Stones, Fire and Water
Tim Mullen, 2002-11-11

A nasty trade secret lawsuit displays the ugly side of the network security industry.

While driving to work the other day, a squirrel began to cross the road ahead of me, its slow, steady advances quickening as my vehicle drew near. Just as it made it safely to the other side, some invisible stimulus seen only by Sciuridae caused it to suddenly reverse direction and dart back across the road directly in front of me.

If squirrels have final memories, this one's was "B.F. Goodrich."

While picking out pieces of fur-embedded squirrel meat from the treads, it dawned on me just how costly reactionary behavior can be. I'm sure it made sense to the squirrel at the time, but in the Grand Scheme of Things, its change of direction was not the smartest move.

The security world watched with keen interest last month when Foundstone was granted a temporary restraining order against NTObjectives for alleged trade secret misappropriation. J. D. Glaser, the well-respected and talented President of NTO, was named in a declaration by Foundstone's Stuart McClure, where he was accused of stealing "well-guarded algorithms, methods, and databases that are highly valuable trade secrets of Foundstone" from the FoundScan vulnerability scanner-- and using them directly in his newly-developed "Fire and Water" Web application security auditing tool.

Glaser had been employed at Foundstone, and he left the company to lead NTO full time. Subsequently, three more individuals left Foundstone and joined J. D. in the development of Fire and Water.

From what I could glean from the declaration, Foundstone claimed that their methods of OS fingerprinting, port scanning, vulnerability checking and database logging were all proprietary. Though NTO's Fire and Water toolkit does not perform all of the same functions as FoundScan, McClure concluded that Glaser must have stolen "trade secrets" of his product since the Fire and Water toolkit beta was developed in just three months.

McClure argued that it was "simply impossible" to create such a toolkit in that timeframe -- therefore, the only way it could be done was by using Foundstone's trade secrets. The consequences for the company, he wrote, were dire. "If Defendants proceed with their plan to release their software for free over the Internet, the value of Foundstone's investment of 80,000 person-hours and $4,000,000 in its trade secret technology will be devastated."

What's worse, giving away the security tool would actually endanger National Security, McClure insisted. "The public would be armed by the potential for misuses of these technologies by hackers and cyberterrorists."

Hypocrisy Exposed?
No actual evidence was presented, but McClure's arguments were enough for the judge in the case to issue a restraining order blocking Glaser and NTO from releasing Fire and Water.

It was not until after a solid month of NTO being forced to basically shut down operations that the same judge reversed herself and withdrew the preliminary injunction, stating that "the trade secret allegedly being used by the defendant(s) is not identified with sufficient particularity nor with any particularity." [Emphasis original.]

The underlying lawsuit continues. But personally, I think the action has already hurt Foundstone. For one, it does not sit well with security researchers to see a company wrap the collective efforts of a public community into a product and then call the methods "proprietary."

The science of OS fingerprinting, for example, was pioneered by Fyodor and Ofir Arkin in open-source utilities like "nmap" and Xprobe. While I don't have access to Foundstone's coveted trade secrets, I'm skeptical that FoundScan adds any top-secret high-tech advancements to the state of the art carved out by those researchers.

And from a marketing standpoint, this can't help the FoundScan product's image. Fire and Water vs. FoundScan is a David and Goliath billing. While F&W is a great suite of applications one can use to help audit application security, it is by no means an enterprise-level vulnerability scanner and assessment tool, as FoundScan is. But you wouldn't know that from Foundstone's reaction.

Foundstone's response should have been, "Fire and Water? Oh that. Yeah, whatever." Instead they have, in no small way, provided validation and authentication of Fire and Water's awesome power... whether it really holds it or not. They have taken a program developed by a couple of guys in a few months and put it on the same level as an application that took Foundstone 80,000 man-hours and $4,000,000 to develop. I am told that the average sales price for FoundScan is about $250,000 (it used to be, anyway)-- you can download a corporate version of Fire and Water for $150.

I also didn't think it was too bright for McClure to give sworn statements that Fire and Water should be enjoined due to concerns that evil hackers and cyberterrorists would use it to attack people, when he makes a pretty penny publishing how-to-hack tips in his Hacking Exposed series. It struck me as hypocritical at best.

Competition is hard enough as it is-- it is far better to stay focused on making your product the best it can be than to divert your efforts into grappling hand-to-hand with the competition. In this business, you don't have to stray too far from the path to get squashed-- whether it's by B.F. Goodrich or J.D. Glaser.



SecurityFocus columnist Timothy M. Mullen is Vice President of Consulting Services for NGSSoftware.
Copyright 2010, SecurityFocus