Something to think about while you hack DigiCash

[Dave Farber <farber () central cis upenn edu>]

> Posted-Date: Thu, 26 Oct 1995 09:59:07 -0400
> Date: Thu, 26 Oct 1995 06:34:35 -0700
> To: www-buyinfo () allegra att com
> From: anonymous-remailer () shell portal com
> Subject: Something to think about while you hack DigiCash
> Comments: This message is NOT from the person listed in the From
> line.  It is from an automated software remailing service operating at
> that address.
> THE PORTAL SYSTEM DOES NOT CONDONE OR APPROVE OF THE CONTENTS OF THIS
> POSTING.   Please report problem mail to <hfinney () shell portal com>.
>
> A '90s Espionage Tale Stars Software Rivals, E-Mail Spy
>
> By GLENN R. SIMPSON
> Staff Reporter of The Wall Street Journal
>
>
> Technothriller novelist Tom Clancy might have a hard time dreaming
> this one up.
>
> In a computer-age case of spy vs. spy, a small software firm is
> claiming to have uncovered an industrial espionage attempt by
> a much larger competitor by using a controversial e-mail program.
>
> Court documents and interviews tell a tale of intrigue, deception
> and twist upon twist. Not to mention the alleged involvement of
> a mysterious "classified government agency."
>
> The protagonist is Performix Inc., a closely held eight-year-old
> firm in McLean, Va., that has carved out a significant niche for
> itself producing Empower, a software program used for "load
> testing," which measures the ability of a software program
> to serve many users simultaneously. Every major computer manufacturer
> now uses Empower.
>
> Enter Mercury Interactive
> Corp., a $300 million publicly traded California firm that also
> is in the business of selling software-testing products and produces
> competing software called Load Runner. In June 1995, a senior
> Mercury Interactive official, Graham Burnette, allegedly wrote
> to Performix inquiring about a possible corporate alliance to
> develop load-testing software. Performix spurned the offer.
>
> Around the same time, a Virginia businessman named Joel Dietrich,
> president of an obscure company called Styx Systems, approached
> Performix asking to try out a version of Empower known as Empower/CS
> on behalf of an anonymous client. According to Performix, Mr.
> Dietrich said he couldn't identify the client because it was a
> federal government intelligence agency. On June 16 Performix granted
> Mr. Dietrich and Styx a short-term license to use Empower/CS.
>
> At 1:55 a.m. on Saturday, July 29, Performix received a most curious
> e-mail message over the Internet. The message indicated that someone
> who wasn't authorized to do so was trying to install Empower/CS
> on a large computer and examine its "source codes" --
> the software's secret programming language. A feature Performix
> had embedded in Empower/CS automatically causes an e-mail alert
> to be sent to Performix whenever there are indications the software
> is being used improperly.
>
> The e-mail indicated the address from which it had been sent:
> "merc-int.com." This is the registered Internet address
> of Mercury Interactive.
>
> The e-mail also gave the name of the network on which someone
> was installing the copy of Empower/CS: "testrun.mercury."
> The license number of the software apparently now in Mercury Interactive's
> hands, the e-mail further indicated, was the license number of
> the copy that had been leased to Styx.
>
> While Mercury Interactive and Mr. Dietrich have disavowed any
> knowledge of a possible software transfer, Mercury Interactive's
> Mr. Burnette acknowledged in an interview that Mr. Dietrich's
> daughter and son-in-law work for Mercury Interactive.
>
> In mid-August, in U.S. District Court in Alexandria, Va., Performix
> sued Mercury Interactive, Styx and Dietrich, alleging copyright
> infringement, fraud, conversion, unfair competition, breach of
> contract and unjust enrichment. Performix alleges Mercury Interactive
> "acquired Empower/CS so that it could unlawfully, willfully
> and maliciously copy, use and/or reverse engineer Empower/CS for
> the purpose of improving the performance and features of existing
> Mercury Interactive products in an attempt to gain significant
> economic advantage." 
>
> Mercury Interactive hasn't yet formally responded to the allegations,
> but Mr. Burnette denied any wrongdoing by the company. "Mercury
> Interactive has a very strong policy against industrial espionage,"
> he said. "We don't do it."
>
> Mr. Dietrich's response filed with the court has raised some eyebrows.
> While claiming no knowledge of any transfer to Mercury, he hasn't
> backed away from his claim to be working for the federal government.
> Indeed, Mr. Dietrich is asserting that he is immune from the suit
> because he was acting as an agent of the U.S. government. He claims
> in court papers that he obtained the software on behalf of "a
> classified government agency."
>
> None of the parties to the case who were willing to be interviewed
> said they knew the identity of the agency, and Mr. Dietrich didn't
> respond to interview requests. However, Mr. Burnette of Mercury
> Interactive said: "I know that Mr. Dietrich works as a contractor
> for a government agency. I know it's a secret government agency,
> but I don't know what it is."
>
> Officials of both Mercury Interactive and Performix said the two
> firms have reached a tentative settlement, although they disagree
> on what it contains. Everything Performix needed from a
> business perspective they received, including the ability to review
> Mercury Interactive product releases," said Performix attorney
> Nelson Blitz. In addition, "money will be paid to Performix
> under this agreement in principle." But Mr. Burnette asserted
> that no money would change hands.
>
> The penultimate turn: Mr. Burnette claims that Performix is eager
> to settle the case because it has a problem of its own. He contends
> that it is illegal to secretly embed in commercial software code
> a program that causes the customer's computer to send out e-mail.
> Mr. Blitz of Performix denied there was anything legally questionable
> about the practice and said Mercury Interactive never raised that
> issue in settlement negotiations. He also said the feature isn't
> intended to be a spycatcher. Rather, he said, it is meant solely
> to help clients who are improperly installing the product by alerting
> Performix that they need help. Empower's documentation informs
> customers of the feature, he added.
>
> James Haggard, president of Vasco Data Security Inc., said the
> purpose of such programs is ambiguous, and it would be hard to
> rebut Performix's claim that the feature is merely meant to serve
> the customer. He noted that Microsoft
> Corp.'s new Windows 95 software contains a program that can send
> Microsoft a report on the software products being used by those
> who sign up for its on-line service, albeit only with the users'
> permission. While critics label it a means of economic snooping,
> the company says the program simply helps it assist customers.
>
> "The concept of a program calling home of its own accord"
> is controversial in the computer industry, said computer security
> expert Samuel Bellovin of Bell Labs. "People tend to get
> very upset when it happens," he said, because it can look
> as if the software maker is spying on them.
>
> The final twist: Performix last week agreed to be acquired by Pure Software 
> Inc.,
> a publicly held firm as large as Mercury Interactive -- which
> now will be up against someone its own size.