29 June 2010

An Independent Plagiarism Review of How to Become the World's No. 1 Hacker

I won't beat the drum regarding Mr. Gregory D Evans and his infamous security company, LIGATT Security. That topic has been covered thoroughly elsewhere, such as on Attrition.org. I was surprised at the issue of plagiarism that came up earlier this month and decided to evaluate the book myself.

Ben Rothke did an excellent job at setting up the story with his plagiarism audit on his blog. 

What prompted me to do this audit was one major statement. In defense of his book, Mr. Evans spoke that "I wrote 60 percent of my book". (Source video, time marker 11:50). After reviewing Rothke's assessment again, there seems to be some grey area. In Rothke's assessment there was a total number of words copied from various other sources, but they weren't placed into the context of the total amount of content per chapter. 

Here, I tried to provide that. I went page by page, paragraph by paragraph, to see where the material originated. The following chart is a complete page breakdown of various items that shows, in sequence, where material came from. I'm alleging that the material was copied from these sources, but chances are they he may have found an identical source with the same text. These are the sources that I came up with in my own research and for some there were multiple results.

For those following along at home, the page references on the left refer to the physical page in the book.  To get the actual page number, subtract 30 from the reference shown here.

Want to follow along from home?  The Register has a link to the full PDF of the book on their related news article
  
World’s No. 1 Hacker
Source
1-4
Standard book introduction material
5-9
Gregory Evans biography
10-24
References, screenshots, bona fides
25-30
Table of Contents
31-34
Preface (The first page and few paragraphs of the second, and the last few paragraphs are by Evans - 648 words. The "top 10 cyber crimes" was copied from UltimateCentre)
35
Toolkit (Written by Evans – 156 words)
35-36
Metasploit (copied from Wikipedia)
36
Wireshark (copied from Wikipedia)
36
Snort (copied from Wikipedia)
36
Cain & Able (sic) (copied from product page)
37
BackTrack (Copied from product tutorial)
37
VistaStumbler (Copied from Softpedia)
37
Kismet (Copied from Wikipedia)
37
Aircrack-ng (Copied from Wikipedia)
38
Airodump (Copied from product page)
38
NetStumbler (Copied from Wikipedia)
38
Nmap (Copied from Wikipedia)
38-39
2.1 “I have a client…” (Copied from Hacking for Dummies)
39-42

ETHICAL HACKING AGREEMENT (Copied from SecurityFocus mailing list)
43-46

Phase 1 – Reconnaissance (Copied with slight rewording from AthenaWebSecurity PDF) – In every few sentences is a slight rearrangement of words to fool plagiarism checks. For example, PDF reads:
“As an ethical hacker you must be aware of the tools and techniques that are deployed by attackers”
Evan’s book reads:
“As an ethnical (sic) hacker, you must be aware of the tools and techniques that attackers deploy”
46-50

“The first step…” (Copied from www.Tek-Tips.com). However, total text seems to be a copy from AuditMyPC.
50-53

Packet Sniffing (One original sentence from Evans, and rest copied from GRC.com)
53-57

2.7  (Copied from Cromwell-intl.com)
58

Blank Notes page
59-60

Account Basics (Entire chapter copied from NMRC)
61-64

Password Basics 4.1-4.9 (Copied from NMRC)
65-67

Password Basics 4.10 (Copied from Raymond.cc). Found by using Tineye on screenshots in book.
67-68

Password Basics 4.11 (Image and text copied from Raymond.cc)
68-75

“NEW SECTION PASSWORD CRACKING” (Copied from IBM.com) Some images were copied, some weren’t (defaced website, for example)
75-78

Password Basics 4.12 (Original content by Evans for intro regarding Tiger Woods and Kobe Bryant – 61 words. Rest copied from Sectools.org)
78-85

Password Basics 4.13 (Copied from GovernmentSecurity.org) Text was changed slightly to change download links to “www.ligatt.com”.
85

Password Basics 4.14 (Copied from Microsoft TechNet)
85

Original sentence by Evans at very end - 22 words.
86

Blank Notes page
87-89

Denial of Service (Entire chapter copied from NMRC)
90

Blank Notes page
91

Logging Basics (Entire chapter copied from NMRC)
92

Blank Notes page
93

Miscellaneous Basics 7.0 (First two chapters copied from NMRC, with edits made by Evans to reference his book)
93-94

Miscellaneous Basics 7.1 (Copied from TechTarget, written by Brien M. Posey) Use BugMeNot account to view article.
95-106

Miscellaneous Basics 7.2 (Copied from PacketStormSecurity.org)
106-107

Miscellaneous Basics 7.3-7.4 (Copied from NMRC)
107

Miscellaneous Basics 7.5 (Written by Evans to pitch IPSNITH program – 184 words)
107-108

Miscellaneous Basics 7.6 (Copied from Squidoo.com)
109-113

Spyware (Copied from Squidoo.com) Slight changes were made, including:
Original: To purchase Flexispy, go to www.flexispysoftware.com
New: To purchase Flexispy, go to www.SPOOFEM.COM.
113-114

“#3 Pick” – Here things change. The original article above listed “MobiStealth” here, but Evans changed it to Neo Call. This material was copied from HackYourLove.com
114-117

“The one product that I DO NOT…” Here it changes back to the original article two entries up. (Copied from Squidoo.com)
117

Spyware 8.1 (Copied from Squidoo.com) This text actually appears at the beginning of the article that Evans copied for the previous pages.
117

Spyware 8.2 (Found on various websites, but it’s a basic list so I’ll just label it as original by Evans – 17 words)
117

Spyware 8.3 (Found on various websites, one is Rafay Hacking Article). After the “Log Summary” line, and the following sentence, the plagiarism changes source, as shown in the next entry.
117-119

Spyware 8.3 (Rest of material copied from SpyPhoneGuy.com)
119

Spyware 8.4 (Copied, again, from Squidoo.com)
119-120

Spyware 8.5 (Copied from NMRC, and is in the wrong chapter J)
120-126

“Spyware overview” (Copied from Symantec.com)
127-129

Spyware 8.6 (Copied from Keyloggers2010.com)
129

“My Favorite” (One paragraph, appears to be originally written by Evans – 45 words)
129-132

SpectorSoft (Copied from Spectorsoft.com)
133-139

Web Browser As Attack Point 9.1-9.5 (Copied from NMRC)
139

Web Browser 9.6 (Errant, confusing paste from EthicalHacker.net)
139-154

Web Browser 9.7 (Copied from EthicalHacker.net, written by Chris Gates)
154-160

Web Browser 9.8 (Copied from dedoimedo.com)
161-168

Web Browser as Attack Tool (Entire chapter copied from NMRC)
169-174

The Basic Web Server 11.0 (Copied from NMRC)
174-175

“I am still confused about the Web server…” (Found on various sources, includingSecurityBasic.blogspot.com)
175-176

“Apache Risks” (Copied from SecurityBasic.blogspot.com)
176-177

“IIS Risks” (Copied from SecurityBasic.blogspot.com)
177-178

“Exploiting IIS” (Copied from SecurityBasic.blogspot.com)
178-180

“About Unicode” (Copied from SecurityBasic.blogspot.com)

Amusingly, on 180, the section ends with “, (…?)”, though the article has more material on another site (FreeHacking.net). Evans should have been more selective in his plagiarism.
181-195

Port Scanning 12.0 (Sections came from Hacking Exposed Sixth Edition, but were re-written to appear original). At least that’s what I found at first, and then I realized that someone else rewrote it and Evans just copied from him. Copied from SQLInjections.blogspot.com)
And, to add salt to a wound, he misspelled http://johnny.ihackstuff.co when copying the material.
196

Port Scanning 12.1 (Copied from NMRC)
196

Port Scanning 12.2 – I know what you’re thinking. It’s just an ad for LIGATT.com so it’s original. Nope. (Copied from NMRC)
197-199

Unix Accounts (Copied from NMRC)
200

Blank Notes page
201-206

Unix Passwords (Copied from NMRC)
207-209

Unix Local Attacks (Copied from NMRC)
210

Blank Notes page
211
Unix Remote Attacks (Copied from NMRC)
212
Blank Notes page
213
Unix Logging (Copied from NMRC)
214
Blank Notes page
215-223
SQL Injection (Copied from Hackers Center)
Amusingly, the last paragraph reads:
“Thank you all for reading and continue to show your support to Hackers Centre”
224
Blank Notes page
225-229
Packet Sniffing 19.0 (First paragraph seemingly copied from CovertSurfer.com, rest copied from Certified Ethical Hacker Exam Prep, as shown here) Updates were made to change “Ethereal” to “Wireshark”. Any web URLs were removed.
UPDATE: 21 Jul 10 - I noticed on 227 (197) "You might know that my name is Michael Gregg and because I'm the author of this book..." 
230
Blank Notes page
231-239
Spoofing and Hijacking (Copied likely from here, but some ultimately came from the C|EH Official Course Material). Small changes are made, such as adding “As we discussed earlier” to the beginning of 20.1, but it’s all the same copied content.
240
Blank Notes page
241
Social Engineering 21.0 (Copied from TechTarget.com)
242-251
Social Engineering 21.1 (Copied from Certified Ethical Hacker Exam Prep, as shownhere. Ultimately I believe Evans copied it from here)
252
Blank Notes page
253-285
Metasploit (Copied in verbatim from a Department of Defense FOUO (For Official Use Only) training course provided by the Defense Cyber Investigations Training Academy)
286
Blank Notes page
287-303
Cracking a Wireless (sic)  (Copied in verbatim from a Department of Defense FOUO (For Official Use Only) training course provided by the Defense Cyber Investigations Training Academy)
304-309
Eavesdropping on VoIP (Written by Marc-Andre Meloche, and copied from Hakin9).
310
Blank Notes page
311-312
Hacking Cell Phone Voicemails (Originally written by Evans – 634 words) Somewhat evidenced by horrendous grammar and spelling, and a sense of prose that does not flow.
313-321
How to Become a Hacker… (Originally written is hard to say here. Much was copied from LIGATT’s own website, and most is from a usage manual that is included with IPSNITCH and PORTSNITCH. However, for Evans’ sake, we’ll say it is original – 1,489 words).
322
Blank Notes page
323
Making Money as Hacker (sic) (Originally written, as evidenced by Mr. Evans’ insistent loathing of IT Managers – 382 words).
324-325
“Intelligently manage vulnerabilities” (Copied from Core-SDI.com)
326
Blank Notes page
327-333
Glossary (All terms copied from Webopedia and other online dictionary sources. 123456789, etc…)
334
LIGATT Graphical images
335-341
Blank Notes page
342
Back cover

You will find that many of the references are from NMRC.org, a site run by Simple Nomad. Simple Nomad developed the basic structure that Evans used to plan his table of contents, as well as originally developed the material used by Evans in his book. This was excellently written material, but is dated originally from 2000.


When all was said and done, I counted a total of 3,638 words that Evans had wrote in his own sections. This does not include rewriting of copied material.  This adds up to a total of about 15 pages, once you include the numerous images and screenshots. The book has a content-page count of 303 pages. That means that Evans wrote a total of 5% of his book, and that's being generous, with the 22 images in chapter 25 alone . And the vast majority of his content was how to use products that his company sells, which could've been written by anyone on his staff.


The grey areas left are pages 253-285 and 287-303, from which a source has not been identified, but seems out of place with the rest of Evans' work. If Evans announces that he wrote this material, it would take his content up to 21%. But, until he does so, it just does not fall in line with the work he's produced in the past.

UPDATE: 29 Jun 2010 1927 - I had a thought last night. Going by page count alone, Evans "wrote" about 15 pages of content. However, what if we judged him based on words themselves? Original thought and not graphical imagery. I grabbed a sample page that was all text to see how much content is in a single page in his publishing style. Page 36 (6) came up to 425 words. If we work off words alone, then Evans would have written approximately it comes up to approximately 8.5 pages of content. So, almost half of what I claimed above. But, again, we need to look at things in context. The entire book was 95,547 words. That means that Evans' 3,638 words is 3.8% of the book's content.

And I may even throw Mr. Evans a very small bone here. Although he said that he wrote 60% of the book and outsourced the last 40% (which we can now see that he outsourced 95%), he may have been under the assumption that the material given to him was unique and not copied. However, if you are going to hit up Craigslist to find hackers to give you original hacking material (Source video, time marker 11:58). Find a person desperate for money and tell them to give you content on XYZ, and they'll copy it from Wikipedia. A TRUE publishing company would know better. By having ghost writers you are willingly taking credit for other people's work, and they give up their rights for a small profit. However, that also means that you take the hit if you did not properly vet and verify the material given to you. You put your name on that content; you cannot pass the buck to a ghost writer.

UPDATE: 21 Jul 2010 1530 - Gregory Evans recently gave a phone interview with Stock Talk 101 Radio. In this interview (time marker 6:45) he stated "I wrote the book - I did not - I put the book together, but yet, all the people who are actually saying that I plagiarized the book never read the book. They don't have copies of the book. The only thing they have is what was said by one person where this whole thing actually started and even in the book we um, we did not even discuss that this book was written by Greg or authored by Greg or any of that. I think it comes that is um a publication of Gregory Evans. It's like you know a movie and you say you have an executive producer who pays for everything. It's more like that. Because everything I paid for, all the stories and chapters except for the stuff that I actually wrote, all is in the book. And it's in there legitimately. And, again, to this day I still have yet anyone to come back and say "Greg, you stole my stuff" and contacted their attorneys and try to file a new claim. "

I'll make no response to that. You can read this article, and read his statement above, and make your own determinations.

UPDATE: 4 Jan 2014 1700 - As I'm no longer with the organization, which has no interest in pursuing the issue, I've updated the page to note that some of the content was plagiarized from my old agency. At the Defense Cyber Crime Center (DC3) is the Defense Cyber Investigations Training Academy (DCITA) for which I was the Deputy Technical Lead as a contractor. Two chapters of the book were taken from training material that the agency provided at a training event.

The two chapters in question are both derived from Department of Defense documentation classified as For Official Use Only.


253-285
Metasploit
287-303
Cracking a Wireless (sic)


Of note is the paragraph on page 301:

"Evidence collection methods of wired and wireless devices are quite similar, but outside the scope of this course. DCITA offers courses about the collection of potential evidence from the witness devices."