Infosec Institute plagiarized course material from Corelan.be

Viewing 46 reply threads
    • #6964
      Dark_Knight
      Participant
    • #43242
      p0et
      Participant

      Whoa!  That’s horrible.  It sucks that because of this, Corelan hasn’t published any tutorials in the last year.  We’re all suffering here… I’d love Corelan to get publishing more tutorials soon.  🙂

    • #43243
      SephStorm
      Participant

      Very concerning. Especially since they offer a nice bounty if their material is found to have been stolen….

      Anyone think it would be worth anything for me to contact them?

      (And FYI, I’ve never heard of Corelan, who are they?)

    • #43244
      pseud0
      Participant

      Just… ouch.  It always sucks to see an organization with a relatively good reputation pull something like that.  It’s like finding out Santa isn’t real.

    • #43245
      MaXe
      Participant

      There’s more here as well: https://www.corelan.be/index.php/2011/10/30/copyright-infringement-plagiarism-is-a-crime/

      I sent a small donation, because they (the company that stole the content) should’ve at least asked for permission to use the tutorials on the Corelan website, as it’s pretty much copyright protected.

      @SephStorm wrote:

      Anyone think it would be worth anything for me to contact them?

      (And FYI, I’ve never heard of Corelan, who are they?)

      If you have evidence, information, etc., then it will always be worth contacting them. All of their members are very friendly, and also very knowledgeable.

      Corelan is a team of enthusiasts and professionals, where most if not all of them are very good with Exploit Development, and for instance, mona.py is one of the greatest addons for Immunity Debugger that they’ve made. (And that is just a small portion of all the work they’ve done for the community.)

      They’ve been around for quite some time, and a lot of their members also participate in other projects, some are even in the Exploit-DB team, so if you’ve been around an offsec domain, then you’ve somewhat met a Corelan member too, at least in some sense that may sound strange  🙂

      Without Corelan, there wouldn’t be a natural, reliable and good source of exploit development tutorials, and of course a lot more. The amount of content and value they’ve added to the community is enormous, so of course they must protect their copyright  🙂

    • #43246
      SephStorm
      Participant

      Thanks for the info, I meant contacting ISI… 😉

      Realistically, the word probably hasn’t gotten around in the US, hence the resources section is still available here. And I know for a fact that the CEPT class is still available, I don’t know if they are using those materials. (Also a good test would be for someone to take the CEPT, see if that copyrighted material is still in there.)

      In any case, if I call to express my concern over purchasing products from a company that willfully engages in infringement, and isn’t willing to reimburse the individual who was wronged… and of course, it would be my duty to inform others of this…

      Thoughts?

    • #43247
      MaXe
      Participant

      @SephStorm wrote:

      In any case, if I call to express my concern over purchasing products from a company that willfully engages in infringement, and isn’t willing to reimburse the individual who was wronged… and of course, it would be my duty to inform others of this…

      Thoughts?

      I think it’s up to you, but I’m unsure how much good it would do, except making them aware that their customers are worried about this, which lowers their public relations image.

      If they have stocks and it becomes a general issue I’m sure they will drop though  😮 But the best thing to do, would be to find out if they’re still actively stealing content or not, and then report it to the rightful owner(s).

    • #43248
      r2s
      Participant

      What a shame  🙁

    • #43249
      jason
      Participant

      Wow. I was about a hair away from starting to write for them in support of their portal revamp. Glad I decided to drop by before bed. Sent an email off telling them thanks, but no thanks, and a few more to warn off some other folks that I know. Plagiarism != cool.  >:(

    • #43250
      infoseci
      Participant

      Hey guys, this is a totally ridiculous slander and defamation of our company. We have the utmost respect for copyright law and would never wish to harm another member of the information security community.

      Let’s review the facts as they really are:

      1. We hired a contractor to create some courseware for us for this course. Part of our contract, a very important part, is that we require totally original works, and do not allow for copyright violations. Any such violation is cause for termination of the contract and any associated damages. Unfortunately, this contractor basically copied all of the information from that site.

      2. When we found out about this situation, we refunded everyone that took that class or offered them full credit towards another class. We also terminated the contractor and looked into legal options for suing for damages. We chose not to sue, as the cost and time spent doing this seemed to outweigh the benefits. We would rather concentrate on delivering great training instead of suing people.

      3. When we were alerted via the various legal notices, we offered to issue a public apology as well as pay $5000 to the offended parties. Even though it was not us, but one of our contractors that did the infringement!! They rejected this.

      4. We invite a lawsuit or to settle this in the courts, as we have a signed agreement that shows we did not do the infringement, and made a really good effort to make this right (via a public apology and paying $5000).

      In short, yes, this is a bad situation. In hindsight, we should have checked to make sure this work was not copyrighted. But, we made a mistake, as everyone does in life, and the important thing is we tried to do the right thing here. We offered to make a public apology and pay $5000 but they rejected it.

      If there is anything we should be doing differently here, I would be open to suggestions.

    • #43251
      pseud0
      Participant

      infoseci,
        Out of curiosity, where have these details been posted besides this forum? I’m not trying to nit-pick, I’m honestly asking because I haven’t seen any of these details released to the public yet.  If there is an official method your organization is using to respond to these allegations please pass along those notes so we know where to go and get your side of the story.  If there is no such platform yet, then maybe you should reconsider wagging your finger at the community for not understanding your point of view.  At the moment this is a matter of perception that is being weighed in the court of public opinion, and because of the (apparently) blatant facts that have been released in the last few days it can’t be much of a surprise that the current opinion of the community is running against you.  If the Infosec Institute means to manage the message on this issue, then they should get a coherent, complete, and reasonable explanation out in a hurry.  You asked for recommendations so, off the top of my head:

      -Peter has gone out of his way to document his communications with you, grievances, and legal proof of his allegations.  He then made these publicly available.  You could do the same.  Currently it seems like your organization went incommunicado on the issue, and that vacuum isn’t helping perceptions.  If you’ve actively been working through this then show it.

      -The “it was a contractor’s fault” response is going to be a rough road if you decide to take it.  You might find some legal coverage by playing that card depending on your contracting and the skill of your lawyers, but within the security community I’d expect more blowback than forgiveness.  You don’t just trip and accidentally copy an entire (massive) work from a well known individual, do a ctrl-f find/replace for names, and build an entire course around the material without someone within your organization noticing.  That just doesn’t pass the scratch and sniff test.  For many of this it sounds a lot like one Mr. Gregory Evans. (http://www.amazon.com/How-Become-Worlds-No-Hacker/dp/0982609108)  Please explain how this made it through all of the expected reviews/planning/etc that would go with building a course without someone in your company realizing what was going on.  Otherwise, are you stating that you simply bought, without any review, the product of a contractor and immediately started selling/teaching the material?  Do you do this with all of your materials? Have you initiated a review of all of your other course materials to make sure this isn’t systemic?

      -A quick check of your website shows that the CEPT certification course is still being offered. It also shows that the course includes “9 domains”. Are these the same 9 domains that were in the course previously?  Meaning, are you still offering the same course with the same material that is the source of these allegations?  Your posting seems to imply a significant amount of due diligence was performed after you were informed of the plagiarism… did that not include removing the course from your site? Are you still making money from Peter’s material in any way?  If not, then explicitly state the current status of the course and material.

      Again, this is just a response to your request for suggestions.  If you’ve already answered these points in some other format then please let us know where.  A quick review of your website doesn’t seem to show anything.

    • #43252
      Ignatius
      Participant

      I’ll preface this with “I am not a lawyer” ..

      1.  Peter’s legal representatives in Belgium and the US have sent letters to Infosec Institute but there is no indication of any response from them, hence his indication that he might wish to escalate matters.

      2.  As there was a third party contractor who was responsible for creating the handbook, I am not sure who would be responsible in the event of legal action in view of an alleged infringement of copyright.  My “gut” feeling is that Infosec Institute will be the target of any action and I suspect that they, in turn, could take action against the contractor.

      3.  Peter’s papers are well known.  I am surprised that the material was not recognised by those responsible at Infosec Institute for delivering the material on the course.  I assume that they are/were instructor-led, rather than self-directed learning.

    • #43253
      infoseci
      Participant

      Thanks guys for the advice! Here is a response we have put officially on our blog:

      http://resources.infosecinstitute.com/two-sides-to-every-story/

      To clarify here, this website material was used ONCE for ONE run of the exploit writing class. Not our advanced/cept class. The class had 7 students in it, and all were refunded and credited. Those guys have spent the last two years trying to contact people in our other classes all the time to find other times it was used, and you can bet if they did they would be writing it all over the place.

      Even though it is not “legally” our fault, we have offered to make a public apology as well as pay $5000 to Peter. I think this is a fair response, but we will take what you have said to heart.

      Seriously, all these guys want is blood. Nothing else.

    • #43254
      SephStorm
      Participant

      At this point, I don’t see any negative or bad party in this. As I suggested, my thought is that ISI and the Copyright Holder need to reach a settlement. period. Once communication has been established, then we should step aside and let the process go forth.

      (I do think it is excellent that we were able to get some action on this. I wish the best for both parties concerned.)

    • #43255
      WCNA
      Participant

      Just a thought- When you stick your name on something and sell it, you are responsible. If I slap some stickers on a book over the author’s name and start selling it as my own, I am responsible.

      The simplest solution is just pay Peter’s lawyer costs and give him access to review your current course. You’ve already apologized. Then go after the original culprit for the losses. That case is a slam dunk. If he has any sense (which is doubtful considering his past actions), he’ll settle. If not, his check will be garnished for quite a while.

      The damage to your company’s reputation grows by the day and it would behoove you to nip it in the bud.

    • #43256
      Ignatius
      Participant

      @WCNA – +1

      Peter has posted some more information in the form of a trail of e-mails dealing with this matter.  It seems that he has spent $10,000 already and has been offered $5,000 by Infosec Institute.  I suspect that his funds, compared with a large training organisation such as Infosec Institute, are limited and they might be hoping that he will go away.  It appears that Peter has been wronged … the question is by whom.  As I said in an earlier post, I am not a lawyer and don’t even know if the action would be taken in a Court in Belgium or the US.

      I would say that, at the very least, he shouldn’t be out of pocket when this matter has been concluded.  Surely someone at Infosec Institute saw the training material before it was delivered to those on the course and recognised it as having been published elsewhere?

    • #43257
      Dark_Knight
      Participant
    • #43258
      pseud0
      Participant

      Well done. Hopefully the follow through on the promises is carried out fully.  Delayed or not, it is refreshing to see an organization address an issue like this head on.

    • #43259
      Dark_Knight
      Participant

      @pseud0 wrote:

      Well done. Hopefully the follow through on the promises is carried out fully.  Delayed or not, it is refreshing to see an organization address an issue like this head on.

      Goes to show the power of the collective.

    • #43260
      SephStorm
      Participant

      I definitely agree on that. Now if we can just get Occupy America to DO something…

    • #43261
      pseud0
      Participant

      They are doing something. Occupying.  It’s right there in the name.

    • #43262
      Don Donzal
      Keymaster

      Let’s not occupy the thread. 😉

    • #43263
      securityfreak123
      Participant

      Did Peter publish a formal statement or response about this?
      I noticed he tweeted about it a few hours ago, suggesting Infosec Institute has not contacted them yet.

      Maybe it’s just an attempt by Infosec to try to keep the community silent…

      Just another lie?

    • #43264
      Joshsevo
      Participant

      @securityfreak123 wrote:

      Did Peter publish a formal statement or response about this?
      I noticed he tweeted about it a few hours ago, suggesting Infosec Institute has not contacted them yet.

      Maybe it’s just an attempt by Infosec to try to keep the community silent…

      Just another lie?

      You join 10 minutes ago and make this as the first post?  Interesting.

    • #43265
      SephStorm
      Participant

      Good catch.  😀

    • #43266
      Joshsevo
      Participant

      I may be a newbie when it comes to CPT but online forums and the drama people bring is nothing new and I know how to check that stuff.

    • #43267
      conch
      Participant

      In reply #12, infoseci says “Those guys have spent the last two years trying to contact people in our other classes all the time to find other times it was used”.  I find this obviously false since this entire issue is only a few weeks more than 1 year old.  I suspect it is an overt attempt by ISI to falsely influence the public, and it’s not the first instance of them using the tactic in their public statements.

    • #43268
      pseud0
      Participant

      Hey, cool, another interested individual that registered today just so they could make this post.  Seems to be a trend on this subject. 

    • #43269
      impelse
      Participant

      We cannot stop the sun with one finger, they will try to create that kind of decoy.

      There is one fact, you can use the info with authorization and some donations (or payment) but NOT put any information saying that they are the owner of the info, that violates the law…

      I remember when they tried to sell me the full package (3 certs with the Advance training).

    • #43270
      infoseci
      Participant

      @pseud0 wrote:

      Hey, cool, another interested individual that registered today just so they could make this post.  Seems to be a trend on this subject. 

      Thanks for your sharp eye here. Can we get IPs of these guys? Would be quite interesting to out them publicly, don’t you think?

    • #43271
      impelse
      Participant

      Remember everybody has their followers, so leave them to defend themselves

    • #43272
      infoseci
      Participant

      I want to let everyone in the eh-net community know that we have posted publicly our offer to Peter. Can you please take a look and give feedback?

      http://resources.infosecinstitute.com/corelan-public-apology/

    • #43273
      impelse
      Participant

      That’s good progress, my question is why wait until you get bad publicity? The Internet is powerful for creating that publicity. Lesson: Fix as soon as possible, otherwise who knows!

    • #43274
      rattis
      Participant

      @infoseci wrote:

      @pseud0 wrote:

      Hey, cool, another interested individual that registered today just so they could make this post.  Seems to be a trend on this subject. 

      Thanks for your sharp eye here. Can we get IPs of these guys? Would be quite interesting to out them publicly, don’t you think?

      No, I don’t think so. I think that would be childish and un-ethical. Sure, they might be coming off a little like jerks, but they are raising some questions. Voicing things they don’t understand. Trying to create discourse.

      Really, I think if you want to make impact beyond what you’ve done here… Take it up with attrition.org. Find and reply to the Exotic Liability tweet on twitter. Try to get a larger conversation going, within what you’re allowed to say by your lawyers.

      But asking for IP addresses to “out” people, to me sounds like a thuggish move. A “Quiet your detractors and accusers through fear” move.

      I can understand the stress of going through this, you were betrayed but because you’re the big name, everyone is firing at you. However, wanting to publicly out people, in my eyes hurts your stance more than helps it. Overall I’m still remaining neutral. I’d like to see you guys get it worked out.

      *gets off the soap box*

    • #43275
      Don Donzal
      Keymaster

      Free Speech Tenet – More is always better than less.

      And to quote Mr. Gump, “And that’s all I have to say about that.”

      Don

    • #43276
      hayabusa
      Participant

      @infoseci wrote:

      Thanks for your sharp eye here. Can we get IPs of these guys? Would be quite interesting to out them publicly, don’t you think?

      The proverbial ‘pot calling the kettle black’…

      Get the IPs of these guys, and out them publicly???  What is this?  World versus Anonymous???  C’mon now.

      I’m with chrisj.  I prefer to remain out of the middle.  Suffice to say, I don’t think most folks here are going to be swayed by rants and banter, because each side wants the sympathy card.

      Let’s just say this- the issue has been brought to everyone’s attention.  There are recognized legal issues, and both sides acknowledge that.  Folks have weighed in.  There’s no point in bickering back and forth, here, as EH is neutral ground.  How about Infosec Institute and Peter now be allowed to settle the matter, then someone can let us know the outcome?

      Please…

    • #43277
      pseud0
      Participant

      infoseci,
        My prior comment wasn’t meant to suggest that we go on a snipe hunt, just pointing out to folks on both sides of the issue that it is fairly easy to spot someone that is coming on to the forum for the sole reason of trying to influence this conversation.  I think some of the prior posts have accurately reflected the mood regarding the idea of exposing someone, though.
        As for your latest blog posting, my personal opinion is that it appears that both sides are sorting through this and the process should run its course.  In general many folks in the community were upset because we saw no movement at all.  That seems to have been fixed.  However, folks need to calm down a bit at this point.  You can’t expect this flip to the other extreme so that you can watch every step.  A lot of this will be confidential (I’m sure lawyers from both sides are having their say about what goes public and what doesn’t) and we have no right to expect to be cc’ed on every email.  Everyone go have a frosty adult beverage of your choice and chill out for a bit.

    • #43278
      Triban
      Participant

      Another thing to think about for the future, hopefully this type of situation doesn’t happen again… but if it does, nip it in the bud quickly, quietly and fairly.  Try to keep it from getting this far for public review.  Also realize that this will hurt business for a while.  InfoSecI will be under the microscope for anything that is offered from here on in as well as past offerings.  There are plenty of other training providers out there and those of us serious about Info Sec training will seek them out.  It doesn’t come down to cost but quality and if you can offer top quality at a reasonable cost, well that is a huge plus.

      Both parties at this time should just sit down, try to agree to keep this between the parties and refrain from additional posts online until a reasonable agreement can be made.

    • #43279
      conch
      Participant

      Sorry if being new here means the obvious facts I point out aren’t considered.  I thought this was a good place to contribute to the conversation since I’ve seen so many things being said here which contradict the published facts.  So, I’ll ask again, two years? 

    • #43280
      pseud0
      Participant

      conch,
        Being new has nothing to do with the validity of your points.  You just happened to match the profile of a common tactic on a variety of forums.  When one of the interested parties wants to influence the conversation they create a new profile for the sake of posting comments.  It has become so common that it is assumed to be the case until shown otherwise.  If you’re a new participant on EH.net and are in for the long haul then welcome.  If not, well, so be it.

    • #43281
      rattis
      Participant

      @conch wrote:

      Sorry if being new here means the obvious facts I point out aren’t considered.

      Just because we don’t say your name, doesn’t mean you didn’t have an impact. But I know how nice it is to have your name said and know you make an impact. I have an ego too. 🙂

      Hope to see you in some other threads. Welcome to the board.

    • #43282
      conch
      Participant

      Infosec Institute and Corelan have settled, the school has posted this notice http://www.infosecinstitute.com/corelan-isi-resolved/
      and Corelan has posted this one
      https://www.corelan.be/index.php/2011/11/18/copyright-dispute-resolved/

    • #43283
      impelse
      Participant

      This is good

    • #43284
      conch
      Participant

      Attrition.org worked with both parties trying to get to the truth and a settlement, here’s their report:
      http://attrition.org/errata/charlatan/infosec_institute/

    • #43285
      SephStorm
      Participant

      See what humans can do when they work together and put their minds to it?  ;D

    • #43286
      conch
      Participant

      As long as the community benefits from those who fight plagiarism, all is well.  Read those 4 links at the bottom of the attrition report and think about what’s been said recently, and take note that infosec institute was notified in advance that it would all be published.

    • #43287
      infoseci
      Participant

      Thanks to everyone out there on eh net for their support and advice. It was truly appreciated.


Copyright ©2021 Caendra, Inc.
