Message-ID: <005701c32f7b$f136d010$45a8a8c0@01010101a>
From: nick at ethicsdesign.com (Nick Jacobsen)
Subject: The Two Faces of Foundstone
Heh... this is pretty funny. Back in 2001, I attended NetSec '01 in New
Orleans, and Foundstone had a booth there. They were challenging people to
break into one of their WinNT boxes that was on site, and when I did so, I
noticed a cracked copy of L0phtCrack, as well as the program used to crack
it... I asked one of the employees in the booth about it, and he got this
*stupid* look on his face and said that they had lost the reg code, so they
just cracked the program... *right*... god, some companies can be funny.
Nick J,
----- Original Message -----
From: <dhtml@...h.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Tuesday, June 10, 2003 7:23 AM
Subject: [Full-Disclosure] The Two Faces of Foundstone
>
> http://www.fortune.com/fortune/technology/articles/0,15114,457276,00.html
>
> COMPUTER SECURITY
> The Two Faces of Foundstone
> A leading computer-security company is accused of software piracy.
> FORTUNE
> Monday, June 9, 2003
> By Richard Behar
>
>
> George Kurtz may be his own worst enemy. In just four years Kurtz, CEO
> of Foundstone, and Stuart McClure, its president, created one of the
> best-known U.S. computer-security companies by exposing the vulnerabilities
> of software firms. Thousands of FORTUNE 500 executives and government
> officials--from the FBI and the National Security Agency to the Army,
> the Federal Reserve, and even the White House--have taken Foundstone's
> Ultimate Hacking courses, at up to $4,000 per person. Motorola and Bank
> of America have shelled out more than $300,000 each for Foundstone products,
> and the company recently installed software to protect the FAA.
>
> But it doesn't take the skills of a hacker to see that Foundstone, a
> privately owned $20-million-a-year company in Mission Viejo, Calif.,
> is in trouble. It has been accused of widespread software piracy by a
> leading industry trade group, FORTUNE has learned--charges corroborated
> by current and former Foundstone employees and by computer printouts
> obtained by the magazine.
>
> The trade group, the Software & Information Industry Association, informed
> Kurtz by letter in May that it intended to pursue copyright-infringement
> charges against Foundstone. It acted after a confidential source alleged
> that McClure and Gary Bahadur, Foundstone's chief information officer,
> routinely spread unlicensed software to the company's 125-member workforce;
> that Kurtz was aware of that practice; and that in early April the CEO
> ordered his staff to delete unlicensed software from their computers.
> "They're gambling with their reputation," says Keith Kupferschmid, head
> of the association's antipiracy unit, which investigated and found the
> allegations credible. "That's not a smart thing to do."
>
> Kurtz vehemently denies the company engaged in piracy. "We have strict
> policies against piracy," he says. "We take intellectual property very
> seriously, given that we are a software company." He adds that Foundstone
> conducted an internal audit in April, "and we're in compliance."
>
> The evidence suggests otherwise. For years, according to former employees,
> top executives at Foundstone dumped a seemingly endless supply of the
> latest software onto a company server called Zeus and into a Microsoft
> Outlook folder called Tools, available to everyone on staff. Employees
> say they were told to download whatever programs they needed by using
> license keys registered only to McClure or Bahadur. (Legally Foundstone
> should have paid for each user.) The unauthorized software ranged in
> value from $35 to $15,000 per user and included everything from Acrobat
> to X-WinPro.
>
> "They've stolen pretty much everything when it comes to software," says
> a founding employee who asked not to be named. The company even cracked
> Microsoft's operating system, Windows XP, says Dan Kuykendall, a former
> Foundstone software engineer, "so you could install it on multiple computers
> without any problems." The founding employee estimates that only 5% of
> the software used at Foundstone was paid for. (Foundstone's lawyers say
> that only 5% was unlicensed and that the company has spent more than
> $1.5 million on software.) Foundstone also trained thousands of corporate
> and government security personnel on software that it duplicated in ways
> that avoided triggering license fees, according to Kurt Weiss, a training
> coordinator until last year, who says it was part of his job to copy
> software packages onto the drives of 40 laptops per class.
>
> The use of unlicensed software is a global problem--estimates of lost
> revenues range up to $13 billion a year--but it's rare among companies
> whose business is safeguarding intellectual property. "We happen not
> to have any experience with other security-software companies' doing
> that," says William Plante, chief investigator at Symantec, a Foundstone
> competitor. "Especially for a software company interested in protecting
> its own copyrighted material. If true, it's pretty unconscionable."
>
> One software package available on Foundstone's server was Teleport Pro,
> an offline browser program made by Tennyson Maxwell Information Systems.
> Only Bahadur had a license, says Michael Del Monte, Tennyson's top developer.
> "That's a no-no," he says. "Companies are pretty responsible about purchasing
> licenses for everybody who's going to be using the software. You would
> think that as a security company, they'd be more careful about that kind
> of thing." Another software package, UltraEdit, was in Foundstone's Tools
> folder in violation of its one-user license, the manufacturer says.
>
> In some ways the Foundstone tale is a microcosm of the ugly side of the
> dot-com craze--arrogance, greed, mismanagement, and stupidity. But those
> are indulgences the computer-security industry can no longer afford.
> The market for its services has gotten tougher. While large firms such
> as IBM, EDS, and Symantec still dominate, the midsized players--including
> Foundstone, @Stake, and Guardent--are duking it out for business.
>
> Foundstone's troubles began last October when the company brought a trade-
> secrets case against J.D. Glaser, its former director of engineering,
> accusing him of stealing proprietary code. Glaser had left Foundstone
> in May to reactivate his old company, NT Objectives. After ten staffers
> followed him, Foundstone got a temporary restraining order barring Glaser
> from marketing his software. But a judge declined to grant an injunction,
> saying that Foundstone had not identified the trade secret and was unlikely
> to prevail on the merits.
>
> In most industries such a dispute would have been routine. But the computer-
> security industry prides itself on being an open-source community that
> shares innovations. That much is clear from Kurtz and McClure's bestselling
> book, Hacking Exposed, perhaps the most detailed account ever written
> of how to hack--and defend--popular computer networks and software.
>
> Things quickly went from bad to worse. Soon after the case was filed,
> Jason Glassberg, Foundstone's software-consulting guru and its key contact
> with Microsoft, the company's largest client, sent an e-mail to Kurtz.
> "This is bullshit," he wrote. "We will regret the day we became a
litigious
> company. You realize you have zero support from the rest of the company
> on this action, don't you?"
>
> Kurtz promptly fired Glassberg, who was immediately offered work by Microsoft.
> The software giant then yanked its Foundstone business, which had accounted
> for about a quarter of the company's revenue. More staff defections followed.
> "Most of the people I know who work at Foundstone are looking for jobs
> elsewhere," says Jeff Moss, who runs the BlackHat computer-security conferences.
>
>
> Despite losing its bid for an injunction against Glaser, Foundstone is
> still pursuing the case in arbitration--a decision that sparked the piracy
> allegations, which will now make the case even more difficult to win.
> "How can you have a trade secret when your product was built on software
> that didn't belong to you?" asks Glaser. Saumil Shah, a former Foundstone
> employee and a highly regarded technical expert, says Kurtz, McClure,
> and Bahadur were involved: "There is absolutely no denying that they
> committed piracy. They did that knowingly and in huge volume."
>
> In March, Foundstone asked an arbitration judge to seal evidence of software
> piracy presented by Glaser. The company said it would preserve its records.
> But in early April, Kurtz called a staff meeting. "Don't do anything
> with your software," Kurtz says he told his employees. Then he made his
> next move clear: "If there's anything that's not in compliance, we'll
> get it addressed. We get the license, or we delete it." Foundstone lawyers
> say some software has since been deleted from the company's servers,
> but maintain that anything deleted would still be on backup tapes.
>
> It will be harder to delete Foundstone's tarnished reputation. Ex-employees
> are piling on, telling FORTUNE that Kurtz and McClure took credit for
> other people's work and created an unusually harsh office environment.
> (There are even allegations that Foundstone's Ultimate Hacking classes
> were a ripoff of the Extreme Hacking classes its founders ran at Ernst
> & Young in the 1990s.) In doing so, they are shedding light on a bunch
> of executives who seem to have believed their press clips--Fast Company
> recently named Kurtz one of its 50 champions of innovation--and somehow
> got lost along the way.