A while back, I was intrigued by the then-impending release of Gregory Evans’ book, How To Become the World’s No. 1 Hacker. I realized that, even as a self-published book, it would get a lot of attention from people getting started in security, if for no other reason than it’s “extreme” (and promising!) title. I put in a request for a review copy so that I could give some sort of recommendation one way or the other to students taking security classes here, and others that might stumble across this blog.

The review copy arrived, and I immediately got the same feeling as I got when I took a careful look at the original revision of Dissecting the Hack: that the listed authors of the book did not create the content they were presenting as their own. Googling random samples of the text throughout the book confirmed my suspicions. I switched gears and began documenting all the instances of plagiarism, much as I did for Dissecting.

A few chapters in, I was rescued from this drudgery (and no small amount of drama) by Ben Rothke, who wrote a short series of excellent posts exposing the plagiarism in Gregory’s book. He did a great job of documenting it, and hopefully it will inform potential purchasers/readers.

Ben has now done it again with a review of Ali Jahangiri’s The Security Policy Cookbook: A Guide for IT and Security Professionals.  His post is titled Is 2010 the year of the plagiarized security book?, and Ben not only exposes the large amount of unattributed material in this book, but also explains the problems with copy-and-paste security policy design.

With three books in the past year having a significant amount of plagiarism, I figured this would be a good time to share a little bit of my own commentary on the situation. This is a collection of thoughts, observations, and opinions that I’ve expressed in other formats (Twitter, email, in person) with various members of the security community, gathered up into this one post.

What is plagiarism?

Plagiarism is the act of representing another’s work as your own, without attribution to the original source. This sounds very simple, but once one accuses the other of it, the excuses and arguments get twisted very quickly. The litmus test should be: would a reader be reasonable in assuming that the listed author wrote this material? The only place where this gets sticky is in the case of legitimate (and more importantly, willing) ghost writers, which is not really an issue in any of these security books (though it was claimed for one).

Plagiarism is, on the surface, related to legal issues of copyright, intellectual property, and fair use. It is, however, a different issue. One may be within the boundaries of the law in the case of public domain and other very-loosely-licensed material, and yet still be deceptive and dishonest towards the readers who shell out money and time on a book.

This is not a matter of “standing on the shoulders of giants”, basing your work off of others’ and expanding upon it with your own commentary and research. This is about the wholesale copying, pasting, and laying claim to others’ work.

Why is this a problem?

I touched on this a bit in the previous question. The victims of plagiarism are the readers, who are being deceived by the plagiarists, and the original content creators, who get no credit for their original work.

Readers purchase books with the intention of getting the author’s take, or presentation, of a subject.  A reader might decide that it’s okay to buy a book that contains material from another book (legit example: No Tech Hacking), or that contains material that’s freely available online.   If your book presents its material as being created by the listed author, but it wasn’t, then you’ve robbed the reader of being able to make that decision.

The purpose of a book is not only to provide information and/or entertainment to the reader, but also to serve as a testament to the author’s expertise, ability to communicate, and respect in their chosen field. Even those who don’t read the books will be able to verify that an individual is at least well-versed enough on a subject to have written a book on it. This helps a lot with self-promotion and recognition. It’s easy to see that book authors are held in high esteem in the security community. A plagiarist cheats their way into this position by assuming the title of “author” without putting in the effort normally needed to create the content. At the same time, the original author of the content is not seeing this esteem or status that would normally be associated with having their work in print.

Is this a serious problem with security books?

Good question. The three examples discussed above are the only ones that I am aware of. They’re huge, egregious examples, but it’s possible that smaller instances exist and haven’t been noticed. Has anyone else noticed more?

The motive is there. Name recognition is very important/sought-after in the security community. It’s tempting to take the shortcut.

Opportunity? Two out of the three above examples are self-published, in which case: who’s going to stop them from trying. Dissecting was from an actual publisher, Syngress, though it revealed a failure in the editing process that is unlikely to happen again, now that they have been burned once.

After the community’s negative reaction to Gregory Evans’ book, it would seem that most would think twice about pulling the same stunt. Then again, many that would are likely new to security or not connected to the community of twitterers, bloggers, conference attendees, etc. While Evans was on some folk’s radar prior to these events, he wasn’t as widely known before as he is now. It may be the case that some people underestimate the ability of the community to identify and react to misrepresentation. As with Evans, this appears to be the case with Ali Jahangiri.

Who is Responsible?

In at least two of the prior cases of plagiarism in security books, blame was passed along to other people responsible for the content.  Regardless of who committed the act, those who have their name on the book and see/approve it before it goes to print or the shelves are ultimately the ones who are responsible for the content.  The editors and publishers (if there are any) are also responsible.

Conclusion

As a reader, keep a critical and skeptical eye when reading a book if it seems suspicious. Investigate and document what you find. Expose what you feel is not right. If you want to avoid getting duped, try to find reviews from sources you trust before buying.

As an content creator, do what you can, or at least can afford, to protect your material. Legal action may be expensive in both time and money, but you can at least request that your material be pulled or attributed (and document that correspondence). It will also deflate the plagiarist’s excuses if you come forward and publicly state that you never consented to that use of your material.

I’m not sure how much of a problem it will be going forward, but it’s definitely something to keep an eye on.

The Security Policy Cookbook: A Guide for IT and Security Professionals

© 2012 McGrew Security Suffusion theme by Sayontan Sinha