lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: dhtml at hush.com (dhtml@...h.com)
Subject: The Two Faces of Foundstone

http://www.fortune.com/fortune/technology/articles/0,15114,457276,00.html

COMPUTER SECURITY
The Two Faces of Foundstone
A leading computer-security company is accused of software piracy.
FORTUNE
Monday, June 9, 2003 
By Richard Behar 


George Kurtz may be his own worst enemy. In just four years Kurtz, CEO
of Foundstone, and Stuart McClure, its president, created one of the
best-known U.S. computer-security companies by exposing the vulnerabilities
of software firms. Thousands of FORTUNE 500 executives and government
officials--from the FBI and the National Security Agency to the Army,
 the Federal Reserve, and even the White House--have taken Foundstone's
Ultimate Hacking courses, at up to $4,000 per person. Motorola and Bank
of America have shelled out more than $300,000 each for Foundstone products,
 and the company recently installed software to protect the FAA. 

But it doesn't take the skills of a hacker to see that Foundstone, a
privately owned $20-million-a-year company in Mission Viejo, Calif.,
is in trouble. It has been accused of widespread software piracy by a
leading industry trade group, FORTUNE has learned--charges corroborated
by current and former Foundstone employees and by computer printouts
obtained by the magazine. 

The trade group, the Software & Information Industry Association, informed
Kurtz by letter in May that it intended to pursue copyright-infringement
charges against Foundstone. It acted after a confidential source alleged
that McClure and Gary Bahadur, Foundstone's chief information officer,
 routinely spread unlicensed software to the company's 125-member workforce;
that Kurtz was aware of that practice; and that in early April the CEO
ordered his staff to delete unlicensed software from their computers.
"They're gambling with their reputation," says Keith Kupferschmid, head
of the association's antipiracy unit, which investigated and found the
allegations credible. "That's not a smart thing to do." 

Kurtz vehemently denies the company engaged in piracy. "We have strict
policies against piracy," he says. "We take intellectual property very
seriously, given that we are a software company." He adds that Foundstone
conducted an internal audit in April, "and we're in compliance." 

The evidence suggests otherwise. For years, according to former employees,
 top executives at Foundstone dumped a seemingly endless supply of the
latest software onto a company server called Zeus and into a Microsoft
Outlook folder called Tools, available to everyone on staff. Employees
say they were told to download whatever programs they needed by using
license keys registered only to McClure or Bahadur. (Legally Foundstone
should have paid for each user.) The unauthorized software ranged in
value from $35 to $15,000 per user and included everything from Acrobat
to X-WinPro. 

"They've stolen pretty much everything when it comes to software," says
a founding employee who asked not to be named. The company even cracked
Microsoft's operating system, Windows XP, says Dan Kuykendall, a former
Foundstone software engineer, "so you could install it on multiple computers
without any problems." The founding employee estimates that only 5% of
the software used at Foundstone was paid for. (Foundstone's lawyers say
that only 5% was unlicensed and that the company has spent more than
$1.5 million on software.) Foundstone also trained thousands of corporate
and government security personnel on software that it duplicated in ways
that avoided triggering license fees, according to Kurt Weiss, a training
coordinator until last year, who says it was part of his job to copy
software packages onto the drives of 40 laptops per class. 

The use of unlicensed software is a global problem--estimates of lost
revenues range up to $13 billion a year--but it's rare among companies
whose business is safeguarding intellectual property. "We happen not
to have any experience with other security-software companies' doing
that," says William Plante, chief investigator at Symantec, a Foundstone
competitor. "Especially for a software company interested in protecting
its own copyrighted material. If true, it's pretty unconscionable." 

One software package available on Foundstone's server was Teleport Pro,
 an offline browser program made by Tennyson Maxwell Information Systems.
Only Bahadur had a license, says Michael Del Monte, Tennyson's top developer.
"That's a no-no," he says. "Companies are pretty responsible about purchasing
licenses for everybody who's going to be using the software. You would
think that as a security company, they'd be more careful about that kind
of thing." Another software package, UltraEdit, was in Foundstone's Tools
folder in violation of its one-user license, the manufacturer says. 

In some ways the Foundstone tale is a microcosm of the ugly side of the
dot-com craze--arrogance, greed, mismanagement, and stupidity. But those
are indulgences the computer-security industry can no longer afford.
The market for its services has gotten tougher. While large firms such
as IBM, EDS, and Symantec still dominate, the midsized players--including
Foundstone, @Stake, and Guardent--are duking it out for business. 

Foundstone's troubles began last October when the company brought a trade-
secrets case against J.D. Glaser, its former director of engineering,
 accusing him of stealing proprietary code. Glaser had left Foundstone
in May to reactivate his old company, NT Objectives. After ten staffers
followed him, Foundstone got a temporary restraining order barring Glaser
from marketing his software. But a judge declined to grant an injunction,
 saying that Foundstone had not identified the trade secret and was unlikely
to prevail on the merits. 

In most industries such a dispute would have been routine. But the computer-
security industry prides itself on being an open-source community that
shares innovations. That much is clear from Kurtz and McClure's bestselling
book, Hacking Exposed, perhaps the most detailed account ever written
of how to hack--and defend--popular computer networks and software. 

Things quickly went from bad to worse. Soon after the case was filed,
 Jason Glassberg, Foundstone's software-consulting guru and its key contact
with Microsoft, the company's largest client, sent an e-mail to Kurtz.
"This is bullshit," he wrote. "We will regret the day we became a litigious
company. You realize you have zero support from the rest of the company
on this action, don't you?" 

Kurtz promptly fired Glassberg, who was immediately offered work by Microsoft.
The software giant then yanked its Foundstone business, which had accounted
for about a quarter of the company's revenue. More staff defections followed.
"Most of the people I know who work at Foundstone are looking for jobs
elsewhere," says Jeff Moss, who runs the BlackHat computer-security conferences.


Despite losing its bid for an injunction against Glaser, Foundstone is
still pursuing the case in arbitration--a decision that sparked the piracy
allegations, which will now make the case even more difficult to win.
"How can you have a trade secret when your product was built on software
that didn't belong to you?" asks Glaser. Saumil Shah, a former Foundstone
employee and a highly regarded technical expert, says Kurtz, McClure,
 and Bahadur were involved: "There is absolutely no denying that they
committed piracy. They did that knowingly and in huge volume." 

In March, Foundstone asked an arbitration judge to seal evidence of software
piracy presented by Glaser. The company said it would preserve its records.
But in early April, Kurtz called a staff meeting. "Don't do anything
with your software," Kurtz says he told his employees. Then he made his
next move clear: "If there's anything that's not in compliance, we'll
get it addressed. We get the license, or we delete it." Foundstone lawyers
say some software has since been deleted from the company's servers,
but maintain that anything deleted would still be on backup tapes. 

It will be harder to delete Foundstone's tarnished reputation. Ex-employees
are piling on, telling FORTUNE that Kurtz and McClure took credit for
other people's work and created an unusually harsh office environment.
(There are even allegations that Foundstone's Ultimate Hacking classes
were a ripoff of the Extreme Hacking classes its founders ran at Ernst
& Young in the 1990s.) In doing so, they are shedding light on a bunch
of executives who seem to have believed their press clips--Fast Company
recently named Kurtz one of its 50 champions of innovation--and somehow
got lost along the way. 


.





Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ