29 June 2010

An Independent Plagiarism Review of How to Become the World's No. 1 Hacker

I won't beat the drum regarding Mr. Gregory D Evans and his infamous security company, LIGATT Security. That topic has been covered thoroughly elsewhere, such as on Attrition.org. I was surprised at the issue of plagiarism that came up earlier this month and decided to evaluate the book myself.

Ben Rothke did an excellent job at setting up the story with his plagiarism audit on his blog. 

What prompted me to do this audit was one major statement. In defense of his book, Mr. Evans spoke that "I wrote 60 percent of my book". (Source video, time marker 11:50). After reviewing Rothke's assessment again, there seems to be some grey area. In Rothke's assessment there was a total number of words copied from various other sources, but they weren't placed into the context of the total amount of content per chapter. 

Here, I tried to provide that. I went page by page, paragraph by paragraph, to see where the material originated. The following chart is a complete page breakdown of various items that shows, in sequence, where material came from. I'm alleging that the material was copied from these sources, but chances are they he may have found an identical source with the same text. These are the sources that I came up with in my own research and for some there were multiple results.

For those following along at home, the page references on the left refer to the physical page in the book.  To get the actual page number, subtract 30 from the reference shown here.

Want to follow along from home?  The Register has a link to the full PDF of the book on their related news article
World’s No. 1 Hacker
Standard book introduction material
Gregory Evans biography
References, screenshots, bona fides
Table of Contents
Preface (The first page and few paragraphs of the second, and the last few paragraphs are by Evans - 648 words. The "top 10 cyber crimes" was copied from UltimateCentre)
Toolkit (Written by Evans – 156 words)
Metasploit (copied from Wikipedia)
Wireshark (copied from Wikipedia)
Snort (copied from Wikipedia)
Cain & Able (sic) (copied from product page)
BackTrack (Copied from product tutorial)
VistaStumbler (Copied from Softpedia)
Kismet (Copied from Wikipedia)
Aircrack-ng (Copied from Wikipedia)
Airodump (Copied from product page)
NetStumbler (Copied from Wikipedia)
Nmap (Copied from Wikipedia)
2.1 “I have a client…” (Copied from Hacking for Dummies)

ETHICAL HACKING AGREEMENT (Copied from SecurityFocus mailing list)

Phase 1 – Reconnaissance (Copied with slight rewording from AthenaWebSecurity PDF) – In every few sentences is a slight rearrangement of words to fool plagiarism checks. For example, PDF reads:
“As an ethical hacker you must be aware of the tools and techniques that are deployed by attackers”
Evan’s book reads:
“As an ethnical (sic) hacker, you must be aware of the tools and techniques that attackers deploy”

“The first step…” (Copied from www.Tek-Tips.com). However, total text seems to be a copy from AuditMyPC.

Packet Sniffing (One original sentence from Evans, and rest copied from GRC.com)

2.7  (Copied from Cromwell-intl.com)

Blank Notes page

Account Basics (Entire chapter copied from NMRC)

Password Basics 4.1-4.9 (Copied from NMRC)

Password Basics 4.10 (Copied from Raymond.cc). Found by using Tineye on screenshots in book.

Password Basics 4.11 (Image and text copied from Raymond.cc)

“NEW SECTION PASSWORD CRACKING” (Copied from IBM.com) Some images were copied, some weren’t (defaced website, for example)

Password Basics 4.12 (Original content by Evans for intro regarding Tiger Woods and Kobe Bryant – 61 words. Rest copied from Sectools.org)

Password Basics 4.13 (Copied from GovernmentSecurity.org) Text was changed slightly to change download links to “www.ligatt.com”.

Password Basics 4.14 (Copied from Microsoft TechNet)

Original sentence by Evans at very end - 22 words.

Blank Notes page

Denial of Service (Entire chapter copied from NMRC)

Blank Notes page

Logging Basics (Entire chapter copied from NMRC)

Blank Notes page

Miscellaneous Basics 7.0 (First two chapters copied from NMRC, with edits made by Evans to reference his book)

Miscellaneous Basics 7.1 (Copied from TechTarget, written by Brien M. Posey) Use BugMeNot account to view article.

Miscellaneous Basics 7.2 (Copied from PacketStormSecurity.org)

Miscellaneous Basics 7.3-7.4 (Copied from NMRC)

Miscellaneous Basics 7.5 (Written by Evans to pitch IPSNITH program – 184 words)

Miscellaneous Basics 7.6 (Copied from Squidoo.com)

Spyware (Copied from Squidoo.com) Slight changes were made, including:
Original: To purchase Flexispy, go to www.flexispysoftware.com
New: To purchase Flexispy, go to www.SPOOFEM.COM.

“#3 Pick” – Here things change. The original article above listed “MobiStealth” here, but Evans changed it to Neo Call. This material was copied from HackYourLove.com

“The one product that I DO NOT…” Here it changes back to the original article two entries up. (Copied from Squidoo.com)

Spyware 8.1 (Copied from Squidoo.com) This text actually appears at the beginning of the article that Evans copied for the previous pages.

Spyware 8.2 (Found on various websites, but it’s a basic list so I’ll just label it as original by Evans – 17 words)

Spyware 8.3 (Found on various websites, one is Rafay Hacking Article). After the “Log Summary” line, and the following sentence, the plagiarism changes source, as shown in the next entry.

Spyware 8.3 (Rest of material copied from SpyPhoneGuy.com)

Spyware 8.4 (Copied, again, from Squidoo.com)

Spyware 8.5 (Copied from NMRC, and is in the wrong chapter J)

“Spyware overview” (Copied from Symantec.com)

Spyware 8.6 (Copied from Keyloggers2010.com)

“My Favorite” (One paragraph, appears to be originally written by Evans – 45 words)

SpectorSoft (Copied from Spectorsoft.com)

Web Browser As Attack Point 9.1-9.5 (Copied from NMRC)

Web Browser 9.6 (Errant, confusing paste from EthicalHacker.net)

Web Browser 9.7 (Copied from EthicalHacker.net, written by Chris Gates)

Web Browser 9.8 (Copied from dedoimedo.com)

Web Browser as Attack Tool (Entire chapter copied from NMRC)

The Basic Web Server 11.0 (Copied from NMRC)

“I am still confused about the Web server…” (Found on various sources, includingSecurityBasic.blogspot.com)

“Apache Risks” (Copied from SecurityBasic.blogspot.com)

“IIS Risks” (Copied from SecurityBasic.blogspot.com)

“Exploiting IIS” (Copied from SecurityBasic.blogspot.com)

“About Unicode” (Copied from SecurityBasic.blogspot.com)

Amusingly, on 180, the section ends with “, (…?)”, though the article has more material on another site (FreeHacking.net). Evans should have been more selective in his plagiarism.

Port Scanning 12.0 (Sections came from Hacking Exposed Sixth Edition, but were re-written to appear original). At least that’s what I found at first, and then I realized that someone else rewrote it and Evans just copied from him. Copied from SQLInjections.blogspot.com)
And, to add salt to a wound, he misspelled http://johnny.ihackstuff.co when copying the material.

Port Scanning 12.1 (Copied from NMRC)

Port Scanning 12.2 – I know what you’re thinking. It’s just an ad for LIGATT.com so it’s original. Nope. (Copied from NMRC)

Unix Accounts (Copied from NMRC)

Blank Notes page

Unix Passwords (Copied from NMRC)

Unix Local Attacks (Copied from NMRC)

Blank Notes page
Unix Remote Attacks (Copied from NMRC)
Blank Notes page
Unix Logging (Copied from NMRC)
Blank Notes page
SQL Injection (Copied from Hackers Center)
Amusingly, the last paragraph reads:
“Thank you all for reading and continue to show your support to Hackers Centre”
Blank Notes page
Packet Sniffing 19.0 (First paragraph seemingly copied from CovertSurfer.com, rest copied from Certified Ethical Hacker Exam Prep, as shown here) Updates were made to change “Ethereal” to “Wireshark”. Any web URLs were removed.
UPDATE: 21 Jul 10 - I noticed on 227 (197) "You might know that my name is Michael Gregg and because I'm the author of this book..." 
Blank Notes page
Spoofing and Hijacking (Copied likely from here, but some ultimately came from the C|EH Official Course Material). Small changes are made, such as adding “As we discussed earlier” to the beginning of 20.1, but it’s all the same copied content.
Blank Notes page
Social Engineering 21.0 (Copied from TechTarget.com)
Social Engineering 21.1 (Copied from Certified Ethical Hacker Exam Prep, as shownhere. Ultimately I believe Evans copied it from here)
Blank Notes page
Metasploit (Copied in verbatim from a Department of Defense FOUO (For Official Use Only) training course provided by the Defense Cyber Investigations Training Academy)
Blank Notes page
Cracking a Wireless (sic)  (Copied in verbatim from a Department of Defense FOUO (For Official Use Only) training course provided by the Defense Cyber Investigations Training Academy)
Eavesdropping on VoIP (Written by Marc-Andre Meloche, and copied from Hakin9).
Blank Notes page
Hacking Cell Phone Voicemails (Originally written by Evans – 634 words) Somewhat evidenced by horrendous grammar and spelling, and a sense of prose that does not flow.
How to Become a Hacker… (Originally written is hard to say here. Much was copied from LIGATT’s own website, and most is from a usage manual that is included with IPSNITCH and PORTSNITCH. However, for Evans’ sake, we’ll say it is original – 1,489 words).
Blank Notes page
Making Money as Hacker (sic) (Originally written, as evidenced by Mr. Evans’ insistent loathing of IT Managers – 382 words).
“Intelligently manage vulnerabilities” (Copied from Core-SDI.com)
Blank Notes page
Glossary (All terms copied from Webopedia and other online dictionary sources. 123456789, etc…)
LIGATT Graphical images
Blank Notes page
Back cover

You will find that many of the references are from NMRC.org, a site run by Simple Nomad. Simple Nomad developed the basic structure that Evans used to plan his table of contents, as well as originally developed the material used by Evans in his book. This was excellently written material, but is dated originally from 2000.

When all was said and done, I counted a total of 3,638 words that Evans had wrote in his own sections. This does not include rewriting of copied material.  This adds up to a total of about 15 pages, once you include the numerous images and screenshots. The book has a content-page count of 303 pages. That means that Evans wrote a total of 5% of his book, and that's being generous, with the 22 images in chapter 25 alone . And the vast majority of his content was how to use products that his company sells, which could've been written by anyone on his staff.

The grey areas left are pages 253-285 and 287-303, from which a source has not been identified, but seems out of place with the rest of Evans' work. If Evans announces that he wrote this material, it would take his content up to 21%. But, until he does so, it just does not fall in line with the work he's produced in the past.

UPDATE: 29 Jun 2010 1927 - I had a thought last night. Going by page count alone, Evans "wrote" about 15 pages of content. However, what if we judged him based on words themselves? Original thought and not graphical imagery. I grabbed a sample page that was all text to see how much content is in a single page in his publishing style. Page 36 (6) came up to 425 words. If we work off words alone, then Evans would have written approximately it comes up to approximately 8.5 pages of content. So, almost half of what I claimed above. But, again, we need to look at things in context. The entire book was 95,547 words. That means that Evans' 3,638 words is 3.8% of the book's content.

And I may even throw Mr. Evans a very small bone here. Although he said that he wrote 60% of the book and outsourced the last 40% (which we can now see that he outsourced 95%), he may have been under the assumption that the material given to him was unique and not copied. However, if you are going to hit up Craigslist to find hackers to give you original hacking material (Source video, time marker 11:58). Find a person desperate for money and tell them to give you content on XYZ, and they'll copy it from Wikipedia. A TRUE publishing company would know better. By having ghost writers you are willingly taking credit for other people's work, and they give up their rights for a small profit. However, that also means that you take the hit if you did not properly vet and verify the material given to you. You put your name on that content; you cannot pass the buck to a ghost writer.

UPDATE: 21 Jul 2010 1530 - Gregory Evans recently gave a phone interview with Stock Talk 101 Radio. In this interview (time marker 6:45) he stated "I wrote the book - I did not - I put the book together, but yet, all the people who are actually saying that I plagiarized the book never read the book. They don't have copies of the book. The only thing they have is what was said by one person where this whole thing actually started and even in the book we um, we did not even discuss that this book was written by Greg or authored by Greg or any of that. I think it comes that is um a publication of Gregory Evans. It's like you know a movie and you say you have an executive producer who pays for everything. It's more like that. Because everything I paid for, all the stories and chapters except for the stuff that I actually wrote, all is in the book. And it's in there legitimately. And, again, to this day I still have yet anyone to come back and say "Greg, you stole my stuff" and contacted their attorneys and try to file a new claim. "

I'll make no response to that. You can read this article, and read his statement above, and make your own determinations.

UPDATE: 4 Jan 2014 1700 - As I'm no longer with the organization, which has no interest in pursuing the issue, I've updated the page to note that some of the content was plagiarized from my old agency. At the Defense Cyber Crime Center (DC3) is the Defense Cyber Investigations Training Academy (DCITA) for which I was the Deputy Technical Lead as a contractor. Two chapters of the book were taken from training material that the agency provided at a training event.

The two chapters in question are both derived from Department of Defense documentation classified as For Official Use Only.

Cracking a Wireless (sic)

Of note is the paragraph on page 301:

"Evidence collection methods of wired and wireless devices are quite similar, but outside the scope of this course. DCITA offers courses about the collection of potential evidence from the witness devices."