Angry Animal 11

Rebuttal: For it's one, two, three strikes, you're out...

Fri Aug 10 20:58:50 CDT 2012

jericho

This is a rebuttal piece and rant regarding Hacker Switches Sides to Help Public Safety Stave Off Cyber Attacks (Aug 10, 2011), a subsequent article, and communication with Mary Rose Roberts and her editor Glenn Bischoff.

Yes, I realize this is not a timely response, but it has remained on my to-do list because I find the entire incident appalling.




Strike One

The August 10, 2011 article titled "Hacker Switches Sides to Help Public Safety Stave Off Cyber Attacks" was no doubt the result of Gregory D. Evans' PR team pitching his name and story to media outlets. For those not familiar with him, Evans is a well-known and thoroughly documented charlatan in the information security arena. For any journalist to get duped by Evans and his PR team is questionable, but it seems to happen with regrettable frequency these days. While the substantial evidence against Evans has been thoroughly documented, a detailed examination of how some "journalists" react to unqualified individuals posing as experts is not well documented.

I have seen half a dozen or more mails from LIGATT fishing around, trying to get his name out there. Mary Rose Roberts seems to have taken the bait, and written this article that focuses so heavily on Evans as a result. By the third paragraph, she printed something that comes straight from Evans, and is simply not factual; that Evans was put on the FBI's "top 10 list for computer hackers". A brief call to the FBI press office would reveal that the FBI has never maintained such a list.

She goes on to regurgitate "facts" that come straight from Evans and his PR team (e.g. that his 1998 guilty plea was for hacking, when in reality it was for wire fraud). Shortly after, Roberts begins to blur the line between reporting, quoting Evans, and fabrication:

From air-traffic control to transportation systems, hackers can hide in networks and practice their mischief in simple ways, like changing street lights from red to green or "manipulation digital road sign" (sic) to read "Zombies Ahead," because governments are running programs over unsecured or vulnerable wireless networks, Evans said.

We're all familiar with the "Zombies Ahead" prank, which happened in 2009, again in 2012, and likely many other times. However, what about the mention of hackers "changing street lights from red to green"? Is this a reference to traffic signal pre-emption transmitters, a device commercially available to anyone, or is this a reference to countless TV shows and movies that depict scenes of a hacker changing traffic lights remotely via computer intrusion? We'll probably never know.

Using a single source that was actively seeking media attention, and not fact checking any of his claims is strike one for a journalist.

Strike Two

Thirteen days later, the article was updated with an editor's note, presumably from Glenn Bischoff, her editor. The update came after at least two people wrote to them complaining of the poorly sourced article and their choice to publish Evans' claims without fact checking (note: I sent emails to both, reproduced below in full).

Gregory Evans is a mercurial figure in the world of cybersecurity. He been accused by the hacker community of allegedly plagiarizing material that appears in several books that he has authored, but he also has been used as a source by numerous respected news organizations, including CNN, the New York Daily News, Bloomberg News and United Press International. But, according to Tracy White - senior vice president of sales and marketing, and chief sales officer for the Hawks and the Thrashers - they entered into marketing partnership agreement with Ligatt Security in 2009. "Part of the agreement called for Ligatt to provide services to our IT department," White wrote in an e-mail. "Shortly after the agreement was signed, we mutually agreed to dissolve the agreement and as a result, Liggatt Security never actually provided any services to our IT department."

Bischoff's update mentions the "allegations" of plagiarism, but he clearly didn't opt to fact check it himself. The extensive evidence of Evans' plagiarism has been public for some time, there for anyone to validate on their own. He goes on to casually dismiss Fire Chief's lack of vetting a source as acceptable, because Evans appeared on other higher profile sites. Bischoff apparently doesn't understand that Evans appeared on those media outlets because they too did not fact check.

There seems to be a small victory in that Bischoff does note that they did try to verify one of Evans' claims and found it untrue. I say "seems", because while it shows that at least one thing didn't check out, Bischoff's next action completely dismisses and ignores the fact that their source lied to them.

A journalist saying "others did it too" is no excuse for a lack of fact checking and fundamental integrity, and that is strike two for Fire Chief.

Strike Three

Rather than learn from their mistakes and take the route of integrity, Glenn Bischoff instead opts to write his own article claiming the message is more important than the messenger. While one could argue that the message is important, because it is, it does not excuse propping up a well-documented charlatan and giving him the media attention he begged for. Bischoff's article sums up the fundamental problem with this type of journalism, and reminds us why many bloggers with integrity and devotion get lumped in with the masses of half-assed writing that barely passes for a Facebook post, let alone serious journalism. Three bits from his article:

Admittedly, I didn't look further into the matter than the 2009 press release issued by Ligatt that announced the relationship.

Perhaps the vendetta is justified. Perhaps it's not. I don't live in the hacker world, so I don't know.

But here's what I do know - none of it matters.

And this illustrates why Bischoff is not suited to be a journalist. First, he read a press release and believed it at face value; not even first year journalism students are that naive. Second, he is under this mistaken impression that only a hacker could figure out if the vendetta is justified, despite being spoon fed a heap of evidence showing it is justified. Evidence that he could personally validate himself if he chose to do so. Third, he then throws his hands up in the air and dismisses the entire underlying issue, saying "none of it matters". Wrong, Glenn, it does matter. The fact that you do not see it also matters.

The blinders Bischoff and Roberts seem to wear, and their willingness to cast aside integrity and effort in favor of just producing copy, is a big strike three.

Bonus: Strike Four

I assume Bischoff won't fact check me when I tell him there are four strikes to an out in baseball, an analogy he uses in his article. So I will give you this bonus strike to make sure he is really out, for real.

Both articles, and presumably all of them on the Fire Chief web site, end with:

"What do you think? Tell us in the comment box below."

I can assure you that comments were left on both articles, and I can assure you that at least one comment on each was civil and constructive. Despite that, as theprez98 notes, they didn't approve any comments.

If you ask the community for feedback, and then don't allow it to be posted, that is strike four, and you are clearly out.


In the spirit of full disclosure, below are the emails related to the articles that were traded. I believe my first email was one of many that he received, and prompted Bischoff to add the editor's note to the first article. Please note the time I spent writing the mails, providing links, and explaining the issue, as compared to their short replies (basically my red backed mails versus their gray backed replies). Further, note that Roberts said she was taking my email and forwarding it to Evans for comment. Rather than expose the person(s) who leveled criticism of a source, she should have asked the questions and treated me like a confidential source. Since I have been pretty outspoken about Evans, it didn't matter to me at the time. Looking back though, it does tell me that she can never be trusted as a journalist when it comes to handling a source.

From: Brian Martin (bmartin[at]attrition.org)
To: Mary Rose Roberts (maryrose.roberts@penton.com), Glenn Bischoff (glenn.bischoff@penton.com)
Date: Mon, 22 Aug 2011 21:47:31 -0500 (CDT)
Subject: Information on one of your sources

Penton Media Staff;

In reference to your article, "Public safety can benefit when bad hackers go good" [1], I would 
like to bring some additional information to your attention.

  To learn more about the threat of cyber attacks on government agencies,
  I spoke with Gregory Evans, who claims that the FBI put him on their Top
  10 list for computer hackers in 1996 after hacking into law-firm and
  phone-company records, such as AT&T.s.

The FBI has never maintained a top 10 list for computer hackers. A call to the FBI press office or 
media liason should confirm this. The FBI has maintained a Top 10 most wanted list, but that is 
for high profile dangerous fugitives:

http://www.fbi.gov/wanted/topten. Evans has not appeared on that list either.

  Evans is a mercurial figure in the world of cybersecurity. Since going
  legit, he has been used as a source by numerous respected news
  organizations, including CNN, the New York Daily News, Bloomberg News
  and United Press International. His firm also was the cybersecurity
  consultant for the Atlanta Hawks and Atlanta Thrashers. But he also has
  been accused by the hacker community of allegedly plagiarizing material
  that appears in several books that he has authored.

And like Penton, many of those media outlets did not perform due diligence. After appearing on CNN 
several times, many in the security industry brought Evans' real story to their attention, and he 
has not appeared since. CNN has confirmed to me directly that they do not plan to use Evans again 
after reviewing the information provided. To be honest and fair, it seems like your only due diligence 
was seeing that other media outlets used him. If the preceding media outlets did the same, did any 
of them ever really do any due diligence on this man?

Claims that his firm was the "cybersecurity consultant" for the Hawks, Thrashers (and other teams) 
is also bogus. Ben Rothke, an independent security consultant and myself has confirmed that was not 
the case. There was initial talks, a tentative agreement and then nothing became of it due to Evans not 
paying the money outlined in the agreement. If you have doubts, we encourage you to contact:

Carl Lahr (CLahr[at]clippers.com)
Tracy White (Tracy.White[at]atlantaspirit.com)

There were additional mails between Rothke and some of the stadium/team representatives, but in 
several cases they asked for their mails not to be published. I can speculate that they planned to 
send a Cease & Desist to Evans and considered pursuing them legally. However, Evans and his company 
have posted their financials for 2009 and there simply isn't much to gain by suing him. We have made 
some portions of the mail available, enough to validate our side and give anyone who wishes to follow-up 
the chance to do so: http://attrition.org/errata/charlatan/gregory_evans/evans08.html. For any other 
teams or stadiums, we again encourage you to contact them yourself. Don't blindly trust us, just as 
we ask you not to blindly trust Evans.

   Evans knows all about hacking high-profile targets. When he got "in
   trouble for hacking," he had hacked AT&T and MCI/Sprint, hitting them
   up for more than $1 million a week. "They never knew because, the
   bigger the company, the easier it is to hide inside their networks,"
   Evans said...

Evans did not get in trouble for "hacking". If you look at the court docket for his 1998 case, the 
charges are centered around wire fraud: http://attrition.org/errata/charlatan/gregory_evans/ligatt07/. 
The words "hacking" and "computer" do not appear in the docket for example. An article from 
Press-Enterprise at the time of the case summarizes Evans activities: 
http://attrition.org/errata/charlatan/gregory_evans/evans29.html. Note the words "conducting a
scam" and "used false names [..] to obtain telephone numbers", as this was a classic method of fraud, 
nothing related to computer hacking.

   Most domestic hackers target companies, while rouge countries focus
   their efforts on national security by targeting public facilities .
   from transit systems to the smart grid. We don't hear much about it,
   though, "because the government isn't reporting it is because they
   don't want the mass media to turn around and say we aren't safe," Evans
   said...

First, I believe that should be "rogue" instead of "rouge". Second, the government is aware of such 
attacks and threats, and publishes information about them. Take as one example, the ICS-CERT body:
http://www.us-cert.gov/control_systems/ics-cert/. They release advisories on vulnerabilities in SCADA, 
the systems that run power grids and more. In addition, the mainstream media has been reporting about 
country-based espionage from China, state-sponsored attacks against US corporations [2], and more. 
Even later in your article you reference this attacks, suggesting that these stories are not being 
hidden or downplayed by the government in any way.

   From air-traffic control to transportation systems, hackers can hide in
   networks and practice their mischief in simple ways, like changing
   street lights from red to green or manipulation digital road sign to
   read "Zombies Ahead," because governments are running programs over
   unsecured or vulnerable wireless networks, Evans said...

Did you verify this claim with the manufacturers of any digital road signs? I believe that if you 
research this, you will find that many of these types of hacks are against the portable digital 
signs used for construction areas (as opposed to the more permanent ones that warn of travel times). 
These signs are vulnerable to a *physical* attack, where the person connects a device via a physical 
connection (e.g., a serial port) and re-programs the device there.

   "The government needs to give hackers jobs instead of having them
   working in the kitchen," Evans said. "We need to give them a laptop and
   monitor them and have them try to hack into our transportation and
   energy facilities. We need to tap into that great talent"...

This statement really lends to the theory that Evans has done very little work for the government. 
My first year as a professional security person, performing penetration tests, was in 1996. That 
first year, my clients were almost exclusively government, military or banks. Since then, I have 
done penetration testing or training for a number of government agencies including the FBI, NSA, 
DOJ, IRS, and many others. If you take the time to ask around the security industry, you will find 
that basically every single company that offers security services has done work for the government 
and/or military, or is seeking to do so.

The government tends to jail blackhat hackers that are breaking the law, often times using relatively 
simple techniques that do not show sophistication or thoroughness. Out of curiosity, did you ask Evans 
which agencies he has consulted for? Can he provide *any* form of proof? If you ask, and he claims 
that NDAs or a clearance level prohibits him from doing so, be very suspicious. While I cannot show 
you technical reports or a lot of information, I can validate my claims if needed. He should be able 
to as well.

For more information on the saga of Gregory Evans and LIGATT, I encourage you to read our page 
dedicated to him. He is considered a charlatan in the security world and even received the Defcon 
19 "Charlatan of the Year" award by popular vote (and a landslide is putting it lightly): 
http://attrition.org/errata/charlatan/gregory_evans/

I hope that in reviewing these pages, you note that we go to great lengths to back up every single 
claim, link to evidence and show as much transparency as we possibly can. That is something that Evans 
has never seemed to do himself.

Thank you for your time,

Brian Martin
attrition.org staff

[1] http://urgentcomm.com/networks_and_systems/commentary/hackers-enhance-public-safety-cybersecurity-20110817/
[2] http://en.wikipedia.org/wiki/Operation_Aurora

From: "Roberts, Mary Rose" (MaryRose.Roberts@penton.com)
To: Brian Martin (bmartin[at]attrition.org)
Date: Tue, 23 Aug 2011 13:13:18 +0000
Subject: RE: Information on one of your sources

Thanks for your feedback. I have sent your email to my source for their response. Have a great day.

Mary Rose Roberts
Fire Chief Publications & Urgent Communications
330 N. Wabash, Suite 2300
Chicago, IL 60611
312 342 2023
www.firechief.com
www.urgentcomm.com
www.wildfiremag.com

From: "Bischoff, Glenn" (Glenn.Bischoff@penton.com)
To: Brian Martin (bmartin[at]attrition.org)
Date: Tue, 23 Aug 2011 14:52:59 +0000
Subject: RE: Information on one of your sources

Thanks for your note. I have e-mailed Tracy White and await his response.


From: Brian Martin (bmartin[at]attrition.org)
To: "Bischoff, Glenn" (Glenn.Bischoff@penton.com)
Date: Tue, 23 Aug 2011 13:11:54 -0500 (CDT)
Subject: RE: Information on one of your sources

On Tue, 23 Aug 2011, Bischoff, Glenn wrote:

: Thanks for your note. I have e-mailed Tracy White and await his
: response.

Excellent, I hope he confirms to you what he has confirmed to Rothke and
myself.

Mary Rose indicated that she forwarded my mail to her source, which I take
to mean Gregory Evans. I gave her a heads up that the cries of "racism"
are likely to happen in short order. That is Evans' go-to argument for all
the "hatred" he receives in our industry.

Brian


From: Brian Martin (bmartin[at]attrition.org)
To: "Bischoff, Glenn" (Glenn.Bischoff@penton.com)
Cc: "Roberts, Mary Rose" (MaryRose.Roberts@penton.com)
Date: Fri, 26 Aug 2011 14:34:19 -0500 (CDT)
Subject: RE: Information on one of your sources

Hi again Glenn;

http://blog.firechief.com/mutual_aid/2011/08/25/trust-the-message-not-necessarily-the-messenger/

I see that you confirmed yourself that Evans is not being honest about his
relationship with the Hawks et al. I believe you told a colleague of mine:

   I can say that it would be highly unusual for firm to make a completely
   false statement concerning its relationship with organizations with
   profiles as high as that of the Hawks, Thrashers and Phillips
   Arena especially when they're all located in the same city precisely
   because litigation would be a distinct possibility. In fact, in 30
   years of reporting, I can't think of a single instance where I
   discovered a company in such a bald-faced lie.

Now that you have verified it yourself, you have caught a company in a
bald-faced lie, the first time in 30 years. Despite that, you write this
piece that is almost apologetic to Evans, and casually dismisses his lies
after you claim it would be "highly unusual" and essentially say it would
be a first.

You say the "messenger doesn't matter" in so many words, but that is
simply not the case. The information security arena is heavily based on
the concept of integrity. When a messenger does not maintain integrity,
when a computer security consultant has no integrity, how can you trust
that their message or services provide integrity to you or your
organization? Sure, in this context, his message is accurate, but it is
hardly original either. The concept of hiring hackers has gone on for over
two decades. Evans parroting that message now does not show any level of
expertise or insight.

At this point, after verifying we were correct about the affiliation, are
you a little more receptive to the idea that perhaps our extensive
research and exposing of Evans is legitimate? If so, why not pursue the
story you outlined in your mail to me? That in 30 years, you have never
seen a company lie to that degree, and that you yourself have busted him
in that lie?

In the mean time, I have published one new article on Evans outlining more
plagiarism, and will be publishing another today or in the next few days,
outlining his wilful copyright infringement of over 550 articles from a
variety of journalists, in a ploy to profit off their work. Here is a
sneak peak of the article, that is not public at the time of this mail:

http://attrition.org/errata/charlatan/gregory_evans/hi-tech_hustler_scrapbook/

Thanks again for your time,

Brian
attrition.org


From: "Bischoff, Glenn" (Glenn.Bischoff@penton.com)
To: Brian Martin (bmartin[at]attrition.org)
Cc: "Roberts, Mary Rose" (MaryRose.Roberts@penton.com)
Date: Fri, 26 Aug 2011 19:55:41 +0000
Subject: RE: Information on one of your sources

Thanks for the feedback.


At this point it was clear, Glenn Bischoff is not a journalist, and has no ambitions of being one. It is also clear that the industry can casually dismiss the Fire Chief web site as a blog with no more integrity than a random 13 year old's MySpace page.


main page ATTRITION feedback