A leading computer-security company is accused of software piracy.
FORTUNE
Monday, June 9, 2003
By Richard Behar
George Kurtz may be his own worst enemy. In just four years Kurtz, CEO of
Foundstone, and Stuart McClure, its president, created one of the
best-known U.S. computer-security companies by exposing the
vulnerabilities of software firms. Thousands of FORTUNE 500 executives
and government officials--from the FBI and the National Security Agency
to the Army, the Federal Reserve, and even the White House--have taken
Foundstone's Ultimate Hacking courses, at up to $4,000 per person.
Motorola and Bank of America have shelled out more than $300,000 each for
Foundstone products, and the company recently installed software to
protect the FAA.
But it doesn't take the skills of a hacker to see that Foundstone, a
privately owned $20-million-a-year company in Mission Viejo, Calif., is
in trouble. It has been accused of widespread software piracy by a
leading industry trade group, FORTUNE has learned--charges corroborated
by current and former Foundstone employees and by computer printouts
obtained by the magazine.
The trade group, the Software & Information Industry Association,
informed Kurtz by letter in May that it intended to pursue
copyright-infringement charges against Foundstone. It acted after a
confidential source alleged that McClure and Gary Bahadur, Foundstone's
chief information officer, routinely spread unlicensed software to the
company's 125-member workforce; that Kurtz was aware of that practice;
and that in early April the CEO ordered his staff to delete unlicensed
software from their computers. "They're gambling with their
reputation," says Keith Kupferschmid, head of the association's
antipiracy unit, which investigated and found the allegations credible.
"That's not a smart thing to do."
Kurtz vehemently denies the company engaged in piracy. "We have
strict policies against piracy," he says. "We take intellectual
property very seriously, given that we are a software company." He
adds that Foundstone conducted an internal audit in April, "and
we're in compliance."
The evidence suggests otherwise. For years, according to former
employees, top executives at Foundstone dumped a seemingly endless supply
of the latest software onto a company server called Zeus and into a
Microsoft Outlook folder called Tools, available to everyone on staff.
Employees say they were told to download whatever programs they needed by
using license keys registered only to McClure or Bahadur. (Legally
Foundstone should have paid for each user.) The unauthorized software
ranged in value from $35 to $15,000 per user and included everything from
Acrobat to X-WinPro.
"They've stolen pretty much everything when it comes to
software," says a founding employee who asked not to be named. The
company even cracked Microsoft's operating system, Windows XP, says Dan
Kuykendall, a former Foundstone software engineer, "so you could
install it on multiple computers without any problems." The founding
employee estimates that only 5% of the software used at Foundstone was
paid for. (Foundstone's lawyers say that only 5% was unlicensed and that
the company has spent more than $1.5 million on software.) Foundstone
also trained thousands of corporate and government security personnel on
software that it duplicated in ways that avoided triggering license fees,
according to Kurt Weiss, a training coordinator until last year, who says
it was part of his job to copy software packages onto the drives of 40
laptops per class.
The use of unlicensed software is a global problem--estimates of lost
revenues range up to $13 billion a year--but it's rare among companies
whose business is safeguarding intellectual property. "We happen not
to have any experience with other security-software companies' doing
that," says William Plante, chief investigator at Symantec, a
Foundstone competitor. "Especially for a software company interested
in protecting its own copyrighted material. If true, it's pretty
unconscionable."
One software package available on Foundstone's server was Teleport Pro,
an offline browser program made by Tennyson Maxwell Information Systems.
Only Bahadur had a license, says Michael Del Monte, Tennyson's top
developer. "That's a no-no," he says. "Companies are
pretty responsible about purchasing licenses for everybody who's going to
be using the software. You would think that as a security company, they'd
be more careful about that kind of thing." Another software package,
UltraEdit, was in Foundstone's Tools folder in violation of its one-user
license, the manufacturer says.
In some ways the Foundstone tale is a microcosm of the ugly side of the
dot-com craze--arrogance, greed, mismanagement, and stupidity. But those
are indulgences the computer-security industry can no longer afford. The
market for its services has gotten tougher. While large firms such as
IBM, EDS, and Symantec still dominate, the midsized players--including
Foundstone, @Stake, and Guardent--are duking it out for business.
Foundstone's troubles began last October when the company brought a
trade-secrets case against J.D. Glaser, its former director of
engineering, accusing him of stealing proprietary code. Glaser had left
Foundstone in May to reactivate his old company, NT Objectives. After ten
staffers followed him, Foundstone got a temporary restraining order
barring Glaser from marketing his software. But a judge declined to grant
an injunction, saying that Foundstone had not identified the trade secret
and was unlikely to prevail on the merits.
In most industries such a dispute would have been routine. But the
computer-security industry prides itself on being an open-source
community that shares innovations. That much is clear from Kurtz and
McClure's bestselling book, Hacking Exposed, perhaps the most detailed
account ever written of how to hack--and defend--popular computer
networks and software.
Things quickly went from bad to worse. Soon after the case was filed,
Jason Glassberg, Foundstone's software-consulting guru and its key
contact with Microsoft, the company's largest client, sent an e-mail to
Kurtz. "This is bullshit," he wrote. "We will regret the
day we became a litigious company. You realize you have zero support from
the rest of the company on this action, don't you?"
Kurtz promptly fired Glassberg, who was immediately offered work by
Microsoft. The software giant then yanked its Foundstone business, which
had accounted for about a quarter of the company's revenue. More staff
defections followed. "Most of the people I know who work at
Foundstone are looking for jobs elsewhere," says Jeff Moss, who runs
the BlackHat computer-security conferences.
Despite losing its bid for an injunction against Glaser, Foundstone is
still pursuing the case in arbitration--a decision that sparked the
piracy allegations, which will now make the case even more difficult to
win. "How can you have a trade secret when your product was built on
software that didn't belong to you?" asks Glaser. Saumil Shah, a
former Foundstone employee and a highly regarded technical expert, says
Kurtz, McClure, and Bahadur were involved: "There is absolutely no
denying that they committed piracy. They did that knowingly and in huge
volume."
In March, Foundstone asked an arbitration judge to seal evidence of
software piracy presented by Glaser. The company said it would preserve
its records. But in early April, Kurtz called a staff meeting.
"Don't do anything with your software," Kurtz says he told his
employees. Then he made his next move clear: "If there's anything
that's not in compliance, we'll get it addressed. We get the license, or
we delete it." Foundstone lawyers say some software has since been
deleted from the company's servers, but maintain that anything deleted
would still be on backup tapes.
It will be harder to delete Foundstone's tarnished reputation.
Ex-employees are piling on, telling FORTUNE that Kurtz and McClure took
credit for other people's work and created an unusually harsh office
environment. (There are even allegations that Foundstone's Ultimate
Hacking classes were a ripoff of the Extreme Hacking classes its founders
ran at Ernst & Young in the 1990s.) In doing so, they are shedding
light on a bunch of executives who seem to have believed their press
clips--Fast Company recently named Kurtz one of its 50 champions of
innovation--and somehow got lost along the way.
Feedback:
[EMAIL PROTECTED]
From the
Jun.
23, 2003 Issue
http://www.fortune.com/fortune/technology/articles/0,15114,457276,00.html
