The Two Faces of Foundstone A leading computer-security company is accused of software piracy.
By Richard Behar

(FORTUNE Magazine) – George Kurtz may be his own worst enemy. In just four years Kurtz, CEO of Foundstone, and Stuart McClure, its president, created one of the best-known U.S. computer-security companies by exposing the vulnerabilities of software firms. Thousands of FORTUNE 500 executives and government officials--from the FBI and the National Security Agency to the Army, the Federal Reserve, and even the White House--have taken Foundstone's Ultimate Hacking courses, at up to $4,000 per person. Motorola and Bank of America have shelled out more than $300,000 each for Foundstone products, and the company recently installed software to protect the FAA.

But it doesn't take the skills of a hacker to see that Foundstone, a privately owned $20-million-a-year company in Mission Viejo, Calif., is in trouble. It has been accused of widespread software piracy by a leading industry trade group, FORTUNE has learned--charges corroborated by current and former Foundstone employees and by computer printouts obtained by the magazine.

The trade group, the Software & Information Industry Association, informed Kurtz by letter in May that it intended to pursue copyright-infringement charges against Foundstone. It acted after a confidential source alleged that McClure and Gary Bahadur, Foundstone's chief information officer, routinely spread unlicensed software to the company's 125-member workforce; that Kurtz was aware of that practice; and that in early April the CEO ordered his staff to delete unlicensed software from their computers. "They're gambling with their reputation," says Keith Kupferschmid, head of the association's antipiracy unit, which investigated and found the allegations credible. "That's not a smart thing to do."

Kurtz vehemently denies the company engaged in piracy. "We have strict policies against piracy," he says. "We take intellectual property very seriously, given that we are a software company." He adds that Foundstone conducted an internal audit in April, "and we're in compliance."

The evidence suggests otherwise. For years, according to former employees, top executives at Foundstone dumped a seemingly endless supply of the latest software onto a company server called Zeus and into a Microsoft Outlook folder called Tools, available to everyone on staff. Employees say they were told to download whatever programs they needed by using license keys registered only to McClure or Bahadur. (Legally Foundstone should have paid for each user.) The unauthorized software ranged in value from $35 to $15,000 per user and included everything from Acrobat to X-WinPro.

"They've stolen pretty much everything when it comes to software," says a founding employee who asked not to be named. The company even cracked Microsoft's operating system, Windows XP, says Dan Kuykendall, a former Foundstone software engineer, "so you could install it on multiple computers without any problems." The founding employee estimates that only 5% of the software used at Foundstone was paid for. (Foundstone's lawyers say that only 5% was unlicensed and that the company has spent more than $1.5 million on software.) Foundstone also trained thousands of corporate and government security personnel on software that it duplicated in ways that avoided triggering license fees, according to Kurt Weiss, a training coordinator until last year, who says it was part of his job to copy software packages onto the drives of 40 laptops per class.

The use of unlicensed software is a global problem--estimates of lost revenues range up to $13 billion a year--but it's rare among companies whose business is safeguarding intellectual property. "We happen not to have any experience with other security-software companies' doing that," says William Plante, chief investigator at Symantec, a Foundstone competitor. "Especially for a software company interested in protecting its own copyrighted material. If true, it's pretty unconscionable."

One software package available on Foundstone's server was Teleport Pro, an offline browser program made by Tennyson Maxwell Information Systems. Only Bahadur had a license, says Michael Del Monte, Tennyson's top developer. "That's a no-no," he says. "Companies are pretty responsible about purchasing licenses for everybody who's going to be using the software. You would think that as a security company, they'd be more careful about that kind of thing." Another software package, UltraEdit, was in Foundstone's Tools folder in violation of its one-user license, the manufacturer says.

In some ways the Foundstone tale is a microcosm of the ugly side of the dot-com craze--arrogance, greed, mismanagement, and stupidity. But those are indulgences the computer-security industry can no longer afford. The market for its services has gotten tougher. While large firms such as IBM, EDS, and Symantec still dominate, the midsized players--including Foundstone, @Stake, and Guardent--are duking it out for business.

Foundstone's troubles began last October when the company brought a trade-secrets case against J.D. Glaser, its former director of engineering, accusing him of stealing proprietary code. Glaser had left Foundstone in May to reactivate his old company, NT Objectives. After ten staffers followed him, Foundstone got a temporary restraining order barring Glaser from marketing his software. But a judge declined to grant an injunction, saying that Foundstone had not identified the trade secret and was unlikely to prevail on the merits.

In most industries such a dispute would have been routine. But the computer-security industry prides itself on being an open-source community that shares innovations. That much is clear from Kurtz and McClure's bestselling book, Hacking Exposed, perhaps the most detailed account ever written of how to hack--and defend--popular computer networks and software.

Things quickly went from bad to worse. Soon after the case was filed, Jason Glassberg, Foundstone's software-consulting guru and its key contact with Microsoft, the company's largest client, sent an e-mail to Kurtz. "This is bullshit," he wrote. "We will regret the day we became a litigious company. You realize you have zero support from the rest of the company on this action, don't you?"

Kurtz promptly fired Glassberg, who was immediately offered work by Microsoft. The software giant then yanked its Foundstone business, which had accounted for about a quarter of the company's revenue. More staff defections followed. "Most of the people I know who work at Foundstone are looking for jobs elsewhere," says Jeff Moss, who runs the BlackHat computer-security conferences.

Despite losing its bid for an injunction against Glaser, Foundstone is still pursuing the case in arbitration--a decision that sparked the piracy allegations, which will now make the case even more difficult to win. "How can you have a trade secret when your product was built on software that didn't belong to you?" asks Glaser. Saumil Shah, a former Foundstone employee and a highly regarded technical expert, says Kurtz, McClure, and Bahadur were involved: "There is absolutely no denying that they committed piracy. They did that knowingly and in huge volume."

In March, Foundstone asked an arbitration judge to seal evidence of software piracy presented by Glaser. The company said it would preserve its records. But in early April, Kurtz called a staff meeting. "Don't do anything with your software," Kurtz says he told his employees. Then he made his next move clear: "If there's anything that's not in compliance, we'll get it addressed. We get the license, or we delete it." Foundstone lawyers say some software has since been deleted from the company's servers, but maintain that anything deleted would still be on backup tapes.

It will be harder to delete Foundstone's tarnished reputation. Ex-employees are piling on, telling FORTUNE that Kurtz and McClure took credit for other people's work and created an unusually harsh office environment. (There are even allegations that Foundstone's Ultimate Hacking classes were a ripoff of the Extreme Hacking classes its founders ran at Ernst & Young in the 1990s.) In doing so, they are shedding light on a bunch of executives who seem to have believed their press clips--Fast Company recently named Kurtz one of its 50 champions of innovation--and somehow got lost along the way.