On June 18, 2010, Matthew Hughes conducted an interview with Gregory D. Evans on the SHITcast Episode #7. There was initially a fair amount of uproar over some of the things Evans said. Due to the generous time spent by a volunteer (A.T.), we have a full transcript of the entire interview. The following excerpts from the interview are accurate to the best of our knowledge.
As with many Errata posts, some of the comments may seem like nitpicking, but it goes to demonstrate how someone like Evans tries to manipulate public perception. Dozens of small lies, cases of crafted wording or claims that cannot be verified help him paint the picture of a company he wants to run, but is far from the truth today.
Greg Evans: Well do you know what it is? Is this. One: We've had a lot of people go out there and say a lot of negative stuff about me stealin' other people's information. We're gonna cover that, but I just wanna let you know who these people are. One: Some of these people are disgruntles employees from in the past. I finally tracked two of 'em down today. Who go out, who may have been fired by me, who go out and post some of these articles, who are also security people too.
Regardless of his repeated and varying claims, Evans' plagiarism is straight-forward and inexcusable. The extensive plagiarism in "How To Become The Worlds No. 1 Hacker" has been well documented. It doesn't matter if Evans claims to have written it, hired ghost writers or purchased the content from unnamed third-parties that did not author the material (he has made each of these claims in different forums). His name is on the book as the only listed author, he is responsible for the content of the book. Attrition.org has confirmed with a majority of the authors that they did not give permission or sell the material to Evans.
Greg Evans: Two: We get some people who are in the IT industry. Now, they're not businessmen, they didn't write none o' these articles, but they're claiming that I plagiarized these articles. They don't call me up and ask me, how did I get the information like you did. They didn't call me up to do these interviews. They post them at blogs. Now these blogs that they're posting, when we go to these blogs and say hey, or my PR team does and ask them would you like to interview Greg so we can get the story straight, they say no, we don't wanna do an interview. But what they will do is, is allow these people to continue to post. So they don't wanna hear both sides of the story.
Just as Evans makes claims in his video podcasts to investors, and does not give anyone a chance to provide their side of the story. Despite his absurd claims, many of the people posting negative opinions of Evans / LIGATT are not only professional information security practicioners, they are businessmen.
Greg Evans: So here we go. Let me just make it real simple. One: On May 5th, before the book I was accused of plagiarizin', when we did a press release and a campaign saying that umm we will teach because we have this service "How to Become a Hacker in 15 Minutes". Now we said we would go on twitter and we will teach people a little about computer hacking every single day. Now, when we did this and we started posting things on twitter, we starting hearing "He's plagiarizing, he took this from this book or he took this from that book". Anything we do, they're tryin' to run it through some plagiarize system or online service that's seein' if you used the material. This is what we said in our, or in our release. We never said that we were using our material. We never said we were using any exclusive material or any intellectual property. What we did say is that we were teaching people "How to be a Hacker in 15 Minutes". Now, there's not too many books out there. I think I own every computer security book on the market. I've never read all of 'em. I would be lyin'. But, I have five different offices and,.. [..]
So. So with that bein' said, what we did was, when we sat down and come up with this campaign, we say: "Ok, what should we do? How can we do it"? So we went through our library pulled out our books and said: "Ok let's take this part o' the book. Let's take this out of this particular book. Let's take this one part out, talkin' about penetration testing. Let's take this one, talkin' about vulnerabilities. Let's take this one about exploits, and we'll tweet about that". Now, we took it from several different books and we posted it. Nowhere did we say that it was only ours. Good example or analogy is is if you go to school or when you went to school the teacher taught you out of a text book. History, math, science, whatever it is. Now, they didn't say all those books belong to me. The books that your teachers use, the teachers didn't write it. When you go to church and your pastor is standing up there preaching to you outta the bible, he didn't write the bible. So, when we say that we're gonna teach you how to be a hacker and we're gonna post these tweets, doesn't mean that we are writing 'em from a book that we wrote. And we never said that. But then, in the same situation we're about to talk about with my book, people are saying that you're plagiarizing. You can't teach people how to be a hacker and use somebody else's book. Says who?
It doesn't matter if you didn't claim it was exclusive material, the fact is Evans still plagiarizes. Not only with his latest book, but the "Hacker in 15 Minutes" Twitter campaign is almost entirely plagiarized from one book, not multiple like he characterizes in the interview.. Unfortunately, it doesn't stop there, as Evans is a serial plagiarizer. He has been caught plagiarizing material for a conference bio and hundreds of news articles for one of his web sites. His comparison to teachers or a pastor are irrelevant, because they do not claim the material as their own. This plagiarism was not a one time occurrence, this is repeated fraud.
Greg Evans: Here we go. Well, how can I put this? Here we go. I just did a interview on this right before, but here we go. When we wrote the book "How to be the World's #1 Hacker", short and simple: I wrote 60% of that book. Now, this book was not written overnight. Wasn't written in a month. I didn't go out on the internet and grab a whole bunch of people's stuff and put 'em in the book. Didn't do that. Cuz I'm too busy runnin' a multimillion dollar company.
LIGATT's public financial records show that it is not a multi-million dollar company, unless you count LIGATT's debt and Evans' personal debt. Their posted revenue puts them well below the one million dollar mark.
Greg Evans: What I did do, I over a year ago, is that we went out and we posted every, all these computer security websites, even on Craigslist, that we're writing a book, we're looking for some original material. So people would send me stacks and stacks of information. And I would go through and is hot and what is not, what is good and what is old, what is new. So what I did was, is is that everybody who sent me in something, and I used it, my attorneys, they then was called a release. And in this release it states that this information was written by you and that you own this information. And that you give Greg Evans and Cyber Secu.. and Cyber, umm Cyber Crime Media umm permission to use this in their book. And we do not have to give you any credit for your information but what we will do is write you a check, right now before we use your information. So everything that's in my book I paid for from the original author. What you have is some meathead named Ben that nobody really knows who went into my book went to a website typed in everything in the book and then went and said: "Well he used this from this person or this person or that person". What he doesn't realize is, I paid for that, from those people. They signed confidentiality agreements from those people. And what's very important is, most of the books that I've written, and I've written 8 books. My books are not geared towards the other computer security people. It's not geared towards the computer nerds or even the IT person. It's geared towards more the layman. That's the reason why I sell so many books. Most computer people when they write books, they're writin' these security books for who? Other security people. But the stuff in those books, other security people know about already. That?s why computer security books don't sell that much. Whereas with my books they sell. Because I write my books and market my books towards the layman. So the stuff that's in my books may not help you, or ben or so many other computer security people. But what it will do, is help that person out there who knows nothing about computer security.
This is entirely false. The authors of the material stolen by Evans did not sign agreements with, or sell their material to him. In extensive e-mail discussions, many of the original authors discussed a class action lawsuit against Evans, but determined the legal cost associated with such a lawsuit would be a pyrrhic victory at best. Evans would not issue a public apology, had no money to compensate the authors and would fight it every step of the way. Given Evans' history of legal proceedings, it simply didn't make sense to pursue. When Evans was challenged to publish the signed agreements, he could or would not.
Greg Evans: Let me say this to you. I've already tried to find out who it was who started this whole thing. Most o' these people have been using aliases. I had a guy who called up my office 7 times yesterday and spoke to my PR and marketing department claiming that he was the guy who wrote it, gave us a phone number to call him back on, which, on the caller id said he was calling from a payphone. But the number he gave us was a bogus number. So, we don't know who to start with. But i will tell you this. I spend over 6 figures a year, sometimes a month on attorneys.
I have big lawyers that will turn around and deal with this situation.
This is also false. Looking at the history of his legal proceedings, he consistantly represents himself or uses the services of John A. Moore, who practice in the areas of bankruptcy law, bankruptcy litigation, real estate law, real estate litigation and commercial litigation. When a lawyer representing the plagiarized authors contacted Evans, she was given the names of several firms as his representation. After a week or more of calls and e-mails, she was told by each firm that they did not represent Evans or LIGATT. This was one of several tactics used by Evans to stall the opposing lawyer and drive up plaintiff legal fees. Based on the public dockets, it appears that Evans' go-to lawyer is good at filing the case, but then both of them let the cases fall out of the court with no follow-up.
Greg Evans: Well first of all, I didn't say I did any business wit anybody in the NFL football team. What I did do, and we just did this on our video blog, and I'm gonna send these over to you probably in Skype when we hang up. Umm, some of these acquisati aquis ummm accusations that these people are giving, they're saying that Greg Evans never signed a deal with the Atlanta Hawks basketball, which is the NBA team or the Phillips Arena or the Altlanta Thrashers. So what I did do, and I will email a copy of over this to you, alright when we hang up, that on October 13th 2009 I have a contract in my hand where I signed a partnership letter of agreement with the Atlanta Hawks, Phillips and the Thrashers, which is all owned by the same group of people, to be their cyber security company. Now, I don't lie about this. Now, the agreement is finished. It's over with. Just like in back in 2001, I was also the cyber security company for the Los Angeles Clippers, which is another basketball team in Los Angeles, California. So, there's no reason, and this is very important, there is no reason for me to sit here and lie about something so big that can be verified. It, it's ridiculous, it's ludicrous.
Gregory D. Evans / LIGATT - False claims about clients, questionable spending deals with Evans claims regarding clients and links to the sources where he claims to have those clients. When challenged on this later, Evans posts a picture of a contract hoping no one will read the fine print. Rather than work with the big names, the deal is with a smaller company that provides merchandise for the teams. Big difference..
Greg Evans: What I was gonna s... What I was gonna say is. The problem comes in, is people like you, people like Ben, people like this meathead Chris whatever his name Reilley is. People don't know my background. They don't know how long I?ve been doing this. They don't realize I'm not some IT person. I don't even like IT people. I didn't just wake up one morning, and I was selling cars, and say: "I wanna get into cyber security". This is what I've been doing since the 7th grade. And in the 10th grade, when I hacked AT&T, my parents had to pay 30,000 dollars to AT&T so I wouldn't go get in trouble, go to jail for it. When I was in, in 1996, cuz one guy who's posted on his websites and been hittin? on the tweets, which was Chris, he posted on his website that in '96 he was just getting into computers and networking and he fell into security. In 1996 I was hacking AT&T, MCI, Sprint and WorldCom for over a million dollars a week, for a company called umm, Franklin Telecom. Now, in 1997, when one of my employees heard me wiring 5 million dollars of the money that I used to hack, from the Bahamas to the Cayman Islands and started blackmailing, when I stopped paying the blackmail, told AT&T, who then researched it because they thought she was lying, who then told the Feds and I was arrested, well I didn't get arrested, Feds came into my office, Januar... or July 24th 1997.
While Evans does have a history with this, his claims of "hacking" are more accurately described as "fraud". His conviction in 1998 was for wire fraud, aiding / abetting and causing an act to be done. Evans was essentially using non-technical means to sell misappropriated phone service to legitimate companies.
Greg Evans: What they don't realize is, when I got locked up for it or indicted by the FBI for it, I was in the same cell as Kevin Mitnick. So Kevin Mitnick and I were both in MDCLA, on the fifth floor in the south wing. We call it 5 south. When Kevin Mitnick decided to take a deal it was me, before he even, after he spoke to his lawyers, they, government offered him a deal he had already been in jail for 5 months. It was me who when we sat down at dinnertime in jail and ate and I told him to take the deal.
Kevin Mitnick has confirmed that while they were in the same jail, he had nothing more than casual greetings with Evans and certainly did not talk about his case. Mitnick took the deal based on advice from his legal counsel, not other inmates. Mitnick further commented that Evans didn't seem to have hacking skills.
Greg Evans: It was me that turned around and had to pay the government back 9.8 million dollars in my portion of my restitution. So when I say this to you, this isn't something that I'm new at. I am very good at what I do. The difference is I don't go out bragging about it.
Evans did not pay back the 9.8 million in restitution. In fact, a recent court case suggests that the government finally caught up to him and is garnishing his wages in a desperate attempt to recoup some of the money.
The notion that Evans "doesn't brag" is laughable, given his entire marketing campaign of being "the world's #1 hacker".
Greg Evans: So when people are trying to hack my website or people who are posting on their website how good they are and how bad I am, the time and energy that they can be using talking about me, they could be going out here making over literally over a million dollars a year in this business. The reason why is there's no competition, at all.
Evans' sites have a deplorable history of security vulnerabilities, some going almost six months without being fixed. Further, Attrition has seen evidence from multiple sources that suggest Evans' sites have been fully compromised.
Evans' claims that there is "no competition" shows that he is not familiar with the computer security industry in any fashion. There are hundreds, possibly thousands, of companies that offer information security services.
Greg Evans: Anybody can install antivirus on your machine. Everybody can, anybody can network a computer, nothing special about that. But can anybody just hack into a system where a person doesn't know you're hacking into. This is what we do here. And we do it very well. We have offices in L.A., we have offices in Atlanta, DC and New York. Now, by telling you this, it's not about bragging.
LIGATT has one office and one PO Box in Atlanta, a PO Box made to look like an office in Washington DC (3C) and no evidence of offices in L.A. or New York.
Greg Evans: What it's about is, is to let you know how deep into this that we are. And if we weren't so far into it we wouldn't be as good as we are. We wouldn't be in business. My payroll for one month is more than 1 person probably makes in a whole year. And my payroll in just one office.
An analysis of LIGATT's public financials tell a completely different story.
Greg Evans: If I was white I wouldn't be having this. If I was Kevin Mitnick and I came up with the same book the same way I did, I wouldn't be having this. When I was locked up I told Kevin Mitnick to his face, while we're sittin' at the table: "You're not a fucking hacker". This is what I told him. He's like: "What do you mean?" I was like: "You're a con-artist. You were able to convince somebody, con somebody, to give you their username and password. You did social engineering, which is nothing but conning a person". But over the years I've changed my thought about Kevin Mitnick. The reason why is because it doesn't matter how you access somebody's computer. If you access somebody's computer without their permission and you're able to get in, it's computer hacking. Doesn't matter if you use brute force. Doesn't matter if you use social engineering. Doesn't matter if you use spyware. Doesn't matter if you use the script. Either way you get in, when the b b... When the police come kicking your door they're gonna charge you with hacking. That's the bottom line. So with that being said, umm I have one of my programmers who writes some of our software right here and you can talk to him. You can talk to him bluntly. I won't interrupt and he will tell you if you wanna ask him what type of boss I am because I don't play. I don't have a problem firin' someone. He'll talk to you honestly and his name, we call him Quentin
Again, Evans was charged for Title 18: 1343. Wire Fraud, for his misappropriation of telecom services. That did not include 'hacking' in the context as it is typically used these days. Calling Mitnick a con-artist has an amusing level of irony.
Greg Evans: See, it's so... It's so funny that you see all of this, but they'd never turned around and called me, emailed me, emailed my team, saying that they're gonna challenge me. I don't want 50 percent. What I've told everybody out there, and this is the reason why I do it, if you are a true hacker, if you're as good as you say you are, then you should have the money to do it. If this guy owns a company he should have the money to do it. I am willing to put up one million dollars in cash, in cash, hand it to an attorney to put it into an escrow account, the competition can put up one million in cash, and put that into an escrow account. The winner of the group will then donate the money to charity. We dont even keep the money.
Despite repeated challenges (including the 1 million dollars) from several members of the InfoSec community, Evans would not participate.
Greg Evans: If I need to hack a system I don't turn around and just go hack. I'll pick up the phone. If it's an easy thing I?ll just walk down the hallway and tell one of the people in the office, check out this system real quick, or here's an IP address, see if you can get in. But if I needed to, I got 60 people that I can pick up the phone and call in Los Angeles, that will get into a person's system. Because that's what I do now. I'm more in management than I am a hacker. Period. I'm more of a consultant now than I am hacking now.
Despite these claims, there is no record on Facebook, LinkedIn or other sites demonstrating that he has (or had) more than two technical people. Attrition.org has found dozens of people that worked for LIGATT, and with the exception of two people, always in PR, marketing or an administrative role. We invite any technical employees of LIGATT to come forward and admit they worked for Evans.
Greg Evans: In order to be the best soccer team you have to have good talent. The guys who win the World Cup, win the World Cup because they have a great team put together. In order for me to be the #1 cyber security team out there, company out there, I have to have a good team. And I?ve recruited everybody, from a 13 year old kid, while he was 11 when he started, to a old man.
The "13 year old kid" that he "hired", was an actor he recruited for an advertisement campaign, and allegedly did not pay.
Greg Evans: Remember this. Now, since 2003, since I came home, I don't hack. I write checks. Literally. I make enough money that I go out and find talent, like you, and write a check. And if you have a great business, and I think I can make money with your business, I'll say forget it. Let me just buy your company. And just buy you out and write you a check for your company, and now I own it. That's what I do now.
Evans forgets that purchasing companies like this is public record, and the public records show that he does not go out and buy companies. He has formed several, purchased one (nationalcybersecurity.com) and nothing else.
Greg Evans: How many cyber security people do you know that gets invited to DC or gets invited to speak at, let?s say the FAA. the FAA, whatever the FAA, which is the Federal, what is it, Aviation Administration, their run all our airports in the United States, and the FAA basically controls all the airports around the world, because all the airports around the world go or are in line with what happens here in the United States, which I think is really messed up, that the United States has that much power. But, when they have conferences and they ask someone to come out and speak, they didn't ask the guy that you're talking about, they didn't ask any other hackers to come out and speak.
We know hundreds of security people that have been invited to government agencies to speak or train. Attrition.org staff has provided training to the NSA, FBI, NASA and other agencies. It really doesn't mean that much in the security world. The person he refers to, associated with Exotic Liability, has done speaking engagements for security conferences, government agencies and more.