Borrowing code is standard operating procedure for those who work with software. All modern computer programming languages use what is known as an "object oriented" model, which means code is designed to be modular--like swappable, repeatable, spawning objects. Over time standards have emerged, with programs often inheriting code from third-party libraries. Many popular open source packages like Drupal or WordPress are not only composed of contributions and "borrowings" of thousands of developers and sources, but are architected to be customized by copying parts to be "overridden." In other words, copying is required, and there are a variety of licenses that specifically allow for it, provided credit is given. Code is a bit like a message in a bottle floating in the ocean... it could end up anywhere. If someone doesn't want you taking his code, he would cloak it with encryption.
This "information wants to be free" credo of programmers everywhere is a far cry from American copyright law and tradition, which discourages unfettered copying. This difference in ethos may explain why so many computer security books appear to be plagiarized. Indeed, entire tomes--written by an array of self-proclaimed computer security experts--seem to have been copied and pasted from other sources without attribution, their authors not even bothering to conjure up a single original adverb, as if they were just grabbing code from another website.
I first became aware of this plagiarism-palooza from Brian Martin, a computer security professional who, under his handle "Jericho," is a founding member of Attrition.org, a popular computer security web site that has as its mission (he calls it a "crusade") "to expose industry frauds and inform the public about incorrect information in computer security articles." He has spent months plugging phrases from these books into Google in an attempt to locate the original source material.
The project, he says, was a "nasty side effect" of investigating "charlatans"--those who thrive on deceit to promote themselves--when a fan pointed out a book review that had found rampant plagiarism in a popular computer security book. From there it snowballed, and since many of these authors have written multiple books, he has no shortage of material. Lately he's noticed more and more plagiarism and copyright violation (wholesale scraping of content) in the security world.
Jericho does it, he says, because "integrity is a fundamental principle" behind computer security. "If a published author showed a lack of integrity in the creation of their book, the industry needs to know about it. If he lied, cheated or stole to get there, it begs the question: What else does he lie about?"
The amount of plagiarism is shocking. Jericho found that 99.3% of the words in Spyware Reference & Study Guide, by Gregory D. Evans, are plagiarized--that's 320 out of 322 pages, with the author copying up to 100 straight pages at a time--as is 95% of Evans's How to Become the World's No. 1 Hacker. Half the words in Ankit Fadia and Manu Zacharia's Network Intrusion Alert were gleaned from other sources as were a third of another book Fadia published, Unofficial Guide to Ethical Hacking. Dr. Ali Jahangiri has penned three books and all three appear rife with plagiarism; Attrition calculated that 98% of The Security Policy Cookbook and 97.8% of Computer Networking Handbook were taken virtually word-for-word from other published sources. Hackers and Crackers, by Sahil Khan, is 99.35% plagiarized. Nine out of every 10 words of Cy83r Terror, by Vaidehi Sachin, a former lawyer and the lone journalist of the group, come from other sources.
Jericho lists each author and offers scrupulously detailed examples of material lifted from sources as diverse as Wikipedia, PC World, Techdirt, an Earthlink press release, PCPitstop.com, security conference PowerPoint and slideshows, and other books--and that's just for one title: Gregory Evans' "Spyware Reference & Study Guide." In other instances the site runs side-by-side comparisons of passages from these books with virtually identical original source material.
Attrition dedicates an entire section of the site to Evans, who in 2002 pleaded guilty to conspiracy and wire fraud against AT&T and MCI, was ordered to pay $9 million in restitution and was sentenced to two years in prison. Jericho accuses Evans of crimes well beyond plagiarism: from lying about his teaching credentials and being a licensed private investigator to forging his signature on stock documents, ignoring equal opportunity laws, engaging in legal harassment with bogus lawsuits and subpoena requests, claiming "hacking" skills far beyond his capabilities, and plagiarizing content on his Twitter feed.
Jericho isn't the only one to note Evans' widespread word theft. He got wind of it from a book review by Ben Rothke, an information security manager for Wyndham Worldwide, who ran text from How to Become the World's No. 1 Hacker through the iThenticate plagiarism scanner and found thousands of words from other sources. The Register, a British tech publication, also reported on the wholesale plagiarism, pointing out that Evans included screenshots that cited the original author. In addition, it questioned other Evans utterances, including his claim that he acted as a mentor to hacker Kevin Mitnick while they were both in prison. Mitnick denied it, calling him a "hustler, a grifter."
Evans did not respond to requests for comment, nor did the other authors, except Vaidehi Sachin, who admitted plagiarizing her work, calling it "a mistake." Sachin told Jericho the publicity he's given her led to people asking to buy the book, which had been pulled from shelves "for various reasons." She claimed she sold the book individually and donated the money so a 13-year-old HIV-positive orphan could receive treatment. Meanwhile she has promised to rewrite the material and publish the revamped book next month.
In the past, Evans has chalked up criticism of his work as being racially motivated because "he is an African American male dominating a predominantly Caucasian industry." Recently, though, he found time to email some 200 tech journalists a grammar- and punctuation-challenged note to say that he would "love to serve as a computer expert for you." There was a tinge of desperation to the message, ending with "Please contact me anytime to set up an interview with Evans… We will be happy to meet your needs at anytime. Thanks for you time and I look forward to hearing from you soon."
Apparently it worked. Over the last month Evans has been quoted in the Wall Street Journal, Sacramento Bee, Hollywood Reporter, and Marketing Week. None of the articles mentions plagiarism--nor any of Evans' other questionable activities. On the other hand, Jericho claims that CNN, after taking heat, performed some due diligence and has stopped inviting Evans to appear on camera.
To him this inability to police one of their own undermines the entire security industry, whose foundation is based on ensuring integrity. "It calls into question if we can really provide such services to paying clients," Jericho says.
Adam L. Penenberg is a journalism professor at NYU and a contributing writer to Fast Company. Follow him on Twitter: @penenberg.