Security firm fights racism in InfoSec while apparently profiting from it (Update)
by Steve Ragan - Dec 6 2010, 20:47
In the IT world, despite the majority of practitioners ignoring it, a person’s race or sex can sometimes come into play. However, within IT, the InfoSec community cares little for such things. This is why the previous claims and recent actions taken by Ligatt Security have raised eyebrows.
[An update to this story is on page 4]
In June, The Tech Herald interviewed Ligatt CEO Gregory Evans about racism in the InfoSec world, after he claimed that a well-known researcher, Chris John Riley, made racist remarks via Skype.
Riley had messaged Evans on Skype, in order to arrange an interview for the Eurotrash podcast. Evans explained to him that he discovered Riley’s apparent connection to an online identity linked to detrimental comments about Ligatt, and canceled the interview. Shortly after the cancelation, Evans said he received a message containing racial slurs.
“When the Skype message that came back from Chris, Chris stated, and I’ll paraphrase it because I don’t have it in front of me right now, ‘I wasn’t going to really put a fake nigger hacker…’, or some word like that, and this is the part that made me go ahead and say you know what, I’m fed up with everybody writing this verbiage and calling me a nigger,” Evans told us via phone this summer.
The history between Riley and Ligatt is a long one. It starts with a report that their CEO Gregory Evans plagiarized his book, taking a life of its own after overt threats were made against Riley on his blog that were later linked to Ligatt on several levels. Our previous coverage on this can be seen here and here.
Earlier this month, Errata reported on an item being sold via Ligatt’s HackerGearOnline website, noting that they were profiting from defamation. The item is seen below. The image is of Chris John Riley.
Is this defamation?
“Under the definition, it’s a knowingly false statement made with intent to probably damage this individual. To the extent that it causes him damage or injury, that’s the question. Is it published widely enough? Do people take this commentary seriously, so that it damages his reputation, causes financial hardship, or mental anguish,” explained Samuel A. Coffey, a partner with Abramowitz, Pomerantz & Coffey in Florida.
If Riley is able to get a job in the InfoSec community, but the terms are less favorable because of the defamation, it’s still actionable. For example, if he was able to get 85 to 95 percent of the value of a given contract compared to what he used to command, he may have the ability to recover a percentage of what he could have gotten.
“Calculating those intangible damages may be very difficult to do. You’d have to look at the value of the name before and the value of the name afterwards, or get some sort of informed position statement on how this has impacted his reputation in the community on a go forward basis,” Coffey added.
Defamation cases require clear and convincing evidence. If this went to trial, the burden of proof would be on Ligatt, as they would have to show that Riley is indeed a racist. All Riley would need to do is show a jury that his reputation was damaged intentionally with a statement that was well and truly false.
So assuming Riley moved forward with legal actions, and met this standard of evidence, what could he stand to gain?
There are two different types of damages that could be recovered, Coffey explained to us. One is for compensatory damages. These damages make up for the loss of good will, economic damages, and so on. If these are intentionally bad acts though, he may be entitled to punitive damages, which are based on the percentage of the net worth of the defendants.
“That’s where these cases get a little more interesting. It’s where a large corporation through its officers or directors defames somebody, or where they condone their hourly employees to do something that’s defamatory. Where they can expose themselves to a responsibility to compensate somebody for punitive damages, and that can be a much larger recovery in a case like this,” Coffey said.
“It’s not simple negligence. They didn’t make a mistake and publish this. They went out there intentionally to try and hurt this guy’s reputation. I mean, you and I are talking because they went out there to do an intentionally bad thing here…These are people doing something maliciously to try and hurt [Riley]. If you’re going to say something like this and put it on a tee-shirt, you sure hope that it’s true and accurate I would think.”
He mentioned that the shirt was some damning evidence, and would make a great exhibit in court. So if this were his case, what would Coffey do?
“My strategy would be to file my complaint, allege my allegations, get them to file an answer, move for leave to amend my complaint to allege punitive damages, [and] the court should grant it in a case like this. It seems like this is an intentionally malicious statement,” he explained.
“The hallmark words are willful, wanton, and reckless disregard for the life, safety, health of an individual. I think publishing something like this is willful, wanton, and reckless. That’s the hallmark for punitive damages. The second tier is going to be can you show that a corporate officer or director condoned this or engaged in this. That’s going to be factual.”
So if Ligatt’s CEO authorized the printing of these tee-shirts, and the company is making a lot of money, Riley can go after them. If Ligatt is not a company with a lot of money, Riley can still find out how much money they’re making off of tee-shirt sales and ask for that in his claim for damages.
“Your closing argument in a case like this is they’ve made a half-a-million dollars or a hundred thousand dollars in tee-shirt sales, intentionally damaging my client. They should be punished five times their profits off of this particular undertaking…”
In June, Ligatt said that HackerGearOnline has “become an international sensation”, adding that it “has been generating revenue since day one of the website launch.”
In November, Ligatt published a wire release announcing that the site had become “…the worlds [sic] largest clothing line for hackers.” The wire went on to quote Gregory Evans stating that HackerGearOnline would “generate over 33% of LIGATT Security sales” by the end of 2010.
We mentioned this to Coffey, and speculated that the revenue statement is where someone would look for damages, assuming that 33% is true. He corrected us by stating that he’d go beyond that.
“What I’d say is, they’ve driven more traffic to their site, and they’re using this as a marketing vehicle. Not only are they profiting off of the sale of the tee-shirt…, but on top of that they’re getting traffic out of this, and business out of this. So I’d look at all these profits. I’d do a complete audit of the company’s financials. I’d get their tax returns, I’d want all of their books, that’s what a corporation doesn’t like, especially a private corporation.”
Public corporations need to disclose their financials to their shareholders. Private corporations need to report to the IRS and their lenders, but that’s about it, he explained.
“Once you start doing these bad things and you put this out in the public, people don’t like to share their tax returns very much. It’s pay to play, if you’re going to do this to somebody, be prepared they’re going to come back at you like this.”
The last interesting point Coffey offered to us was centered on insurance. Corporations have insurance to cover for injury cases. Yet, if it’s an intentional act, there is no insurance to cover it, and there is no insurance to cover for punitive damages aimed at a percentage of a company’s wealth.
Moreover, there is the subject of bankruptcy. Everyone knows that if you file bankruptcy, you can discharge some - if not all - of your debt. However, you cannot discharge a judgment for punitive damages with bankruptcy.
“They could be saddled with having to pay that over the course of time or all at once. Then you go to collections. You shut down their office, you take their accounts receivable, you seize their hardware, their desks and chairs, and the keys to the executive washroom or whatever you wanted to take.”
While Ligatt says they are against racism in the InfoSec community, actively calling out alleged instances of it in press releases, they still promote race to make sales.
We reached out to Riley regarding the shirt and the allegations of racism. He didn’t have any actual statement, but he did note that the image was stolen from his website. Emails to Ligatt were not returned by the time this article was published; if we hear from them, we’ll update the story.
Specifically, we asked Evans to comment on racism in the InfoSec community, and explain his public stance against it, while selling a shirt that calls one researcher a racist and another that says "The Best Hackers Are Black."
We also asked how such actions benefit his anti-racism message, and if he was in fact playing both sides of the issue.
Related to the story of Ligatt and racism is the tale of another InfoSec community member, Shalini, who goes by the Twitter persona Ophelia.
She had her own run-in with the race card after a blog post against a Ligatt service prompted a comment hinting that the only reason she posted the article to begin with was to “hate” on Ligatt. The comment concluded with the statement that a “black man can’t do anything without the white man trying to always bring them down.”
In a response to the comment she noted that, “We mock you not because you’re black, Evans, it is because you’re a fraud who makes our industry look bad. The most hilarious part about your comment is that, if you’d done two seconds of research… you’d realize that far from being a ‘white man,’ I’m actually a brown woman.”
If anyone can claim racism and discrimination in an industry, we felt that she would be the one to make a clear case. With that in mind, we spoke to her on the topic.
“In the Infosec community, as is also the case with practically every community, there will be a few sexist and/or racist bad apples, but I see that as a shortcoming of that particular person itself and not a negative aspect of the community. Most people are friendly and willing to share their knowledge and help others in their security career,” she said.
“I think that the Infosec community is mostly made out of really smart people who for the most part don't let petty issues like race and gender get in the way. Despite allegations that claim otherwise, I don't think there is institutionalized racism or sexism in the community, and most certainly no more racism or sexism than any other cross-section of the population - in fact, I'd say that there is a lot more tolerance and open-mindedness in this community.”
After our story ran yesterday, we received a comment from Ligatt’s Cymone Coker. In it, he explained that Gregory Evans was not available, but added that he noticed the “Best Hackers Are Black” shirt.
“There are also shirts on the site that state the same phrase and have a different race included. So therefore I don't believe that Mr. Evans was trying to be raciest [sic], I just believe that whatever your racial preference is, you can find which shirt fits you best,” the comment concluded.
We went back to the site to look for other race related shirts. Our search turned up nothing. There were no “Best Hackers are White”, or “Best Hackers are Blue”, or “Best Hackers are North Pole Elves”, nothing related to race at all. That is, aside from the previously mentioned shirt.
[All items on the clothing site were examined on Dec. 7 2010 -Ed.]
The other points we raised were not addressed by Coker’s response. Specifically, how selling the Chris John Riley shirt and the Best Hackers Are Black shirt is benefiting their stance on the issue of race in the InfoSec community, in addition to the question asking if Ligatt was playing both sides of the race issue.
We figured that would be the end of communications with Ligatt, so we didn’t respond to the email. Considering the previous emails sent to Ligatt were never answered, we were surprised to get Coker’s comments. We were about to let the issue go and post this single update, when we got to thinking.
Shalini, who goes by the Twitter persona Ophelia, was added to this story based on her comments regarding race. What pointed us to her, however, was the issue of a blog post, and a comment it received. In her response to this comment, she posted the following image:
The IP address responsible for the comment, 188.8.131.52, is in the Atlanta area where Ligatt is located. Following our gut, and given our history with IP addresses and email headers, we checked Coker’s response.
The IP address once again matched a post that hints at racism.
This isn’t surprising, considering the history that is there. Still, given the recent defamation against Riley and Ligatt’s claims to fight racism in the InfoSec community while clearly playing the race card to make sales, it is a sad state of affairs.
“We exist without skin color, without nationality, without religious bias...” For those truly part of the InfoSec community, these words hold tremendous meaning, a credo that everyone in InfoSec tries to live by.
Well, not everyone, but those who matter to the community as a whole.