Bugtraq mailing list archives

Re: Can't trust COMODO - An Update


From: Gunter Ollmann <gunter () ngssoftware com>
Date: Mon, 09 May 2005 18:02:00 +0100

Hi List,

An Update on progress with Comodo.

Firstly thanks to all of you who emailed directly with advice and disbelief on the way Comodo plagiarised/copied my work. I could only reply to a few of you at the time because the volume of replies was amazing (it would appear that many of you were disgusted at the audacity of Comodo).

To date it would appear that Comodo have made some progress in removing copies of their "Identity Assurance in a Virtual World" whitepaper from multiple locations on the web and have said that this would be achieved in another week. Unfortunately the same could not be said for receipt of an apology - public or otherwise.

I still fail to see how an international security company that bases their services and offerings on trust and integrity could think they could pull a stunt like that.

I have asked for a public apology, and strongly recommended that they make a similar apology to the security community. A copy of the email to Steve Roylance (and Comodo) is below.

Anyhow, thanks for all the support thus far, and I'll update you all should there be any further progress on this.

Cheers,

Gunter

Email dated: 04/05/05 17:06 London
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Hi Steve,

I have now had a response from my legal advisor concerning your unauthorised inclusion of copyright material from my paper entitled "The Phishing Guide" and publicly released in September 2004.

The offending paper, "Identity Assurance in a Virtual World" appears to be dated 21/02/05 and contains extensive copy/paste sections that have been stolen from my paper. This paper of yours, 'copyright 2005 Comodo Inc.', appears to have been uploaded to multiple Internet whitepaper repositories/sites in addition to the instance hosted on the Comodo www.vengine.com website.

Given the effort and original research that was required to develop "The Phishing Guide" content, I find it offensive and thoroughly unprofessional that you and your organisation would seek to steal this material - not only failing to quote and reference the original source of the material, but carte blanche copy/paste of great sections of the paper.

In our very brief conversation yesterday, you agreed to remove all instances of the offending paper from public Internet areas within the next two weeks. From my perspective this includes all other repositories to which the offending paper has been submitted, and to take corrective actions that prevent it from being posted to any further sites in the future. As stated yesterday, no authorisation has been (or will be) given to incorporate content from my whitepaper(s) into any Comodo whitepaper.

Given the thoroughly unprofessional, unethical and illegal actions taken by Comodo, I expect a full formal - and public - apology. In addition, given the volume of personal responses from the security community that I have already received (ranging from offers to prosecute, existing Comodo clients wishing to express their displeasure, through to advice from Comodo employees), I would like to see you also post an apology to bugtraq () securityfocus com for what Comodo has done and reassure the community that this episode will not be repeated. I see no reason why these apologies cannot be made before the end of this week.

I would also advise you and your company to carefully review the content of any other whitepapers Comodo have produced in the past to ensure that other illegally copied material hasn't also found its way into them - particularly if the same authors have been involved in their publication.

Awaiting your apologies,

Gunter Ollmann
--
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


----- Original Message -----
From: "Gunter Ollmann (NGS)" <gunter () ngssoftware com>
To: <bugtraq () securityfocus com>


Hey List,

For a company that supposedly provides "Anti-fraud protection" and "identity
assurance" - why do they clearly plagiarise someone else's copyright
whitepaper material and present it as their own work?  So much for a
"security company" you can trust.

As many of you are aware, I produced a whitepaper mid-2004 called "The
Phishing Guide" (http://www.ngssoftware.com/papers/NISR-WP-Phishing.pdf)
that covered in detail the phishing threat and reviewed some defences.
It would now appear that COMODO (http://www.comodogroup.com/) in their infinite
wisdom think they can repackage the paper as their own work by calling it
"Identity Assurance in a Virtual World"
(http://www.vengine.com/pdfs/identity_assurance.pdf - dated 21/02/2005).

I can assure you that I never gave permission for their recycling of my
material.  In fact I'd never heard of them until someone researching
Phishing pointed out that COMODO illegally copied my paper.

The paper appears to have been "written" by Steve Roylance - Technical
Marketing Director (and the PDF details also refer to him).

Has anyone on the list had similar experience with them?

What should the next step be?

