Lessons from LIGATT
Ben Rothke, CISSP, CISA
I have been writing book reviews on information security and technology books for quite a
while. Topics such as authentication, security design, operational resilience, biometrics and
security policy are rather tame and most of the reviews don’t generate a huge amount of
controversy.
In fact, before June 2010, no book review I wrote ever led to my being interviewed by a major
network for an exposé of theirs, or to a personal attack by the author (including being called a
racist and a stock basher) against myself, Chris John Riley, Sam Bowne and others. The
critiques by those named above and others were never a personal issue, and this article is simply a
record of lessons learned.
Writing book reviews is something I do as a pastime, and with that, I generally refrain from
writing negative book reviews. But occasionally, some books are so problematic that one can’t
remain silent.
That is what led to my June 2010 review of How to be the World’s #1 Hacker, written by
Gregory D. Evans of LIGATT Security International (and SPOOFEM.COM and High Tech Crime
Solutions Inc.). I demonstrated (as did Brian Baskin) that significant amounts of the book were
plagiarized. The finding was based on the iThenticate service, one of the leading plagiarism
detection services, which provides impartial content analysis. I published the book review and
thought that was the end of it.
For those who need a briefing on the LIGATT saga, Attrition notes that Evans describes himself
as a hi-tech hustler, The World’s No. 1 Hacker and a convicted felon. Attrition further writes
that Evans has invented himself as some form of hacker with the ability to break into anything
and spin that supposed knowledge into advising companies on security.
It is the common opinion of industry experts that Evans and his company have little real
knowledge beyond pedestrian hacking techniques found in plagiarized books and beginner
hacking texts. LIGATT offers products that are simply bloated versions of common tools such as
ping and nmap.
Due to a variety of unexpected events that took place, my book review did not simply end
there. I ultimately learned a considerable amount about a number of topics, from fair use to
securities law and more, and met a lot of smart people along the way. I would like to share
those lessons with you.
Twitter is a powerhouse for action
Details
From as early as 2009, the use of Twitter for organized student protests significantly changed
the dynamics of mass communications. In 2011, we saw the use of Twitter to overthrow the
corrupt Tunisian government and fight the oppressive Syrian regime. Twitter is indeed a
powerhouse for action.
Twitter and other social media outlets are changing the way business and marketing are done.
Lesson
While Fox, Bloomberg and other media outlets had Evans on their shows, Twitter was often the
medium for those who did not view Evans as the number 1 security expert to get the word out
via the #LIGATT hashtag. People and organizations such as Attrition, 0ph3lia, Sam Bowne,
Marcus Carey, Chris John Riley and krypt3ia used the #LIGATT hashtag to get their message
across.
Self-publishing
Details
Indie movies came about due to the frequent inability of smaller movie producers to get the
attention of the major studios. When it comes to books, self-publishing is often a great way to
bypass traditional publishers and quickly get a book into print.
But with that ability, many authors will self-publish, bypassing the editing, fact checking and
rigorous plagiarism checking that a traditional publishing house will typically perform.
Rich O’Hanley, publisher at Auerbach Publications and CRC Press, notes that plagiarism
continues to plague both his firm and the entire industry, thanks to self-publishing and the
web, and its ethos that information should be free. The reality is that it is far too easy for
authors to use whatever is available.
O’Hanley is not sure if the motivation to plagiarize is driven by ignorance of copyright rules, or
simply the perception that they won’t be caught. Even authors whose careers predate the web,
fall victim to this and use material they can cut-and-paste that they likely wouldn’t use if they
had to retype it. CRC Press has tightened the whole permissions process, but it’s still a matter
of trusting the author and his or her attestations.
Lesson
Had How to be the World’s #1 Hacker been sent to a traditional publisher, it likely would have
been flagged immediately and never allowed into print.
Evans has claimed in interviews and self-made YouTube videos to have had permission from the
sources he used. But as of July 2011, he has yet to show a single document, email or contract
that entitled him to re-publish the works of others.
Fair use
Details
US copyright law allows for the fair use of copyrighted content (17 U.S.C. § 107, which limits
the exclusive rights granted to copyright holders in 17 U.S.C. § 106 and § 106A). While there is
no definitive line where fair use ends and infringement begins, How to be the World’s #1 Hacker
crosses that line according to any reasonable assessment of what fair use is.
In An Independent Plagiarism Review of How to Become the World's No. 1 Hacker, Brian Baskin
noted that many of the references are from NMRC, a site run by Simple Nomad. Simple
Nomad developed the basic structure that Evans used to plan his table of contents, and
originally wrote the material that Evans used in his book. This was excellently written
material, but it dates from 2000.
What Evans also did was modify some of the text that Simple Nomad wrote, to make it look like
he was in fact the true author.
Ron Coleman, Partner, Head of Intellectual Property Department at Goetz Fitzpatrick LLP and
general counsel of the Media Bloggers Association, notes that even seasoned attorneys are
often at sea about where a quotation crosses the line from fair use to copyright infringement.
Coleman observed that “fair use is a very fact-specific inquiry, where courts are often asked to
weigh a lot of factors at the same time. The tricky part is that while judges are making very
subjective decisions about liability, the copyright statute is designed -- with mandatory awards
of attorneys’ fees and in some cases of statutory damages -- to punish every infringer as if he
knew in advance how that equation would come out. In the close cases, that's simply
impossible.”
Lesson
Before I wrote my review, I was not aware of the fine details of fair use. With How to be the
World’s #1 Hacker, objective analysis demonstrated that there was a lot of use, and very little of
it fair.
Copyrights
Details
A copyright is a set of exclusive rights granted by a state to the creator of an original work or
their assignee for a limited period of time in exchange for public disclosure of the work. This
includes the right to copy, distribute and adapt the work.
Without copyright protection, most artists and authors would not create music or books. With
that, copyright owners have the exclusive statutory right to exercise control over copying and
other exploitation of the works for a specific period of time, after which the work is said to
enter the public domain. Uses covered under limitations and exceptions to copyright, such as
fair use, do not require permission from the copyright owner. All other uses require permission.
In the United States, copyright has its roots in the Constitution: Article I, Section 8, Clause 8
(known as the Copyright Clause) empowers Congress to “promote the Progress of Science and
useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their
respective Writings and Discoveries”.
Lesson
As detailed in Gregory D. Evans, Copyright Violations for Over a Year, Evans has been
plagiarizing content for his Twitter feed and associated web sites.
The copyright violations are that the LIGATT sites scrape entire news articles, including the
graphics, without permission. While LIGATT ultimately gave credit to the original source at
the end of the article, that does not justify what he is doing or make it legal. Reproducing an
entire piece of work without permission is a copyright violation.
One site LIGATT scraped a significant amount of content from is the Krypt3ia blog. Note that
the following statement on the blog site leaves little room for ambiguity: All content of this site
is copyright of Krypt3ia (Scot A. Terban) and not to be copied unless express consent is given in
writing by its author. LIGATT never received permission to use the content.
Blog owner Scot Terban observed that “it seems to be the standard of practice on the LIGATT
sites that no original content is ever posted by Mr. Evans. There are quite a few PR pieces and
links to interviews he has done in the past. But as far as his own original content, there is none.
Instead, there is an overabundance of scraped content from well-known information security
web sites and noted authors; many of whom likely don’t know that their content has been
copied”.
Penny stocks
Much of the spam you get is around weight loss and various schemes to make money. Rarely
will a day go by that you won’t receive numerous spam emails touting a hot stock tip.
Often these emails are used in pump-and-dump schemes (P&D). The US Securities and
Exchange Commission (SEC) defines P&D as “the touting of a company's stock (typically
microcap companies) through false and misleading statements to the marketplace. After
pumping the stock, fraudsters make huge profits by selling their cheap stock into the market”.
Since most of these companies being pumped are listed on the Pink Sheet (an unregulated
market), a stock moving up just one cent (since these companies have as many as 5 billion
shares of stock or more) can bring significant money to those pumping it, when they finally
dump it.
How to Identify a Pump and Dump Stock Scam notes that if the stock trades on the OTC (Over
The Counter) or Pink Sheet Exchanges, it is often an indicator of a scam. Stocks traded on these
exchanges do not fulfill the rigorous requirements of the NYSE, NASDAQ, or American Stock
Exchanges.
In Tips To Identify Pump And Dump Schemes at Motley Fool, a few quick tips to help identify
P&D schemes are to:
• look at the structure of the company
• examine the trading and price history
• take a close look at the founders of the company (previous experience, background,
etc.)
• look at the percentage ownership of the company (insider, retail, institutional)
• look at any VC investors that have made investments in the company
Harry Domash writes in Beware of pump-and-dump stocks that promoters pump the stock by
issuing copious media releases announcing the firm’s entry into a variety of promising
businesses.
Domash notes that in truth, it is relatively easy to spot these risky stocks and lists six checks you
can use to quickly rule out dangerous stocks, whether pump-and-dumpers or just bad ideas. He
suggests ruling out any stock that fails to meet the following:
1. Last price above 50 cents
2. Last-quarter sales at least $10 million
3. Market capitalization at least $50 million
4. Institutional ownership at least 15%
5. Debt/equity ratio less than 3
6. Maximum price/book ratio of 30
Ryk Edelstein, veteran entrepreneur and CEO at Cicada Security Technology, has seen the dark
side of P&D, having observed a well-intentioned business owner partner with less well
intentioned partners who offered a promise of riches and success by simply letting them take
the company public. In the high tech sector, there is no shortage of charlatans who
will approach unsuspecting business owners, stoking their egos and appealing to greed.
Consequently, as in the case of the well intentioned business owner, at the end of his partners’
cycle of P&D, he was left sucked dry, holding a valueless corporate shell and debt, and facing the
prospect of serious legal repercussions.
Lesson
Like many companies listed on the pink sheets, LIGATT (while not necessarily a P&D stock)
seemed to consistently use myriad press releases as a method of garnering attention for the
company, which would ostensibly serve to increase the perceived value of the company.
LIGATT press releases are somewhat unusual in that many of them are unidirectional: the
other party does not issue a corresponding press release.
One of countless examples of bidirectional press releases is the June 2011 strategic partnership
of Juniper Networks and OnLive under which Juniper will be the exclusive networking provider
for OnLive's network infrastructure. This was announced on both Juniper’s web site and
correspondingly on OnLive’s web site.
When it comes to LIGATT, I could not find a company or organization mentioned in their press
releases that has reciprocated with a similar press release.
Notice the following:
• LIGATT Security International's President and CEO Turns Internet Controversy into Profit
– In this press release, LIGATT announces they are to star in their own reality show,
which would be the first cybersecurity company reality show in the history of television.
Yet with all the fanfare, no network ever announced they have such a show in their
lineup, and LIGATT does not say who will produce or what network will air it.
• Gregory D. Evans Proves to be the Most Recognized Computer Security Consultant –
This comes from LIGATT, but of all the media outlets and periodicals they quote, none of
them issues a corresponding press release.
• LIGATT Security International Signs Contract With One of the Largest Billion Dollar
Online Retailers, PC Mall – while this is nothing more than a reseller agreement, if the
issue was that significant, one would think that PC Mall would find the time to issue
their own release.
• LIGATT Security International: The Official Cyber Security Provider for Philips Arena, the
NBA Atlanta Hawks and NHL - Not only was there no corresponding press release;
Tracy White, Chief Sales Officer and Senior VP of Sales and Marketing for Atlanta Spirit
LLC, the parent company of the Atlanta Thrashers, stated that “LIGATT doesn’t provide
(nor have they ever provided) services for the Hawks, Thrashers or Philips Arena.”
Regulation has its limits
Details
Even with SOX, GLBA and other regulations, the consumer and investor ultimately can’t be fully
protected. The finance system and financial markets in this country are so complex, with so
many layers and with so many interrelated parts, that it is ripe for abuse.
Even with the SEC in place to regulate such entities, publicly traded companies on the Pink OTC
Markets (Pink Sheets) are lower priority for investigations, for many reasons.
Even the Food and Drug Administration (FDA) often finds itself limited, despite its regulatory
powers. As I wrote in New York News Radio, the Voice Of Bad Science, consumers should
immediately be suspicious whenever they hear the following mandated FDA disclaimer: These
statements have not been evaluated by the Food and Drug Administration. This product is not
intended to diagnose, treat, cure or prevent any disease. After such a disclaimer, a sensible
person should ask himself or herself: if the product is not intended to diagnose, treat, cure or
prevent any disease, why use it? Nonetheless, even such regulatory disclaimers seem to go in
one ear and out the other of most consumers.
Part of the reason regulation won’t work is that an investor with an insatiable appetite for
profits often finds that their ability to reason is occluded. Combine this with the flash of mega-
gains that the P&D makers supply, and people will invariably find themselves on the losing end
of the deal, with no recourse to recoup their losses.
Corresponding to what Ryk Edelstein observed earlier about the well-intentioned business
owner; there are many entities required to make a P&D work; from lawyers, securities
underwriters, transfer agents and much more. Any regulation that would encompass all of the
myriad entities would have to be so draconian as to stop all market activities. And such a thing
will never happen.
Lesson
LIGATT has been party to many lawsuits, including many frivolous cases filed by Evans. In the
most recent, on April 11, 2011, the case LIGATT filed was thrown out of court and the firm was
ordered to pay over $29,000 in legal costs to the other party.
With all of this, as of July 2011, the SEC has not announced any sort of investigation against
LIGATT. Nor have any securities lawyers I consulted said they expect any investigation against
the firm any time soon.
Pink sheets are not for girls’ beds
While there is the NYSE, NASDAQ and other reputable exchanges, it should be noted that the
Pink Sheets is not a stock exchange. In fact, firms face very few requirements in order to be
quoted in the Pink Sheets. Since many of these firms do not submit timely financial statements,
nor undergo third-party audits, it is difficult for the investor to really understand what
they are getting into.
It is questionable why any novice investor would want to invest in a firm that can’t afford or
won’t submit an audited financial statement. It is for these reasons and more, that Pink Sheet
firms are extremely risky. Read: a place where naïve investors can lose their entire investment
quickly and effortlessly.
This is not to imply that all Pink Sheet stocks should be avoided, as there are certainly
many legitimate Pink Sheet companies. Many are smaller firms with legitimate intentions of
starting small and growing big. But given there are so many that are not like that, the novice
investor in the Pink Sheet market is going down a road fraught with financial risk.
Much of the hype of some of these Pink Sheet companies is often based on the charisma and
hyperbole of the financial people and executives at the companies. Uneducated and
unsophisticated investors, who lack the most basic financial wherewithal and fail to perform
due diligence, become victims to these charlatans.
As noted above, the very nature of the Pink Sheets means they can never be
fully and properly regulated. Combine that lack of basic financial sense among many investors
with Barnum’s observations, and those people are for the most part doomed to losing their investment.
Investors who are not comfortable with the underlying mechanics of how the financial markets
operate should consider the pink sheet market just like a Vegas Casino; where the odds are
stacked against them from the start.
A market maker who works in the pink sheet world succinctly told me that “these stocks are
garbage. You buy a stock for a half a cent and hope it goes to a penny”.
Lesson
LIGATT (LGTT.PK) is a pink sheet stock, better known as a penny stock. As to LIGATT and Pink
Sheets, the following screen shot says it all:
Media needs content
Details
On any given day, hundreds of media outlets need content to fill their airwaves. Radio stations,
newspapers, periodicals and a never ending supply of cable channels need people they can
interview on the air to use for external expertise.
Over the last year, LIGATT PR solicited numerous media outlets, who in turn had Evans appear
as an expert and provide commentary. Just a few weeks ago, their PR department sent the
following email to many media outlets:
Lesson
Numerous media outlets had Evans on air despite his false associations (Atlanta Hawks,
Atlanta Thrashers, Los Angeles Clippers, Philips Arena and more), false certifications, and
authorship of plagiarized books, all of which served to make him seem like he was indeed the
“world’s #1 hacker”.
With that, one can pose the question: if major media outlets such as Fox, CNN,
Bloomberg, et al. can’t get it right with a guest on technology, what does that say about their
approach to foreign policy, investment news and more pressing concerns?
While the major media players ignored Evans’ qualifications, it is worth noting that smaller
media outlets such as The Register, Tech Herald and the CBS Atlanta affiliate did run exposés about
the firm and its titular #1 hacker.
Racism in the USA
Not a Miley Cyrus song, but racism is a serious transgression. It wasn’t that long ago that an
African American couldn’t use a public restroom or drinking fountain in this country. These
racist inequalities were the driving force behind the establishment of the NAACP and other such
organizations.
In the 100 years since the founding of the NAACP, a lot has changed. Take a look at the former
Secretary of State, the current President and Attorney General; it is clear that state-sponsored
racism is no longer an issue.
Perhaps fighting racism is no longer the raison d'être of the NAACP. To a degree, the
organization has been reduced to a business that produces the NAACP Image Awards.
The irony is that in March of this year, the NAACP had its image tarnished, as it found itself on
the receiving end of a boycott, since Kid Rock received the NAACP Great Expectations award at
the Detroit NAACP gala.
The award was disputed by some who believe that he should not have received it. In their
opinion he is an inappropriate choice given his affiliation with the Civil War-era Confederate
Army flag, which has been adopted by white supremacists and has irked many civil rights
activists. In fact, some supporters of the civil rights organization boycotted the annual
fundraiser on May 1 because of the issue.
The singer has argued that the flag stands as a symbol of southern rock and roll, but many
protesters don’t quite see it that way. Dr. Boyce Watkins, Professor at Syracuse University,
writes that if anyone ever wants to understand why so many in the black community have lost
faith in certain elements of the NAACP, you need look no further than this incident. He notes
that it’s one thing for the NAACP to remain quiet about Kid Rock’s use of one of the most
traumatic symbols in American history, but quite another for them to step up and give him an
award for it.
Lesson
The NAACP presented Evans with its NAACP humanitarian award in 2002.
But LIGATT used press releases to accuse respected professionals who did deeper investigations
and analysis into its activities of having a racist agenda and being some of the world’s worst
cyberbullies. One example is a blog posting in June 2010, How Can Computer Nerds Be
Racist, in which LIGATT accused this author and Chris John Riley of being racist and
emphasized the claim that criticism leveled at Evans and LIGATT is all racially motivated.
For a full account, see Security firm fights racism in InfoSec while apparently profiting from it
and ‘World's No. 1 hacker’ tome rocks security world - Plagiarism, racism, and fake Mitnickism
alleged.
LIGATT even accused CBS Atlanta of having a racist agenda when they ran an exposé on the
firm. While CBS Atlanta posted the response from LIGATT, it was somewhat ironic that portions
of the response had to be redacted because of racially offensive language from LIGATT
themselves.
Yet when his charges of racism were brought to the attention of the NAACP, they did not
seem receptive to the issue, nor did they revoke the award. Despite numerous emails, phone
calls, conversations with the executive assistant to the president of the NAACP, and messages
sent directly to the president of the organization, nothing drew even the gesture of a courtesy
reply.
But big organizations have politics and bureaucracies like the best of them. As for the NAACP, I
was disappointed to see the organization ignore a complaint about one of their award winners
making baseless accusations of racism.
Conclusion
I am currently writing a review of a book about cloud computing. Something tells me (and I
certainly hope) that it won’t be as much of an adventure as this review was. On the upside, I
learned a lot more by writing the review than by reading Evans’ book.
Ben Rothke CISSP, CISA (@benrothke) works in the information security field, writes the
Security Reading Room blog and is the author of Computer Security: 20 Things Every Employee
Should Know (McGraw-Hill).