Tuesday, 12 February 2013
Defending our work - Part 2. The Exploit Lab Rip-off continues.
It has been a difficult week for us. First, the news of Exploit Laboratory's class material being ripped off and used in a paid webinar. This was followed by compelling and voluminous evidence that our worst fears were indeed coming true -- our core material in the form of slides, examples and scripts was being used too.
Our first set of new evidence was contributed by a student attending the webinar aired on February 2. We felt it necessary to bring this issue out in the open and state the facts as we have seen them. We felt it necessary to defend our work. In our previous blog post we spoke about some preliminary information regarding the apparent rip-off of our Exploit Lab course content. We thought it best to conceal the instructor's identity and give him a fair chance to stop the course of action before the second part of the webinar was aired on February 9.
The InfoSec community came out in great numbers in defense of our work and against our material being used without permission. During the week, many members of the InfoSec community have presented us with more evidence supporting the statement we made in our first blog post.
On February 8, the person responsible, Joe McCray of Strategic Security Inc., responded on his blog with the following note:
"I used the virtual machines from the class that I was in 2 years ago. I did it out of convenience. The virtual machines are built with software that is freely available on the Internet. There is no intellectual property of his that was stolen."
We feel it important to disabuse the community and students of the webinar of the notion that it was "just our VMs". Building up lab systems is hard work. Eight years into the Exploit Laboratory and we are continuously working on fresh content with EVERY CLASS we teach.
However, there is a lot more at hand than just virtual machines. A few members of the instructor's intern crew have also been astonished at what they have seen. Two of them have stepped forward and presented us with screenshots taken from a Dropbox account shared across the intern team. What we saw was direct evidence linking our original material - slides, scripts, class notes and virtual machines - to the content that continued to be taught in the webinar.
We present it here.
First, a screenshot of a stack overflow script taught in the first webinar:
Next, the directory containing scripts for the Peercast exploit. The Peercast stack overflow is one of Exploit Laboratory's introductory examples when teaching stack overflows. Here, we have the same set of scripts, our typical "cyclic pattern" file and a copy of the Peercast binary to analyse:
The instructor's "master" folder was revealed momentarily during the webinar:
Lab example notes discussed during the webinar:
A few days ago, we were presented with screenshots of this "master" folder called "Exploits-By-Type" which was seen for a brief moment during the webinar on February 2. The screenshots are from a Dropbox share. An additional folder called "Resources" is also present here:
The "Resources" folder reveals a very familiar sight:
These are our original Exploit Laboratory class slides. All of them. And here is our original Peercast exploit slide:
Another folder called "Scripts-and-DLLs" holds our original exploit scripts, written in Perl, and the same scripts "ported" to Python:
A Perl2Python "porting" guide:
Exploit Laboratory's original Peercast exploit Perl scripts, transformed to Python:
A side-by-side comparison of Perl and Python code:
Walkthroughs of how to run the exploits are taken from Exploit Lab's "Live Class Notes". Our classes feature an online notepad containing a text dump of everything we type on the demo screen, which gets echoed to every student's browser.
Lastly, a finished document:
The InfoSec community is a closely knit group. A lot of information flows freely with the implied moral understanding that we respect one another's original work and intellectual property.
SK, Josh and I believe in giving our all as instructors. We strive to improve with every class, both through refining existing materials and through the creation of new and novel content. We meet the continual challenge of balancing integrating new materials while maintaining stable environments where students can concentrate on learning rather than wrangling a badly implemented environment. I think, and our student reviews from all around the world back me up on this, that we are striking a pretty decent balance.
The Exploit Lab crew is grateful to the InfoSec community for supporting us through these events. And that's why we love this industry. Do stop by CanSecWest, Blackhat Europe or any of our 2013 line-ups for a POP/POP/RET with our compliments! (Thanks @En4bler for creating an awesome cocktail, and @craigbalding for an equally awesome name to go with it.)
-- Saumil Shah