Followup to this article below.

http://www.fortune.com/fortune/technology/articles/0,15114,457276,00.htm

By Richard Behar
[EMAIL PROTECTED]
Monday, June 9, 2003
FORTUNE

In the Jun. 23, 2003 Issue...

George Kurtz may be his own worst enemy. In just four years Kurtz, CEO
of Foundstone, and Stuart McClure, its president, created one of the
best-known U.S. computer-security companies by exposing the
vulnerabilities of software firms. Thousands of FORTUNE 500 executives
and government officials--from the FBI and the National Security
Agency to the Army, the Federal Reserve, and even the White
House--have taken Foundstone's Ultimate Hacking courses, at up to
$4,000 per person. Motorola and Bank of America have shelled out more
than $300,000 each for Foundstone products, and the company recently
installed software to protect the FAA.

But it doesn't take the skills of a hacker to see that Foundstone, a
privately owned $20-million-a-year company in Mission Viejo, Calif.,
is in trouble. It has been accused of widespread software piracy by a
leading industry trade group, FORTUNE has learned--charges
corroborated by current and former Foundstone employees and by
computer printouts obtained by the magazine.

The trade group, the Software & Information Industry Association,
informed Kurtz by letter in May that it intended to pursue
copyright-infringement charges against Foundstone. It acted after a
confidential source alleged that McClure and Gary Bahadur,
Foundstone's chief information officer, routinely spread unlicensed
software to the company's 125-member workforce; that Kurtz was aware
of that practice; and that in early April the CEO ordered his staff to
delete unlicensed software from their computers. "They're gambling
with their reputation," says Keith Kupferschmid, head of the
association's antipiracy unit, which investigated and found the
allegations credible. "That's not a smart thing to do."

Kurtz vehemently denies the company engaged in piracy. "We have strict
policies against piracy," he says. "We take intellectual property very
seriously, given that we are a software company." He adds that
Foundstone conducted an internal audit in April, "and we're in
compliance."

The evidence suggests otherwise. For years, according to former
employees, top executives at Foundstone dumped a seemingly endless
supply of the latest software onto a company server called Zeus and
into a Microsoft Outlook folder called Tools, available to everyone on
staff. Employees say they were told to download whatever programs they
needed by using license keys registered only to McClure or Bahadur.
(Legally Foundstone should have paid for each user.) The unauthorized
software ranged in value from $35 to $15,000 per user and included
everything from Acrobat to X-WinPro.

"They've stolen pretty much everything when it comes to software,"
says a founding employee who asked not to be named. The company even
cracked Microsoft's operating system, Windows XP, says Dan Kuykendall,
a former Foundstone software engineer, "so you could install it on
multiple computers without any problems." The founding employee
estimates that only 5% of the software used at Foundstone was paid
for. (Foundstone's lawyers say that only 5% was unlicensed and that
the company has spent more than $1.5 million on software.) Foundstone
also trained thousands of corporate and government security personnel
on software that it duplicated in ways that avoided triggering license
fees, according to Kurt Weiss, a training coordinator until last year,
who says it was part of his job to copy software packages onto the
drives of 40 laptops per class.

The use of unlicensed software is a global problem--estimates of lost
revenues range up to $13 billion a year--but it's rare among companies
whose business is safeguarding intellectual property. "We happen not
to have any experience with other security-software companies' doing
that," says William Plante, chief investigator at Symantec, a
Foundstone competitor. "Especially for a software company interested
in protecting its own copyrighted material. If true, it's pretty
unconscionable."

One software package available on Foundstone's server was Teleport
Pro, an offline browser program made by Tennyson Maxwell Information
Systems. Only Bahadur had a license, says Michael Del Monte,
Tennyson's top developer. "That's a no-no," he says. "Companies are
pretty responsible about purchasing licenses for everybody who's going
to be using the software. You would think that as a security company,
they'd be more careful about that kind of thing." Another software
package, UltraEdit, was in Foundstone's Tools folder in violation of
its one-user license, the manufacturer says.

In some ways the Foundstone tale is a microcosm of the ugly side of
the dot-com craze--arrogance, greed, mismanagement, and stupidity. But
those are indulgences the computer-security industry can no longer
afford. The market for its services has gotten tougher. While large
firms such as IBM, EDS, and Symantec still dominate, the midsized
players--including Foundstone, @Stake, and Guardent--are duking it out
for business.

Foundstone's troubles began last October when the company brought a
trade-secrets case against J.D. Glaser, its former director of
engineering, accusing him of stealing proprietary code. Glaser had
left Foundstone in May to reactivate his old company, NT Objectives.
After ten staffers followed him, Foundstone got a temporary
restraining order barring Glaser from marketing his software. But a
judge declined to grant an injunction, saying that Foundstone had not
identified the trade secret and was unlikely to prevail on the merits.

In most industries such a dispute would have been routine. But the
computer-security industry prides itself on being an open-source
community that shares innovations. That much is clear from Kurtz and
McClure's bestselling book, Hacking Exposed, perhaps the most detailed
account ever written of how to hack--and defend--popular computer
networks and software.

Things quickly went from bad to worse. Soon after the case was filed,
Jason Glassberg, Foundstone's software-consulting guru and its key
contact with Microsoft, the company's largest client, sent an e-mail
to Kurtz. "This is bullshit," he wrote. "We will regret the day we
became a litigious company. You realize you have zero support from the
rest of the company on this action, don't you?"

Kurtz promptly fired Glassberg, who was immediately offered work by
Microsoft. The software giant then yanked its Foundstone business,
which had accounted for about a quarter of the company's revenue. More
staff defections followed. "Most of the people I know who work at
Foundstone are looking for jobs elsewhere," says Jeff Moss, who runs
the BlackHat computer-security conferences.

Despite losing its bid for an injunction against Glaser, Foundstone is
still pursuing the case in arbitration--a decision that sparked the
piracy allegations, which will now make the case even more difficult
to win. "How can you have a trade secret when your product was built
on software that didn't belong to you?" asks Glaser. Saumil Shah, a
former Foundstone employee and a highly regarded technical expert,
says Kurtz, McClure, and Bahadur were involved: "There is absolutely
no denying that they committed piracy. They did that knowingly and in
huge volume."

In March, Foundstone asked an arbitration judge to seal evidence of
software piracy presented by Glaser. The company said it would
preserve its records. But in early April, Kurtz called a staff
meeting. "Don't do anything with your software," Kurtz says he told
his employees. Then he made his next move clear: "If there's anything
that's not in compliance, we'll get it addressed. We get the license,
or we delete it." Foundstone lawyers say some software has since been
deleted from the company's servers, but maintain that anything deleted
would still be on backup tapes.

It will be harder to delete Foundstone's tarnished reputation.
Ex-employees are piling on, telling FORTUNE that Kurtz and McClure
took credit for other people's work and created an unusually harsh
office environment. (There are even allegations that Foundstone's
Ultimate Hacking classes were a ripoff of the Extreme Hacking classes
its founders ran at Ernst & Young in the 1990s.) In doing so, they are
shedding light on a bunch of executives who seem to have believed
their press clips--Fast Company recently named Kurtz one of its 50
champions of innovation--and somehow got lost along the way.



From: Nick Jacobsen (nick@ethicsdesign.com)
To: dhtml@hush.com, full-disclosure@lists.netsys.com
Date: Tue, 10 Jun 2003 11:13:04 -0700
Subject: Re: [Full-Disclosure] The Two Faces of Foundstone

Heh...  this is pretty funny.  Back in 2001, I attended NetSec '01 in New
Orleans, and Foundstone had a booth there.  There were challenging people to
break into one of their WinNT boxes that was on site, and when I did so, I
notice a cracked copy of L0phtCrack, as well as the program used to crack
it...  I asked one of the employees in the booth about it, and he got this
*stupid* look on his face and said that they had lost the reg code, so they
just cracked the program...  *right*...  god, some companies can be funny


Nick J,