Date post: 11-Nov-2014
Upload: ben-rothke
Description: Article ‘Lessons from LIGATT’ describes lessons learned from writing a review of a heavily plagiarized book.
Lessons from LIGATT

Ben Rothke, CISSP, CISA

I have been writing book reviews on information security and technology books for quite a while. Topics such as authentication, security design, operational resilience, biometrics and security policy are rather tame, and most of the reviews don’t generate a huge amount of controversy.

In fact, before June 2010, no book review I wrote ever led to my being interviewed by a major network for an exposé of theirs, or to a personal attack by the author (including being called a racist and a stock basher) against me, Chris John Riley, Sam Bowne and others. These critiques by the aforementioned and others were never a personal issue, and this article is simply a record of lessons learned.

Writing book reviews is something I do as a pastime, and with that, I generally refrain from writing negative book reviews. But occasionally, some books are so problematic that one can’t remain silent.

That is what led to my June 2010 review of How to be the World’s #1 Hacker, written by Gregory D. Evans of LIGATT Security International (and SPOOFEM.COM and High Tech Crime Solutions Inc.). I demonstrated (as did Brian Baskin) that significant amounts of the book were plagiarized. This was based on the use of the iThenticate service, one of the leading plagiarism detection services, which provides impartial content analysis. I published the book review and thought that was the end of it.

For those who need a briefing on the LIGATT saga, Attrition notes that Evans describes himself as a hi-tech hustler, The World’s No. 1 Hacker and a convicted felon. Attrition further writes that Evans has invented himself as some form of hacker with the ability to break into anything and spins that supposed knowledge into advising companies on security.

It is the common opinion of industry experts that Evans and his company have little real knowledge beyond pedestrian hacking techniques found in plagiarized books and beginner hacking texts. LIGATT offers products that are simply bloated versions of common tools such as ping and nmap.

Due to a variety of unexpected events that took place, my book review did not simply end there. I ultimately learned a considerable amount about a number of topics, from fair use to securities law and more, and met a lot of smart people along the way. I would like to share those lessons with you.

Twitter is a powerhouse for action

Details

From as early as 2009, the use of Twitter for organized student protests significantly changed the dynamics of mass communications. In 2011, we saw the use of Twitter to overthrow the corrupt Tunisian government and fight the oppressive Syrian regime. Twitter is indeed a powerhouse for action.

Twitter and other social media outlets are changing the way business and marketing are done.

Lesson

While Fox, Bloomberg and other media outlets had Evans on their shows, Twitter was often the medium for those who did not view Evans as the number 1 security expert to get the word out via the #LIGATT hashtag. People and organizations such as Attrition, 0ph3lia, Sam Bowne, Marcus Carey, Chris John Riley and krypt3ia used the #LIGATT hashtag to get their message across.

Self-publishing

Details

Indie movies came about due to the frequent inability of smaller movie producers to get the attention of the major studios. When it comes to books, self-publishing is often a great way to bypass traditional publishers and quickly get a book into print.

But with that ability, many authors will self-publish, bypassing the editing, fact checking and rigorous plagiarism checking that a traditional publishing house will typically perform.

Rich O’Hanley, publisher at Auerbach Publications and CRC Press, notes that plagiarism continues to plague both his firm and the entire industry, thanks to self-publishing and the web, and its ethos that information should be free. The reality is that it is far too easy for authors to use whatever is available.

O’Hanley is not sure if the motivation to plagiarize is driven by ignorance of copyright rules, or simply the perception that they won’t be caught. Even authors whose careers predate the web fall victim to this and use material they can cut-and-paste that they likely wouldn’t use if they had to retype it. CRC Press has tightened the whole permissions process, but it’s still a matter of trusting the author and his or her attestations.

Lesson

Had How to be the World’s #1 Hacker been sent to a traditional publisher, it likely would have been flagged immediately and never allowed into print.

Evans has claimed in interviews and self-made YouTube videos to have had permission from the sources he used. But as of July 2011, he has yet to show a single document, email or contract that entitled him to re-publish the works of others.

Fair use

Details

The US judicial system (see 17 U.S.C. § 106 and 17 U.S.C. § 106A) allows for the fair use of copyrighted content. While there is no definitive level of where fair use ends and plagiarism begins, How to be the World’s #1 Hacker crosses the line according to a reasonable assessment of what fair use is.

In An Independent Plagiarism Review of How to Become the World's No. 1 Hacker, Brian Baskin noted that many of the references are from NMRC, a site run by Simple Nomad. Simple Nomad developed the basic structure that Evans used to plan his table of contents, and originally developed the material used by Evans in his book. This was excellently written material, but it dates originally from 2000.

What Evans also did was modify some of the text that Simple Nomad wrote, to make it look like he was in fact the true author.

Ron Coleman, Partner, Head of the Intellectual Property Department at Goetz Fitzpatrick LLP and general counsel of the Media Bloggers Association, notes that even seasoned attorneys are often at sea about where a quotation crosses the line from fair use to copyright infringement. Coleman observed that “fair use is a very fact-specific inquiry, where courts are often asked to weigh a lot of factors at the same time. The tricky part is that while judges are making very subjective decisions about liability, the copyright statute is designed -- with mandatory awards of attorneys’ fees and in some cases of statutory damages -- to punish every infringer as if he knew in advance how that equation would come out. In the close cases, that's simply impossible.”

Lesson

Before I wrote my review, I was not aware of the fine details of fair use. With How to be the World’s #1 Hacker, objective analysis demonstrated that there was a lot of use, and very little of it fair.

Copyrights

Details

A copyright is a set of exclusive rights granted by a state to the creator of an original work or their assignee for a limited period of time in exchange for public disclosure of the work. This includes the right to copy, distribute and adapt the work.

Without copyright protection, most artists and authors would not create music or books if their works could not be protected. With that, copyright owners have the exclusive statutory right to exercise control over copying and other exploitation of the works for a specific period of time, after which the work is said to enter the public domain. Uses covered under limitations and exceptions to copyright, such as fair use, do not require permission from the copyright owner. All other uses require permission.

The notion of a copyright has its roots in the United States Constitution, where Article I, Section 8, Clause 8 (known as the Copyright Clause) empowers the United States Congress to “promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries”.

Lesson

As detailed in Gregory D. Evans, Copyright Violations for Over a Year, Evans has been plagiarizing content for his Twitter feed and associated web sites (here and here).

The copyright violations are that the LIGATT sites scrape entire news articles, including the graphics, without permission. While LIGATT ultimately gave credit to the original source at the end of the article, that does not justify what he is doing or make it legal. Reproducing an entire piece of work without permission is a copyright violation.

One site LIGATT scraped a significant amount of content from is the Krypt3ia blog. Note that the following statement on the blog site leaves little room for ambiguity: “All content of this site is copyright of Krypt3ia (Scot A. Terban) and not to be copied unless express consent is given in writing by its author.” LIGATT never received permission to use the content.

Blog owner Scot Terban observed that “it seems to be the standard of practice on the LIGATT sites that no original content is ever posted by Mr. Evans. There are quite a few PR pieces and links to interviews he has done in the past. But as far as his own original content, there is none. Instead, there is an overabundance of scraped content from well-known information security web sites and noted authors; many of whom likely don’t know that their content has been copied”.

Penny stocks

Much of the spam you get is around weight loss and various schemes to make money. Rarely will a day go by that you won’t receive numerous spam emails touting a hot stock tip.

Often these emails are used in pump-and-dump schemes (P&D). The US Securities and Exchange Commission (SEC) defines P&D as “the touting of a company's stock (typically microcap companies) through false and misleading statements to the marketplace. After pumping the stock, fraudsters make huge profits by selling their cheap stock into the market”.

Since most of these companies being pumped are listed on the Pink Sheets (an unregulated market), a stock moving up just one cent (since these companies have as many as 5 billion shares of stock or more) can bring significant money to those pumping it, when they finally dump it.

How to Identify a Pump and Dump Stock Scam notes that if the stock trades on the OTC (Over The Counter) or Pink Sheet exchanges, it is often an indicator of a scam. Stocks traded on these exchanges do not fulfill the rigorous requirements of the NYSE, NASDAQ or American Stock Exchange.

In Tips To Identify Pump And Dump Schemes at Motley Fool, a few quick tips to help identify P&D schemes are to:

• look at the structure of the company
• examine the trading and price history
• take a close look at the founders of the company (previous experience, background, etc.)
• look at the percentage ownership of the company (insider, retail, institutional)
• look at any VC investors that have made investments in the company

Harry Domash writes in Beware of pump-and-dump stocks that promoters pump the stock by issuing copious media releases announcing the firm’s entry into a variety of promising businesses.

Domash notes that in truth, it is relatively easy to spot these risky stocks, and lists six checks you can use to quickly rule out dangerous stocks, whether pump-and-dumpers or just bad ideas. He suggests ruling out any stock that fails to meet the following:

1. Last price above 50 cents
2. Last-quarter sales at least $10 million
3. Market capitalization at least $50 million
4. Institutional ownership at least 15%
5. Debt/equity ratio less than 3
6. Maximum price/book ratio of 30

Ryk Edelstein, veteran entrepreneur and CEO at Cicada Security Technology, has seen the dark side of P&D, having observed a well-intentioned business owner partner with less well-intentioned partners who offered a promise of riches and success by simply letting them take the company public. To those in the high tech sector, there is no shortage of charlatans who will approach unsuspecting business owners, stoking their egos and appealing to greed. Consequently, as in the case of the well-intentioned business owner, at the end of his partners’ cycle of P&D, he was left sucked dry, holding a valueless corporate shell and debt, and facing the prospect of serious legal repercussions.

Lesson

Like many companies listed on the pink sheets, LIGATT (while not necessarily a P&D stock) seemed to consistently use myriad press releases as a method of garnering attention for the company, which would ostensibly serve to increase the perceived value of the company.

LIGATT press releases are somewhat unique in that many of them are unidirectional, in that the other party does not issue a corresponding press release.

One of countless examples of bidirectional press releases is the June 2011 strategic partnership of Juniper Networks and OnLive, under which Juniper will be the exclusive networking provider for OnLive's network infrastructure. This was announced on both Juniper’s web site and correspondingly on OnLive’s web site.

When it comes to LIGATT, I could not find a company or organization mentioned in their press releases that has reciprocated with a similar press release.

Notice the following:

• LIGATT Security International's President and CEO Turns Internet Controversy into Profit – In this press release, LIGATT announces they are to star in their own reality show, which would be the first cybersecurity company reality show in the history of television. Yet with all the fanfare, no network ever announced they have such a show in their lineup, and LIGATT does not say who will produce it or what network will air it.

• Gregory D. Evans Proves to be the Most Recognized Computer Security Consultant – This comes from LIGATT, but of all the media outlets and periodicals they quote, none of them issued a corresponding press release.

• LIGATT Security International Signs Contract With One of the Largest Billion Dollar Online Retailers, PC Mall – While this is nothing more than a reseller agreement, if the issue was that significant, one would think that PC Mall would find the time to issue their own release.

• LIGATT Security International: The Official Cyber Security Provider for Philips Arena, the NBA Atlanta Hawks and NHL – Not only was there not a corresponding press release; Tracy White, Chief Sales Officer and Senior VP of Sales and Marketing for Atlanta Spirit LLC, the parent company of the Atlanta Thrashers, stated that “LIGATT doesn’t provide (nor have they ever provided) services for the Hawks, Thrashers or Philips Arena.”

Regulation has its limits

Details

Even with SOX, GLBA and other regulations, the consumer and investor ultimately can’t be fully protected. The finance system and financial markets in this country are so complex, with so many layers and so many interrelated parts, that they are ripe for abuse.

Even with the SEC in place to regulate such entities, publicly traded companies on the Pink OTC Markets (Pink Sheets) are a lower priority for investigations, for many reasons.

Even the Food and Drug Administration (FDA) often finds itself limited, even with its regulatory powers. As I wrote in New York News Radio, the Voice Of Bad Science, consumers who hear the following mandated FDA disclaimer should immediately be suspicious: “These statements have not been evaluated by the Food and Drug Administration. This product is not intended to diagnose, treat, cure or prevent any disease.” After such a disclaimer, an able person should ask himself or herself: if the product is not intended to diagnose, treat, cure or prevent any disease, why use it? Nonetheless, even such regulatory disclaimers seem to go in one ear and out the other of most consumers.

Part of the reason regulation won’t work is that an investor with an insatiable appetite for profits often finds that their ability to reason is occluded. Combine this with the flash of mega-gains that the P&D makers supply, and people will invariably find themselves on the losing end of the deal, with no recourse by which to recoup their losses.

Corresponding to what Ryk Edelstein observed earlier about the well-intentioned business owner, there are many entities required to make a P&D work: lawyers, securities underwriters, transfer agents and much more. Any regulation that would encompass all of the myriad entities would have to be so draconian as to stop all market activities. And such a thing will never happen.

Lesson

Even with the many LIGATT lawsuits, including many frivolous cases filed by Evans, in the most recent case, on April 11, 2011, the legal case LIGATT filed was thrown out of court and the firm ordered to pay over $29,000 in legal costs to the other party.

With all of this, as of July 2011, the SEC has not announced any sort of investigation against LIGATT. Nor have any securities lawyers I consulted said they expect any investigation against the firm any time soon.

Pink sheets are not for girls’ beds

While there are the NYSE, NASDAQ and other reputable exchanges, it should be noted that the Pink Sheets is not a stock exchange. In fact, firms have very few requirements in order to be quoted on the Pink Sheets. Since many of these firms do not submit timely financial statements nor perform third-party audits, it is difficult for the investor to really understand what they are getting into.

It is questionable why any novice investor would want to invest in a firm that can’t afford or won’t submit an audited financial statement. It is for these reasons and more that Pink Sheet firms are extremely risky. Read: a place where naïve investors can lose their entire investment quickly and effortlessly.

This is not to imply that all Pink Sheet stocks should be avoided, as there are certainly many legitimate Pink Sheet companies. Many are smaller firms with legitimate intentions of starting small and growing big. But given that there are so many that are not like that, the novice investor in the Pink Sheet market is going down a road fraught with financial risk.

Much of the hype around some of these Pink Sheet companies is often based on the charisma and hyperbole of the financial people and executives at the companies. Uneducated and unsophisticated investors, who lack the most basic financial wherewithal and fail to perform due diligence, become victims of these charlatans.

As noted in the previous paragraph, the very nature of the Pink Sheets means they can never be fully and properly regulated. With that lack of common financial sense of basic investors, and Barnum’s observation, those people are for the most part doomed to losing their investment.

Investors who are not comfortable with the underlying mechanics of how the financial markets operate should consider the pink sheet market just like a Vegas casino, where the odds are stacked against them from the start.

A market maker who works in the pink sheet world succinctly told me that “these stocks are garbage. You buy a stock for a half a cent and hope it goes to a penny”.

Lesson

LIGATT (LGTT.PK) is a pink sheet stock, better known as a penny stock. As to LIGATT and Pink Sheets, the following screen shot says it all:

Media needs content

Details

On any given day, hundreds of media outlets need content to fill their airwaves. Radio stations, newspapers, periodicals and a never-ending supply of cable channels need people they can interview on the air for external expertise.

Over the last year, LIGATT PR solicited numerous media outlets, who in turn had Evans appear as an expert and provide commentary. Just a few weeks ago, their PR department sent the following email to many media outlets:

Lesson

Numerous media outlets had Evans on air, irrespective of his false associations (Atlanta Hawks, Atlanta Thrashers, Los Angeles Clippers, Philips Arena and more), false certifications, and authorship of plagiarized books to make him seem like he was indeed the “world’s #1 hacker”.

With that, one can pose the question: if the major media outlets such as Fox, CNN, Bloomberg, et al., can’t get it right with a guest on technology, what does that say about their approach to foreign policy, investment news and more pressing concerns?

While the major media players ignored Evans’ qualifications, it is worth noting that smaller media outlets such as The Register, Tech Herald and the CBS Atlanta affiliate did run exposés about the firm and its titular #1 hacker.

Racism in the USA

Not a Miley Cyrus song, but racism is a serious transgression. It wasn’t that long ago that an African American couldn’t use a public restroom or drinking fountain in this country. These racist inequalities were the driving force behind the establishment of the NAACP and other such organizations.

In the 100 years since the founding of the NAACP, a lot has changed. Take a look at the former Secretary of State, the current President and Attorney General; it is clear that state-sponsored racism is no longer an issue.

Perhaps fighting racism is no longer the raison d'être of the NAACP. To a degree, the organization has been reduced to a business that produces the NAACP Image Awards.

The irony is that in March of this year, the NAACP had its image tarnished, as it found itself on the receiving end of a boycott, since Kid Rock received the NAACP Great Expectations award at the Detroit NAACP gala.

This award caused a dispute among some who believe that he should not have received it. Their opinion is that he is an inappropriate choice given his affiliation with the Civil War-era Confederate Army flag, which has been adopted by white supremacists and has irked many civil rights activists. In fact, some supporters of the civil rights organization boycotted the annual fundraiser on May 1 because of the issue.

The singer has argued that the flag stands as a symbol of southern rock and roll, but many protesters don’t quite see it that way. Dr. Boyce Watkins, Professor at Syracuse University, writes that if anyone ever wants to understand why so many in the black community have lost faith in certain elements of the NAACP, you need look no further than this incident. He notes that it’s one thing for the NAACP to remain quiet about Kid Rock’s use of one of the most traumatic symbols in American history, but quite another for them to step up and give him an award for it.

Lesson

The NAACP presented Evans with its NAACP humanitarian award in 2002.

But LIGATT used press releases to accuse respected professionals who did deeper investigations and analysis into its activities of having a racist agenda and being some of the world’s worst cyberbullies. Some examples include a blog posting in June 2010, How Can Computer Nerds Be Racist, where LIGATT accused this author and Chris John Riley of being racist, and emphasized the claims that criticism leveled at Evans and LIGATT is all racially motivated.

For a full account, see Security firm fights racism in InfoSec while apparently profiting from it and ‘World's No. 1 hacker’ tome rocks security world - Plagiarism, racism, and fake Mitnickism alleged.

LIGATT even accused CBS Atlanta of having a racist agenda when they ran an exposé against the firm. While CBS Atlanta posted the response from LIGATT, it was somewhat ironic that portions of the response had to be redacted because of racially offensive language from LIGATT themselves.

Yet when his charges of racism were brought to the attention of the NAACP, they did not seem receptive to the issue, nor did they revoke the award. Furthermore, despite our attempts to contact them, they never returned a phone call or replied to email.

Despite numerous emails, phone calls, conversations with the executive assistant to the president of the NAACP, and messages directly to the President of the organization, none invoked even the gesture of a courtesy reply.

But big organizations have politics and bureaucracies like the best of them. As for the NAACP, I was disappointed to see the organization ignore a complaint about one of their award winners making baseless accusations of racism.

Conclusion

I am currently writing a review of a book about cloud computing. Something tells me (and I certainly hope) that it won’t be as much of an adventure as this review was. On the upside, I learned a lot more by writing the review than by reading Evans’ book.

Ben Rothke, CISSP, CISA (@benrothke) works in the information security field, writes the Security Reading Room blog and is the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill).