Tuesday, 12 February 2013

Defending our work - Part 2. The Exploit Lab Rip-off continues.

It has been a difficult week for us. First, the news of Exploit Laboratory's class material being ripped off and used in a paid webinar. This was followed by compelling and voluminous evidence that our worst fears were indeed coming true -- our core material in the form of slides, examples and scripts was being used too.

Our first set of new evidence was contributed by a student attending the webinar aired on February 2. We felt it necessary to bring this issue out in the open and state the facts as we have seen them. We felt it necessary to defend our work. In our previous blog post we spoke about some preliminary information regarding the apparent rip-off of our Exploit Lab course content. We thought it best to conceal the instructor's identity and give him a fair chance to stop the course of action before the second part of the webinar was aired on February 9.

The InfoSec community came out in great numbers in defense of our work and against our material being used without permission. During the week, many members of the InfoSec community have presented us with more evidence supporting the statement we made in our first blog post.

On February 8, the person responsible, Joe McCray of Strategic Security Inc., responded on his blog with the following note:

"I used the virtual machines from the class that I was in 2 years ago. I did it out of convenience. The virtual machines are built with software that is freely available on the Internet. There is no intellectual property of his that was stolen."

We feel it important to disabuse the community and students of the webinar of the notion that it was "just our VMs". Building up lab systems is hard work. Eight years into the Exploit Laboratory and we are continuously working on fresh content with EVERY CLASS we teach.

However, there is a lot more at hand than just virtual machines. A few members of the instructor's intern crew have also been astonished at what they have seen. Two of them have stepped forward and presented us with screenshots taken from a Dropbox account shared across the intern team. What we saw was direct evidence linking our original material - slides, scripts, class notes and virtual machines - to the content that continued to be taught in the webinar.

We present it here.

First, a screenshot of a stack overflow script taught in the first webinar:

Next, the directory containing scripts for the Peercast exploit. The Peercast stack overflow is one of Exploit Laboratory's introductory examples when teaching stack overflows. Here, we have the same set of scripts, our typical "cyclic pattern" file and a copy of the Peercast binary to analyse:

The instructor's "master" folder was revealed momentarily during the webinar:

Lab example notes discussed during the webinar:

A few days ago, we were presented with screenshots of this "master" folder called "Exploits-By-Type" which was seen for a brief moment during the webinar on February 2. The screenshots are from a Dropbox share. An additional folder called "Resources" is also present here:

The "Resources" folder reveals a very familiar sight:

These are our original Exploit Laboratory class slides. All of them. And here is our original Peercast exploit slide:

Another folder called "Scripts-and-DLLs" holds our original exploit scripts, written in Perl, and the same scripts "ported" to Python:

A Perl2Python "porting" guide:

Exploit Laboratory's original Peercast exploit Perl scripts, transformed to Python:

A side-by-side comparison of Perl and Python code:

Walkthroughs of how to run the exploits are taken from Exploit Lab's "Live Class Notes". Our classes feature an online notepad containing a text dump of everything we type on the demo screen, which gets echoed to every student's browser.

Lastly, a finished document:

The InfoSec community is a closely knit group. A lot of information flows freely with the implied moral understanding that we respect one another's original work and intellectual property.

SK, Josh and I believe in giving our all as instructors. We strive to improve with every class, both through refining existing materials and through the creation of new and novel content. We meet the continual challenge of balancing the integration of new materials with maintaining stable environments where students can concentrate on learning rather than wrangling a badly implemented environment. I think, and our student reviews from all around the world back me up on this, that we are striking a pretty decent balance.

The Exploit Lab crew is grateful to the InfoSec community for supporting us through these events. And that's why we love this industry. Do stop by CanSecWest, Blackhat Europe or any of our 2013 line-ups for a POP/POP/RET with our compliments! (Thanks @En4bler for creating an awesome cocktail, and @craigbalding for an equally awesome name to go with it)

-- Saumil Shah


  1. I can vouch for Saumil on this issue. As someone who took the Exploit Lab course in 2009 and then signed up for Joe McCray's most recent offering, it was obvious to me that the course was a rip off within the first 30 minutes of the webinar. I've seen both sets of course materials and there is no doubt whatsoever.

  2. I'm incredibly happy to hear someone has finally outed strategicsec. Over the past year I've watched a lot of things unfold with Joe McCray. You just have to look at his security rookies 'program' to understand what he's up to. His unpaid 'rookies' have in many cases performed recon for actual pentests. Hmm unpaid people doing for the benefit of a company, yep that's a violation of labor laws. I also have personal knowledge of Joe linking to and hosting pirated books and courseware for his 'rookies' and other people. He also has his 'illegally unpaid' rookies put together some of his class material which is sold.

  3. In the interest of clarity, I have emailed CarolinaCon where Joe McCray is scheduled to speak on the subject "Exploit Development for Mere Mortals - Joe McCray" to make them aware of this information and, while I can't quite believe their response I will paste it here verbatim. Apparently Integrity is optional for some which is a shame.


    We appreciate your concern and your attempts to enlighten us, but in this case it isn't well received.

    We at CarolinaCon (staff and attendees) have nothing but mad love and respect for Joe McCray. He is considered a dear friend. He is one of the smartest guys and one of the most amazing presenters in the InfoSec/hacking field - hands down. He is also one of the most generous guys I've ever met, who donates his time and travel expenses to present at CarolinaCon. Last year he hosted an epic party at CarolinaCon, providing the conference room and many hundreds of dollars worth of libations. Joe's integrity and ethics are openly apparent by his public response to the drama and publicity seeking accusations, and by the fact that you say you were refunded seminar monies by him.

    We at CarolinaCon are nothing but fortunate to have a friend like Joe McCray. As for the capitalistic person(s) who run exploit laboratory and who charge a couple thousand dollars per person to attend their sessions, I can promise you that they did not invent/discover/create every exploit command, code snippet, technique, or philosophy that they use in their training sessions. An old proverb comes to mind. "He who lives in a glass house shouldn't throw stones."

    -Vic Vandal
    (speaking for myself, which may also reflect the opinions of the dozen annual staff members and hundreds of attendees who enjoy Joe McCray's presentations and his presence)

  4. I responded to CarolinaCon with the following:

    Here is a statement from Joe where he states that he "did it out of spite" when he also admits it was his own decision to cut the course price in half. You have made it quite apparent that CarolinaCon will and does support individuals that have admitted to plagiarism provided that they host "epic parties". Personally my own ethics and integrity cannot be purchased with "hundreds of dollars worth of libations" either, but apparently that is the status quo for the circles you run in. So while it may not be well received by you, I am sure that others in the InfoSec community do not hold such low standards for their ethics.

    I then received the following response from CarolinaCon

    Blow me, asshole. Good luck on your quest to discredit someone who knows more and has done more for the InfoSec community than you ever will. You must be a racist dick.



  5. Here I just made a Reddit link to keep track of this.


  6. As a former 'rookie' I can attest to this. Under the guise of giving us 'real world' experience he is essentially getting free labor and charging the clients for his (really our) time. Rookies are tasked with creating his training material which usually involved him providing a 'rough draft' and us fixing errors and importing it to his letterhead. Often, when having to research the problems we found that the material was pirated from SANS reading room, GIAC Gold papers, or other publicly available sources with no attribution to the original source or author. There was some original content generated, but it was far and few between and almost always created by unpaid 'interns' that was in turn sold through his training programs.