
2002-11-11
A nasty trade secret lawsuit displays the ugly side of the network security industry.
Giving away the security tool would empower hackers and "cyberterrorists," McClure insisted.
If squirrels have final memories, this one's was "B.F. Goodrich."
While picking out pieces of fur-embedded squirrel meat from the treads, it dawned on me just how costly reactionary behavior can be. I'm sure it made sense to the squirrel at the time, but in the Grand Scheme of Things, its change of direction was not the smartest move.
The security world watched with keen interest last month when Foundstone was granted a temporary restraining order against NTObjectives for alleged trade secret misappropriation. J. D. Glaser, the well-respected and talented President of NTO, was named in a declaration by Foundstone's Stuart McClure, where he was accused of stealing "well-guarded algorithms, methods, and databases that are highly valuable trade secrets of Foundstone" from the FoundScan vulnerability scanner -- and using them directly in his newly-developed "Fire and Water" Web application security auditing tool.
Glaser had been employed at Foundstone, and he left the company to lead NTO full time. Subsequently, three more individuals left Foundstone and joined J. D. in the development of Fire and Water.
From what I could glean from the
McClure argued that it was "simply impossible" to create such a toolkit in that timeframe -- therefore, the only way it could be done was by using Foundstone's trade secrets. The consequences for the company, he wrote, were dire. "If Defendants proceed with their plan to release their software for free over the Internet, the value of Foundstone's investment of 80,000 person-hours and $4,000,000 in its trade secret technology will be devastated."
What's worse, giving away the security tool would actually endanger National Security, McClure insisted. "The public would be armed by the potential for misuses of these technologies by hackers and cyberterrorists."
Hypocrisy Exposed?
No actual evidence was presented, but McClure's arguments were enough for the judge in the case to issue a restraining order blocking Glaser and NTO from releasing Fire and Water.
It was not until after a solid month of NTO being forced to basically shut down operations that the same judge reversed herself and withdrew the preliminary injunction, stating that "the trade secret allegedly being used by the defendant(s) is not identified with sufficient particularity nor with any particularity." [Emphasis original].
The underlying lawsuit continues. But personally, I think the action has already hurt Foundstone. For one, it does not bode well with security researchers to see a company wrap the collective efforts of a public community into a product and then call the methods "proprietary."
The science of OS fingerprinting, for example, was pioneered by Fyodor and Ofir Arkin in open-source utilities like "nmap" and Xprobe. While I don't have access to Foundstone's coveted trade secrets, I'm skeptical that FoundScan adds any top-secret high-tech advancements to the state of the art carved out by those researchers.
And from a marketing standpoint, this can't help the FoundScan product's image. Fire and Water vs. FoundScan is a David and Goliath billing. While F&W is a great suite of applications one can use to help audit application security, it is by no means an enterprise-level vulnerability scanner and assessment tool, as is FoundScan. But you wouldn't know that from Foundstone's reaction.
Foundstone's response should have been, "Fire and Water? Oh that. Yeah, whatever." Instead they have, in no small way, provided validation and authentication of Fire and Water's awesome power... whether it really holds it or not. They have taken a program developed by a couple of guys in a few months and put it on the same level as an application that took Foundstone 80,000 man hours and $4,000,000 to develop. I am told that the average sales price for FoundScan is about $250,000 (it used to be, anyway) -- you can download a corporate version of Fire and Water for $150.
I also didn't think it was too bright for McClure to give sworn statements that Fire and Water should be enjoined due to concerns that evil hackers and cyberterrorists would use it to attack people, when he makes a pretty penny publishing how-to-hack tips in his Hacking Exposed series. It struck me as hypocritical at best.
Competition is hard enough as it is -- it is far better to stay focused on making your product the best it can be than to divert your efforts into grappling hand-to-hand with the competition. In this business, you don't have to stray too far from the path to get squashed -- whether it's by B.F. Goodrich or J.D. Glaser.