Foundstone Shoe On Other Foot

Cimmer writes "One of the premier hack shops (to pun or not to pun) gets busted for unethically ethically hacking. After filing a lawsuit against former employee JD Glaser for supposedly jacking company source code, Foundstone gets nailed for massive internal software piracy. Tonight's entree: Foot in Mouth."

Corporate piracy is evil

[Graspee_Leemoor]

Corporations who use one legal copy of software to install on all their company machines are doing damage to open-source.

Think about it: If it were impossible for them to just rip-off Windows, Outlook, Office, Ultraedit etc. they would use Linux, Evolution, OpenOffice, Scite/emacs/vi/whatever, since they obviously don't want to spend any money on software.

graspee

Re:Corporate piracy is evil

[mako]

Maybe but remember this is a special situation. A security company researching vulnerabilities must have at their disposal a huge quantity of software. Not just the stuff that they personally like to use, but, the stuff everyone else uses. Of course a researcher also often needs multiple versions of the same product. Therefore, it does not surprise me that such a company would commit copyright infringement in order to get some piece of software they will only use for a short time while testing something.

I was wondering when this issue would raise its ugly head. After all how many amateur bug finders have the bucks to properly license all of the software they test. It seems natural to me that large companies seeking retribution against a leaked 0-day might investigate such a thing.

Re:Corporate piracy is evil

[Graspee_Leemoor]

"A security company researching vulnerabilities must have at their disposal a huge quantity of software."

Which they can buy with the huge quantity of money they get from clients.

"...it does not surprise me that such a company would commit copyright infringement in order to get some piece of software they will only use for a short time while testing something."

If they are testing it for a client they can factor the price of the software into the price they charge the client. If they are just researching it to advance the state of knowledge in the company then they can buy it from company funds.

"After all how many amateur bug finders have the bucks to properly license all of the software they test"

These are not amateur bug finders though, they are a "professional" company.

The bottom line is that nearly every business will do everything they can to maximise PROFIT, even if it means limiting the ability of other people to do the same.

Remember the 169th rule of acquisition:

"Competition and fair play are mutually exclusive.".

graspee

Re:Corporate piracy is evil

[PetoskeyGuy]

OK, so what's your take on DRM?

I picture the ultimate goal of DRM to be computers like Nintendo boxes. Buy software cartridges plug them in and use your limited controls to get stuff done. Hardware to copy and interact is extremely controlled, complex and/or expensive so that most people will just buy the software instead of get the rom readers, burners, etc to copy a cartridge. Sure rich geeks like us may be "free" to do it, but it will be very illegal if it isn't already.

Lets say we do make computers so that it is impossible to rip-off software vendors.

Will Open Source software still exist in such a system, or will we be unable to use even that? Look at how hard it is to hack the X-Box and that's just their first try at such a system.

The US was founded on Seperation of Church and State, maybe the next time around it will be seperation of Business and State.

Re:Corporate piracy is evil

[Graspee_Leemoor]

" OK, so what's your take on DRM?"

I think DRM for software would be fantastic. I'm all for it- bring it on.

Once little Johnny next door and big Johnny business realize it's pay for Windows or use linux/*BSD/cowboynealOS/"I don't use an OS, you insensitive clod" then we will see the collapse of Microsoft mindshare and the wide-scale adoption of open-source.

Unfortunately at the moment the Johnnies of this world probably think that Linux costs money because there is a price tag on that "SuSe Linux Professional" box in the local book[shop|store].

I will be even happier when people stop using software like Ultraedit, the God-fearing author of which seemed genuinally suprised a few years' back when I told him that free software existed that had features he hadn't added to Ultraedit yet (in this case it was regexp searching).

I am of course against DRM for computers if it means that it will be made harder to write your own programs which it would be if we imagine computers being like X boxes. In this scenario it would be also hard to tinker with mods for games and so forth.

So, to answer your question, yes, I am completely for a sort of DRM for computer software which would make it next to impossible to copy the software of vendors who didn't want you to copy it, BUT ONLY if the implementation of this DRM did not intefere with our ability to write open-source software and similar activities.

I am almost sure that the future will bring us DRM for software (amongst other things), and I am afraid that it will probably remove the ability to do other, legal things, but I am unsure that anything I do or say will make a difference.

Geek apathy and geek depression.

Brought to you tonight by copious amounts of geek b33r.

graspee

Re:Corporate piracy is evil

[Chatterton]

A security company researching vulnerabilities must have at their disposal a huge quantity of software." Which they can buy with the huge quantity of money they get from clients.

Well, try to buy Office 4.3 in a way that Microsoft or the BSA accept it. You can't buy it second hand (the EULA say you can't sell it or transfert your right to use it), and Microsoft don't sell it anymore.

Winzip

How many of you run Winzip without a valid license?

Re:Winzip

[NewbieProgrammerMan]

Believe it or not I paid for my copy here at home. I guess that makes me a chump in a lot of people's minds; I just thought it was fair since I used it a lot.

Odd that my former employer - one of the biggest companies in the world - didn't have money to spare for a single license for our office. Never mind that it was installed on probably 50 computers, each of which had a properly licensed copy of WinNT or Win2000. It seemed to me that they only worried about proper licensing when it involved companies that stood a chance of giving them grief, and to hell with everyone else.

Re:Uneasy truce: white hats and their employers

[.@.]

(he ended up doing time for hacking into NASA owned systems at the University of Florida - in fact, I believe that he is still incarcerated).

He really knew his shit, especially when it came to invisibly manipulating Cisco equipment and covering his tracks in Unix/Linux/BSD logs.

I fail to see how "he is still incarcerated" supports the claim "really knew his shit." One might almost think that, if he really knew his shit, there would be no incarceration to mention.

Re:I cannot stand it when this happens.

The company I work for is a software house that produces a prominent trading package for stockbrokers.

We're out of compliance on at least the following items:
- Windows NT
- Windows 2000
- Office 97
- Office 2000
- Outlook
- Exceed
- Solaris 8

It's more common than you'd think.

Re:Uneasy truce: white hats and their employers

[packeteer]

Most hackers who can cover their tracks get caught in a less technical way. Just becuase your a good cracker doesn't mean your a good criminal. There is much more to commiting a crime then the actual execution. Most criminals plan up to and including their crime but rarely what they will do afterwards.

Not Suprising

[j_kenpo]

Im actually very suprised at the reaction to this. How many of you have worked for small to mid-size IT related companies that havnt used unlicensed software of some sort. Its somewhat contradictory for a company to cry theft when they are thieves themselves, but then again as the old saying goes there is not honor among thieves. Ive worked for a few, and it doesnt suprise me one bit. Im not in shock or awe by this. And for a company that is one of the formost authorities on computer security to take part in cracking software isnt far fetched and is happening right now by other companies. If its for a proof of concept or for cheating the financial responsibilities. And as far as the accusation that they took the concept of the Extreme Hacking courses for their Ultimate Hacking courses, so what. How many smaller companies were founded by formers of other companies that applied their skills to do their own start-ups. This isnt ground breaking, its business as usual, even if it unethical. The only thing is since this article was pressed by Fortune, quite a bit of financial damage will be done to Foundstone, but thats the risk you take when you attack former employees when partaking in unethical practices.

Re:winzip license

[IvyMike]

• Anti-piracy method 1: Spend a lot of time and effort trying to keep ahead of the serial# spreaders and/or crackers, yet still fail pretty miserably, as every other program out there does. Only the honest people actually pay.
• Anti-piracy method 2: Sit back, drink a beer, don't give a rat's ass, and the honest people still pay.

Personally, I think WinZip's got the right idea.

On fear.

[mindstrm]

Partly, it's the way people act that causes fear.

I guarantee if someone that good acts very professionaly, doens't brag about what they do, and keeps a low profile with regard to their skills, they won't have problems. If you present yourself as a rogue living on the edge, people will not trust you.

An employer will not fire you JUST because you know how to pick a lock, but the fact that you constantly talk about what locks you picked might scare him a little.

Moral of the story

[ramzak2k]

Dont trust your employees. Most of them are good, but all it takes are a few nasty ones to come back and bite your ass.

Not to sound like i condone their act, but lets face it every company must be using a few unlicensed software unless ofcourse they are running entirely on open source software. Say you were running a medium sized company and you have a 210 licenses & recently hired 10 new employees , are you going to immediately purchase the license for the 10 others - NO maybe when you get the next budget approval but not immediately.

There are ways to go about this without flagrantly handing over licenses to the employees.

1. Imaging for any upgrades : Ask your employees to backup their personal files on the network & take their disk for imaging. With lot of stuff coming preinstalled on the pc, the employee would hardly take the time to look at what is licensed where.
2. Have a highly trustworthy IT department that does the installations for the staff. This way employees see only the installed APP and not what went into the installation.

I have respect for this guy Jason Glassberg, Foundstone's former software-consulting guru. From the article, this is what he had to say about the litigation:

"This is bullshit,We will regret the day we became a litigious company. You realize you have zero support from the rest of the company on this action, don't you?"


Wonder why he got fired for saying that. Why sue when you know that you are not entirely perfect !?

Re:There is a fine line between

[BrynM]

Unfortunately, the more people that pull the "Terrorist" card for an excuse, the less is will be listened to when it's real. (pleae note, I'm not right wing or republican) So, when it's real, the media will demand to see the information anyway citing the other jerks who used it as a bluff (including many politicians). Ironically, they are slowly creating a potential threat to national security by watering down the occasional importance of the "terrorist" card.

By the way, are "terrorist" cards a method of divination? (thanks for the inspiration dude!)

Bad for the industry, not just slashdot

[akad0nric0]

This does not bode well for the industry as a whole. Think about how many companies share Foundstone's silhouette - young company, killer app, grows fast from nothing - like netForensics, ISS, et. al.

In my experience as a security analyst, the industry is chock full 'o great products that large companies hesitate to invest in because they're not IBM, Symantec, or the like. Giving 6 digits of cash to a company that could concievably go under in a year is a hard sell on my boss's boss (who signs the contracts) - and with good reason. As a result, we're left with awesome support for products that aren't always the best (IBM), or worse yet, crappy products with no support from a big company (CA).

By doing this, Foundstone has hurt a good chunk of the industry holding some great products, and by association (albeit to a lesser extent) hurt end-users of security apps like me.

THE RULE IS:

[clambake]

Don't piss people off. No matter how much you think you are right, and how much you think they deserve it. Just don't do it. Would Foundstone have lost it's reputation and been charged with so much piracy if they had just let this guy go, shurgged it off and gotten on with thier lives?

No, nothing would have happened.

The worst thing would have been that, even if this guy really did steal code, they would have a tiny new competitor with no name recognition and no clients. Just another dot-com waiting to fall flat on it's face...

If you go out of your way to not be an asshole, even to people who richly deserve it, you'll find that your life is signifigantly mor etrouble free. Maybe you don't get that two-second moment of childlike glee when you "stick it to them", but then again, is that worth possibly losing the entire company for? Foundstone thinks it is, but I disagree.