[ISN] The Two Faces of Foundstone

From: InfoSec News (isnat_private)
Date: Mon Jun 09 2003 - 22:18:56 PDT

    Forwarded from: Alan Smithee <nobodyat_private>
    
    http://www.fortune.com/fortune/technology/articles/0,15114,457276,00.htm
    
    By Richard Behar 
    rbeharat_private
    Monday, June 9, 2003 
    FORTUNE
    
    In the Jun. 23, 2003 Issue...
    
    George Kurtz may be his own worst enemy. In just four years Kurtz, CEO
    of Foundstone, and Stuart McClure, its president, created one of the
    best-known U.S. computer-security companies by exposing the
    vulnerabilities of software firms. Thousands of FORTUNE 500 executives
    and government officials--from the FBI and the National Security
    Agency to the Army, the Federal Reserve, and even the White
    House--have taken Foundstone's Ultimate Hacking courses, at up to
    $4,000 per person. Motorola and Bank of America have shelled out more
    than $300,000 each for Foundstone products, and the company recently
    installed software to protect the FAA.
    
    But it doesn't take the skills of a hacker to see that Foundstone, a
    privately owned $20-million-a-year company in Mission Viejo, Calif.,
    is in trouble. It has been accused of widespread software piracy by a
    leading industry trade group, FORTUNE has learned--charges
    corroborated by current and former Foundstone employees and by
    computer printouts obtained by the magazine.
    
    The trade group, the Software & Information Industry Association,
    informed Kurtz by letter in May that it intended to pursue
    copyright-infringement charges against Foundstone. It acted after a
    confidential source alleged that McClure and Gary Bahadur,
    Foundstone's chief information officer, routinely spread unlicensed
    software to the company's 125-member workforce; that Kurtz was aware
    of that practice; and that in early April the CEO ordered his staff to
    delete unlicensed software from their computers. "They're gambling
    with their reputation," says Keith Kupferschmid, head of the
    association's antipiracy unit, which investigated and found the
    allegations credible. "That's not a smart thing to do."
    
    Kurtz vehemently denies the company engaged in piracy. "We have strict
    policies against piracy," he says. "We take intellectual property very
    seriously, given that we are a software company." He adds that
    Foundstone conducted an internal audit in April, "and we're in
    compliance."
    
    The evidence suggests otherwise. For years, according to former
    employees, top executives at Foundstone dumped a seemingly endless
    supply of the latest software onto a company server called Zeus and
    into a Microsoft Outlook folder called Tools, available to everyone on
    staff. Employees say they were told to download whatever programs they
    needed by using license keys registered only to McClure or Bahadur.
    (Legally Foundstone should have paid for each user.) The unauthorized
    software ranged in value from $35 to $15,000 per user and included
    everything from Acrobat to X-WinPro.
    
    "They've stolen pretty much everything when it comes to software,"
    says a founding employee who asked not to be named. The company even
    cracked Microsoft's operating system, Windows XP, says Dan Kuykendall,
    a former Foundstone software engineer, "so you could install it on
    multiple computers without any problems." The founding employee
    estimates that only 5% of the software used at Foundstone was paid
    for. (Foundstone's lawyers say that only 5% was unlicensed and that
    the company has spent more than $1.5 million on software.) Foundstone
    also trained thousands of corporate and government security personnel
    on software that it duplicated in ways that avoided triggering license
    fees, according to Kurt Weiss, a training coordinator until last year,
    who says it was part of his job to copy software packages onto the
    drives of 40 laptops per class.
    
    The use of unlicensed software is a global problem--estimates of lost
    revenues range up to $13 billion a year--but it's rare among companies
    whose business is safeguarding intellectual property. "We happen not
    to have any experience with other security-software companies' doing
    that," says William Plante, chief investigator at Symantec, a
    Foundstone competitor. "Especially for a software company interested
    in protecting its own copyrighted material. If true, it's pretty
    unconscionable."
    
    One software package available on Foundstone's server was Teleport
    Pro, an offline browser program made by Tennyson Maxwell Information
    Systems. Only Bahadur had a license, says Michael Del Monte,
    Tennyson's top developer. "That's a no-no," he says. "Companies are
    pretty responsible about purchasing licenses for everybody who's going
    to be using the software. You would think that as a security company,
    they'd be more careful about that kind of thing." Another software
    package, UltraEdit, was in Foundstone's Tools folder in violation of
    its one-user license, the manufacturer says.
    
    In some ways the Foundstone tale is a microcosm of the ugly side of
    the dot-com craze--arrogance, greed, mismanagement, and stupidity. But
    those are indulgences the computer-security industry can no longer
    afford. The market for its services has gotten tougher. While large
    firms such as IBM, EDS, and Symantec still dominate, the midsized
    players--including Foundstone, @Stake, and Guardent--are duking it out
    for business.
    
    Foundstone's troubles began last October when the company brought a
    trade-secrets case against J.D. Glaser, its former director of
    engineering, accusing him of stealing proprietary code. Glaser had
    left Foundstone in May to reactivate his old company, NT Objectives.
    After ten staffers followed him, Foundstone got a temporary
    restraining order barring Glaser from marketing his software. But a
    judge declined to grant an injunction, saying that Foundstone had not
    identified the trade secret and was unlikely to prevail on the merits.
    
    In most industries such a dispute would have been routine. But the
    computer-security industry prides itself on being an open-source
    community that shares innovations. That much is clear from Kurtz and
    McClure's bestselling book, Hacking Exposed, perhaps the most detailed
    account ever written of how to hack--and defend--popular computer
    networks and software.
    
    Things quickly went from bad to worse. Soon after the case was filed,
    Jason Glassberg, Foundstone's software-consulting guru and its key
    contact with Microsoft, the company's largest client, sent an e-mail
    to Kurtz. "This is bullshit," he wrote. "We will regret the day we
    became a litigious company. You realize you have zero support from the
    rest of the company on this action, don't you?"
    
    Kurtz promptly fired Glassberg, who was immediately offered work by
    Microsoft. The software giant then yanked its Foundstone business,
    which had accounted for about a quarter of the company's revenue. More
    staff defections followed. "Most of the people I know who work at
    Foundstone are looking for jobs elsewhere," says Jeff Moss, who runs
    the BlackHat computer-security conferences.
    
    Despite losing its bid for an injunction against Glaser, Foundstone is
    still pursuing the case in arbitration--a decision that sparked the
    piracy allegations, which will now make the case even more difficult
    to win. "How can you have a trade secret when your product was built
    on software that didn't belong to you?" asks Glaser. Saumil Shah, a
    former Foundstone employee and a highly regarded technical expert,
    says Kurtz, McClure, and Bahadur were involved: "There is absolutely
    no denying that they committed piracy. They did that knowingly and in
    huge volume."
    
    In March, Foundstone asked an arbitration judge to seal evidence of
    software piracy presented by Glaser. The company said it would
    preserve its records. But in early April, Kurtz called a staff
    meeting. "Don't do anything with your software," Kurtz says he told
    his employees. Then he made his next move clear: "If there's anything
    that's not in compliance, we'll get it addressed. We get the license,
    or we delete it." Foundstone lawyers say some software has since been
    deleted from the company's servers, but maintain that anything deleted
    would still be on backup tapes.
    
    It will be harder to delete Foundstone's tarnished reputation.
    Ex-employees are piling on, telling FORTUNE that Kurtz and McClure
    took credit for other people's work and created an unusually harsh
    office environment. (There are even allegations that Foundstone's
    Ultimate Hacking classes were a ripoff of the Extreme Hacking classes
    its founders ran at Ernst & Young in the 1990s.) In doing so, they are
    shedding light on a bunch of executives who seem to have believed
    their press clips--Fast Company recently named Kurtz one of its 50
    champions of innovation--and somehow got lost along the way.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.