Plagiarism and the State of Infosec Publishing | InfoSec Reviews Blog

I’ve been looking with interest into the plagiarism phenomenon introduced by Ben Rothke in his articleon the RSA Conference website (14th June 2010) regarding the “World’s No. 1 Hacker” book and its blatant reproduction of text from various Internet sources, most of which Rothke was able to identify using one of the industry leading anti-plagiarism tools, called iThenticate.

Author, Gregory D. Evans, basically copied a vast amount of content from 3rd party resources, reproducing them in his own book without citation or reference, effectively stealing this copyrighted material. Very naughty indeed!

However, the question that immediately springs to mind is, if Gregory D. Evans knew he was publishing a book full of plagiarised material, was he really naïve enough to think he’d not get caught?

Was he dumb enough to think that publishing a book on a topic that attracts so much attention from the scientific/technical community would not be ripped apart and shown for what it really was?

Also, did his publishing contract with Cyber Crime Media not tell him that this was against the law; and where was the governance from the editorial and business board in Cyber Crime Media anyway? In fact, who the hell is Cyber Crime Media anyway?

What’s interesting is the perfect storm this particular book created, with dozens of mentions across various news websites, such as the coverage on 22 June 2010 in The Register (http://www.theregister.co.uk/2010/06/22/worlds_no_1_hacker/), where the reporter additionally discredited claims that Gregory D. Evans had mentored infamous hacker, Kevin Mitnick while in prison; a claim that Mitnick vociferously denies, calling him a “hustler,” and, “a grifter.”

Nevertheless, aside from this case, where the author is a blatant charlatan, it’s right to question the value of published material. In an age where self-publishing and self-promotion is rife, who do we really trust? I think the answer lies in understanding which party has the most to lose?

If one author self-publishes a book and does a crappy job, ok, he loses out at his own expense, maybe gets a few bad reviews on Amazon and doesn’t sell a lot of copies, but in a world where many books are not even printed, then shelling out $2.99 for a crappy e-book is the least of our worries; we often just read it, delete it, then move on.

That author probably won’t sell many more books, unless he uses an alias – and if he’s lucky a small wave of media publicity will probably erupt, as it did with the ‘World’s No. 1 Hacker’. So, on the grand scheme of things, this is not so important, right?

However, a more worrying account entitled, “When Hacks Attack: The Computer Security Plagiarism Epidemic,” (http://www.fastcompany.com/1769244/plagiarism-professionals) (Penenberg, 2011), discusses how one of the editors of Attrittion.org has, ‘found that an alarmingly high number of books written by computer security experts are nearly 100% copied from other sources.’

Looking on the Attrition.org website, it lists a series of authors who have ‘plagiarised’ other people’s content in their own books to a lesser or greater degree. Take a look at http://attrition.org/errata/plagiarism/.

What’s interesting in this list is that the publishers (not the authors) were almost entirely unknown, except for one that really stands out: “Dissecting the Hack”, by Dustin L. Fritz, published by none other than Syngress, probably the most prolific publisher of information security books today.

However, when I looked at the quotation from the author, who turned out not to be the author, rather a ‘technical editor’, of this book, I think this is more of an error in judgement than an intentional act of plagiarism:

‘This was an honest mistake and I sincerely apologize for any miscommunication. I hope that the correct and proper citations can be added soon and that all questions regarding copyright and plagiarism issues can be resolved. I hope the book can still be enjoyed as a valuable contribution to the information security community and I hope it will go on to fulfill its objective in reaching anyone who desires to learn more about hacking and security. I want to specifically apologize to Jayson, Kent, Syngress, Rachel, Angelina, all the readers, reviewers, and others who have taken offense. I want to fix this and I sincerely appreciate everyone’s positive support!’  (http://www.mcgrewsecurity.com/2009/10/16/amending-my-f0rb1dd3n-network-review/). 

To their credit, Syngress has published a new edition of this book and significantly improved it, so saving face and proving their worth as a publisher. So, this technical editor was called out by Attrition.org and publicly apologised – which was great, good for you Attrition.org – however, why did this happen in the first place?

I understand that a lot of books mentioned on this site are self-published, either directly by the author, such as in the case of Ali Jahangiri’s book, “Live Hacking”, (also published by Ali Jahangiri), or through a personal publishing imprint set up by themselves (as in the case of Gregory D. Evans and Cyber Crime Media – this is my assumption as I have not been able to confirm, however, the point is still the same irrespective of the relationship Evans has to CCM).

Ali Jahangiri’s book is an interesting case as the quality of the editorial waxes and wanes throughout, and Jericho (from Attrition.org) writes, “Page 183 on MAC Filtering appears to have original content, but is desperately in need of an editor.

“Rouge Access Point Attack” would clearly pass a spell check, but should not pass a technical editor. Dr. Jahangiri also gets points for quoting parts of the BackTrack manual in his book on LiveHacking, after maintaining that LiveHacking is a better distribution.”

So, in “Live Hacking”, where there is original content the editorial standard is low, however, where there is plagiarised material it is as high-quality as the source. This is one indication of the overall book’s quality, provenance and ultimately value for money (as this is what it all boils down to).

Interestingly, I reviewed the entire Live Hacking book by Jahangiri some months ago and it really is woefully bad, apprearing more as a high school project than a professionally published book, so if I saw it on the bookshelf in a bookstore there is no way it would end up being exchanged for hard earned money.

The Syngress case, however, is a different beast altogether. Syngress has a good reputation for being the primary information security publisher in today’s market. This is an imprint that has dozens of new infosec titles coming out each year, covering a vast array of topics: from penetration testing to governance & risk; from cyber crime to malware analysis; and in most cases they do a pretty good job.

Now, I have worked myself for various publishers over the years, even acting in the capacity of ‘acquisitions editor’ for one of the larger technical publishers, so I know the pressure these businesses are facing from their internal management/publishing teams.

Often the checks and balances editors should apply to their individual publishing projects get shortcutted when business imperatives take over. This can lead to typos, grammatical inaccuracies, maybe technical problems with code not working properly (or maybe not being tested on all platforms, for example), through to more serious errors, such as in this case where the Syngress team did not educate their technical editor, Dustin L. Fritz, in how the sources being cited or copied from were required to be referenced.

I doubt this was malicious on the part of Syngress as the company has so much to lose from being discredited; their entire business relies on their providing fresh, high-quality material that adds value to the information security community.

Nevertheless, this accident, or error in judgement, should make publishers stand up and be accountable for the material they publish, as often the business leaders that press for financial results don’t think strategically enough to see beyond a book’s initial time-to-market.

Dustin L. Fritz might have only been given three months to create the entire text of this book (something that 10 years ago he’d have been given 12 months to create), and if he was given 6 months he might well have come up with a very different text; however, with pressure to ‘publish and be damned’, in this case Dustin L. Fritz was damned the day the book went to press. He may never recover, at least in professional publishing circles.

In conclusion, book publishers need to up their game in terms of their quality assurance processes in order to demonstrate their true worth to their customers, something that the charlatans, such as Gregory D. Evans and Ali Jahangiri, will always fail to deliver upon – since these guys are not publishers.

Once publishers realise that strategic publishing (for the generation of long-tail, sustainable revenues) is a better approach than tactical publishing, especially in scientific fields, such as information security, it will be better for all of us, otherwise we risk the outcome being that the Gregory D. Evanses of this world will find themselves batting at the same level as Wiley, Syngress and McGraw-Hill, and once that happens the publishing will be well and truly dead.

Tony

This article was first published on InfoSec Island on 17th August 2011 – www.infosecisland.com