mandated FDA disclaimer, they should immediately be suspicious:  These statements have not been evaluated by the Food and Drug Administration. This product is not intended to diagnose, treat, cure or prevent any disease.  After such a disclaimer, an able person should ask himself or herself, if the product is not intended to diagnose, treat, cure or prevent any disease, why use it?  Nonetheless, even such regulatory disclaimers seem to go in one ear and out the other of most consumers.

Part of the reason regulation won’t work is that an investor with an insatiable appetite for profits, often finds that their ability to reason is occluded.  Combine this with the flash of mega-gains that the P&D maker’s supply and people will invariably find themselves on the losing end of the deal, with no recourse in which to recoup their losses.

Corresponding to what Ryk Edelstein observed earlier about the well-intentioned business owner; there are many entities required to make a P&D work; from lawyers, securities underwriters, transfer agents and much more.  Any regulation that would encompass all of the myriad entities would have to be so draconian as to stop all market activities.  And such a thing will never happen.

Lesson

Even with the many LIGATT lawsuits, including many frivolous cases filed by Evans, the most recent case on April 11, 2011,the legal case LIGATT filed was thrown out of court and the firm ordered to pay over $29,000 in legal costs to the other party. 

With all of this, as of July 2011, the SEC has not announced any sort of investigation against LIGATT.  Nor have any securities lawyers I consulted said they expect any investigation against the firm any time soon. 

Pink sheets are not for girls’ beds

While there is the NYSE, NASDAQ and other reputable exchanges, it should be noted that the Pink Sheets is not a stock exchange. In fact, firms have very little requirements in order to be quoted in the Pink Sheets.  Since many of these firms do not submit timely financial statements, nor perform third-party audits, it makes it difficult for the investor to really understand what they are getting into.

It is questionable why any novice investor would want to invest in a firm that can’t afford or won’t submit an audited financial statement. It is for these reasons and more, that Pink Sheet firms are extremely risky. Read: a place where naïve investors can lose their entire investment quickly and effortlessly.

This does not mean to imply that all Pink Sheet stocks should be avoided, as there are certainly many legitimate Pink Sheet companies.  Many are smaller firms with legitimate intentions of starting small and growing big.  But given there are so many that are not like that, the novice investor in the Pink Sheet market is going down a road fraught with financial risk.

Much of the hype of some of these Pink Sheet companies is often based on the charisma and hyperbole of the financial people and executives at the companies. Uneducated and unsophisticated investors, who lack the most basic financial wherewithal and fail to perform due diligence, become victims to these charlatans.

As noted in the previous paragraph, the very nature of Pink Sheets means they can never be fully and properly regulated. With that lack of common financial sense of basic investors, and Barnum’s observations, those people are for the most part doomed to losing their investment. 

Investors who are not comfortable with the underlying mechanics of how the financial markets operate should consider the pink sheet market just like a Vegas Casino; where the odds are stacked against them from the start. 

A market maker who works in the pink sheet world succinctly told me that “these stocks are garbage.  You buy a stock for a half a cent and hope if goes to a penny”.

Lesson:

LIGATT (LGTT.PK) is a pink sheet stock, better known as a penny stock. As to LIGATT and Pink Sheets, the following screen shot says it all.

Media needs content

Details

On any given day, hundreds of media outlets need content to fill their airwaves.  Radio stations, newspapers, periodicals and a never ending supply of cable channels need people they can interview on the air to use for external expertise.

Over the last year, LIGATT PR solicited numerous media outlets, who in turn had Evans appear as an expert and provide commentary.  Just a few weeks ago, their PR department sent the following email to many media outlets:

Lesson

Numerous media outlets had Evans on air, irrespective of his false associations (Atlanta Hawks, Atlanta Thrashers, Los Angeles Clippers, Phillips Arena and more), false certifications, and authorship of plagiarized books to make him seem like he was indeed the “worlds #1 hacker”.

With that, one can pose the question – if the  major media outlets such as Fox, CNN, Bloomberg, et al, can’t get it right with a guest on technology, what does that say about their approach for foreign policy, investment news and more pressing concerns.

While the major media players ignored Evan’s qualifications, it is worth noting that the smaller media outlets such as The Register, Tech Herald  and CBS Atlanta affiliate did run exposes about the firm and its titular #1 hacker.

Racism in the USA

Not a Miley Cyrus song, but racism is a serious transgression.  It wasn’t that long ago that an African American couldn’t use a public restroom or drinking fountain in this country.  These racist inequalities were the driving force behind the establishment of the NAACP and other such organizations. 

In the 100 years since the founding of the NAACP, a lot has changed.  Take a look at the former Secretary of State, the current President and Attorney General; it is clear that state-sponsored racism is no longer an issue.

Perhaps fighting racism is no longer the raison d'être of the NAACP.  To a degree, the organization has been reduced to a business that produces the NAACP Image Awards.

The irony is that in March of this year, the NAACP had its image tarnished, as it found itself on the receiving end of a boycott, since Kid Rock received the NAACP Great Expectations award at the Detroit NAACP gala.

This award caused a dispute by some who believe that he should not have received the award.  Their opinion is that he is an inappropriate choice given his affiliation with the Civil War-era Confederate Army flag, which has been adopted by white supremacists, and have irked many civil rights activists. In fact, some supporters of the civil rights organization boycotted the annual fundraiser on May 1 because of the issue.

The singer has argued that the flag stands as a symbol of southern rock and roll, but many protesters don’t quite see it that way.  Dr. Boyce Watkins, Professor at Syracuse University writes that if anyone ever wants to understand why so many in the black community have lost faith in certain elements of the NAACP, you need to look no further than this incident.  He notes that It’s one thing for the NAACP to remain quiet about Kid Rock’s use of one of the most traumatic symbols in American history, but quite another for them to step up and give him an award for it.

Lesson

The NAACP presented Evans with its NAACP humanitarian award in 2002.

But LIGATT used press releases to accuse respected professionals who did deeper investigations and analysis into its activities of having a racist agenda and being some of the world’s worst cyberbullies.  Some examples include a blog posting in June 2010, How Can Computer Nerds Be Racist, where LIGATT accused this author and Chris John Riley of being racist, and emphasized the claims that criticism leveled at Evans' and LIGATT are all racially motivated.  

For a full account, see Security firm fights racism in InfoSec while apparently profiting from it and World's No. 1 hacker' tome rocks security world - Plagiarism, racism, and fake Mitnickism alleged.

LIGATT even accused CBS Atlanta of having a racist agenda when they ran an expose against the firm.  While CBS Atlanta posted the response from LIGATT, it was somewhat ironic that portions of the response had to be redacted because of racially offensive language from LIGATT themselves.

Yet when his charges of racism where brought to the attention of the NAACP, they did not seem receptive to the issue, nor did they revoke the award.  Furthermore, despites our attempts to contact them they never return a phone call or replied to email.

Despite numerous emails, phone calls, conversations with the executive assistant to the president of the NAACP, or messages directly to the President of the organization would be invoke even the gesture of a courtesy reply. 

But big organizations have politics and bureaucracies like the best of them.  As for the NAACP, I was disappointed to see the organization ignore a complaint about one of their award winners making baseless accusations of racism.

Conclusion

I am currently writing a review on a book about cloud computing.  Something tells me (and I certainly hope) that it won’t be as much as an adventure as this review was. On the upside, I learned a lot more by writing the review than by reading Evans’ book.

Ben Rothke CISSP, CISA (@benrothke) works in the information security field, writes the Security Reading Room blog and is the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).

In mid-August, I received a copy of The Security Policy Cookbook: A Guide for IT and Security Professionals.  As someone who has seen his fair share of information security policies and is on the Information Security Policy Expert Panel, my initial thought was that this is not an original work. 

Before I even got to the content, the author notes his acceptance into the Marquis Who’s Who is his bio.  I wrote in What's What with the Who's Who? that Marquis, like most who’s who firms accept nearly everyone who applies, including serial killers.  Most of the who’s who organizations are in it for the money with zero concern for the so-called honorees.  Security professionals looking to advance themselves will find no value in having their names in a who's who, and could in fact be showing their naiveté by promoting their inclusion.

In the book, various policies are detailed, yet lack a sense of cohesiveness.  It is as the policies were simply thrown together in a haphazard manner, which is indeed evident in this book.  Not the text of the policies are not ineffective, rather the cut and paste approach, which the author did, and advocates, is a surefire way to ensure that information policies won’t work.  Policy creation is just one part of an effective security policy project, and focusing strictly on the text of the policies is simply inadequate.

Of the books 32 chapters, 20 were direct copies from State of Texas Department of Information Resources (DIR) Guidelines, Checklists & Templates.  This book seems to follow the same course of action How To Become The Worlds No. 1 Hacker took, copy the content without attribution.  For a complete list of the chapters and sources, see the listing at Attrition.

The DIR wants their templates to be used for the greater good, but with attribution.  According to their Link Policy, “they shall not misinform users about the origin or ownership of DIR content. Certain information on DIR may be trademarked, service-marked, or otherwise protected as intellectual property. Protected intellectual property must be used in accordance with state and federal laws and must reflect the proper ownership of the intellectual property”.

The Security Policy Cookbook is proof that we live in an era where content is effortless to obtain.  Googling information security policy with filetype:pdf results in over 17,000 hits.  That is a lot of content in which to freely use.  The corollary is that those who try to claim such content as their own will just as easily be found.

Many people write books for the fame.  Yet that fame turns into infamy when it is discovered that the author is a plagiarist.

The Security Policy Cookbook and like it How To Become The Worlds No. 1 Hacker were both self-published, and therefore lack the editorial scrutiny which is to be expected from an established publishing house.

Richard O’Hanley, Publisher at CRC Press in the IT, Business & Security Group, notes that he has seen plagiarism as a steadily escalating problem. So much so, that they frequently run manuscripts through a plagiarism checker. O’Hanley said “it seems that just as people expect web content to be free, they expect to be able to use it freely as well, without concern for rights and attribution. The ease with which people can cut-and-paste from multiple sources only exacerbates the problem”.

For those that want to write books on security, there is plenty of opportunity and numerous publishing houses that desperately want good content.  Of course, such an approach takes time and effort.  But the industry does reward such efforts.

Attempting to bypass those practices via plagiarism, especially in an industry where ethics and trust are paramount, ultimately begs the question: what was he thinking?.

O'Reilly Media is one of the premier technology publishing companies, who like all serious publishing houses have strong policies and guidelines regarding plagiarism.  They also have a Missing Manuals series of books.  The goal of the Missing Manual series, is to “produce sterling, beautifully written manuals for popular consumer software and hardware products”

So with license, perhaps this post should be titled How To Become The World’s No. 1 Hacker – The Missing Bibliography.

In my initial review of How To Become The Worlds No. 1 Hacker, I noted that the author plagiarized most of his sources. 

Of the books 26 chapters, I used iThenticate plagiarism checker from iParadigms to check the 13 largest chapters.  Many of the smaller chapters were 1-2 pages in length, and were not analyzed.

The following iThenticate screen shot speaks for itself.  The report field is an overall similarity index for each submission.  This index determines the percentage of similarity between a submission and information existing in the iThenticate databases selected as search targets.

So how much can an author legitimately copy under the fair use doctrine?  As to the notion of fair use, the U.S. Copyright Office notes that the doctrine of fair use has developed through a substantial number of court decisions over the years and has been codified in section 107 of the copyright law. 

Section 107 contains a list of the various purposes for which the reproduction of a particular work may be considered fair, such as criticism, comment, news reporting, teaching, scholarship, and research. Section 107 also sets out four factors to be considered in determining whether or not a particular use is fair, namely the:

The distinction between fair use and infringement is not easily defined, and in fact, seems to almost defy definition. There is no specific number of words, lines, or notes that may safely be taken without permission. Anytime a specific number or percentage is used, that refers to general guidelines, not the copyright law.   

But even before the plagiarized text begins in the book, there is misrepresentation of the truth.  The following is a screen shot from page 24:

The author states that LIGATT is the official cyber security provider for the Phillps Arena, Atlanta Hawks basketball team, and Atlanta Thrashers hockey team.  The firm also noted this in a October 2009 press release, which was then picked up as a news story by the Atlanta Business Chronicle and Sports Business Journal. 

But no such deal ever took place.  Tracy White, Chief Sales Officer and Senior VP of Sales and Marketing for Atlanta Spirit LLC, the parent company of the Atlanta  Thrashers, stated that “LIGATT doesn’t provide (nor have they ever provided) services for the Hawks, Thrashers or Philips Arena.”

With that, the following are the sources copied in the book:

Ben Rothke, CISSP is the author of Computer Security: 20 Things Every Employee Should Know, and now knows more about section 107 of the copyright law than he would like to admit.

/