From: xlopkov at eml.cc (xlopkov@....cc)
Subject: The Two Faces of Foundstone

> Outlook folder called Tools, available to everyone on staff. Employees
> say they were told to download whatever programs they needed by using
> license keys registered only to McClure or Bahadur. (Legally Foundstone
> should have paid for each user.) The unauthorized software ranged in
> value from $35 to $15,000 per user and included everything from Acrobat
> to X-WinPro.

An off-topic question: $15k for one user license. Can anyone give me an
example of something? I'm just curious. Thanks.

On Tue, 10 Jun 2003 07:23:34 -0700, dhtml@...h.com said:

> http://www.fortune.com/fortune/technology/articles/0,15114,457276,00.html
>
> COMPUTER SECURITY
> The Two Faces of Foundstone
> A leading computer-security company is accused of software piracy.
> FORTUNE
> Monday, June 9, 2003
> By Richard Behar
>
> George Kurtz may be his own worst enemy. In just four years Kurtz, CEO
> of Foundstone, and Stuart McClure, its president, created one of the
> best-known U.S. computer-security companies by exposing the
> vulnerabilities of software firms. Thousands of FORTUNE 500 executives
> and government officials--from the FBI and the National Security Agency
> to the Army, the Federal Reserve, and even the White House--have taken
> Foundstone's Ultimate Hacking courses, at up to $4,000 per person.
> Motorola and Bank of America have shelled out more than $300,000 each
> for Foundstone products, and the company recently installed software to
> protect the FAA.
>
> But it doesn't take the skills of a hacker to see that Foundstone, a
> privately owned $20-million-a-year company in Mission Viejo, Calif.,
> is in trouble. It has been accused of widespread software piracy by a
> leading industry trade group, FORTUNE has learned--charges corroborated
> by current and former Foundstone employees and by computer printouts
> obtained by the magazine.
>
> The trade group, the Software & Information Industry Association,
> informed Kurtz by letter in May that it intended to pursue
> copyright-infringement charges against Foundstone. It acted after a
> confidential source alleged that McClure and Gary Bahadur, Foundstone's
> chief information officer, routinely spread unlicensed software to the
> company's 125-member workforce; that Kurtz was aware of that practice;
> and that in early April the CEO ordered his staff to delete unlicensed
> software from their computers. "They're gambling with their
> reputation," says Keith Kupferschmid, head of the association's
> antipiracy unit, which investigated and found the allegations credible.
> "That's not a smart thing to do."
>
> Kurtz vehemently denies the company engaged in piracy. "We have strict
> policies against piracy," he says. "We take intellectual property very
> seriously, given that we are a software company." He adds that
> Foundstone conducted an internal audit in April, "and we're in
> compliance."
>
> The evidence suggests otherwise. For years, according to former
> employees, top executives at Foundstone dumped a seemingly endless
> supply of the latest software onto a company server called Zeus and
> into a Microsoft Outlook folder called Tools, available to everyone on
> staff. Employees say they were told to download whatever programs they
> needed by using license keys registered only to McClure or Bahadur.
> (Legally Foundstone should have paid for each user.) The unauthorized
> software ranged in value from $35 to $15,000 per user and included
> everything from Acrobat to X-WinPro.
>
> "They've stolen pretty much everything when it comes to software," says
> a founding employee who asked not to be named. The company even cracked
> Microsoft's operating system, Windows XP, says Dan Kuykendall, a former
> Foundstone software engineer, "so you could install it on multiple
> computers without any problems." The founding employee estimates that
> only 5% of the software used at Foundstone was paid for. (Foundstone's
> lawyers say that only 5% was unlicensed and that the company has spent
> more than $1.5 million on software.) Foundstone also trained thousands
> of corporate and government security personnel on software that it
> duplicated in ways that avoided triggering license fees, according to
> Kurt Weiss, a training coordinator until last year, who says it was
> part of his job to copy software packages onto the drives of 40 laptops
> per class.
>
> The use of unlicensed software is a global problem--estimates of lost
> revenues range up to $13 billion a year--but it's rare among companies
> whose business is safeguarding intellectual property. "We happen not
> to have any experience with other security-software companies' doing
> that," says William Plante, chief investigator at Symantec, a
> Foundstone competitor. "Especially for a software company interested in
> protecting its own copyrighted material. If true, it's pretty
> unconscionable."
>
> One software package available on Foundstone's server was Teleport Pro,
> an offline browser program made by Tennyson Maxwell Information
> Systems. Only Bahadur had a license, says Michael Del Monte, Tennyson's
> top developer. "That's a no-no," he says. "Companies are pretty
> responsible about purchasing licenses for everybody who's going to be
> using the software. You would think that as a security company, they'd
> be more careful about that kind of thing." Another software package,
> UltraEdit, was in Foundstone's Tools folder in violation of its
> one-user license, the manufacturer says.
>
> In some ways the Foundstone tale is a microcosm of the ugly side of the
> dot-com craze--arrogance, greed, mismanagement, and stupidity. But
> those are indulgences the computer-security industry can no longer
> afford. The market for its services has gotten tougher. While large
> firms such as IBM, EDS, and Symantec still dominate, the midsized
> players--including Foundstone, @Stake, and Guardent--are duking it out
> for business.
>
> Foundstone's troubles began last October when the company brought a
> trade-secrets case against J.D. Glaser, its former director of
> engineering, accusing him of stealing proprietary code. Glaser had left
> Foundstone in May to reactivate his old company, NT Objectives. After
> ten staffers followed him, Foundstone got a temporary restraining order
> barring Glaser from marketing his software. But a judge declined to
> grant an injunction, saying that Foundstone had not identified the
> trade secret and was unlikely to prevail on the merits.
>
> In most industries such a dispute would have been routine. But the
> computer-security industry prides itself on being an open-source
> community that shares innovations. That much is clear from Kurtz and
> McClure's bestselling book, Hacking Exposed, perhaps the most detailed
> account ever written of how to hack--and defend--popular computer
> networks and software.
>
> Things quickly went from bad to worse. Soon after the case was filed,
> Jason Glassberg, Foundstone's software-consulting guru and its key
> contact with Microsoft, the company's largest client, sent an e-mail to
> Kurtz. "This is bullshit," he wrote. "We will regret the day we became
> a litigious company. You realize you have zero support from the rest of
> the company on this action, don't you?"
>
> Kurtz promptly fired Glassberg, who was immediately offered work by
> Microsoft. The software giant then yanked its Foundstone business,
> which had accounted for about a quarter of the company's revenue. More
> staff defections followed. "Most of the people I know who work at
> Foundstone are looking for jobs elsewhere," says Jeff Moss, who runs
> the BlackHat computer-security conferences.
>
> Despite losing its bid for an injunction against Glaser, Foundstone is
> still pursuing the case in arbitration--a decision that sparked the
> piracy allegations, which will now make the case even more difficult to
> win. "How can you have a trade secret when your product was built on
> software that didn't belong to you?" asks Glaser. Saumil Shah, a former
> Foundstone employee and a highly regarded technical expert, says Kurtz,
> McClure, and Bahadur were involved: "There is absolutely no denying
> that they committed piracy. They did that knowingly and in huge
> volume."
>
> In March, Foundstone asked an arbitration judge to seal evidence of
> software piracy presented by Glaser. The company said it would preserve
> its records. But in early April, Kurtz called a staff meeting. "Don't
> do anything with your software," Kurtz says he told his employees. Then
> he made his next move clear: "If there's anything that's not in
> compliance, we'll get it addressed. We get the license, or we delete
> it." Foundstone lawyers say some software has since been deleted from
> the company's servers, but maintain that anything deleted would still
> be on backup tapes.
>
> It will be harder to delete Foundstone's tarnished reputation.
> Ex-employees are piling on, telling FORTUNE that Kurtz and McClure took
> credit for other people's work and created an unusually harsh office
> environment. (There are even allegations that Foundstone's Ultimate
> Hacking classes were a ripoff of the Extreme Hacking classes its
> founders ran at Ernst & Young in the 1990s.) In doing so, they are
> shedding light on a bunch of executives who seem to have believed their
> press clips--Fast Company recently named Kurtz one of its 50 champions
> of innovation--and somehow got lost along the way.