Mourad Ben Lakhoua - Cloud Security Rules Contributed Chapter 90% Plagiarized

Mon Oct 24 02:50:26 CDT 2011

"The Cloud Security Rules, A book about ruling the cloud!" is a book covering cloud computing security. The book is written by 16 different authors, each contributing approximately one chapter. This article only covers one chapter that was examined, and does NOT REFLECT ANY OTHER AUTHOR!

After was tipped off to plagiarism in blog articles by Mourad Ben Lakhoua, we requested a copy of the book from Kai Roer and informed him of our previous findings. We further told him it was our intent to examine his contribution to determine if material in the book was also plagiarized. By the time we made the request, Mr. Roer had already engaged with a third party to do their own quick review of the material, after reading our previous findings. Mr. Roer not only informed us of this, he informed us that a new copy of the book would be drafted without Lakhoua's material and sent us a PDF copy of the current book to do our own independent review. This proactive response, due diligence and professional response was exceptional, and very refreshing.

Once again, this article only reflects the material contributed by Mourad Ben Lakhoua.

[Update: Two days after this article, Lakhoua published an apology for his actions.]

The Plagiarism

The following table details the portions of Lakhoua's chapter, titled "The Datacenter of the Cloud provider should be more secure than your own datacenter!", that contain plagiarized content. We estimate that the chapter is approximately 90% plagiarized. In some cases, the text was taken verbatim from a book published in 2005. In other cases, the text was altered to some degree, but the content is still clearly from the exact same source, down to the same list of bullet points. Information is included to distinguish not only plagiarized material, but also what was done in an attempt to obscure the original source (e.g., removing text or credit). This shows willful infringement of copyright and inexcusable plagiarism.

All of the plagiarized text comes from "All-In-One CISSP Certification Exam Guide" (Third Edition) by Shon Harris. The entire chapter consists of two very brief paragraphs written by Lakhoua, two bullet lists, and two plagariazed closing paragraphs.

Page Text or Description Original Source Text
144 Introduction paragraph (3 sentences) Original content
144/145 Four bullets outlining threats to a datacenter. Text nearly verbatim from from page 339 or CISSP book. Replaces "and so forth" with "etc..."
145 Paragraph (2 sentences) Original content
145/146 Fifteen bullet points outlining physical security policies. These are taken from a much longer list of 'Quick Tips' for 'Physical and Environmental Security' from pages 403 - 405 of the CISSP book. Bullet 1: First six words same, rest rewritten to change intent (e.g., to make suitable for 'cloud') of original bullet 5
Bullet 2: Paraphrase/rewrite of original bullet 4
Bullet 3: Small rewrite, changes 'locations of a facility' to 'a cloud provider', then uses most of original bullet 7
Bullet 4: Paraphrase/rewrite of original bullet 8
Bullet 5: Paraphrase/rewrite of original bullet 10
Bullet 6: Uses most of original bullet 11 verbatim
Bullet 7: Paraphrase/rewrite of original bullet 12
Bullet 8: Uses original bullet 18 verbatim
Bullet 9: Paraphrase/rewrite of original bullet 19
Bullet 10: Idea of 'security guards' taken from bullet 20, original content
Bullet 11: Re-imagined use of original bullet 25
Bullet 12: Paraphrase/rewrite of original bullet 27
Bullet 13: Paraphrase of original bullet 23
Bullet 14: Paraphrase/rewrite of original bullet 33
146 Two concluding paragraphs, underlined content in first taken almost verbatim, second paraphrased:

Cloud datacenter environment should be developed, implemented, and maintained with a physical security program that contains all security controls categories including: prevention, delay, detection, assessment, and response with mitigating as much as possible risk level.

Usually physical security is not considered seriously as it should be, but if a hacker finds a way to compromise a system it will be not important while the datacenter is burning.
Slightly re-written from page 402 of CISSP book:

Every organization should develop, implement, and maintain a physical security program that contains the following control categories: deterrence, delay, detection, assessment, and response. It is up to the organization to determine its acceptable risk level ..

Physical security is not often thought about when people think of organizational security and company asset protection, but real threats and risks need to be addressed and planned for. Who cares if a hacker can get through an open port on the web server if the building is burning down?

main page ATTRITION feedback