Well, I have a new post and not the IPv6 one I had planned to start this new year. I found it surprising to come back from a break accused of plagiarizing material in one of my books.
It is surprising for a couple reasons:
- I am strongly opposed to the unauthorized and unattributed use of others’ works.
- I use Turn-it-in AND have a subscription to Grammarly (which includes plagiarism checks).
Having used these services now for six (6) years, I found the accusations surprising. That said, I will go through each section one by one. This will of course take time and I will offer the supporting evidence this week as I progress through it.
What I have done is missed the attributions for a total of under three pages of a 750-page book. The reasons are not excuses, but are offered below.
Mostly, I have self-plagiarized a few sections of what I have created as far back as the 90’s and which has been re-used since. Not all of this material is easy to find in a Google search, but I will add the originals of this material.
I will start with the areas I missed and did not attribute well. That is first the IT Security Cookbook by Sean Boran.
The section I used was from notes from a course I took in 2002. I did not reference this correctly and the notes I have are clearly copied. I am surprised that neither Turnitin nor Grammarly noted this. This I missed badly despite using these products.
The section “Identifying Vulnerabilities” (a one-page list on pages 286-287) should have been referenced. I missed this as well (as did the checking software).
I cannot excuse this but will say it was time constraints that led to it being missed. A shame in more ways than one as a whole set of pages were dropped that did reference that paper. The chapter was cut short and ended not having an entire section (one I think was necessary) on testing. For this, I offer my apologies to the authors of the paper as I dropped any reference to them and this was a paper that should have been linked (and was at one stage).
This was originally chapter 15 but was merged with another to make chapter 11 without much of the material (and some referencing). I am good at writing voluminous amounts, but I am not good at editing my work down to a smaller size. When the page count was already at 750 and the deadline was approaching, I should have checked the editing more thoroughly, but losing pages and hence footnotes and references is not my strong point.
When writing a book with time constraints, it is possible to miss many things. This is why I use these services and why I was surprised I have missed a reference. This was inexcusable; the others are less of an issue and will be addressed below.
Page 13 has a section taken from COSO. This could have been referenced better, but it is referenced. The text from page 13 of the book states the following:
The Committee of Sponsoring Organizations of the Treadway Commission [COSO] defines an Internal Control as follows:
Internal control is a process, affected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories
So yes, I have taken material from COSO. I also referenced it. I saw no need and in fact a detriment in not using the material from COSO as this is the Gold Standard for Internal Auditing. This is what referencing is for, to show where we have sourced material.
Page 16 and pages 46-47 come down to a standard refrain used and spoken by auditors the world over. I have not seen nor even sighted “Ethics in Quality” by Mundel.
I should have stated that the original source is unknown as it is definitely not something that only dates to 1991. These statements on objectivity and ethics have been a professional refrain for at least 50 years now. It is something that has been used by the IIA, ICA and more for as long as they have been professional bodies. I could have written what I did and added a reference to the end after searching (I do this sometimes), but I do see it as silly adding a reference for the sake of adding a reference.
If I write something and it is a common definition, then I am writing it. I do not remember nor reference each and everything I have learned nor do I seek references having written something.
Having worked in an audit firm for years, the previous matter was something I spouted without reference much to the consternation of others. So, it was not referenced, but no, I also have never seen the site of the supposed match. I can (as with the IIA site) find many others that are equally close to my definition here.
The same also applies to page 27.
I have not read nor still seen a copy of Sawyer's Internal Auditing: The Practice of Modern Internal Auditing by Lawrence B. Sawyer. So I cannot say what is and is not close.
What I can say is that these are common refrains drilled into Internal Auditors. I have read and re-read the same for years and having worked for an audit firm, it was not something I needed a reference source to write. Yes, there will be some similarities, these are common terms and definitions and I did not need to use a source to have these definitions. I suspect many dictionaries have both similar and differing definitions. Yet this does not make them plagiarized.
If anything and had I referenced this, it would have been the following as this is a paper I have read many times and in detail to the point I can quote some sections verbatim:
The Professional Practices Framework, IIA; 20 Questions Directors Should Ask About Internal Audit by Fraser and Lindsay; ECIIA Position Paper on Internal Auditing in Europe; and Practice Advisories 1000-1, 1100-1, 1110-1, 1120-1.
Page 37 is one that should have been picked up by Turnitin. It was written as it was as I had memorized it. I had not noted the source as CERT as I did not obtain it from there. I had studied for my GSE-Compliance the year before and I knew this rote as it was at that time.
I read and re-read the definition of many terms over and over in 2007 in preparation for my SANS GSE exam. By the end of it, I could state many things word for word. This was a remnant that slipped through. I am sure that others also existed, but they should have been picked up using Turnitin. I am not happy that this, nor even some of the other services used (such as Eve) did not note this.
That stated, as similar to the CERT definition as this is, it was not actually copied.
It is also possible to “mine” for text and ensure that you match something another has also written.
Now… some things I have written and found used against me. I hate the notion of self-referencing, but I have actually started doing this. One reason is that it is becoming necessary to defend oneself.
This applies to the accusations in the following pages which will be addressed individually:
First page 50.
There are two parts to this, the Wiki one and that from IBM.
First to the Wiki page I have to note that using Wiki as an authoritative source is a means to getting into trouble.
The original source of the Wiki section was the BCP policy document written for Mikael Michau at the Australian Stock Exchange Ltd in 1996/1997. This was way back, but like many of the documents I created back then, it was re-used and distributed widely. I have not seen Mikael for more than a decade, but I did enjoy my time back then at the ASX.
Like many consultants, this was not the end of the document and with modifications, it became a part of the policy and procedures for News Ltd here in Australia when I issued a copy to Nick Rishbeth and I will admit I even added some of this to policies I helped create for Vodafone.
So, did I copy this? Well yes, from myself. Have others also copied it? Copiously, since it was first written in late 1996. The first draft of the Wiki article to include this was published on 17 Jan 2005. DeMorgan was no more at that stage, so it is difficult to see how a document I will show as a DeMorgan template could be construed as not being the original over a Wiki post.
Back in the 90’s I contracted to IBM. They have rights to use any of the material they paid me for in any format. The other sites using this do not.
I was a contractor for a short time with them (that is IBM, and subcontracting through DeMorgan). The document that Wiki has taken some material from is actually an IBM sales and template document I helped create. The BCP section is mine. This template has been used by several consulting firms and has evolved into what I have seen as the “BCP Master Plan” used by a number of organizations.
I will download, scan and display some of the old DeMorgan material later in the week. A waste of time, but it offers proof that this was the original source.
Now to page 61. Here I have self plagiarized some earlier work that has been around a long time. This was in part taken from policy work I completed for a firm I started and ran for a time, DeMorgan. This policy was written and that segment was used for the following organizations (as well as others) that engaged me (between 1997 and 2002):
- HREOC (Human Rights and Equal Opportunities Commission)
- ASX (Australian Stock Exchange)
- Dept. Treasury
- Several Credit Unions
- Mahindra and Mahindra
Some of the policy documents have been loaded to Auditnet.org. They were loaded around 2002, so I have no idea how current the versions there are.
Again, I will waste time showing that the origins of these were my time at DeMorgan.
Page 110, again… materials issued to IBM were allowed to be used by IBM… but they are still a part of what I created. The RBAC points date to 1999 with the ASX yet again.
Next, pages 110-111 (Bell-LaPadula).
ACTUALLY… the source is way wrong. There is a reason this is “some text”. We have EACH taken from Bell (one of the creators of the model). I did reference this on page 108, but also needed to ensure that more footnotes existed later to stop confusion. The text was taken from old class notes.
These have bounced around since the late 80’s, but I have NO idea which class I actually got this page from any more. I have seen it used in several Universities as a handout. It is DIRECTLY based on the paper by Bell but the person to first summarize this is anonymous now. It dates back to at least 1989 and being that there was no web, there is no way to trace it I can see.
Page 545 came from a longer document I also self plagiarized. It was first created in 2006 for selected clients of BDO. It was updated in late 2007 for Microsoft. So yes, this was copied, from myself. I do not see small sections of self-copied text as an issue personally. When entire documents are resubmitted or at least large sections thereof, well that is another issue.
It could be argued that I have not attributed the source where I leant this material. That is true, it was SANS. I could have stated that on each page nearly from the start.
Page 541 was badly referenced not plagiarized.
I contacted several people to get permission for using material in the book. RSnake was very good as were the people at FWBuilder and other sites. It was noted that I used material from CGISecurity and Ha.Ckers.org, just badly.
I will dig up and link copies of emails and permission forms that I have received for this section. Each party was sent a copy of what I was doing and only RSnake at Ha.Ckers.org corresponded to any extent about the materials (and nobody noted the missing attribution for their material at the time).
So I did miss the XSS reference to CGISecurity, but so did RSnake. I had contacted Robert Hansen regarding the use of the material as I stated and did send a chapter for review. I was given permission. I still have this and will link the permission received for this later this week. So yes, my referencing was not up to scratch on this section, but Robert did not ping me for it before publication.
So in a 750-page book with over 2,000 included reference sources, I have missed three and also self-plagiarized. I still think self referencing really sux. I do not like doing it, but I am seeing that it is necessary for reasons I did not think of.
I will continue with the following pages tomorrow.
I will add more later, but there is also work to be done. I will load copies of some of the early documents later in the week as I have an opportunity. I still maintain the original emails and submitted documents, so I will load these.