Steven Lentz, CISSP, maintained a blogger account on CISSP.com, a site that bills itself as:
CISSP.com and all related web sites are an effort by Mr. Afifi to help promote the CISSP Certification, share knowledge and communication amongst certified information system security professionals and to help information security professionals who are seeking to become CISSPs.
Mr. Lentz has taken at least two articles from infosecisland.com, both written by Scot Terban, and posted them in full on his CISSP.com blog. In each case, the article was posted without giving any attribution to Terban or InfosecIsland. Worse, both articles were only designated as "Posted by: Steven Lentz", giving the impression that he was the author.
When Lentz copied "Strutting and Fretting Upon the Security Stage: The Players", he did not look at the links or notice that the first one pointed back to 'Part 1' of the article on InfosecIsland. This followed the first time he copied an article in full, "Strutting and Fretting Upon the Security Stage: Intro", without attribution. In a third case, Lentz copied Terban's article "Anonymous: Insidiae, Psychologia, Et Liber Pericula" in full for his CISSP.com blog. It was posted without credit to Terban or a link to InfosecIsland. When Terban sent e-mail to CISSP.com complaining and asking for the article to be removed completely, Lentz added "The correct credit for this article should go to Scot Terban not me. I did not give the credit when originally posted posted. [sic]", added a "Contributed by" Scot Terban and removed part of the article. This attempt to give credit to Terban without removing the content demonstrates Lentz' lack of knowledge of copyright and ethical shortcoming to obtain permission before using the material. Terban never contributed his article to Lentz or CISSP.com.
Any claim of not understanding copyright or 'accident' are also easily dismissed, as every single article on InfosecIsland ends with "Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use."
After the copyright violation, Terban wrote another blog post summarizing the incident. The summary was also posted to InfosecIsland which prompted many comments.
In comments to Terban's article outlining the copyright violations (arguably plagiarism), Lentz defended himself several times:
I am sorry about this. When I copied the text to share I inadvertently did not copy all the text. Also my bad for not double checking. If there are credits I add to the post. But again this was an accident.
I would like to also add that I post this content because the site has good information that should be shared. But as you point out with the correct credits. I will ensure I have the correct credits going forward. It is not my intent to plagiarism. Again I am sorry for the bad posting on my part.
Terban replied to these two comments reminding Lentz "Once is an accident, three times is a pattern of behavior." As Terban notes, it is difficult to believe that he would fail to copy "all the text", which really means just the byline, three times in a row.
I have not been careful in my posts. I just wanted to share info with others. I have stated I will be more careful for all future postings and ensure to give the proper credit.
agreed, I will just use links to the articles from now on. My bad for the complete posts without proper credit and permission. Again I am truly sorry to all who I have offended in these actions of mine.
At this point, Jamie Adams discovers and notes that Lentz had copied an article of his as well. Adams comments:
Mr. Lentz: You've also plagiarized MY article "Red Hat 5 STIG: Network Settings" -- which I spent a lot of time reviewing, correlating, and verifying kernel settings.
I wonder how many more have been "scraped."
I've put my trust into the Infosec Island folks... not you.
Anthony Freed, from InfosecIsland, had been in contact with CISSP.com regarding the repeated use of their material without permission. Andrew Afifi quickly took action by removing not only the offending content, but removing Lentz' entire blogger account on the site. Afifi commented on the article:
On behalf of CISSP.com and the CISSPs community I would like to extend my personal apologies to you as authors, colleagues and security professionals regarding this incident. This incident is against our CISSP.COM publishing policy and the CISSP code of ethics and common professional protocols specially in information security.
I became aware of this today after I was contacted by Anthony Freed and Mike and we have deleted Steve's account on CISSP.com and we are removing all of his contents as it violates our policies and our ethics code. We are reviewing other users submitted contents to ensure its compliance and we are removing contents and will do what need to be done to protect author's writes. I hope you all accept our apologies. I assure you that these contents will be removed and that we will conduct an immediate review of user submitted contents and we will remove any contents that doesn't give credit to its original author or a link to where it came from. You all are free to contact me directly if you believe that your rights have been violated.
Andrew A. Afifi, M.Sc. Network Security, CISSP, PCI-QSA, CCSE, ACFE
Managing Director and Founder - CISSP.com
At this point, Lentz has been found to have taken four articles in full, stripped out the byline to remove credit, and posted them on his blog. No reasonable excuse can be provided for this as it demonstrates serial copyright violation on the part of Lentz. Despite that, he goes on to comment further:
In my own defense, have I learned a lesson from this? Of course I have. Am I claiming responsibility? Yes. I have apologized on the Infosec and CISSP.com sites. I even reported myself to ISC2 by sending them a message of my misconduct. Am I out to claim accolades for myself? No. I have admitted to this unlike many other people do not and I am ashamed and humiliated by my actions. I have apologized several times for offending anyone for my actions. I have been dropped from the CISSP.com site even after admitting in a blog on that site what I did was wrong. I am now awaiting judgment from the ISC2. So when does the witch-hunting end? What kind of example are we setting when someone owns up to the mistake and apologizes versus a person that intentionally does this and does not try to make amends? Did anyone try contacting me prior to this and say you are plagiarizing my article so I could correct? No. If it was malicious on my part I would not care but I do. I responded right away when I found out and accepted responsibility and apologized. Humans make mistakes and hopefully learn from them, I sure have from this one. Again I am sorry to the CISSP community and ask for forgiveness. I will definitely pay more attention to my actions.
Lentz' attempt to call this "witch-hunting" is a non sequitur. This isn't a case of trying to assign blame to someone based on appearance or simply through desire to punish someone. This is punishing someone that consistently violated copyright in a manner that suggests it was willful.