Lessons from LIGATT

Ben Rothke, CISSP, CISA

I have been writing book reviews on information security and technology books for quite a while. Topics such as authentication, security design, operational resilience, biometrics and security policy are rather tame, and most of the reviews don’t generate a huge amount of controversy.

In fact, before June 2010, no book review I wrote had ever led to my being interviewed by a major network for an exposé of theirs, or to a personal attack by the author (including being called a racist and a stock basher) against myself, Chris John Riley, Sam Bowne and others. These critiques by the aforementioned and others were never a personal issue, and this article is simply a record of lessons learned.

Writing book reviews is something I do as a pastime, and with that, I generally refrain from writing negative book reviews. But occasionally, some books are so problematic that one can’t remain silent.

That is what led to my June 2010 review of How to be the World’s #1 Hacker, written by Gregory D. Evans of LIGATT Security International (and SPOOFEM.COM and High Tech Crime Solutions Inc.). I demonstrated (as did Brian Baskin) that significant amounts of the book were plagiarized. This was based on the use of the iThenticate service, one of the leading plagiarism detection services, which provides impartial content analysis. I published the book review and thought that was the end of it.

For those who need a briefing on the LIGATT saga, Attrition notes that Evans describes himself as a hi-tech hustler, The World’s No. 1 Hacker and a convicted felon. Attrition further writes that Evans has invented himself as some form of hacker with the ability to break into anything, and spins that supposed knowledge into advising companies on security.

It is the common opinion of industry experts that Evans and his company have little real knowledge beyond pedestrian hacking techniques found in plagiarized books and beginner hacking texts. LIGATT offers products that are simply bloated versions of common tools such as ping and nmap.

Due to a variety of unexpected events that took place, my book review did not simply end there. I ultimately learned a considerable amount about a number of topics, from fair use to securities law and more, and met a lot of smart people along the way. I would like to share those lessons with you.
Twitter is a powerhouse for action

Details

From as early as 2009, the use of Twitter for organized student protests significantly changed the dynamics of mass communications. In 2011, we saw the use of Twitter to overthrow the corrupt Tunisian government and fight the oppressive Syrian regime. Twitter is indeed a powerhouse for action.

Twitter and other social media outlets are changing the way business and marketing are done.

Lesson

While Fox, Bloomberg and other media outlets had Evans on their shows, Twitter was often the medium for those who did not view Evans as the number 1 security expert to get the word out via the #LIGATT hashtag. People and organizations such as Attrition, 0ph3lia, Sam Bowne, Marcus Carey, Chris John Riley and krypt3ia used the #LIGATT hashtag to get their message across.

Self-publishing

Details

Indie movies came about due to the frequent inability of smaller movie producers to get the attention of the major studios. When it comes to books, self-publishing is often a great way to bypass traditional publishers and quickly get a book into print.

But with that ability, many authors will self-publish, bypassing the editing, fact checking and rigorous plagiarism checking that a traditional publishing house will typically perform.

Rich O’Hanley, publisher at Auerbach Publications and CRC Press, notes that plagiarism continues to plague both his firm and the entire industry, thanks to self-publishing and the web, with its ethos that information should be free. The reality is that it is far too easy for authors to use whatever is available.

O’Hanley is not sure if the motivation to plagiarize is driven by ignorance of copyright rules, or simply the perception that they won’t be caught. Even authors whose careers predate the web fall victim to this and use material they can cut-and-paste that they likely wouldn’t use if they had to retype it. CRC Press has tightened the whole permissions process, but it’s still a matter of trusting the author and his or her attestations.

Lesson
Had How to be the World’s #1 Hacker been sent to a traditional publisher, it likely would have been flagged immediately and never allowed into print.

Evans has claimed in interviews and self-made YouTube videos to have had permission from the sources he used. But as of July 2011, he has yet to show a single document, email or contract that entitled him to re-publish the works of others.

Fair use

Details

US copyright law allows for the fair use of copyrighted content (17 U.S.C. § 107, which limits the exclusive rights granted in 17 U.S.C. § 106 and § 106A). While there is no definitive line where fair use ends and infringement begins, How to be the World’s #1 Hacker crosses the line according to any reasonable assessment of what fair use is.

In An Independent Plagiarism Review of How to Become the World’s No. 1 Hacker, Brian Baskin noted that many of the references are from NMRC, a site run by Simple Nomad. Simple Nomad developed the basic structure that Evans used to plan his table of contents, as well as originally developing the material Evans used in his book. This was excellently written material, but it dates from 2000.

What Evans also did was modify some of the text that Simple Nomad wrote, to make it look like he was in fact the true author.

Ron Coleman, Partner and Head of the Intellectual Property Department at Goetz Fitzpatrick LLP and general counsel of the Media Bloggers Association, notes that even seasoned attorneys are often at sea about where a quotation crosses the line from fair use to copyright infringement. Coleman observed that “fair use is a very fact-specific inquiry, where courts are often asked to weigh a lot of factors at the same time. The tricky part is that while judges are making very subjective decisions about liability, the copyright statute is designed -- with mandatory awards of attorneys’ fees and in some cases of statutory damages -- to punish every infringer as if he knew in advance how that equation would come out. In the close cases, that’s simply impossible.”

Lesson

Before I wrote my review, I was not aware of the fine details of fair use. With How to be the World’s #1 Hacker, objective analysis demonstrated that there was a lot of use, and very little of it fair.
Copyrights

Details

A copyright is a set of exclusive rights granted by a state to the creator of an original work or their assignee for a limited period of time in exchange for public disclosure of the work. This includes the right to copy, distribute and adapt the work.

Without copyright protection, most artists and authors would not create music or books, since their works could not be protected. With that, copyright owners have the exclusive statutory right to exercise control over copying and other exploitation of the works for a specific period of time, after which the work is said to enter the public domain. Uses covered under limitations and exceptions to copyright, such as fair use, do not require permission from the copyright owner. All other uses require permission.

The notion of a copyright has its roots in the United States Constitution, where Article I, Section 8, Clause 8 (known as the Copyright Clause) empowers the United States Congress to “promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries”.

Lesson

As detailed in Gregory D. Evans, Copyright Violations for Over a Year, Evans has been plagiarizing content for his Twitter feed and associated web sites.

The copyright violations are that the LIGATT sites scrape entire news articles, including the graphics, without permission. While LIGATT ultimately gives credit to the original source at the end of the article, that does not justify what he is doing or make it legal. Reproducing an entire piece of work without permission is a copyright violation.

One site LIGATT scraped a significant amount of content from is the Krypt3ia blog. Note that the following statement on the blog site leaves little room for ambiguity: All content of this site is copyright of Krypt3ia (Scot A. Terban) and not to be copied unless express consent is given in writing by its author. LIGATT never received permission to use the content.

Blog owner Scot Terban observed that “it seems to be the standard of practice on the LIGATT sites that no original content is ever posted by Mr. Evans. There are quite a few PR pieces and links to interviews he has done in the past. But as far as his own original content, there is none. Instead, there is an overabundance of scraped content from well-known information security web sites and noted authors, many of whom likely don’t know that their content has been copied”.
Penny stocks

Details

Much of the spam you get is about weight loss and various schemes to make money. Rarely will a day go by that you won’t receive numerous spam emails touting a hot stock tip.

Often these emails are used in pump-and-dump schemes (P&D). The US Securities and Exchange Commission (SEC) defines P&D as “the touting of a company’s stock (typically microcap companies) through false and misleading statements to the marketplace. After pumping the stock, fraudsters make huge profits by selling their cheap stock into the market”.

Since most of the companies being pumped are listed on the Pink Sheets (an unregulated market), a stock moving up just one cent (since these companies have as many as 5 billion shares of stock or more) can bring significant money to those pumping it when they finally dump it.

How to Identify a Pump and Dump Stock Scam notes that if the stock trades on the OTC (Over The Counter) or Pink Sheets exchanges, it is often an indicator of a scam. Stocks traded on these exchanges do not fulfill the rigorous requirements of the NYSE, NASDAQ or American Stock Exchange.

In Tips To Identify Pump And Dump Schemes at Motley Fool, a few quick tips to help identify P&D schemes are to:

• look at the structure of the company
• examine the trading and price history
• take a close look at the founders of the company (previous experience, background, etc.)
• look at the percentage ownership of the company (insider, retail, institutional)
• look at any VC investors that have made investments in the company

Harry Domash writes in Beware of pump-and-dump stocks that promoters pump the stock by issuing copious media releases announcing the firm’s entry into a variety of promising businesses.

Domash notes that in truth, it is relatively easy to spot these risky stocks, and lists six checks you can use to quickly rule out dangerous stocks, whether pump-and-dumps or just bad ideas. He suggests ruling out any stock that fails to meet the following:

1. Last price above 50 cents
2. Last-quarter sales at least $10 million
3. Market capitalization at least $50 million
4. Institutional ownership at least 15%
5. Debt/equity ratio less than 3
6. Maximum price/book ratio of 30

Ryk Edelstein, veteran entrepreneur and CEO at Cicada Security Technology, has seen the dark side of P&D, having observed a well-intentioned business owner partner with less well-intentioned partners who offered a promise of riches and success by simply letting them take the company public. To those in the high tech sector, there is no shortage of charlatans who will approach unsuspecting business owners, stoking their egos and appealing to greed. Consequently, as in the case of the well-intentioned business owner, at the end of his partners’ cycle of P&D, he was left sucked dry, holding a valueless corporate shell and debt, and facing the prospect of serious legal repercussions.

Lesson

Like many companies listed on the Pink Sheets, LIGATT (while not necessarily a P&D stock) seemed to consistently use myriad press releases as a method of garnering attention to the company, which would ostensibly serve to increase the perceived value of the company.

LIGATT press releases are somewhat unique in that many of them are unidirectional, in that the other party does not issue a corresponding press release.

One of countless examples of bidirectional press releases is the June 2011 strategic partnership of Juniper Networks and OnLive, under which Juniper will be the exclusive networking provider for OnLive’s network infrastructure. This was announced on both Juniper’s web site and correspondingly on OnLive’s web site.

When it comes to LIGATT, I could not find a company or organization mentioned in their press releases that has reciprocated with a similar press release.

Notice the following:

• LIGATT Security International’s President and CEO Turns Internet Controversy into Profit – In this press release, LIGATT announces they are to star in their own reality show, which would be the first cybersecurity company reality show in the history of television. Yet with all the fanfare, no network ever announced they have such a show in their lineup, and LIGATT does not say who will produce it or what network will air it.
• Gregory D. Evans Proves to be the Most Recognized Computer Security Consultant – This comes from LIGATT, but of all the media outlets and periodicals they quote, none of them issued a corresponding press release.
• LIGATT Security International Signs Contract With One of the Largest Billion Dollar Online Retailers, PC Mall – While this is nothing more than a reseller agreement, if the deal was that significant, one would think that PC Mall would find the time to issue their own release.
• LIGATT Security International: The Official Cyber Security Provider for Philips Arena, the NBA Atlanta Hawks and NHL – Not only was there no corresponding press release; Tracy White, Chief Sales Officer and Senior VP of Sales and Marketing for Atlanta Spirit LLC, the parent company of the Atlanta Thrashers, stated that “LIGATT doesn’t provide (nor have they ever provided) services for the Hawks, Thrashers or Philips Arena.”

Regulation has its limits

Details

Even with SOX, GLBA and other regulations, the consumer and investor ultimately can’t be fully protected. The finance system and financial markets in this country are so complex, with so many layers and so many interrelated parts, that they are ripe for abuse.

Even with the SEC in place to regulate such entities, publicly traded companies on the Pink OTC Markets (Pink Sheets) are a lower priority for investigations, for many reasons.

Even the Food and Drug Administration (FDA) often finds itself limited, despite its regulatory powers. As I wrote in New York News Radio, the Voice Of Bad Science, whenever consumers hear the following mandated FDA disclaimer, they should immediately be suspicious: These statements have not been evaluated by the Food and Drug Administration. This product is not intended to diagnose, treat, cure or prevent any disease. After such a disclaimer, an able person should ask himself or herself: if the product is not intended to diagnose, treat, cure or prevent any disease, why use it?
Nonetheless, even such regulatory disclaimers seem to go in one ear and out the other of most consumers.

Part of the reason regulation won’t work is that an investor with an insatiable appetite for profits often finds that their ability to reason is occluded. Combine this with the flash of mega-gains that the P&D makers supply, and people will invariably find themselves on the losing end of the deal, with no recourse by which to recoup their losses.

Corresponding to what Ryk Edelstein observed earlier about the well-intentioned business owner, there are many entities required to make a P&D work: lawyers, securities underwriters, transfer agents and much more. Any regulation that would encompass all of the myriad entities would have to be so draconian as to stop all market activity. And such a thing will never happen.

Lesson

Even with the many LIGATT lawsuits, including many frivolous cases filed by Evans, in the most recent case, decided April 11, 2011, the suit LIGATT filed was thrown out of court and the firm was ordered to pay over $29,000 in legal costs to the other party.

With all of this, as of July 2011, the SEC has not announced any sort of investigation against LIGATT. Nor have any securities lawyers I consulted said they expect any investigation against the firm any time soon.

Pink sheets are not for girls’ beds

While there are the NYSE, NASDAQ and other reputable exchanges, it should be noted that the Pink Sheets is not a stock exchange. In fact, firms have to meet very few requirements in order to be quoted in the Pink Sheets. Since many of these firms do not submit timely financial statements, nor perform third-party audits, it is difficult for the investor to really understand what they are getting into.

It is questionable why any novice investor would want to invest in a firm that can’t afford or won’t submit an audited financial statement. It is for these reasons and more that Pink Sheet firms are extremely risky. Read: a place where naïve investors can lose their entire investment quickly and effortlessly.

This does not mean to imply that all Pink Sheet stocks should be avoided, as there are certainly many legitimate Pink Sheet companies. Many are smaller firms with legitimate intentions of starting small and growing big. But given there are so many that are not like that, the novice investor in the Pink Sheet market is going down a road fraught with financial risk.

Much of the hype of some of these Pink Sheet companies is often based on the charisma and hyperbole of the financial people and executives at the companies. Uneducated and unsophisticated investors, who lack the most basic financial wherewithal and fail to perform due diligence, become victims of these charlatans.

As noted above, the very nature of the Pink Sheets means they can never be fully and properly regulated.
With that lack of common financial sense among basic investors, and Barnum’s observation, those people are for the most part doomed to losing their investment.

Investors who are not comfortable with the underlying mechanics of how the financial markets operate should consider the pink sheet market just like a Vegas casino, where the odds are stacked against them from the start.

A market maker who works in the pink sheet world succinctly told me that “these stocks are garbage. You buy a stock for half a cent and hope it goes to a penny”.

Lesson

LIGATT (LGTT.PK) is a pink sheet stock, better known as a penny stock. As to LIGATT and the Pink Sheets, the following screen shot says it all:

Media needs content

Details

On any given day, hundreds of media outlets need content to fill their airwaves. Radio stations, newspapers, periodicals and a never-ending supply of cable channels need people they can interview on the air for external expertise.

Over the last year, LIGATT PR solicited numerous media outlets, who in turn had Evans appear as an expert and provide commentary. Just a few weeks ago, their PR department sent the following email to many media outlets:
Lesson

Numerous media outlets had Evans on air, irrespective of his false associations (Atlanta Hawks, Atlanta Thrashers, Los Angeles Clippers, Philips Arena and more), false certifications, and authorship of plagiarized books, all of which made him seem like he was indeed the “world’s #1 hacker”.

With that, one can pose the question: if major media outlets such as Fox, CNN, Bloomberg, et al. can’t get it right with a guest on technology, what does that say about their approach to foreign policy, investment news and more pressing concerns?

While the major media players ignored Evans’ qualifications, it is worth noting that smaller media outlets such as The Register, Tech Herald and the CBS Atlanta affiliate did run exposés about the firm and its titular #1 hacker.

Racism in the USA

Not a Miley Cyrus song, but racism is a serious transgression. It wasn’t that long ago that an African American couldn’t use a public restroom or drinking fountain in this country. These racist inequalities were the driving force behind the establishment of the NAACP and other such organizations.

In the 100 years since the founding of the NAACP, a lot has changed. Take a look at the former Secretary of State, the current President and the Attorney General; it is clear that state-sponsored racism is no longer an issue.

Perhaps fighting racism is no longer the raison d’être of the NAACP. To a degree, the organization has been reduced to a business that produces the NAACP Image Awards.

The irony is that starting in March of this year, the NAACP had its own image tarnished, finding itself on the receiving end of a boycott over the NAACP Great Expectations award given to Kid Rock at the Detroit NAACP gala.

This award caused a dispute among some who believe that he should not have received it. Their opinion is that he is an inappropriate choice given his affiliation with the Civil War-era Confederate Army flag, which has been adopted by white supremacists and has irked many civil rights activists. In fact, some supporters of the civil rights organization boycotted the annual fundraiser on May 1 because of the issue.

The singer has argued that the flag stands as a symbol of southern rock and roll, but many protesters don’t quite see it that way. Dr. Boyce Watkins, Professor at Syracuse University, writes that if anyone ever wants to understand why so many in the black community have lost faith in certain elements of the NAACP, you need look no further than this incident. He notes that it’s one thing for the NAACP to remain quiet about Kid Rock’s use of one of the most traumatic symbols in American history, but quite another for them to step up and give him an award for it.

Lesson

The NAACP presented Evans with its NAACP humanitarian award in 2002.

But LIGATT used press releases to accuse respected professionals who did deeper investigations and analysis into its activities of having a racist agenda and being some of the world’s worst cyberbullies.
Some examples include a blog posting in June 2010, How Can Computer Nerds Be Racist, where LIGATT accused this author and Chris John Riley of being racist, and emphasized the claim that criticism leveled at Evans and LIGATT is all racially motivated.

For a full account, see Security firm fights racism in InfoSec while apparently profiting from it and World’s No. 1 hacker tome rocks security world – Plagiarism, racism, and fake Mitnickism alleged.

LIGATT even accused CBS Atlanta of having a racist agenda when they ran an exposé against the firm. While CBS Atlanta posted the response from LIGATT, it was somewhat ironic that portions of the response had to be redacted because of racially offensive language from LIGATT itself.

Yet when his charges of racism were brought to the attention of the NAACP, they did not seem receptive to the issue, nor did they revoke the award. Despite numerous emails, phone calls, conversations with the executive assistant to the president of the NAACP, and messages sent directly to the president of the organization, we never received even the gesture of a courtesy reply.

But big organizations have politics and bureaucracies like the best of them. As for the NAACP, I was disappointed to see the organization ignore a complaint about one of their award winners making baseless accusations of racism.

Conclusion

I am currently writing a review of a book about cloud computing. Something tells me (and I certainly hope) that it won’t be as much of an adventure as this review was. On the upside, I learned a lot more by writing the review than by reading Evans’ book.

Ben Rothke, CISSP, CISA (@benrothke) works in the information security field, writes the Security Reading Room blog and is the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).