Security firm fights racism in InfoSec while apparently profiting from it
by Steve Ragan – Dec 6 2010, 15:47
In the IT world, despite the majority of practitioners ignoring it, a person’s race or sex can sometimes come into play. However, within IT, the InfoSec community cares little for such things. This is why the previous claims and recent actions taken by Ligatt Security have raised eyebrows.
In June, The Tech Herald interviewed Ligatt CEO Gregory Evans about racism in the InfoSec world, after he claimed that a well-known researcher, Chris John Riley, made racist remarks via Skype.
Riley had messaged Evans on Skype, in order to arrange an interview for the Eurotrash podcast. Evans explained to him that he discovered Riley’s apparent connection to an online identity linked to detrimental comments about Ligatt, and canceled the interview. Shortly after the cancelation, Evans said he received a message containing racial slurs.
“When the Skype message that came back from Chris, Chris stated, and I’ll paraphrase it because I don’t have it in front of me right now, ‘I wasn’t going to really put a fake nigger hacker…’, or some word like that, and this is the part that made me go ahead and say you know what, I’m fed up with everybody writing this verbiage and calling me a nigger,” Evans told us via phone this summer.
The history between Riley and Ligatt is a long one. It starts with a report that their CEO Gregory Evans plagiarized his book, taking a life of its own after overt threats were made against Riley on his blog that were later linked to Ligatt on several levels. Our previous coverage on this can be seen here and here.
Earlier this month, Errata reported on an item being sold via Litt’s HackerGearOnline website, noting that they were profiting from defamation. The item is seen below. The image is of Chris John Riley.
Is this defamation?
“Under the definition, it’s a knowingly false statement made with intent to probably damage this individual. To the extent that it causes him damage or injury, that’s the question. Is it published widely enough? Do people take this commentary seriously, so that it damages his reputation, causes financial hardship, or mental anguish,” explained Sam Coffey, Esq., a partner with Coffey Trial Law in Florida.
If Riley is able to get a job in the InfoSec community, but the terms are less favorable because of the defamation, it’s still actionable. For example, if he was able to get 85 to 95 percent of the value of a given contract compared to what he used to command, he may have the ability to recover a percentage of what he could have gotten.
“Calculating those intangible damages may be very difficult to do. You’d have to look at the value of the name before and the value of the name afterwards, or get some sort of informed position statement on how this has impacted his reputation in the community on a go forward basis,” Coffey added.
Defamation cases require clear and convincing evidence. If this went to trial, the burden of proof would be on Ligatt, as they would have to show that Riley is indeed a racist. All Riley would need to do is show a jury that his reputation was damaged intentionally with a statement that was well and truly false.
So assuming Riley moved forward with legal actions, and met this standard of evidence, what could he stand to gain?
There are two different types of damages that could be recovered, Coffey explained to us. Once is for compensatory damages. These damages make up for the loss of good will, economic damages, and so on. If these are intentionally bad acts though, he may be entitled to punitive damages, which are based on the percentage of the net worth of the defendants.
“That’s where these cases get a little more interesting. It’s where a large corporation through its officers or directors defames somebody, or where they condone their hourly employees to do something that’s defamatory. Where they can expose themselves to a responsibility to compensate somebody for punitive damages, and that can be a much larger recovery in a case like this,” Coffey said.
“It’s not simple negligence. They didn’t make a mistake and publish this. They went out there intentionally to try and hurt this guy’s reputation. I mean, you and I are talking because they went out there to do an intentionally bad thing here…These are people doing something maliciously to try and hurt [Riley]. If you’re going to say something like this and put it on a tee-shirt, you sure hope that it’s true and accurate I would think.”
He mentioned that the shirt was some damning evidence, and would make a great exhibit in court. So if this were his case, what would Coffey do?
“My strategy would be to file my complaint, allege my allegations, get them to file an answer, move for leave to amend my complaint to allege punitive damages, [and] the court should grant it in a case like this. It seems like this is an intentionally malicious statement,” he explained.
“The hallmark words are willful, wanton, and reckless disregard for the life, safety, health of an individual. I think publishing something like this is willful, wanton, and reckless. That’s the hallmark for punitive damages. The second tier is going to be can you show that a corporate officer or director condoned this or engaged in this. That’s going to be factual.”
So if Ligatt’s CEO authorized the printing of these tee-shirts, and the company is making a lot of money, Riley can go after them. If Ligatt is not a company with a lot of money, Riley can still find out how much money they’re making off of tee-shirt sales and ask for that in his claim for damages.
“Your closing argument in a case like this is they’ve made a half-a-million dollars or a hundred thousand dollars in tee-shirt sales, intentionally damaging my client. They should be punished five times their profits off of this particular undertaking…”
In June, Ligatt said that HackerGearOnline has “become an international sensation”, adding that it “has been generating revenue since day one of the website launch.”
In November, Ligatt published a wire release announcing that the site had become “…the worlds [sic] largest clothing line for hackers.” The wire went on to quote Gregory Evans stating that HackerGearOnline would “generate over 33% of LIGATT Security sales” by the end of this 2010.
We mentioned this to Coffey, and speculated that the revenue statement is where someone would look for damages, assuming that 33% is true. He corrected us by stating that he’d go beyond that.
“What I’d say is, they’ve driven more traffic to their site, and they’re using this as a marketing vehicle. Not only are they profiting off of the sale of the tee-shirt…, but on top of that they’re getting traffic out of this, and business out of this. So I’d look at all these profits. I’d do a complete audit of the company’s financials. I’d get their tax returns, I’d want all of their books, that’s what a corporation doesn’t like, especially a private corporation.”
Public corporations need to disclose their financials to their shareholders. Private corporations need to report to the IRS and their lenders, but that’s about it, he explained.
“Once you start doing these bad things and you put this out in the public, people don’t like to share their tax returns very much. Its pay to play, if you’re going to do this to somebody, be prepared they’re going to come back at you like this.”
The last interesting point Coffey offered to us was centered on insurance. Corporations have insurance to cover for injury cases. Yet, if it’s an intentional act, there is no insurance to cover it, and there is no insurance to cover for punitive damages aimed at a percentage of a company’s wealth.
Moreover there is the subject of bankruptcy. Everyone knows that if you file bankruptcy, you can discharge some – if not all – of your debit. However, you cannot discharge a judgment for punitive damages with bankruptcy.
“They could be saddled with having to pay that over the course of time or all at once. Then you go to collections. You shutdown their office, you take their accounts receivable, you seize their hardware, their desks and chairs, and the keys to the executive washroom or whatever you wanted to take.”
While Ligatt says they are against racism in the InfoSec community, actively calling out alleged instances of it in press releases, they still promote race to make sales.