Slashdot Mirror


Foundstone Shoe On Other Foot

Cimmer writes "One of the premier hack shops (to pun or not to pun) gets busted for unethically ethically hacking. After filing a lawsuit against former employee JD Glaser for supposedly jacking company source code, Foundstone gets nailed for massive internal software piracy. Tonight's entree: Foot in Mouth."

17 of 255 comments

  1. Uneasy truce: white hats and their employers by mao+che+minh · · Score: 4, Interesting
    You have to love it when law and politics gets their claws into the ever-shady business of white hat hacking. These types of cases hit the news every once in a while. I suppose that such risks are part of the game, but what would I know? Up until last month I thought that hacking was a lot like flying through a wire-frame cityscape.

    I once worked with a terrific cracker (he ended up doing time for hacking into NASA-owned systems at the University of Florida - in fact, I believe that he is still incarcerated). He really knew his shit, especially when it came to invisibly manipulating Cisco equipment and covering his tracks in Unix/Linux/BSD logs. He was also somewhat of a coder. He was kind of scary in a way. It was funny to see how much the entire operation of the IT department changed once we found out how good he really was, and how much the manager started reviewing technology laws. He was on our side, our white hat, and still everyone was immensely wary of him.

    Even though he effortlessly secured three large networks and found glaring problems with our state-wide backbone, he was canned out of fear. He was later found guilty of causing damages to the network after his termination, at the same time he was busted for the NASA fiasco (the FBI had been watching his movements for some time). In hindsight, I can say that our cautious approach towards him was warranted, even though it caused him obvious grief when he was employed with us.

    Hell, he will be making twice my salary at McAfee or something when he gets out of prison anyways, why am I feeling bad for him?

    1. Re:Uneasy truce: white hats and their employers by /dev/trash · · Score: 2, Interesting
      First you say this:
      "He really knew his shit, especially when it came to invisibly manipulating Cisco equipment and covering his tracks in Unix/Linux/BSD logs."

      Then you say:
      "the FBI had been watching his movements for some time"

      Sounds like a lot of hype to me. I am sure he knew stuff, but no one's so good they never get caught.

  2. great explanation by SHEENmaster · · Score: 2, Interesting

    of the "Microsoft profits from piracy." idea. Another facet of this is that many of these companies get caught and are forced to pay up.

    A rival computer store in my town has been peddling the same Windows XP key for an entire year. This hurts the business of legitimate sellers who can't compete with the price as well, and it hurts Microsoft's goal of making several hundred dollars from every desktop computer in America. Now I don't know what to believe...

    --
    You can't judge a book by the way it wears its hair.

    1. Re:great explanation by Anonymous Coward · · Score: 1, Interesting

      The same key? Won't someone eventually activate it and make it useless for everyone else?

  3. seems pretty one-sided.. by Anonymous Coward · · Score: 2, Interesting

    So what did Foundstone have to say? The article doesn't even say they tried to get their side. Seems like JD was trying to take the heat off his lawsuit by working the software piracy angle.

    like all of us here register winzip? riiiiight.

  4. Re:Winzip by exspecto · · Score: 1, Interesting

    Why in the world would you use winzip when you can get powerarchiver (version 6) for free? I never understood people who use such a lame shareware program.

  5. There is a fine line between by johnstein · · Score: 3, Interesting

    prudence and suicidal lemmings (or according to the article, misguided squirrels)

    What's worse, giving away the security tool would actually endanger National Security, McClure insisted. "The public would be armed by the potential for misuses of these technologies by hackers and cyberterrorists."

    without reiterating the many articles here on /., I agree that a certain amount of prudence is needed to keep our world "safe and secure from those pesky hackers and virtual terrorists, etc" but come on, there are so many more critical things to worry about.

    and besides, the claim by foundstone that "it was 'simply impossible' to create such a toolkit in that timeframe", doesn't necessarily mean that it couldn't be done.

    I hate even wasting keystrokes on this, but when I read the article, I couldn't help but imagine some corporate bigwig nearly in tears, throwing a tantrum about not getting his way... and when he (McClure) pulled the ole 'terrorist' card, it sealed my opinion. ( woo hoo, like my opinion is worth anything ;) )

    I don't know who is in the clear here, but the whole situation stinks. and I fear it's just going to get worse. oh, and the kicker (IMO),
    "No actual evidence was presented, but McClure's arguments were enough for the judge in the case to issue a restraining order blocking Glaser and NTO from releasing Fire and Water."

    Perhaps this was prudent, but these days I wouldn't put any money on it. Anymore, I am inclined to believe that there are tons of lemmings/squirrels out there who are determined to try to screw up any little bit of the world which can possibly be screwed up. Although I sound rather pessimistic, I think we will get through this in relatively decent shape, but the road to get there is sure to be a bumpy ride.

    -John

    --
    "The definition of insanity is continuing to do the same thing and hoping for different results"

  6. Re:Winzip by Anonymous Coward · · Score: 1, Interesting

    Not I, I run Filzip instead. Just as good and free.

  7. Re:Winzip by SCHecklerX · · Score: 2, Interesting

    When I have to use a windoze box, I use zipcentral. There is good free software out there for windoze (putty, anyone?), if you care to look.

  8. Re:Winzip by eggstasy · · Score: 2, Interesting

    Why would anyone use that crappy WinZip program when there are so many better ones, like WinRAR, that are able to compress a lot better and are fully compatible with zip and most other compression formats?
    I haven't had a copy of WinZip since the glorious days of Windows 3.1, and even then I converted everything to RAR, which I've been using since 1994.
    Of course, there are even better programs than RAR in terms of raw compression, but I'm a rabid RAR zealot :^)

  9. Two completely separate issues here. by evil_roy · · Score: 4, Interesting

    From the articles it would appear that Foundstone preaches security, educates corporate clients & toughens their clients' networks. This is done for all the valid security reasons, but is third-party licensing protection part of this? No way - it is a different issue.

    This is like saying that they haven't registered their cars - it is an issue, but not one that would affect their business or their abilities.

    I would see some of the moronic management practices that are mentioned in the article as grounds for ceasing business with these clowns, but I cannot see why a client cares less if their consultants use legitimately licensed software or not. If you are buying software from them, or outsourcing work directly to them, then the answer is different, but these guys' IP theft has no bearing on their output; it only affects their profit margin.

    Their risk - their choice - their business.

  10. Amazing by e_pluribus_funk · · Score: 2, Interesting

    "Oh yea, I forgot we still have Republicans"

    I guess this is how ideologically rabid the left has gotten. Republicans, apparently, have a monopoly on corruption, and Democrats (and/or Greens) a monopoly on sainthood. By the way, did you know that John Kerry served in Vietnam?

    AFAIK, only lefty Democrats think that by cutting taxes, we are "costing the government money". Get it, not collecting taxes is treated as a government expense. As if they have the right to all of your paycheck, but by the graciousness of their (the Republicans, since the last Democrat to push a tax cut was Kennedy) hearts, they'll "spend" some of your money by giving it back to you.

  11. Re:Corporate piracy is evil by swb · · Score: 4, Interesting

    Even the most rigid places are willing to bend the rules for licensing when it comes to testing.

    Sometimes it's entirely legitimate -- building a new box for some CAD guy; he can't stop working on the application while the box is built and tested, and we can't get the box built and tested without the license. The same has to be true in a zillion different production hardware swapouts. The old box is wiped when the swap is completed, so there's no production use of two copies (although one place I worked had a circular buffer about 90 days long for old hardware, and the old box sat untouched during those days until it got reused, just in case something was missed).

    Sometimes it's somewhat less legitimate, like the support guy that has a whole suite of applications installed on his everyday machine so that he can try to replicate problems from the people that make production use of it. They're not installed/uninstalled/reinstalled to test each problem, since that would take hours, but since they're not used to actually do production work, no one interprets the licensing rules to say that the copies are illegitimate.

    I call that one somewhat less legitimate than the first, which is a legitimate chicken-and-egg problem, because the apps are staying resident on the machine, usable. I personally think it's a fair exception to make, since that test suite of applications isn't making anyone money from its use, and the total usage of a couple of hours per month in a 'test' mode would never pass the finance people's justification for the $10k it would take to buy them.

    And then there's the "backup server" that doesn't even get turned on but to sync configs with the production box once in a while or as a total drop-in replacement when the production server stops being usable.

    I'm sure there's 1001 variations on these kinds of rule-bending, but I've never worked someplace so inflexible that they required new licensing (or at least a 10+ copy slack) to cover legitimate IT maintenance issues. If the SPA nazis aren't going to give us some slack, how can we make their applications usable?

  12. Brain Surgery 101 - By Dr. FrankenSTONE by Psarchasm · · Score: 3, Interesting

    The insanity of 'white-hat' security companies will surely come to an end sooner rather than later. Securing the corporate or home network simply isn't that difficult anymore.

    That's not to say that in some way these prepubescent security Scooby Doos don't have their place. But today, they are simply usurped by competent system and network administrators and the forethought of coders to write code with security in mind.

    Think back to the burgeoning days of online commerce and the cavalier "Internet for everyone!" in-the-workplace roll-outs. Book-wise MCSEs, trench-hardened Oracle/Solaris admins, and street-savvy (but cowboyish) Linux/BSD admins were all the pointy-haireds had to turn to. It was a friggin' free-for-all against many up-and-coming businesses as well as some borderline-brave industry Goliaths seeking a swim in the piranha-infested Internet soup. Networks and software were regularly blasted through by kids with code they hadn't written themselves. Sometimes it happened due to the poor design of deployed code. Sometimes it happened because the attacks themselves were mini-masterpieces. But whatever the reason, in a space where people could be anonymous supervillains, the will of the Internet (of the people) to communicate persevered. The Internet infrastructure, the networks attached to it, and the people running them all got a little bit smarter and a lot wiser.

    Tell the guy in the suit you want to sell him a network security auditing tool (or service), because he doesn't have the manpower to do it in-house. He may be willing to pay. Tell the manager of a group of coders you want to sell her your competence and third-party viewpoint of the security of their code. She may be willing to pay. Tell me you want to sell me a 250,000 dollar piece of network auditing code, or scan my network from the outside to tell me where my vulnerabilities lie without knowing my network already, or bebop around my 30,000+ user network analyzing a bunch of known signatures, and I'll tell you to go back to the drawing board and tell me why your first answer wasn't to invest in a competent enough staff to make you obsolete.

    The wake-up call has already been dialed by the customers at large. The VC money won't last forever. And almost none of you are as cool as you made yourselves out to be. I suppose in the end it will be just as amusing to watch you tear at each other in a corporate environment with lawyers and press releases as it was to watch you tear at each other r00ts and mailing-list posts.

    --
    http://windows.scares.us

  13. Re:winzip license by eastshores · · Score: 2, Interesting

    Congrats!! It is that line of thought, one based on reality, that indicates someone that will enjoy life. And before more people start foaming at the mouth.. I do mean to say you can enjoy life and not hurt others while doing it.

  14. They tried to violate the GPL too by nicholasharbour · · Score: 5, Interesting

    This company had tried to market an ext2fs undelete tool to the computer forensics market. I looked through the binary and found several references to lib ext2 (they left all debugging symbols in, so I could see exactly what files they had compiled and linked). The ext2 library is GPL and not LGPL, so therefore their program should have been GPL. When we told them about it, they just wrote back and basically said "we aren't violating anything". A short while later the tool disappeared from the market. Food for thought.

    --

    Nearly half of all people are below average
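A license-compliance triage script in the spirit of what the commenter describes (an added example, not the commenter's tool or Foundstone's code): it pulls printable strings out of a binary and matches them against an assumed inventory of library symbol prefixes and source-path fragments, which is how unstripped debug info gives away what was compiled and linked in. The marker inventory is an assumption to fill from your own records, and the sample binary bytes are constructed.

```python
import re
from typing import Dict, List

# Assumed marker inventory (fill from your own records): symbol-name prefixes and
# source-path fragments that identify a linked library. Only libext2fs matters for
# the comment above; libcom_err is a second entry to show the lookup generalises.
LIBRARY_MARKERS = {
    "libext2fs": {"symbols": ("ext2fs_",), "paths": ("lib/ext2fs/",)},
    "libcom_err": {"symbols": ("com_err", "error_message"), "paths": ("lib/et/",)},
}

_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
_SOURCE_FILE = re.compile(r"\.(c|cc|cpp|h)$")


def extract_strings(blob: bytes) -> List[str]:
    """Pull printable ASCII runs of 4+ chars out of a binary, like `strings`."""
    return [m.group().decode("ascii") for m in _PRINTABLE_RUN.finditer(blob)]


def find_library_references(blob: bytes) -> Dict[str, Dict[str, List[str]]]:
    """Map each inventoried library to the symbol names and source paths seen."""
    hits: Dict[str, Dict[str, List[str]]] = {}
    for s in extract_strings(blob):
        for lib, markers in LIBRARY_MARKERS.items():
            entry = hits.setdefault(lib, {"symbols": [], "paths": []})
            if s.startswith(markers["symbols"]) and s not in entry["symbols"]:
                entry["symbols"].append(s)
            elif any(p in s for p in markers["paths"]) and s not in entry["paths"]:
                entry["paths"].append(s)
    # Drop libraries with no evidence so the report only lists real findings.
    return {lib: h for lib, h in hits.items() if h["symbols"] or h["paths"]}


def source_file_references(blob: bytes) -> List[str]:
    """Source file names left behind by debug info: a sign the build was not stripped."""
    return [s for s in extract_strings(blob) if _SOURCE_FILE.search(s)]


# Constructed stand-in for an undelete tool's binary: an ELF magic prefix followed
# by a few NUL-terminated strings of the kind an unstripped build leaves behind.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"undelete_main\x00ext2fs_open\x00ext2fs_read_inode\x00"
    + b"/build/e2fsprogs/lib/ext2fs/inode.c\x00inode.c\x00"
    + b"ext2fs_block_iterate\x00Usage: undelete <device>\x00"
)

if __name__ == "__main__":
    for lib, found in find_library_references(SAMPLE_BINARY).items():
        print(lib, found)
    print("debug source refs:", source_file_references(SAMPLE_BINARY))
```

Run it against a real file by passing `open(path, "rb").read()` instead of the constructed sample; a hit only says the library's names are present, so confirm the linkage and license from the actual build before raising it with anyone.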

  15. Covered By Pud last September by rubenmiranda · · Score: 2, Interesting

    The reply to Kurtz was covered in an internal memo over at FC.

    Wacky.