Archive for the ‘General’ Category

A Brief Guide To The LIGATT Saga

Preamble

When I interviewed Greg for my podcast, I let him have his say without his views being misrepresented. I’ve wanted to write about the current furore for a while now, but I couldn’t decide on the best way to do it. I was in the process of writing a somewhat facetious limerick about the drama, but I decided instead to simply write down and explain what happened. This is largely for two reasons: nothing rhymes all that well with plagiarism, and it is a genuinely serious subject. People have been falsely accused of racism and have been sent threats of violence for talking about LIGATT, and I ought to approach the subject with the seriousness that it deserves.

Besides a discussion on the subject on the next Student Hacker Information Technology Podcast episode, this will be the last time I talk about the subject (provided that Greg doesn’t do/say anything really stupid). Greg is just a troll, and you should never feed the trolls.

Introduction

Danny Kaye is regarded as one of the best actors of all time. One of his most famous films was ‘The Secret Life of Walter Mitty’. It featured a dreamer and fantasist called Walter Mitty, who imagined himself in fantastic scenarios and adventures that simply weren’t true. We can draw parallels between the character of Walter Mitty and Gregory D Evans, the CEO of LIGATT Security International, who in recent weeks has caused an outburst of unprecedented anger in the information security industry. The causes: the fantastic and ultimately false stories he has woven about his own history and expertise in computer hacking; plagiarism of copyrighted texts without the consent of the authors; threats of violence against well-established computer security professionals; and false allegations of racism against a number of prominent people in the computer security industry.

Greg Evans

Greg Evans is a fantastic storyteller. Not unlike Walter Mitty’s fantasies of protecting priceless treasures and fighting Nazis, Greg has imagined himself as a former expert cracker gone good. Whilst it’s true that Greg Evans was sentenced to 24 months in jail along with a $9,000,000 fine for wire fraud and conspiracy against AT&T and MCI, much of his story doesn’t add up. He talks about developing a close friendship with Kevin Mitnick in jail, and advising him to take federal plea bargains, a claim that Kevin Mitnick flatly denies. Kevin, in a post on the popular micro-blogging website Twitter, says that he did not discuss hacking or his case with him, only with his family and his lawyer.

Upon release from prison, Evans started a new company called LIGATT security, which currently trades for a fraction of a cent per share on the notoriously risky ‘pink sheet’ bulletin boards. Here, he offers a number of products which are aimed at making cyber security easier, or making online law enforcement easier. He also wrote a number of books that have had limited commercial success and has supposedly purchased a number of information security portals, one of which is called National Cyber Security and will be discussed later in the blog post.

How To Be The Worlds Number One Hacker

Greg Evans markets himself as the world’s greatest hacker. He has made YouTube videos to the same effect, which feature a montage of pictures of him in the national and regional press to a backdrop of bad music. His book is titled How To Be The Worlds Number One Hacker, and has met mixed reviews. The book is written in the name of Gregory Evans, and does not mention any authors or contributors other than Gregory Evans. Unfortunately, it has received fierce criticism as a work of unmitigated plagiarism, with some sections of the book containing no original content whatsoever.

When I interviewed Greg Evans for the Student Hacker Information Technology Podcast, I asked him if his book contained sections that were plagiarized. He responded that he had paid for the sections that were not his own. Unfortunately, that has been flatly denied by the people whose content was plagiarized. It has certainly caused a great deal of uproar in the information security community, a tight-knit community where people take care of each other and academic honesty is valued above all else.

National Cyber Security

National Cyber Security (which is not to be mistaken for the National Cyber Security Division, a section of the US Department of Homeland Security, nor the National Cyber Security Alliance, nor the National Cyber Security Center) is a web portal for information security news owned by LIGATT Security International. It has faced severe criticism for plagiarism and unauthorized reproduction of content it does not own. It’s important to note that the plagiarism in the LIGATT articles isn’t simply a paragraph here or there, but wholesale lifting of articles from other news sites.

It’s also important to note that NCS had what can best be described as ‘phantom reporters’. Seria Mullen, one of the supposed contributors to the blog, happened to look an awful lot like Chloe White Kennedy, a reporter for Knox News. Another reporter, Grey McKenzie, is virtually unknown other than for his posts on NCS and a virtually unmaintained Twitter feed.

When the infosec community discovered the level of unauthorised appropriation, LIGATT went into damage control mode, removing content and shutting down the website for periods at a time. Unfortunately for Greg, the damage was done. National Cyber Security was exposed as a fraud, plain and simple.

Greg Strikes Back

Greg has been accused of sending death threats to prominent podcaster, writer and computer security professional Chris John Riley. Whilst Chris was trying to arrange an interview with Greg for the Eurotrash Security Podcast, he raised the ire of Greg, causing him to leave a threat of violence on his blog post. It goes without saying that threats of violence are simply not acceptable in polite company, especially not in the computer security industry, where ideas and knowledge are king. Hackers don’t threaten each other with violence. We share ideas in a public forum and then scrutinize them, just as a scientist shares data for others to peer review.

Not content with threats of violence, he has also resorted to sullying the reputations of Ben Rothke and Chris John Riley with accusations of racism. Racism has no place within our society, and accusations of racism are serious indeed, and have the capacity to damage anybody’s reputation and career. Racism is nasty and damaging, and throwing around groundless accusations of racism is not only an insult to the genuine victims of racial prejudice, it also places in jeopardy the careers and personal standing of the people accused of it.

With this in mind, it’s important to note that the two people accused of racism by Greg Evans are Ben Rothke and Chris John Riley, who are critics of LIGATT security and are most definitely not racist. Literary criticism is not synonymous with racism.

Greg Evans’ book was not criticised because of any prejudice against African Americans. Indeed, on the internet, race is irrelevant. If the internet were a country, it’d certainly be one of the least homogeneous countries in the world. How To Be The Worlds Number One Hacker was criticised simply because it was filled with other people’s content, not to mention a boatload of grammatical and spelling errors.

For Greg Evans to make a press release accusing Chris John Riley and Ben Rothke of racism is not only an insult to the many people who have to live with racism as a day to day reality. It is also most certainly slander, and one can hope that one day, Greg sees the error of his ways and releases a full retraction and makes a sincere apology to those who have been affected by his lies.

Conclusion

Greg Evans is a charismatic, intelligent guy who certainly knows how to market effectively. He genuinely could do a lot of good, as he knows how to engage the media and market effectively. He could do a lot to enhance awareness of cyber security issues, instead of releasing shoddy books that were built on other people’s hard work and making threats of violence and false accusations of racism. Greg needs to repair the bridges he burned with his general silliness with a sincere, frank apology and restitution to those whose content he ripped off.

In The Secret Life Of Walter Mitty, things work out in the end for Walter. It’s up to Greg Evans to decide how this saga ends.

GeordieCon: The potential for a compsec convention in the North East.

Belgium has Brucon. Ireland has AppSec. Barcelona has Black Hat. The UK has around 15 universities doing courses in ethical hacking and information security, and most universities offer a computer forensics class. As a nation, we’re one of the most IT powered in the world, with almost ubiquitous usage of technology in government, services and enterprise. Unfortunately, the UK has not had a single computer security and hacking conference since Brumcon 2006, excepting the smaller OWASP and 2600 meetups.

The UK really is the prime place for a hacking conference. We have a level of enthusiasm and expertise in the computer security fields that parallels most other Western countries. Newcastle also is a prime location for a computer security conference, with an expansive public transport network, an international airport and amazing nightlife (I speak from experience). It also has a top-50 university which does a well respected Ethical Hacking course. Surely then, Newcastle is an ideal city for a con. Despite all this, nobody has run a convention in the Newcastle area.

I’ve always been enthusiastic about computers and security, to the level that I chose to study computer security at degree level. I read about it constantly, and hacking conferences have always fascinated me. In a moment of inspiration, I decided to buy a domain name, and investigate the possibility of a sub-small-scale security conference in Newcastle, where ticket prices were affordable and it allowed younger talents to showcase their projects, ideas and skills to their peers and potential employers and investors.

Let it be said that I think the likelihood of a security conference emerging from this late night fit of inspiration is very, very slim, for a number of reasons which I will list in detail below. I also don’t think that if a security convention did emerge, it would be by any means successful, be it fiscally, personally or with regards to its aims.

The first reason is that I am honestly the worst person imaginable for hosting a security convention, on a number of levels. Despite my enthusiasm for the subject, and my constant desire to learn more, my level of expertise is virtually negligible compared to the many people my age who know a lot more than me when it comes to computer security. Whenever I am doing anything with regards to computer security, I always approach it with a degree of humility, because I’ve got a lot to learn. This, despite not disqualifying me from running a con, probably suggests that it’s not the best idea.

The second reason is that conventions are notoriously difficult to run, according to… Well… People who have run conventions before. You’ve got to book speakers, book a room to host it, and get interest in the actual convention itself. This is a hefty amount of work. On top of this, you have to ensure that things run smoothly and there are no hiccups. Which brings me on to my next point…

I study ethical hacking at great expense because I enjoy it and want to make a career out of it. To do that, I need to work incredibly hard. I’m doing an incredibly intensive course where you can’t really be abstract. You have to be incredibly precise and know your stuff. This means you have to study insanely hard. It’d be nigh on impossible to maintain a decent social life, study hard and manage a convention at the same time. From what I understand, it’s a real timesuck, which wouldn’t bode well for my studies.

There are other, smaller, but still important issues that put me off hosting a ‘con. The first is the issue of liability. I wouldn’t want to be held responsible for any stupidity that goes on that breaches a law, or gets me in trouble with my university. It’d be a bit of a pain cobbling together the early investment. Function rooms and speakers aren’t cheap. I also don’t really have that many contacts within the computer security industry to help garner enthusiasm for the event.

Conversely, a short, affordable number of presentations relating to computer security would be potentially a good thing. It would undoubtedly generate and enhance enthusiasm, awareness and knowledge of the field of computer security in people who normally wouldn’t be able to make it to one of the larger, and more expensive, conventions.

It also gives a staging ground to display locally developed projects and knowledge by people, predominantly students, who normally wouldn’t have access to the decision makers in computer security.

If I was to realize my aspiration of launching a ‘con in the North East, it’d be simple. Just a one day, or half day event with speakers making presentations on computer security in a function room, or in a small lecture room. It’d be straight to the point, affordable and would be open to anyone with a good idea, or something cool to show or teach.

I want to say that I’ve not decided anything regarding a potential Newcastle based convention (which I’ve named GeordieCon). I’ve registered a domain name (geordiecon.co.uk), but nothing more, and if nothing becomes of this project, I won’t be too upset. Honestly, I’m just investigating the potential of launching a convention in the North of England. Admittedly, I’d like to launch one, but in the real world, you can’t always have what you’d like, and it’s much more sensible to approach this with a cautious, investigative eye.

If anyone has looked into launching a ‘con before, or has actually done one, or even runs regular technology meetups, feel free to comment on this post and give advice or feedback. Like I said, I’m just investigating the possibility of a convention in the North of England. Nothing has been decided yet, despite how much I’d like to make this a reality.

Matthew Hughes

Be careful what you post on Facebook

Facebook is a pretty cool site. Around 400 million people use it to share videos and photos, talk with friends and family and play games. However, Facebook as an entity has shown a blatant disregard for the privacy of its end users. A new website called Openbook shows the pitfalls of Facebook privacy settings by providing a search engine that shows what Facebook users are posting in real time. As you can expect, with 400,000,000 users, some will mistakenly make status updates that they’d rather keep private, but which end up on the Openbook search engine.

What a delightful specimen of humanity. I, for one, am glad that people like the above are our next generation of doctors, lawyers, teach… Oh wait. Never mind.

(On an unrelated note, the garbage she is talking about refers to where someone attached England flags to property that didn’t belong to them, and they were cut down and returned to the owner. Nothing as sensational as a blanket ban on the England flag.)

I… Uh… Don’t think that’s how politics works, dude.

Yeah, you probably shouldn’t post a status like that Eric. Especially with open privacy settings…

Whilst it’s almost inevitable that the likes of 4chan and other internet riff-raff will use a tool like Openbook to get as many people fired from their jobs as possible, it serves a purpose in educating people that Facebook isn’t the best place to post ill-informed diatribes or rants about your employer.

If anyone takes anything from this blog post, it’s that you should really, really make your Facebook privacy settings the strictest that you can (or even better, delete your Facebook account). What you post on Facebook isn’t private. If you post something potentially embarrassing on the site, and it goes viral, there’s nothing you can do about it. Whenever you post a status update, or upload a photo, just think ‘is this a good idea?’

Food for thought, anyway.

SecDaemon – An imagining of the SecurityBSD vision

Leonardo Botelho, a Brazilian FreeBSD and computer security enthusiast, is a greatly valued member of and contributor to the SecurityBSD project. One of his personal, older projects accomplishes some of the goals of SecurityBSD, with an emphasis on usability.

All in all, it’s all pretty cool. Screenshots below.

Non-Latin Domain Names: What It Means For Web Users

It was announced today that the first non-Latin website addresses will go live. In Saudi Arabia, the United Arab Emirates and Egypt, web users will be able to type Arabic script to reach websites, rather than typing in Latin script.

As a modern, progressive web user, I see this diversity as a positive thing, and I encourage and applaud the relevant local web authorities for making such a bold move and enabling this move to take place. I do, nonetheless, have some concerns.

The first is related to similarities between characters in various scripts and the hazard that can pose for legitimate web businesses with regards to domain squatting. The most memorable example involves google.com and the similar sounding domain name goggle.com. One is a search engine; the other is a malicious website which specializes in filling your computer with the most nefarious, nasty pieces of spyware on the internet. It was so nasty that McAfee built an entire marketing campaign for their safesearch package of browser plugins based upon the dangers of this one website!

My concern is that when we allow characters other than those of a single standardized script to be used in domain names, we will open a whole new avenue of attack for phishers and other internet criminals.

If we take, for example, the Cyrillic script, there are characters which look similar to, although not exactly like, Latin characters. The character ? looks somewhat like the letter N. Likewise, the letter ? looks like the letter B. My concern is that these characters could be used in phishing scams and other cybercrime in the same fashion that people use reflected cross-site scripting. These characters can be mixed with characters from other scripts in order to make domains that look like legitimate ones, but point to fraudulent websites. With just the above two characters, we can make the following bogus, yet legitimate-looking domains.

  • E?ay.com
  • ?aidu.com
  • ?eopets.com
  • amazo?.com

Note: Unfortunately, WordPress isn’t playing nice with my Cyrillic characters and is displaying them as question marks. For the sake of clarity, I intended to use the Russian character which resembles N and sounds like ‘p’ as in ‘pet’, and the character which resembles the letter ‘b’ and sounds like the ‘e’ in ‘roses’ or the ‘i’ in ‘silly’.

This could result in legitimate businesses spending hundreds, if not thousands, each year in order to register all possible domain names which resemble their own, in order to protect their reputation and, more importantly, their clients. ICANN has to seriously consider how it executes the lexical diversification of domain names, lest it endanger web users.
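The defensive counterpart to the list above is a check that a registrar, a brand-protection team or a mail gateway can run on a candidate domain: does any label mix scripts, and does the name collapse to a protected brand once look-alike characters are folded to their Latin twins? The following is an added example, not code from the post. The CONFUSABLES table is a small hand-picked subset (a production check would use the Unicode confusables data rather than a hand-written table), and the sample domains reproduce the post’s four look-alikes using Cyrillic pe (U+043F) for the N-like character and the soft sign (U+044C) for the b-like one, which is my reading of the post’s note rather than something the post states in code points.

```python
import unicodedata

# Hand-constructed subset of Cyrillic letters that render like Latin ones.
# Illustrative only; the full list lives in the Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u043f": "n",  # CYRILLIC SMALL LETTER PE, resembles Latin n (the post's amazo?.com)
    "\u044c": "b",  # CYRILLIC SMALL LETTER SOFT SIGN, resembles Latin b (the post's E?ay.com)
    "\u0412": "B",  # CYRILLIC CAPITAL LETTER VE
    "\u041d": "H",  # CYRILLIC CAPITAL LETTER EN
    "\u0422": "T",  # CYRILLIC CAPITAL LETTER TE
    "\u041a": "K",  # CYRILLIC CAPITAL LETTER KA
    "\u041c": "M",  # CYRILLIC CAPITAL LETTER EM
}


def script_of(ch):
    """Coarse script name ('LATIN', 'CYRILLIC', ...) taken from the Unicode character name."""
    if ch in "-0123456789":
        return "COMMON"  # digits and hyphen are legal in every script's labels
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def scripts_in(label):
    """Set of scripts used by one DNS label, ignoring script-neutral characters."""
    return {script_of(ch) for ch in label} - {"COMMON"}


def is_mixed_script(domain):
    """A single label mixing scripts (Latin + Cyrillic) is the classic homoglyph signal."""
    return any(len(scripts_in(label)) > 1 for label in domain.split("."))


def skeleton(domain):
    """Fold look-alike characters to their Latin twins so visually identical names compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain).lower()


def assess(domain, protected):
    """Assess a candidate domain against a set of protected (legitimate) domains.

    Returns the punycode form a resolver would actually see, whether any label
    mixes scripts, and which protected domain (if any) the name would be mistaken for.
    """
    punycode = domain.encode("idna").decode("ascii")  # stdlib IDNA encoder, "xn--" labels
    skel = skeleton(domain)
    lookalike = None
    if skel != domain.lower():  # only a homoglyph match if some character actually changed
        lookalike = next((p for p in protected if skeleton(p) == skel), None)
    return {
        "domain": domain,
        "punycode": punycode,
        "mixed_script": is_mixed_script(domain),
        "impersonates": lookalike,
    }


if __name__ == "__main__":
    PROTECTED = {"ebay.com", "baidu.com", "neopets.com", "amazon.com"}
    # Constructed samples: the post's four look-alikes plus one genuine name for contrast.
    samples = ["e\u044cay.com", "\u0412aidu.com", "\u043feopets.com", "amazo\u043f.com", "amazon.com"]
    for d in samples:
        r = assess(d, PROTECTED)
        print(f"{d:14} -> {r['punycode']:22} mixed={r['mixed_script']!s:5} impersonates={r['impersonates']}")
```

The punycode column is the part a user never sees in the address bar but a log or a DNS query does, which is why blocklists and detection rules should key on the `xn--` form rather than on the rendered name.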

Twitter lets you edit other people’s tweets.

One of the perennial problems that web application designers face is adding functionality without decreasing security. Recently, the feature to embed tweets into a website was added to Twitter. The process of embedding tweets is pretty simple. First, you find the tweet you want to embed. Let’s say, this tweet from the Conservative party:

http://twitter.com/Conservatives/status/13491382682

You would then load up your web browser, go to the Blackbird Pie website and paste in the link to the tweet which you want to embed. HTML code is then generated, which looks like this:

<!-- http://twitter.com/Conservatives/status/13491382682 --> <style type='text/css'>.bbpBox{background:url(http://a3.twimg.com/profile_background_images/98780873/twitter_newbg.jpg) #FFFFFF;padding:20px;}p.bbpTweet{background:#fff;padding:10px 12px 10px 12px;margin:0;min-height:48px;color:#000;font-size:18px !important;line-height:22px;-moz-border-radius:5px;-webkit-border-radius:5px}p.bbpTweet span.metadata{display:block;width:100%;clear:both;margin-top:8px;padding-top:12px;height:40px;border-top:1px solid #fff;border-top:1px solid #e6e6e6}p.bbpTweet span.metadata span.author{line-height:19px}p.bbpTweet span.metadata span.author img{float:left;margin:0 7px 0 0px;width:38px;height:38px}p.bbpTweet a:hover{text-decoration:underline}p.bbpTweet span.timestamp{font-size:12px;display:block}</style> <div class='bbpBox'><p class='bbpTweet'>Vote Conservative today, get change tomorrow - watch David Cameron's exclusive video message on polling day: <a href="http://bit.ly/aex7QW" rel="nofollow">http://bit.ly/aex7QW</a><span class='timestamp'><a title='Thu May 06 14:50:46 +0000 2010' href='http://twitter.com/Conservatives/status/13491382682'>less than a minute ago</a> via <a href="http://www.echofon.com/" rel="nofollow">Echofon</a></span><span class='metadata'><span class='author'><a href='http://twitter.com/Conservatives'><img src='http://a1.twimg.com/profile_images/876654150/vfc_today_04_normal.jpg' /></a><strong><a href='http://twitter.com/Conservatives'>Conservatives</a></strong><br/>Conservatives</span></span></p></div> <!-- end of tweet -->

Note the tweet text inside the <p class='bbpTweet'> element in the code above. Here, we can edit the content of the tweet to whatever our hearts desire. Being the sophomoric students we are, I’m going to embed a rickroll video in the above code. The end result is this:

Vote Conservative today: Change the national anthem: http://bit.ly/defcon less than a minute ago via Echofon

I like Twitter, but the execution of this tool has been poorly thought out. It’s ripe for abuse, and thoroughly needs to change from its current incarnation (an HTML remake of the original tweet) to something more secure, ideally based upon API calls.
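The weakness is that the embed is a free-standing copy: nothing ties the HTML pasted into a blog back to the tweet it claims to quote. The example below, which is added here and is not Twitter’s or Blackbird Pie’s code, shows the two sides of the fix the post asks for. `renderTweet` builds the markup from a canonical record looked up by tweet id (the `CANONICAL_TWEETS` object is a constructed stand-in for an API response) with every field HTML-escaped, and `verifyEmbed` takes a pasted Blackbird Pie embed, recovers the id from its leading comment and the displayed text from the `<p class='bbpTweet'>` element, and compares that text with the canonical record. The regular expressions are written for the exact markup shape shown on this page, and the `GENUINE_EMBED` and `TAMPERED_EMBED` strings are constructed to mirror the original and edited embeds above.

```javascript
// Constructed stand-in for a tweet fetched from the service's API by id
// (in a real deployment this lookup is the API call the post recommends).
const CANONICAL_TWEETS = {
  "13491382682": {
    author: "Conservatives",
    source: "Echofon",
    text: "Vote Conservative today, get change tomorrow - watch David Cameron's exclusive video message on polling day: http://bit.ly/aex7QW",
  },
};

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Secure model: the page embeds only an id; text comes from the canonical record,
// and every field passes through escapeHtml, so neither the embedder nor the tweet
// author can smuggle markup into the rendered result.
function renderTweet(id) {
  const t = CANONICAL_TWEETS[id];
  if (!t) throw new Error(`unknown tweet id ${id}`);
  return `<div class="bbpBox" data-tweet-id="${escapeHtml(id)}">` +
    `<p class="bbpTweet">${escapeHtml(t.text)}` +
    `<span class="metadata">${escapeHtml(t.author)} via ${escapeHtml(t.source)}</span></p></div>`;
}

function stripTags(s) { return s.replace(/<[^>]*>/g, ""); }

function decodeEntities(s) {
  return s.replace(/&amp;|&lt;|&gt;|&quot;|&#39;/g,
    (e) => ({ "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'" }[e]));
}

// Verification for the static-copy model: recover the tweet id from the leading
// comment and the displayed text from <p class='bbpTweet'>, then compare with the
// canonical record. Returns ok:false with a reason when the copy has been edited.
function verifyEmbed(html) {
  const idMatch = html.match(/<!--\s*http:\/\/twitter\.com\/[^/]+\/status\/(\d+)\s*-->/);
  const pMatch = html.match(/<p class='bbpTweet'>([\s\S]*?)<span class='timestamp'>/);
  if (!idMatch || !pMatch) return { ok: false, reason: "embed not in expected shape" };
  const id = idMatch[1];
  const canonical = CANONICAL_TWEETS[id];
  if (!canonical) return { ok: false, id, reason: `no canonical record for ${id}` };
  const shown = decodeEntities(stripTags(pMatch[1])).trim();
  return shown === canonical.text
    ? { ok: true, id }
    : { ok: false, id, reason: "displayed text differs from canonical tweet", shown };
}

// Constructed embeds mirroring the original and the edited versions shown in the post.
const GENUINE_EMBED =
  `<!-- http://twitter.com/Conservatives/status/13491382682 --> <div class='bbpBox'><p class='bbpTweet'>` +
  `Vote Conservative today, get change tomorrow - watch David Cameron's exclusive video message on polling day: ` +
  `<a href="http://bit.ly/aex7QW" rel="nofollow">http://bit.ly/aex7QW</a>` +
  `<span class='timestamp'>less than a minute ago via Echofon</span></p></div>`;

const TAMPERED_EMBED = GENUINE_EMBED.replace(
  /get change tomorrow[\s\S]*?<\/a>/,
  `Change the national anthem: <a href="http://bit.ly/defcon">http://bit.ly/defcon</a>`
);

console.log(verifyEmbed(GENUINE_EMBED));   // { ok: true, id: '13491382682' }
console.log(verifyEmbed(TAMPERED_EMBED));  // ok: false, displayed text differs
console.log(renderTweet("13491382682"));
```

The point of `verifyEmbed` is not that blog owners would run it themselves; it is the check a service could run against embeds it discovers in the wild, and it only works because the id in the comment gives it something canonical to compare against. `renderTweet` removes the problem at the source by never accepting markup from the embedder at all.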

Mistakes to avoid when starting a business at University

At the start of the first year of University, I decided that it would be a good idea to make some money by doing basic computer repair and maintenance work. Upgrades, installing Windows, data recovery. That kind of thing. One of the guys in my university accommodation wanted to partner up with me, and I consented because I thought the guy knew enough to manage what we were looking to do. What happened next was a horrifying exercise in wasted money and frustration. I write this blog post not to bash the guy who I worked with, but to share the lessons I learned in the hope that people don’t make the same mistakes I made.

1.) Make sure your partner knows what he’s talking about.

This seems obvious, but I made this fatal mistake. I thought my friend knew a fair bit about computers, how they work and basic computer diagnostic methods. Boy, was I wrong. The guy didn’t understand that you have to boot from a CD to install Windows XP. He would constantly come out with ridiculous remarks about how he didn’t like open source software because it didn’t look professional (somebody tell this guy about FreeBSD, Apache and WordPress). His knowledge of computers fell down once he left the realm of the online game Eve Online. He managed to convince me that he knew how to fix, build and maintain computers, though. I didn’t ask him to demonstrate his supposed skills, and that was a fundamental blunder on my behalf.

2.) Make sure you have access to the website control panel and CMS.

When we were setting up shop, I didn’t make sure that I had access to the cPanel. This ended up biting me on the arse, as he retained all creative control, and ended up making a website that didn’t give out the impression that we were a young, professional IT tech support team.

The website looks like a bad flashback from the Microsoft FrontPage days. Phrases like ‘Is your computer slow? Does your broadband connection feel like you’re still on dial-up? Are you worried that your computer might be infected with viruses and spyware? If you’re screaming “YES PLEASE HELP ME!” at the screen then you should probably bring your computer to us.’ make me cringe. This monstrosity has my (old) phone number and name linked to it, and there’s nothing I can do to change it.

He chose the pricing model and the services offered. He also misspelled ‘Trojans’. Enough said. Also, what on earth is a ‘routekit’?

3.) Make sure that the other parties are as interested in your business as you are.

This would seem obvious, but the guy who I was working with ended up giving up the project as a result of Eve Online induced apathy. This was after we had spent close to £200 on tools, equipment, mobile phones, web hosting and business cards! That’s a lot of money wasted.

Every experience is a learning experience, and I don’t want to be too harsh to my partner. The problems lay in his lack of desire to commit any time to the project, a lack of honesty when it came to declaring his computer skills (or lack of), and an inability to accept constructive criticism with regards to the development of the website.

I probably could have handled the entire situation a lot better, in retrospect. I should have demanded cPanel access from day one and that we ran WordPress as a CMS, rather than a website hand designed in KompoZer. I also should have made sure that my partner knew what he was talking about, and wouldn’t lose interest in favour of playing a video game. Still, I’ve learned lessons which I’ll apply when I start a business in later life.

How To Be A Programmer

Via Abstruse Goose

New server: New Blog

You might have noticed that all of my posts have disappeared. That’s because I decided to leave the Automattic-run WordPress.com hosting in favour of paid hosting. I felt a little bit restricted by WordPress.com, and I figured that I might as well rent a bit of space on a shared server.

A few things to point out: if any of you subscribe to my posts via RSS, you’ll have to resubscribe. Sorry about that.

I’ll also try to post more regularly. The format of my posts is going to change a great deal. I plan to emphasise computer security as the subject with my posts, along with the occasional bit of personal stuff.

Thanks for reading!

All the best,

Matt