Foundstone Shoe On Other Foot 255

Cimmer writes "One of the premier hack shops (to pun or not to pun) gets busted for unethically ethically hacking. After filing a lawsuit against former employee JD Glaser for supposedly jacking company source code, Foundstone gets nailed for massive internal software piracy. Tonight's entree: Foot in Mouth."
  • From the article, it sounds like Kurtz needs a good kick in the butt.
  • by mao che minh ( 611166 ) * on Monday June 09, 2003 @09:56PM (#6157511) Journal
    You have to love it when law and politics gets their claws into the ever-shady business of white hat hacking. These types of cases hit the news every once in a while. I suppose that such risks are part of the game, but what would I know? Up until last month I thought that hacking was a lot like flying through a wire-frame cityscape [slashdot.org].

    I once worked with a terrific cracker (he ended up doing time for hacking into NASA-owned systems at the University of Florida - in fact, I believe that he is still incarcerated). He really knew his shit, especially when it came to invisibly manipulating Cisco equipment and covering his tracks in Unix/Linux/BSD logs. He was also somewhat of a coder. He was kind of scary in a way. It was funny to see how much the entire operation of the IT department changed once we found out how good he really was, and how much the manager started reviewing technology laws. He was on our side, our white hat, and still everyone was immensely wary of him.

    Even though he effortlessly secured three large networks and found glaring problems with our state-wide backbone, he was canned out of fear. He was later found guilty of causing damages to the network after his termination, at the same time he was busted for the NASA fiasco (the FBI had been watching his movements for some time). In hindsight, I can say that our cautious approach towards him was warranted, even though it caused him obvious grief when he was employed with us.

    Hell, he will be making twice my salary at McAfee or something when he gets out of prison anyways, why am I feeling bad for him?

  • This is like a firefighter getting busted for arson, it just doesn't look good.
  • by Graspee_Leemoor ( 302316 ) on Monday June 09, 2003 @10:00PM (#6157533) Homepage Journal
    Corporations who use one legal copy of software to install on all their company machines are doing damage to open-source.

    Think about it: If it were impossible for them to just rip-off Windows, Outlook, Office, Ultraedit etc. they would use Linux, Evolution, OpenOffice, Scite/emacs/vi/whatever, since they obviously don't want to spend any money on software.


    • great explanation (Score:3, Interesting)

      by SHEENmaster ( 581283 )
      of the "Microsoft profits from piracy" idea. Another facet of this is that many of these companies get caught and are forced to pay up.

      A rival computer store in my town has been peddling the same Windows XP key for an entire year. This hurts the business of legitimate sellers who can't compete with the price as well, and it hurts Microsoft's goal of making several hundred dollars from every desktop computer in America. Now I don't know what to believe...
    • they would use Linux, Evolution, OpenOffice, Scite/emacs/vi/whatever

      But doesn't VI do all of those things Evolution, OO and above all "whatever" does? If it's not built in there *must* be a module somewhere :)

    • by mako ( 30489 ) on Monday June 09, 2003 @10:42PM (#6157818)
      Maybe but remember this is a special situation. A security company researching vulnerabilities must have at their disposal a huge quantity of software. Not just the stuff that they personally like to use, but, the stuff everyone else uses. Of course a researcher also often needs multiple versions of the same product. Therefore, it does not surprise me that such a company would commit copyright infringement in order to get some piece of software they will only use for a short time while testing something.

      I was wondering when this issue would raise its ugly head. After all how many amateur bug finders have the bucks to properly license all of the software they test. It seems natural to me that large companies seeking retribution against a leaked 0-day might investigate such a thing.

      • by Graspee_Leemoor ( 302316 ) on Monday June 09, 2003 @10:53PM (#6157872) Homepage Journal
        "A security company researching vulnerabilities must have at their disposal a huge quantity of software."

        Which they can buy with the huge quantity of money they get from clients.

        "...it does not surprise me that such a company would commit copyright infringement in order to get some piece of software they will only use for a short time while testing something."

        If they are testing it for a client they can factor the price of the software into the price they charge the client. If they are just researching it to advance the state of knowledge in the company then they can buy it from company funds.

        "After all how many amateur bug finders have the bucks to properly license all of the software they test"

        These are not amateur bug finders though, they are a "professional" company.

        The bottom line is that nearly every business will do everything they can to maximise PROFIT, even if it means limiting the ability of other people to do the same.

        Remember the 169th rule of acquisition:

        "Competition and fair play are mutually exclusive."


        • "A security company researching vulnerabilities must have at their disposal a huge quantity of software." "Which they can buy with the huge quantity of money they get from clients."

          Well, try to buy Office 4.3 in a way that Microsoft or the BSA accept it. You can't buy it second hand (the EULA says you can't sell it or transfer your right to use it), and Microsoft doesn't sell it anymore.
          • Well, try to buy Office 4.3 in a way that Microsoft or the BSA accept it.

            There's about a dozen shrinkwrapped copies on eBay right now. BuyItNow prices under $10. There may or may not be license issues with these, but it's sure a lot closer to legal than leeching an ISO from Kazaa...

            Or better yet, I guarantee that Microsoft offers support contracts that give access to all previous versions of all MS software products, EXPRESSLY for the purpose of testing.
      • by swb ( 14022 ) on Monday June 09, 2003 @10:58PM (#6157897)
        Even the most rigid places are willing to bend the rules for licensing when it comes to testing.

        Sometimes it's entirely legitimate -- building a new box for some CAD guy; he can't stop working on the application while the box is built and tested, and we can't get the box built and tested without the license. The same has to be true in a zillion different production hardware swapouts. The old box is wiped when the swap is completed, so there's no production use of two copies (although one place I worked had a circular buffer about 90 days long for old hardware, and the old box sat untouched during the days until it got reused, just in case something was missed).

        Sometimes it's somewhat less legitimate, like the support guy that has a whole suite of applications installed on his everyday machine so that he can try to replicate problems from the people that make production use of it. They're not installed/uninstalled/reinstalled to test each problem, since that would take hours, but since they're not used to actually do production work, no one interprets the licensing rules to say that the copies are illegitimate.

        I call that one somewhat less legitimate than the first, which is a legitimate chicken-and-egg problem, because the apps are staying resident on the machine, usable. I personally think it's a fair exception to make, since that test suite of applications isn't making anyone money from its use, and the total usage of a couple of hours per month in a 'test' mode would never pass the finance people's justification for the $10k it would take to buy them.

        And then there's the "backup server" that doesn't even get turned on but to sync configs with the production box once in a while or as a total drop-in replacement when the production server stops being usable.

        I'm sure there's 1001 variations on these kinds of rule-bending, but I've never worked someplace so inflexible that they required new licensing (or at least a 10+ copy slack) to cover legitimate IT maintenance issues. If the SPA nazis aren't going to give us some slack, how can we make their applications usable?
        • If the SPA nazis aren't going to give us some slack, how can we make their applications usable?

          Buy as many copies as the EULA says you have to for the number of computers you install the software on. What? The software costs too much? Well, that's because of piracy. Why do they pirate it? Because it costs too much? They're obviously only driving up prices for the rest of us, the bastards.

          Oh, and that 'free software' (or basically that whole '*nix' thing)? Communism.

    • OK, so what's your take on DRM?

      I picture the ultimate goal of DRM to be computers like Nintendo boxes. Buy software cartridges plug them in and use your limited controls to get stuff done. Hardware to copy and interact is extremely controlled, complex and/or expensive so that most people will just buy the software instead of get the rom readers, burners, etc to copy a cartridge. Sure rich geeks like us may be "free" to do it, but it will be very illegal if it isn't already.

      Let's say we do make computers
      • " OK, so what's your take on DRM?"

        I think DRM for software would be fantastic. I'm all for it- bring it on.

        Once little Johnny next door and big Johnny business realize it's pay for Windows or use linux/*BSD/cowboynealOS/"I don't use an OS, you insensitive clod" then we will see the collapse of Microsoft mindshare and the wide-scale adoption of open-source.

        Unfortunately at the moment the Johnnies of this world probably think that Linux costs money because there is a price tag on that "SuSe Linux Professio
        • Once little Johnny next door and big Johnny business realize it's pay for Windows or use linux/*BSD/cowboynealOS/"I don't use an OS, you insensitive clod" then we will see the collapse of Microsoft mindshare and the wide-scale adoption of open-source.

          Things won't work out this nicely when there are laws (in the US at least) requiring DRM, and making much free software "illegal".
  • by BrynM ( 217883 ) * on Monday June 09, 2003 @10:00PM (#6157535) Homepage Journal
    While picking out pieces of fur-embedded squirrel meat from the treads
    There I was thinking "I'll sit down, eat dinner and read some slashdot". So much for that appetite now... My dog enjoyed the burger though. I love writers that create imagery.
    • at least it's good for the diet.


      P.S. I know people who say "I won't eat anything that has a face.", but I watch Farscape and Star Trek, that leaves out both plants and minerals.
    • Maybe my imagination just sucks from too much TV, but verbal imagery never seems to affect my appetite. I was told that after reading Upton Sinclair's The Jungle [ibiblio.org] I would never want to eat meat again, but as the book vividly described the unsanitary factory conditions, the diseased meat being passed by inspectors, the rancid smell of dead flesh, humans being made into lard after falling into the rendering machine, fingers and rats and whatnot being ground into sausages... all I could think is, "Damn! I reall
    • I think that years of trying to maintain my frag ratio (with gibs flying everywhere), while simultaneously chomping on a cheeseburger or whatever, has permanently fixed my ability to digest food. Come on, like you've never been chewing on a stick of beef jerky whilst simultaneously mousemoving and pumping the railgun trigger - to watch as enemy kibbles and perhaps a head or two come flying past.

      However, those goatse links usually still do fairly poorly for my appetite. It's annoying that the little bugg
  • Winzip (Score:5, Insightful)

    by Anonymous Coward on Monday June 09, 2003 @10:04PM (#6157568)
    How many of you run Winzip without a valid license?
    • Re:Winzip (Score:1, Interesting)

      by exspecto ( 513607 )
      Why in the world would you use winzip when you can get powerarchiver (version 6) [gf.vu.lt] for free? I never understood people who use such a lame shareware program.
    • Re:Winzip (Score:5, Funny)

      by codepunk ( 167897 ) on Monday June 09, 2003 @10:09PM (#6157616)
      hmmm, I usually just type zip in my bash shell and it is just there? I guess, no I don't have a license for Winzip.
    • Re:Winzip (Score:3, Interesting)

      by SCHecklerX ( 229973 )
      When I have to use a windoze box, I use zipcentral [iscool.net]. There is good free software out there for windoze (putty, anyone?), if you care to look.
    • Re:Winzip (Score:3, Interesting)

      by eggstasy ( 458692 )
      Why would anyone use that crappy winzip program when there are so much better ones like WinRAR [rarlabs.com] that are able to compress a lot better [rarlabs.com] and are fully compatible with zip and most other compression formats?
      I haven't had a copy of winzip since the glorious days of windows 3.1, and even then I converted everything to RAR [rarlabs.com], which I've been using since 1994.
      Of course, there are even better programs than RAR in terms of raw compression, but I'm a rabid RAR zealot :^)
      • Apparently, WinACE has better compression, but winrar is faster.
      • Re:Winzip (Score:5, Funny)

        by jpetts ( 208163 ) on Monday June 09, 2003 @10:49PM (#6157850)
        but I'm a rabid RAR zealot :^)

        Rar! Rar! Rar!
      • A funny thing I've found about Winrar. I've found that for the most part for regular legit downloads rar is a no show, i.e. no one uses it. In fact I'm not really sure I've ever downloaded anything legal that is compressed with rar by default.

        Ironically the only place rar files are really widely used is for cracking groups and warez on places like usenet. Rar is really useful to them because of its ability to join and recover multiple compressed files in a set.

        I'm sure there are rar users like yourself who
    • I don't (Score:5, Funny)

      by Eyston ( 462981 ) on Monday June 09, 2003 @10:51PM (#6157858)
      This copy of WinXP Pro I found on the net does it automatically, so there!

    • Re:Winzip (Score:2, Funny)

      by Anonymous Coward
      Why would I do that when I can run WinRAR without a valid license instead?
    • Why bother? Info-zip and WiZ are just as good, as well as being free software. It's also ported to more platforms (more than most other programs).
    • Re:Winzip (Score:3, Insightful)

      Believe it or not I paid for my copy here at home. I guess that makes me a chump in a lot of people's minds; I just thought it was fair since I used it a lot.

      Odd that my former employer - one of the biggest companies in the world - didn't have money to spare for a single license for our office. Never mind that it was installed on probably 50 computers, each of which had a properly licensed copy of WinNT or Win2000. It seemed to me that they only worried about proper licensing when it involved companies

    • Fortunately Mac OS X comes with gzip pre-installed, but for those moments when I insist on a GUI, I use StuffIt [stuffit.com], just for the puerile name it got saddled with. StuffIt (WinZip) where the sun don't shine...
    • http://www.7-zip.org/

      Why use WinZip when 7-Zip is a much better program, and valid licenses are always included. [LGPL]
    • I mostly use FAR from RARlab [rarlab.com], which is a Norton Commander clone for Win32, with archive support built in (virtual file system). Just get the free commandline pkzip.exe and there you go. (Midnight Commander, for *nix and Windows, is in the same vein, slightly less slick.)

      If you just need to expand archives, Aladdin Expander is very nice, and does Mac formats like sit and hqx as well as most PC and Unix ones.

  • so wait, i'm confused.
    we're all happy now that they got busted for piracy(?). they deserve it because they sued some dude who stole their code. but the author says "supposedly" in reference to "jacking company source code". is he implying that no theft occurred, and therefore these guys were suing for no reason, and that's why we're on the side of the BSA for today? or are we just taking a stance against software piracy? or does what go around come around?
    what does "unethically ethically hacking" mean,
    • Quick summary (Score:5, Informative)

      by Anonymous Brave Guy ( 457657 ) on Monday June 09, 2003 @10:17PM (#6157673)

      Read the damn links. Everything you mention is covered, clearly and pretty unambiguously, in the two fairly short articles cited.

      In summary, though, lots of current and ex-employees of Foundstone are backing up claims that the guys at the top had wholesale software piracy going on in-house. This partly came to light as a result of going after another company, started by one former employee and now including several more, that developed a product in the same industry in a time that, according to Foundstone guys, wasn't possible without stealing their vitally important trade secrets. Except that they forgot to say what those secrets were, the other company's product was much smaller scale than the mainstream corporate offering from Foundstone, and most of the info is likely to have been freely available or at least widely known in the business, and not trade secret at all anyway. As a result of this lot, the judge who initially forbade the other company from shipping their product lifted that injunction a month or so later on the basis that there was basically nothing but someone from Foundstone's say-so that anything was wrong.

      Now go read the articles, please.

    • The pun: "premier hack shop"

      Think of "hack" as in "poor skills" such as in "doing a hack job". Related to "hack" meaning to cut or chop inartfully, perhaps to "hack" relating to work horses (as opposed to race horses for example). All these senses of "hack" imply characteristics such as: unskilled, common, or base.

      So the phrase could mean:
      They are excellent at hacking
      OR, they are excellently average.

      Oh yeah, and let's not forget that autoshops which break down stolen cars to sell as parts, are ca
    • It's because it's a "hacker company", and it really hurts the rep of many other companies. It's taken a lot to gain the trust of the corp world for these types of companies, and they just screwed that all up.

      I'm glad none of the people I work with read this, because it would just confirm their fears. It doesn't matter that my company isn't that way, nor ever mentions anything like that. It's that they still feel anyone doing security must be a thief (to know all that about it).
  • by Anonymous Coward

    so what did foundstone have to say? the article doesn't even say they tried to get their side. seems like jd was trying to take the heat off his lawsuit by working the software piracy angle.

    like all of us here register winzip? riiiiight.
  • by johnstein ( 602156 ) on Monday June 09, 2003 @10:09PM (#6157617) Journal
    prudence and suicidal lemmings (or according to the article, misguided squirrels)

    What's worse, giving away the security tool would actually endanger National Security, McClure insisted. "The public would be armed by the potential for misuses of these technologies by hackers and cyberterrorists."

    without reiterating the many articles here on /., I agree that a certain amount of prudence is needed to keep our world "safe and secure from those pesky hackers and virtual terrorists, etc" but come on, there are so many more critical things to worry about.

    and besides, the claim by foundstone that "it was 'simply impossible' to create such a toolkit in that timeframe", doesn't necessarily mean that it couldn't be done.

    I hate even wasting keystrokes on this, but when I read the article, I couldn't help but imagine some corporate bigwig nearly in tears, throwing a tantrum about not getting his way... and when he (McClure) pulled the ole 'terrorist' card, it sealed my opinion. ( woo hoo, like my opinion is worth anything ;) )

    I don't know who is in the clear here, but the whole situation stinks. and I fear it's just going to get worse. oh, and the kicker (IMO),
    No actual evidence was presented, but McClure's arguments were enough for the judge in the case to issue a restraining order blocking Glaser and NTO from releasing Fire and Water.

    perhaps this was prudent, but these days I wouldn't put any money on it. Anymore, I am inclined to believe that there are tons of lemmings/squirrels out there who are determined to try to screw up any little bit of the world which can possibly be screwed up. Although I sound rather pessimistic, I think we will get through this in relatively decent shape, but the road to get there is sure to be a bumpy ride.

    • Unfortunately, the more people that pull the "Terrorist" card for an excuse, the less it will be listened to when it's real. (please note, I'm not right wing or republican) So, when it's real, the media will demand to see the information anyway citing the other jerks who used it as a bluff (including many politicians). Ironically, they are slowly creating a potential threat to national security by watering down the occasional importance of the "terrorist" card.

      By the way, are "terrorist" cards a method of [networkoftheapes.net]

  • Nothing worse than a software company that steals software. How the hell can someone who steals the exact thing they are trying to sell look at themselves in the mirror. Oh yea, I forgot we still have Republicans.

    Hypocrites are such a waste of space.
    • by Anonymous Coward
      The company I work for is a software house that produces a prominent trading package for stockbrokers.

      We're out of compliance on at least the following items:
      - Windows NT
      - Windows 2000
      - Office 97
      - Office 2000
      - Outlook
      - Exceed
      - Solaris 8

      It's more common than you'd think.
    • Amazing (Score:2, Interesting)

      "Oh yea, I forgot we still have Republicans"

      I guess this is how ideologically rabid the left has gotten. Republicans, apparently, have a monopoly on corruption, and Democrats (and/or Greens) a monopoly on sainthood. By the way, did you know that John Kerry served in Vietnam?

      AFAIK, only lefty Democrats think that by cutting taxes, we are "costing the government money". Get it, not collecting taxes is treated as a government expense. As if they have the right to all of your paycheck, but by the grac
      • Cutting taxes does cost the government money (it is income right?).

        I guess you would chip in for your public derived benefit of national defense if we had no taxes.

        Not all Republicans are corrupt and not all Democrats are worth a damn either. I'd say 99% of Republicans are worthless and about 50% of Democrats.

        I guess the $500 Billion dollar deficit isn't an expense? How about bankrupting Social Security, Medicare and the Government in a short 3 years? Fucking pathetic. Oh BTW George Bush has spent more t
    • Funny? Hello, meta-moderation. It's called flamebait.

  • "Squeeze Me Macaroni", by Mr. Bungle

    I wanna lock Betty Crocker in the kitchen
    And knock her upper during supper
    Clutter up her butter gutter
    Hostess Ding Dong wrapped an eggroll around my wong
    While Dolly Madison proceded to ping my pong
    Your Milky Way is M'n'M in your britches
    And I'll tell you Baby Ruth it looks mighty delicious
    Keep blowing my gum, cuz here I come
    I'm gonna get you all sticky with my Bubble Yum

    Knick knack paddywhack and give your dog a bone, baby

    I was givin' some head to some french bread
  • It is weird that a company with multi-millions of dollars would pirate software. I wonder what they spent all those millions on? They should have spent the money on software, and saved their image, rather than saving money and losing chances at future assets, something I'm sure they have done if they truly pirated software.
  • by djupedal ( 584558 ) on Monday June 09, 2003 @10:23PM (#6157705)
    "In some ways the Foundstone tale is a microcosm of the ugly side of the dot-com craze--arrogance, greed, mismanagement, and stupidity."

    The ugly side?

    Spare me 'the pretty side'...I don't want to know...ok, ok..someone tell me about the pretty side of the dot-com craze... Jennifer, in accounting, perhaps? A pale yellow BMW M3 parked on the sand at Pismo Beach? A new pair of oversized Birkenstocks? A shiny new blade server with redundant power supplies and terabytes of fiber-laced storage? Corner office with a wet bar?
  • by Anonymous Coward on Monday June 09, 2003 @10:30PM (#6157741)
    SCO is reportedly suing both companies saying that it was their source to begin with!

  • <SARCASM>It's a good thing that proprietary software companies don't fall prey to those lurking IP encumbrances that plague the Open Source world.</SARCASM>
  • Not Surprising (Score:5, Insightful)

    by j_kenpo ( 571930 ) on Monday June 09, 2003 @10:40PM (#6157802)
    I'm actually very surprised at the reaction to this. How many of you have worked for small to mid-size IT related companies that haven't used unlicensed software of some sort? It's somewhat contradictory for a company to cry theft when they are thieves themselves, but then again, as the old saying goes, there is no honor among thieves. I've worked for a few, and it doesn't surprise me one bit. I'm not in shock or awe by this. And for a company that is one of the foremost authorities on computer security to take part in cracking software isn't far fetched and is happening right now by other companies, whether it's for a proof of concept or for cheating the financial responsibilities. And as far as the accusation that they took the concept of the Extreme Hacking courses for their Ultimate Hacking courses, so what. How many smaller companies were founded by formers of other companies that applied their skills to do their own start-ups? This isn't ground breaking, it's business as usual, even if it's unethical. The only thing is since this article was pressed by Fortune, quite a bit of financial damage will be done to Foundstone, but that's the risk you take when you attack former employees while partaking in unethical practices.
  • by evil_roy ( 241455 ) on Monday June 09, 2003 @10:45PM (#6157832)
    From the articles it would appear that Foundstone preach security and educate corporate clients & toughen their clients' networks. This is done for all the valid security reasons, but is third party licensing protection part of this? No way - it is a different issue.

    This is like saying that they haven't registered their cars - it is an issue, but not one that would affect their business or their abilities.

    I would see some of the moronic management practices that are mentioned in the article as grounds for ceasing business with these clowns, but I cannot see why a client cares less if their consultants use legit licensed software or not. If you are buying software from them, or outsourcing work directly to them then the answer is different, but these guys' IP theft has no bearing on their output, it only affects their profit margin.

    Their risk - their choice - their business.
    • "Foundstone's troubles began last October when the company brought a trade-secrets case against J.D. Glaser, its former director of engineering, accusing him of stealing proprietary code."

      The irony is not what Foundstone does as a company, but what they recently sued an ex-employee for. Basically this is a case of the ol' pot calling the kettle black.
    • I think it is a question of ethics. Maybe ethics is a thing of yesteryear to Slashdotters but a known unethical security company isn't exactly a thing to brush off. If unchecked, it will eventually rear its ugly head, much like the accounting ethics from the dot-com era.
  • Interesting how they say "unauthorized software" instead of "pirated software"
  • by EverDense ( 575518 ) on Monday June 09, 2003 @11:00PM (#6157905) Homepage
    Employees say they were told to download whatever programs they needed by using license keys registered only to McClure or Bahadur. (Legally Foundstone should have paid for each user.)

    This must be the author's "Grand Unified Theory of Software Licensing". A lot of commercial software is actually licensed per-machine or per-processor.
  • by Anonymous Coward on Monday June 09, 2003 @11:00PM (#6157908)
    Found this on Foundstone.com:
    FS Responds to Fortune [foundstone.com]

    To our valued customers, partners, vendors and future customers,
    The current issue of Fortune Magazine contains a lengthy article about Foundstone that significantly misrepresents the way we do business, and wrongly states that Foundstone does not respect intellectual property rights. I am writing to tell you some key facts surrounding this matter, and to correct some of the irresponsible misrepresentations and factual errors in the Fortune story.

    Foundstone rigorously defends its commitment to protect intellectual property rights, and the intellectual property rights of other software makers. To demonstrate Foundstone's commitment to protecting the commercial use of other software, an independent, 3rd party audit was completed on May 2 (more than a month prior to this article). According to Harvey Liss, President of VLSystems, which conducted the independent audit, "The vast majority of the software applications running on the 510 active Foundstone systems were properly licensed. Including operating systems and applications, several hundred software programs are in current use by Foundstone and over 95% were identified as properly licensed. In our experience, having performed numerous software licensing audits, this is among the higher rates for pre-audit compliance." We recognize that for a company whose very foundations are built on protecting intellectual property, anything less than complete compliance is not acceptable. Our aggressive growth is not an excuse for non-compliance. We've taken the necessary steps to identify non-compliance and have immediately applied corrective action through new policies, procedures and education.

    The sources and recent timing of these defamatory statements about Foundstone to Fortune Magazine are not a coincidence. Unfortunately, Foundstone was forced to file a lawsuit against NT Objectives, Inc. because of the misappropriation of trade secrets and our unsuccessful attempts in obtaining key information and a reasonable level of cooperation from NTO. Foundstone recently received some favorable rulings in arbitration that would allow Foundstone full discovery rights to review NTO's code. From the very beginning, NTO has vehemently objected to full discovery, even though they proclaim innocence. This Fortune article is a deliberate attempt to shift focus away from the facts of the case and divert attention to rumor, innuendo, and misinformation.

    Our loyal customers and market standing speak for themselves. While macroeconomic factors are negatively impacting other high-tech firms, Foundstone continues to buck the trend with impressive revenue growth, employee growth (Foundstone's attrition rate is below the industry average), expanded product offerings, and solid financial stability. Foundstone respects the interests of our partners, vendors and associates, and will continue to deliver the highest quality products and services to meet the needs of current and new customers.

    If you have any questions about this article, I invite you to call me or Stuart McClure and we'd be happy to give you the facts.
    • I wonder if that PDF was made with a legit copy of Acrobat.

      • I can't tell.

        However, I can tell you that it was created at 1:03pm on Monday, June 9, 2003, by Robin Whaling, who seems to be a functionary at Foundstone, responsible for such things as the maintenance of security class enrollment and such. Probably an executive assistant.

        I can tell you that the document was probably created on a non-current version of Distiller.

        I can say with some certainty that it wasn't produced with a Macintosh version, and almost certainly was produced on a Windows, rather t
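Reading a PDF's document-information dictionary is the check the comment above performs by hand. The following is an added example, not the commenter's tool and not anything from Foundstone: the sample PDF bytes are constructed, the author, producer and timestamp strings are placeholders, and the parser only handles an uncompressed classic trailer that points at a plain `/Info` object (files with cross-reference streams or encryption need a real PDF library). From a publishing-hygiene standpoint, running this over a document before it goes out shows what it reveals about author, tooling and platform.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a minimal PDF skeleton whose trailer points at an
# /Info dictionary. Every string value below is a placeholder, not data
# taken from any real document.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Producer (Acrobat Distiller 4.05 for Windows)
   /Creator (Microsoft Word 9.0)
   /Author (Example Author)
   /CreationDate (D:20030609130300-07'00') >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

_INFO_REF = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# /Key (literal string); tolerates backslash escapes inside the parentheses
_STRING_ENTRY = re.compile(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)")
# PDF date: D:YYYYMMDDHHmmSS followed by an optional offset such as -07'00'
_PDF_DATE = re.compile(
    r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?"
    r"(?:([+\-Z])(?:(\d{2})'(\d{2})'?)?)?"
)


def _find_object(pdf: bytes, num: int, gen: int):
    """Return the body of 'num gen obj ... endobj', or None if absent."""
    pat = re.compile(rb"(?<!\d)%d\s+%d\s+obj\b(.*?)endobj" % (num, gen), re.S)
    m = pat.search(pdf)
    return m.group(1) if m else None


def extract_info(pdf: bytes) -> dict:
    """Return the /Info dictionary's string entries as {key: value}."""
    ref = _INFO_REF.search(pdf)
    if not ref:
        return {}
    body = _find_object(pdf, int(ref.group(1)), int(ref.group(2)))
    if body is None:
        return {}
    return {k.decode("ascii"): v.decode("latin-1") for k, v in _STRING_ENTRY.findall(body)}


def parse_pdf_date(value: str):
    """Convert a PDF date string to a datetime (tz-aware when an offset is given)."""
    m = _PDF_DATE.match(value)
    if not m:
        return None
    fields = m.groups()
    year, month, day, hour, minute, second = (
        int(g) if g else default
        for g, default in zip(fields[:6], (1, 1, 1, 0, 0, 0))
    )
    dt = datetime(year, month, day, hour, minute, second)
    sign, off_h, off_m = fields[6:9]
    if sign == "Z":
        dt = dt.replace(tzinfo=timezone.utc)
    elif sign in ("+", "-") and off_h:
        delta = timedelta(hours=int(off_h), minutes=int(off_m or 0))
        dt = dt.replace(tzinfo=timezone(-delta if sign == "-" else delta))
    return dt


def platform_hint(info: dict) -> str:
    """Guess the producing platform from the Producer/Creator strings."""
    text = " ".join(info.get(k, "") for k in ("Producer", "Creator"))
    for marker, name in (("Windows", "Windows"), ("Macintosh", "Macintosh"),
                         ("Mac OS", "Macintosh"), ("Linux", "Linux")):
        if marker in text:
            return name
    return "unknown"


def fingerprint(pdf: bytes) -> dict:
    """Summarise what the document-information dictionary reveals."""
    info = extract_info(pdf)
    if not info:
        return {}
    created = parse_pdf_date(info.get("CreationDate", ""))
    return {
        "producer": info.get("Producer", ""),
        "creator": info.get("Creator", ""),
        "author": info.get("Author", ""),
        "created": created.isoformat() if created else "",
        "platform": platform_hint(info),
    }


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_PDF).items():
        print(f"{key:9s} {value}")
```

The platform guess is only as good as the vendor strings in `Producer` and `Creator`; a document whose metadata has been scrubbed returns an empty fingerprint, which is the state you want a public release to be in.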
  • Newton's Third Law? (Score:3, Informative)

    by malia8888 ( 646496 ) on Monday June 09, 2003 @11:03PM (#6157924)
    I scanned the article in Fortune specifically to see what was the first action that made Foundstone's employees turn on him like a wolverine in heat. I was satisfied with this paragraph in answering my question.

    Foundstone's troubles began last October when the company brought a trade-secrets case against J.D. Glaser, its former director of engineering, accusing him of stealing proprietary code.

    This was, in my view, the pivotal point in the downfall of the company. It was Newton's Third Law of Motion in action. Foundstone poked Glaser in the eye, and Glaser poked back. The benches of the opposing teams emptied out on the field for an old-fashioned brawl. This human element in business and history in general has always served as a fascination to me.

    If Foundstone had let Glaser go off and start his company without the eye gouging, would there have been this exposé? I think not. Perhaps the company's small regard for employees would have brought to a head problems brewing within the firm. Lots of companies are not nice to their employees, but I don't think it would be such potent fodder for Fortune magazine.

    • This was, in my view, the pivotal point in the downfall of the company. It was Newton's Third Law of Motion in action. Foundstone poked Glaser in the eye, and Glaser poked back. The benches of the opposing teams emptied out on the field for an old-fashioned brawl. This human element in business and history in general has always served as a fascination to me.

      Let me guess -- you're supposed to be either Q, the Architect, or Satan. The cosplay and fanfic convention is down the hall.

  • Moral of the story (Score:4, Insightful)

    by ramzak2k ( 596734 ) * on Monday June 09, 2003 @11:05PM (#6157934)
    Don't trust your employees. Most of them are good, but all it takes are a few nasty ones to come back and bite your ass.

    Not to sound like I condone their act, but let's face it, every company must be using a few pieces of unlicensed software unless of course they are running entirely on open source software. Say you were running a medium-sized company and you have 210 licenses & recently hired 10 new employees; are you going to immediately purchase the licenses for the 10 others? NO, maybe when you get the next budget approval, but not immediately.

    There are ways to go about this without flagrantly handing over licenses to the employees.

    1. Imaging for any upgrades: Ask your employees to back up their personal files on the network & take their disk for imaging. With a lot of stuff coming preinstalled on the PC, the employee would hardly take the time to look at what is licensed where.
    2. Have a highly trustworthy IT department that does the installations for the staff. This way employees see only the installed APP and not what went into the installation.

    I have respect for this guy Jason Glassberg, Foundstone's former software-consulting guru. From the article, this is what he had to say about the litigation:

    "This is bullshit. We will regret the day we became a litigious company. You realize you have zero support from the rest of the company on this action, don't you?"

    Wonder why he got fired for saying that. Why sue when you know that you are not entirely perfect!?
    • Every company I've worked for buys extra licenses because they know they will be hiring. You know, the whole budget thing. You will at least know you will need a license when you begin the hiring process.
  • by Psarchasm ( 6377 ) on Monday June 09, 2003 @11:28PM (#6158074) Homepage Journal
    The insanity of 'white-hat' security companies will surely come to an end sooner rather than later. Securing the corporate or home network simply isn't that difficult anymore.

    That's not to say that in some way these prepubescent, security Scooby Doos don't have their place. But today, they are simply usurped by competent system and network administrators and the forethought of coders to write code with security in mind.

    Think back to the burgeoning days of online commerce and the cavalier "Internet for everyone!" in the workplace rollouts. Book-wise MCSEs, trench-hardened Oracle/Solaris admins, and street-savvy (but cowboyish) Linux/BSD admins were all the pointy-haireds had to turn to. It was a friggin free-for-all against many up-and-coming businesses as well as some borderline brave industry Goliaths seeking a swim in the piranha-infested Internet soup. Networks and software were regularly blasted through by kids with code they hadn't written themselves. Sometimes it happened due to the poor design of deployed code. Sometimes it happened because the attacks themselves were mini-masterpieces. But whatever the reason, in a space where people could be anonymous supervillains, the will of the Internet (of the people) to communicate persevered. The Internet infrastructure, and the networks attached to it, and the people running them all got a little bit smarter and a lot wiser.

    Tell the guy in the suit you want to sell him a network security auditing tool (or service), because he doesn't have the manpower to do it in house. He may be willing to pay. Tell the manager of a group of coders you want to sell her your competence and third-party viewpoint of the security of their code. She may be willing to pay. Tell me you want to sell me a 250,000 dollar piece of network auditing code, or scan my network from the outside to tell me where my vulnerabilities lie without knowing my network already, or bebop around my 30,000+ user network analyzing a bunch of known signatures and I'll tell you to go back to the drawing board and tell me why your first answer wasn't to invest in a competent enough staff to make you obsolete.

    The wake-up call has already been dialed by the customers at large. The VC money won't last forever. And almost none of you are as cool as you made yourselves out to be. I suppose in the end it will be just as amusing to watch you tear at each other in a corporate environment with lawyers and press releases as it was to watch you tear at each other r00ts and mailing-list posts.
    • so... (Score:3, Funny)

      by MrBlack ( 104657 )
      what's your IP address exactly?
  • by mabu ( 178417 ) on Monday June 09, 2003 @11:41PM (#6158137)
    A reliable source claims that SCO is looking into legal action against Foundstone for infringement of their patent on Irony.
  • by akad0nric0 ( 398141 ) on Tuesday June 10, 2003 @12:18AM (#6158303)
    This does not bode well for the industry as a whole. Think about how many companies share Foundstone's silhouette - young company, killer app, grows fast from nothing - like netForensics, ISS, et al.

    In my experience as a security analyst, the industry is chock-full o' great products that large companies hesitate to invest in because they're not IBM, Symantec, or the like. Giving 6 digits of cash to a company that could conceivably go under in a year is a hard sell on my boss's boss (who signs the contracts) - and with good reason. As a result, we're left with awesome support for products that aren't always the best (IBM), or worse yet, crappy products with no support from a big company (CA).

    By doing this, Foundstone has hurt a good chunk of the industry holding some great products, and by association (albeit to a lesser extent) hurt end-users of security apps like me.
  • This company had tried to market an ext2fs undelete tool to the computer forensics market. I looked through the binary and found several references to lib ext2 (they left all debugging symbols in so I could see exactly what files they had compiled and linked). The ext2 library is GPL and not LGPL, so therefore their program should have been GPL. When we told them about it, they just wrote back and basically said "we aren't violating anything". A short while later the tool disappeared from the market. Food for thought.
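The kind of check the comment above describes, as an added example that is neither the commenter's procedure nor any vendor's code: a strings(1)-style scan over a constructed byte blob (not a real ELF file) that sorts what it finds into linked shared-object names, symbols with a given prefix, embedded source paths and compiler banners, which is the residue that debugging symbols and the dynamic section leave in a shipped build. The `ext2fs_` prefix, the file paths and the `WATCHLIST` entries are assumptions standing in for an organisation's own licence inventory. On a real binary you would reach for `strings`, `nm -D`, `readelf -p .comment` and `ldd`; the point here is that a release build can be audited for third-party code and leaked build paths before it ships, not only after someone else does it for you.

```python
import re

# Constructed byte blob standing in for a shipped binary. It is NOT a valid
# ELF file; it only mimics the NUL-separated strings that the dynamic
# section, symbol table and DWARF debug info leave behind in a real one.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\x00libc.so.6\x00libext2fs.so.2\x00libcom_err.so.2\x00"
    + b"\x00ext2fs_open\x00ext2fs_read_inode\x00ext2fs_block_iterate\x00"
    + b"\x00/build/undel/src/undelete.c\x00/build/undel/src/scan.c\x00"
    + b"\x00GCC: (GNU) 2.95.3\x00"
    + bytes(range(32)) * 4
)

# Hypothetical licence-review policy: library base names your organisation
# wants a human to look at whenever they turn up in a release build.
WATCHLIST = {"libext2fs": "copyleft-review"}

_SO_NAME = re.compile(r"^lib[\w.+-]+\.so(?:\.\d+)*$")
_SOURCE_FILE = re.compile(r"^(?:[\w./+-]*/)?[\w+-]+\.(?:c|cc|cpp|h)$")


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Return printable-ASCII runs of at least min_len bytes, like strings(1)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def find_library_evidence(blob: bytes, symbol_prefixes=()) -> dict:
    """Sort the strings in a binary into the categories a licence or leak
    review cares about: linked shared objects, symbols from a library of
    interest, embedded source paths, and compiler banners."""
    found = {"shared_objects": [], "symbols": [], "source_files": [], "toolchain": []}
    for s in extract_strings(blob):
        if _SO_NAME.match(s):
            found["shared_objects"].append(s)
        elif _SOURCE_FILE.match(s):
            found["source_files"].append(s)
        elif any(s.startswith(p) for p in symbol_prefixes):
            found["symbols"].append(s)
        elif s.startswith("GCC: "):
            found["toolchain"].append(s)
    return found


def flag_watchlist(evidence: dict, watchlist: dict) -> dict:
    """Map each linked shared object whose base name is on the watchlist to
    the review tag the policy assigns it."""
    flagged = {}
    for so in evidence["shared_objects"]:
        base = so.split(".so")[0]
        if base in watchlist:
            flagged[so] = watchlist[base]
    return flagged


if __name__ == "__main__":
    ev = find_library_evidence(SAMPLE_BINARY, symbol_prefixes=("ext2fs_",))
    for category, items in ev.items():
        print(f"{category}: {items}")
    print("flagged:", flag_watchlist(ev, WATCHLIST))
```

Source paths such as the constructed `/build/undel/src/...` entries are the part most teams forget: they come from debug info rather than from linking, and stripping the release build (`strip`, or building without `-g`) removes them while leaving the dynamic-section library names, which a licence review still has to account for.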
  • The reply to Kurtz was covered in an internal memo [internalmemos.com] over at FC.

  • THE RULE IS: (Score:5, Insightful)

    by clambake ( 37702 ) on Tuesday June 10, 2003 @03:06AM (#6158909) Homepage
    Don't piss people off. No matter how much you think you are right, and how much you think they deserve it. Just don't do it. Would Foundstone have lost its reputation and been charged with so much piracy if they had just let this guy go, shrugged it off and gotten on with their lives?

    No, nothing would have happened.

    The worst thing would have been that, even if this guy really did steal code, they would have a tiny new competitor with no name recognition and no clients. Just another dot-com waiting to fall flat on its face...

    If you go out of your way to not be an asshole, even to people who richly deserve it, you'll find that your life is significantly more trouble-free. Maybe you don't get that two-second moment of childlike glee when you "stick it to them", but then again, is that worth possibly losing the entire company for? Foundstone thinks it is, but I disagree.
  • by Jerk City Troll ( 661616 ) on Tuesday June 10, 2003 @08:50AM (#6159827) Homepage
    It took almost no effort to find the counterpoints on Foundstone's website. Funny the editors didn't stumble upon it as easily as I did. Why not try and get the facts straight [foundstone.com]? From the PDF, for those too lazy to read:
    According to Harvey Liss, President of VLSystems, which conducted the independent audit, "The vast majority of the software applications running on the 510 active Foundstone systems were properly licensed. Including operating systems and applications, several hundred software programs are currently in use by Foundstone and over 95% were identified as properly licensed. In our experience, having performed numerous software licensing audits, this is among the higher rates for pre-audit compliance."
    For being such a small shop, Foundstone appears to do pretty well in this department.

    Now, a pressing question is what about this is even newsworthy? Slashdot is now helping rake a shop through the mud even though software piracy runs rampant in most businesses (especially those in the tech industry)? Are we now going to be subjected to stories like "company X accused of software piracy" where "company X" is any random org? Yes, "company X" probably has some pirated software floating around, but that doesn't mean they should get a slot on the front page. Besides, since when does the /. rally to accuse people of "intellectual property" violations when the political beat here is that IP is bullshit (which it is, but that's another argument)?
