Lessons from LIGATT
Monday, July 11, 2011
I have been writing book reviews on information security and technology books for quite a while. Topics such as authentication, security design, operational resilience, biometrics and security policy are rather tame and most of the reviews don’t generate a huge amount of controversy.
In fact, before June 2010, no book review I wrote ever lead to being interviewed by a major network for an expose of theirs, or a personal attack by the author (including being called a racist and a stock basher) against myself, Chris John Riley, Sam Bowne and others. These critiques by aforementioned and others were never a personal issue, and this article is simply a record of lessons learned.
Writing book reviews is something I do as a pastime, and with that, I generally refrain from writing negative book reviews. But occasionally, some books are so problematic that one can’t remain silent.
That is what lead to my June 2010 review of How to be the World’s #1 Hacker, written by Gregory D. Evans of LIGATT Security International (and SPOOFEM.COM and High Tech Crime Solutions Inc.). I demonstrated (as did Brian Baskin) that significant amounts of the book were plagiarized. This was based on the use of the iThenticate service. iThenticate is one of the leading plagiarism detection services that provides impartial content analysis. I published the book review and thought that was the end of it.
For those who need a briefing on the LIGATT saga, Attrition notes that Evans describes himself as a hi-tech hustler, The World’s No. 1 Hacker and a convicted felon. Attrition further writes that Evans has invented himself as some form of hacker with the ability to break into anything and spin that supposed knowledge into advising companies on security.
It is the common opinion of industry experts that Evans and his company have little real knowledge beyond pedestrian hacking techniques found in plagiarized books and beginner hacking texts. LIGATT offers products that are simply bloated version of common tools such as ping and nmap.
Due to a variety of unexpected events that took place, my book review did not simply end there. I ultimately learned a considerable amount about a number of topics, from fair use to securities law and more, and met a lot of smart people along the way. I would like to share those lessons with you.
Twitter is a powerhouse for action
From as early as 2009, the use of Twitter for organized student protests significantly changed the dynamics of mass communications. In 2011, we saw the use of Twitter to overthrow the corrupt Tunisian government and fight the oppressive Syrian regime. Twitter is indeed a powerhouse for action.
Twitter and other social media outlets are changing the way business and marketing are done.
While Fox, Bloomberg and other media outlets had Evans on their show, Twitter was often the medium for those that did not view Evans as the number 1 security expert to get the word out via the #Ligatt hash tag. People and organizations such as Attrition, 0ph3lia, Sam Bowne, Marcus Carey, Chris John Riley and krypt3ia used the #LIGATT hashtag to get their message across.
Indie movies came about due to the frequent inability for smaller movie producers to get the attention of the major studios. When it comes to books, self-publishing is often a great way to bypass traditional publishers and quickly get a book into print.
But with that ability, many authors will self-publish; bypassing the editing, fact checking and rigorous plagiarism checking that a traditional publishing house will typically perform.
Rich O’Hanley, publisher at Auerbach Publications and CRC Press, notes that plagiarism continues to plague both his firm and the entire industry, thanks to the self-publishing and the web, and its ethos that information should be free. The reality is that it is far too easy for authors to use whatever is available.
O’Hanley is not sure if the motivation to plagiarize is driven by ignorance of copyright rules, or simply the perception that they won’t be caught. Even authors whose careers predate the web, fall victim to this and use material they can cut-and-paste that they likely wouldn’t use if they had to retype it. CRC Press has tightened the whole permissions process, but it’s still a matter of trusting the author and his or her attestations.
Had How to be the World’s #1 Hacker been sent to a traditional publisher, it likely would have been flagged immediately and never allowed into print.
Evans has claimed in interviews and self-made YouTube videos to have had permission from the sources he used. But as of July 2011, he has yet to show a single document, email or contract that entitled him to re-publish the works of others.
The US judicial system (see 17 U.S.C. § 106 and 17 U.S.C. § 106A) allows for the fair use of copyrighted content. While there is no definitive level of where fair use ends and plagiarism begins, How to be the World’s #1 Hacker crosses the line according to a reasonable assessment of what fair use is.
In An Independent Plagiarism Review of How to Become the World's No. 1 Hacker, Brian Baskin noted that you will find that many of the references are from NMRC; a site run by Simple Nomad. Simple Nomad developed the basic structure that Evans used to plan his table of contents, as well as originally developed the material used by Evans in his book. This was excellently written material, but is dated originally from 2000.
What Evans also did was modify some of the text that Simple Nomad wrote, to make it look like he was in fact the true author.
Ron Coleman, Partner, Head of Intellectual Property Department at Goetz Fitzpatrick LLP and general counsel of the Media Bloggers Association, notes that even seasoned attorneys are often at sea about where a quotation crosses the line from fair use to copyright infringement.
Coleman observed that “fair use is a very fact-specific inquiry, where courts are often asked to weigh a lot of factors at the same time. The tricky part is that while judges are making very subjective decisions about liability, the copyright statute is designed -- with mandatory awards of attorneys’ fees and in some cases of statutory damages -- to punish every infringer as if he knew in advance how that equation would come out. In the close cases, that's simply impossible.”
A copyright is a set of exclusive rights granted by a state to the creator of an original work or their assignee for a limited period of time in exchange for public disclosure of the work. This includes the right to copy, distribute and adapt the work.
Without copyright protection, most artists and authors would not create music or books, if their works could not be protected. With that, copyright owners have the exclusive statutory right to exercise control over copying and other exploitation of the works for a specific period of time, after which the work is said to enter the public domain. Uses covered under limitations and exceptions to copyright, such as fair use, do not require permission from the copyright owner. All other uses require permission.
The notion of a copyright has its roots in the United States Constitution; where it states in Article I, Section 8, Clause 8 (known as the Copyright Clause) that empowers the United States Congress to “promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries”.
As detailed in Gregory D. Evans, Copyright Violations for Over a Year, Evans has been plagiarizing content for his Twitter feed and associated web sites, here and here
The copyright violations are that the LIGATT sites scrape entire news articles, including the graphics, without permission. While LIGATT ultimately gave give credit to the original source at the end of the article; that does not justify what he is doing or make it legal. Reproducing an entire piece of work without permission is a copyright violation.
One site LIGATT scraped a significant amount of content from is the Krypt3ia blog. Note that the following statement on the blog site leaves little room for ambiguity: All content of this site is copyright of Krypt3ia (Scot A. Terban) and not to be copied unless express consent is given in writing by its author. LIGATT never received permission to use the content.
Blog owner Scot Terban observed that “it seems to be the standard of practice on the LIGATT sites that no original content is ever posted by Mr. Evans. There are quite a few PR pieces and links to interviews he has done in the past. But as far as his own original content, there is none. Instead, there is an overabundance of scraped content from well-known information security web sites and noted authors; many of whom likely don’t know that their content has been copied”.
Much of the spam you get is around weight loss and various schemes to make money. Rarely will a day go by that you won’t receive numerous spam emails touting a hot stock tip.
Often these emails are used in pump-and-dump schemes (P&D). The US Securities and Exchange Commission (SEC) define P&D as “the touting of a company's stock (typically microcap companies) through false and misleading statements to the marketplace. After pumping the stock, fraudsters make huge profits by selling their cheap stock into the market”.
Since most of these companies being pumped are listed on the Pink Sheet (an unregulated market), a stock moving up just one cent (since these companies have as many as 5 billion shares of stock or more) can bring significant money to those pumping it, when they finally dump it.
How to Identify a Pump and Dump Stock Scam notes that if the stock trades on the OTC (Over The Counter) or Pink Sheet Exchanges, it is often an indicator of a scam. Stocks traded on these exchanges do not fulfill the rigorous requirements of the NYSE, NASDAQ, or American Stock Exchanges.
- look at the structure of the company
- examine the trading and price history
- take a close look at the founders of the company (previous experience, background, etc.)
- look at the percentage ownership of the company (insider, retail, institutional)
- look at any VC investors that have made investments in the company
Harry Domash writes in Beware of pump-and-dump stocks that promoters pump the stock by issuing copious media releases announcing the firm’s entry into a variety of promising businesses.
Domash notes that in truth, it is relatively easy to spot these risky stocks and lists six checks you can use to quickly rule out dangerous stocks, whether pump-and-dumpers or just bad ideas. He suggests ruling out any stock that fails to meet the following:
- Last price above 50 cents
- Last-quarter sales at least $10 million
- Market capitalization at least $50 million.
- Institutional ownership at least 15%
- Debt/equity ratio less than 3
- Maximum price/book ratio of 30
Ryk Edelstein, veteran entrepreneur and CEO at Cicada Security Technology has seen the dark side of P&D, having observed a well-intentioned business owner partner with less well intentioned partners who offered a promise of riches and success by simply letting them take the company public. To those in the high tech sector, there is no shortage of charlatans who will approach unsuspecting business owners, stoking their egos, and appealing to greed.
Consequently, as in the case of the well intentioned business owner, at the end of his partner’s cycle of P&D, he was left sucked dry holding a valueless corporate shell, debt, and facing the prospect of serious legal repercussions.
Like many companies listed on the pink sheets, LIGATT (while not necessarily a P&D stock) seemed to consistently use myriad press releases as a method of garnering attention to the company, which would ostensibly serve to increase the perceived value of the company.
LIGATT press releases are somewhat unique in that many of them are unidirectional; in that the other party does not issue a corresponding press release.
One of countless examples of bidirectional press releases is the June 2011 strategic partnership of Juniper Networks and OnLive under which Juniper will be the exclusive networking provider for OnLive's network infrastructure. This was announced on both Juniper’s web site and correspondingly on OnLive’s web site.
When it comes to LIGATT, I could not find a company or organization mentioned in their press releases that has reciprocated with a similar press release.
Notice the following:
- LIGATT Security International's President and CEO Turns Internet Controversy into Profit – In this press release, LIGATT announces they are to star in their own reality show, which would be the first cybersecurity company reality show in the history of television. Yet with all the fanfare, no network ever announced they have such a show in their lineup, and LIGATT does not say who will produce or what network will air it.
- Gregory D. Evans Proves to be the Most Recognized Computer Security Consultant – This comes from LIGATT, but of all the media outlets and periodicals they quote, none of them issues a corresponding press release.
- LIGATT Security International Signs Contract With One of the Largest Billion Dollar Online Retailers, PC Mall – while this is nothing more than a reseller agreement, if the issue was that significant, one would think that PC Mall would find the time to issue their own release.
- LIGATT Security International: The Official Cyber Security Provider for Philips Arena, the NBA Atlanta Hawks and NHL - Not only was there not a corresponding press release - Tracy White, Chief Sales Officer and Senior VP of Sales and Marketing for Atlanta Spirit LLC, the parent company of the Atlanta Thrashers, stated that “LIGATT doesn’t provide (nor have they ever provided) services for the Hawks, Thrashers or Philips Arena.”
Regulation has its limits
Even with SOX, GLBA and other regulations, the consumer and investor ultimately can’t be fully protected. The finance system and financial markets in this country are so complex, with so many layers and with so many interrelated parts, that it is ripe for abuse.
Even with the SEC in place to regulate such entities, publicly traded companies on the Pink OTC Markets (Pink Sheets) are lower priority for investigations, for many reasons.
Even the Food and Drug Administration (FDA) often finds itself limited, even with its regulatory powers. As I wrote in New York News Radio, the Voice Of Bad Science, for the consumer, whenever they hear the following mandated FDA disclaimer, they should immediately be suspicious: These statements have not been evaluated by the Food and Drug Administration. This product is not intended to diagnose, treat, cure or prevent any disease. After such a disclaimer, an able person should ask himself or herself, if the product is not intended to diagnose, treat, cure or prevent any disease, why use it? Nonetheless, even such regulatory disclaimers seem to go in one ear and out the other of most consumers.
Part of the reason regulation won’t work is that an investor with an insatiable appetite for profits, often finds that their ability to reason is occluded. Combine this with the flash of mega-gains that the P&D maker’s supply and people will invariably find themselves on the losing end of the deal, with no recourse in which to recoup their losses.
Corresponding to what Ryk Edelstein observed earlier about the well-intentioned business owner; there are many entities required to make a P&D work; from lawyers, securities underwriters, transfer agents and much more. Any regulation that would encompass all of the myriad entities would have to be so draconian as to stop all market activities. And such a thing will never happen.
Even with the many LIGATT lawsuits, including many frivolous cases filed by Evans, the most recent case on April 11, 2011,the legal case LIGATT filed was thrown out of court and the firm ordered to pay over $29,000 in legal costs to the other party.
With all of this, as of July 2011, the SEC has not announced any sort of investigation against LIGATT. Nor have any securities lawyers I consulted said they expect any investigation against the firm any time soon.
Pink sheets are not for girls’ beds
While there is the NYSE, NASDAQ and other reputable exchanges, it should be noted that the Pink Sheets is not a stock exchange. In fact, firms have very little requirements in order to be quoted in the Pink Sheets. Since many of these firms do not submit timely financial statements, nor perform third-party audits, it makes it difficult for the investor to really understand what they are getting into.
It is questionable why any novice investor would want to invest in a firm that can’t afford or won’t submit an audited financial statement. It is for these reasons and more, that Pink Sheet firms are extremely risky. Read: a place where naïve investors can lose their entire investment quickly and effortlessly.
This does not mean to imply that all Pink Sheet stocks should be avoided, as there are certainly many legitimate Pink Sheet companies. Many are smaller firms with legitimate intentions of starting small and growing big. But given there are so many that are not like that, the novice investor in the Pink Sheet market is going down a road fraught with financial risk.
Much of the hype of some of these Pink Sheet companies is often based on the charisma and hyperbole of the financial people and executives at the companies. Uneducated and unsophisticated investors, who lack the most basic financial wherewithal and fail to perform due diligence, become victims to these charlatans.
As noted in the previous paragraph, the very nature of Pink Sheets means they can never be fully and properly regulated. With that lack of common financial sense of basic investors, and Barnum’s observations, those people are for the most part doomed to losing their investment.
Investors who are not comfortable with the underlying mechanics of how the financial markets operate should consider the pink sheet market just like a Vegas Casino; where the odds are stacked against them from the start.
A market maker who works in the pink sheet world succinctly told me that “these stocks are garbage. You buy a stock for a half a cent and hope if goes to a penny”.
On any given day, hundreds of media outlets need content to fill their airwaves. Radio stations, newspapers, periodicals and a never ending supply of cable channels need people they can interview on the air to use for external expertise.
Over the last year, LIGATT PR solicited numerous media outlets, who in turn had Evans appear as an expert and provide commentary. Just a few weeks ago, their PR department sent the following email to many media outlets (click image to enlarge):
Numerous media outlets had Evans on air, irrespective of his false associations (Atlanta Hawks, Atlanta Thrashers, Los Angeles Clippers, Phillips Arena and more), false certifications, and authorship of plagiarized books to make him seem like he was indeed the “worlds #1 hacker”.
With that, one can pose the question – if the major media outlets such as Fox, CNN, Bloomberg, et al, can’t get it right with a guest on technology, what does that say about their approach for foreign policy, investment news and more pressing concerns.
While the major media players ignored Evan’s qualifications, it is worth noting that the smaller media outlets such as The Register, Tech Herald and CBS Atlanta affiliate did run exposes about the firm and its titular #1 hacker.
Racism in the USA
Not a Miley Cyrus song, but racism is a serious transgression. It wasn’t that long ago that an African American couldn’t use a public restroom or drinking fountain in this country. These racist inequalities were the driving force behind the establishment of the NAACP and other such organizations.
In the 100 years since the founding of the NAACP, a lot has changed. Take a look at the former Secretary of State, the current President and Attorney General; it is clear that state-sponsored racism is no longer an issue.
Perhaps fighting racism is no longer the raison d'être of the NAACP. To a degree, the organization has been reduced to a business that produces the NAACP Image Awards.
The irony is that in March of this year, the NAACP had its image tarnished, as it found itself on the receiving end of a boycott, since Kid Rock received the NAACP Great Expectations award at the Detroit NAACP gala.
This award caused a dispute by some who believe that he should not have received the award. Their opinion is that he is an inappropriate choice given his affiliation with the Civil War-era Confederate Army flag, which has been adopted by white supremacists, and have irked many civil rights activists. In fact, some supporters of the civil rights organization boycotted the annual fundraiser on May 1 because of the issue.
The singer has argued that the flag stands as a symbol of southern rock and roll, but many protesters don’t quite see it that way. Dr. Boyce Watkins, Professor at Syracuse University writes that if anyone ever wants to understand why so many in the black community have lost faith in certain elements of the NAACP, you need to look no further than this incident. He notes that It’s one thing for the NAACP to remain quiet about Kid Rock’s use of one of the most traumatic symbols in American history, but quite another for them to step up and give him an award for it.
The NAACP presented Evans with its NAACP humanitarian award in 2002.
But LIGATT used press releases to accuse respected professionals who did deeper investigations and analysis into its activities of having a racist agenda and being some of the world’s worst cyberbullies. Some examples include a blog posting in June 2010, How Can Computer Nerds Be Racist, where LIGATT accused this author and Chris John Riley of being racist, and emphasized the claims that criticism leveled at Evans' and LIGATT are all racially motivated.
For a full account, see Security firm fights racism in InfoSec while apparently profiting from it and World's No. 1 hacker' tome rocks security world - Plagiarism, racism, and fake Mitnickism alleged.
LIGATT even accused CBS Atlanta of having a racist agenda when they ran an expose against the firm. While CBS Atlanta posted the response from LIGATT, it was somewhat ironic that portions of the response had to be redacted because of racially offensive language from LIGATT themselves.
Yet when his charges of racism where brought to the attention of the NAACP, they did not seem receptive to the issue, nor did they revoke the award. Furthermore, despites our attempts to contact them they never return a phone call or replied to email.
Despite numerous emails, phone calls, conversations with the executive assistant to the president of the NAACP, or messages directly to the President of the organization would be invoke even the gesture of a courtesy reply.
But big organizations have politics and bureaucracies like the best of them. As for the NAACP, I was disappointed to see the organization ignore a complaint about one of their award winners making baseless accusations of racism.
I am currently writing a review on a book about cloud computing. Something tells me (and I certainly hope) that it won’t be as much as an adventure as this review was. On the upside, I learned a lot more by writing the review than by reading Evans’ book.
Ben Rothke CISSP, CISA (@benrothke) works in the information security field, writes the Security Reading Room blog and is the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).