Foundstone Shoe On Other Foot
Cimmer writes "One of the premier hack shops (to pun or not to pun) gets busted for unethically ethically hacking.
After filing a lawsuit against former employee JD Glaser for supposedly jacking company source code, Foundstone gets nailed for massive internal software piracy. Tonight's entree: Foot in Mouth."
I once worked with a terrific cracker (he ended up doing time for hacking into NASA-owned systems at the University of Florida - in fact, I believe that he is still incarcerated). He really knew his shit, especially when it came to invisibly manipulating Cisco equipment and covering his tracks in Unix/Linux/BSD logs. He was also somewhat of a coder. He was kind of scary in a way. It was funny to see how much the entire operation of the IT department changed once we found out how good he really was, and how much the manager started reviewing technology laws. He was on our side, our white hat, and still everyone was immensely wary of him.
Even though he effortlessly secured three large networks and found glaring problems with our state-wide backbone, he was canned out of fear. He was later found guilty of causing damages to the network after his termination, at the same time he was busted for the NASA fiasco (the FBI had been watching his movements for some time). In hindsight, I can say that our cautious approach towards him was warranted, even though it caused him obvious grief when he was employed with us.
Hell, he will be making twice my salary at McAfee or something when he gets out of prison anyways, why am I feeling bad for him?
From the articles it would appear that Foundstone preaches security, educates corporate clients and toughens their clients' networks. This is done for all the valid security reasons, but is third-party licensing protection part of this? No way - it is a different issue.
This is like saying that they haven't registered their cars - it is an issue, but not one that would affect their business or their abilities.
I would see some of the moronic management practices that are mentioned in the article as grounds for ceasing business with these clowns, but I cannot see why a client would care whether their consultants use legitimately licensed software or not. If you are buying software from them, or outsourcing work directly to them, then the answer is different, but these guys' IP theft has no bearing on their output; it only affects their profit margin.
Their risk - their choice - their business.
Even the most rigid places are willing to bend the rules for licensing when it comes to testing.
Sometimes it's entirely legitimate -- building a new box for some CAD guy; he can't stop working on the application while the box is built and tested, and we can't get the box built and tested without the license. The same has to be true in a zillion different production hardware swapouts. The old box is wiped when the swap is completed, so there's no production use of two copies (although one place I worked had a circular buffer about 90 days long for old hardware, and the old box sat untouched during those days until it got reused, just in case something was missed).
Sometimes it's somewhat less legitimate, like the support guy that has a whole suite of applications installed on his everyday machine so that he can try to replicate problems from the people that make production use of it. They're not installed/uninstalled/reinstalled to test each problem, since that would take hours, but since they're not used to actually do production work, no one interprets the licensing rules to say that the copies are illegitimate.
I call that one somewhat less legitimate than the first, which is a legitimate chicken-and-egg problem, because the apps are staying resident on the machine, usable. I personally think it's a fair exception to make, since that test suite of applications isn't making anyone money from its use, and the total usage of a couple of hours per month in a 'test' mode would never pass the finance people's justification for the $10k it would take to buy them.
And then there's the "backup server" that doesn't even get turned on but to sync configs with the production box once in a while or as a total drop-in replacement when the production server stops being usable.
I'm sure there are 1001 variations on these kinds of rule-bending, but I've never worked someplace so inflexible that they required new licensing (or at least a 10+ copy slack) to cover legitimate IT maintenance issues. If the SPA nazis aren't going to give us some slack, how can we make their applications usable?
This company had tried to market an ext2fs undelete tool to the computer forensics market. I looked through the binary and found several references to libext2 (they left all debugging symbols in, so I could see exactly what files they had compiled and linked). The ext2 library is GPL and not LGPL, so therefore their program should have been GPL. When we told them about it, they just wrote back and basically said "we aren't violating anything". A short while later the tool disappeared from the market. Food for thought.
Nearly half of all people are below average