Interesting People mailing list archives
Something to think about while you hack DigiCash
From: Dave Farber <farber () central cis upenn edu>
Date: Thu, 26 Oct 1995 10:08:40 -0400
Posted-Date: Thu, 26 Oct 1995 09:59:07 -0400 Date: Thu, 26 Oct 1995 06:34:35 -0700 To: www-buyinfo () allegra att com From: anonymous-remailer () shell portal com Subject: Something to think about while you hack DigiCash Comments: This message is NOT from the person listed in the From line. It is from an automated software remailing service operating at that address. THE PORTAL SYSTEM DOES NOT CONDONE OR APPROVE OF THE CONTENTS OF THIS POSTING. Please report problem mail to <hfinney () shell portal com>. A '90s Espionage Tale Stars Software Rivals, E-Mail Spy By GLENN R. SIMPSON Staff Reporter of The Wall Street Journal Technothriller novelist Tom Clancy might have a hard time dreaming this one up. In a computer-age case of spy vs. spy, a small software firm is claiming to have uncovered an industrial espionage attempt by a much larger competitor by using a controversial e-mail program. Court documents and interviews tell a tale of intrigue, deception and twist upon twist. Not to mention the alleged involvement of a mysterious "classified government agency." The protagonist is Performix Inc., a closely held eight-year-old firm in McLean, Va., that has carved out a significant niche for itself producing Empower, a software program used for "load testing," which measures the ability of a software program to serve many users simultaneously. Every major computer manufacturer now uses Empower. Enter Mercury Interactive Corp., a $300 million publicly traded California firm that also is in the business of selling software-testing products and produces competing software called Load Runner. In June 1995, a senior Mercury Interactive official, Graham Burnette, allegedly wrote to Performix inquiring about a possible corporate alliance to develop load-testing software. Performix spurned the offer. Around the same time, a Virginia businessman named Joel Dietrich, president of an obscure company called Styx Systems, approached Performix asking to try out a version of Empower known as Empower/CS on behalf of an anonymous client. According to Performix, Mr. Dietrich said he couldn't identify the client because it was a federal government intelligence agency. On June 16 Performix granted Mr. Dietrich and Styx a short-term license to use Empower/CS. At 1:55 a.m. on Saturday, July 29, Performix received a most curious e-mail message over the Internet. The message indicated that someone who wasn't authorized to do so was trying to install Empower/CS on a large computer and examine its "source codes" -- the software's secret programming language. A feature Performix had embedded in Empower/CS automatically causes an e-mail alert to be sent to Performix whenever there are indications the software is being used improperly. The e-mail indicated the address from which it had been sent: "merc-int.com." This is the registered Internet address of Mercury Interactive. The e-mail also gave the name of the network on which someone was installing the copy of Empower/CS: "testrun.mercury." The license number of the software apparently now in Mercury Interactive's hands, the e-mail further indicated, was the license number of the copy that had been leased to Styx. While Mercury Interactive and Mr. Dietrich have disavowed any knowledge of a possible software transfer, Mercury Interactive's Mr. Burnette acknowledged in an interview that Mr. Dietrich's daughter and son-in-law work for Mercury Interactive. In mid-August, in U.S. District Court in Alexandria, Va., Performix sued Mercury Interactive, Styx and Dietrich, alleging copyright infringement, fraud, conversion, unfair competition, breach of contract and unjust enrichment. Performix alleges Mercury Interactive "acquired Empower/CS so that it could unlawfully, willfully and maliciously copy, use and/or reverse engineer Empower/CS for the purpose of improving the performance and features of existing Mercury Interactive products in an attempt to gain significant economic advantage." Mercury Interactive hasn't yet formally responded to the allegations, but Mr. Burnette denied any wrongdoing by the company. "Mercury Interactive has a very strong policy against industrial espionage," he said. "We don't do it." Mr. Dietrich's response filed with the court has raised some eyebrows. While claiming no knowledge of any transfer to Mercury, he hasn't backed away from his claim to be working for the federal government. Indeed, Mr. Dietrich is asserting that he is immune from the suit because he was acting as an agent of the U.S. government. He claims in court papers that he obtained the software on behalf of "a classified government agency." None of the parties to the case who were willing to be interviewed said they knew the identity of the agency, and Mr. Dietrich didn't respond to interview requests. However, Mr. Burnette of Mercury Interactive said: "I know that Mr. Dietrich works as a contractor for a government agency. I know it's a secret government agency, but I don't know what it is." Officials of both Mercury Interactive and Performix said the two firms have reached a tentative settlement, although they disagree on what it contains. Everything Performix needed from a business perspective they received, including the ability to review Mercury Interactive product releases," said Performix attorney Nelson Blitz. In addition, "money will be paid to Performix under this agreement in principle." But Mr. Burnette asserted that no money would change hands. The penultimate turn: Mr. Burnette claims that Performix is eager to settle the case because it has a problem of its own. He contends that it is illegal to secretly embed in commercial software code a program that causes the customer's computer to send out e-mail. Mr. Blitz of Performix denied there was anything legally questionable about the practice and said Mercury Interactive never raised that issue in settlement negotiations. He also said the feature isn't intended to be a spycatcher. Rather, he said, it is meant solely to help clients who are improperly installing the product by alerting Performix that they need help. Empower's documentation informs customers of the feature, he added. James Haggard, president of Vasco Data Security Inc., said the purpose of such programs is ambiguous, and it would be hard to rebut Performix's claim that the feature is merely meant to serve the customer. He noted that Microsoft Corp.'s new Windows 95 software contains a program that can send Microsoft a report on the software products being used by those who sign up for its on-line service, albeit only with the users' permission. While critics label it a means of economic snooping, the company says the program simply helps it assist customers. "The concept of a program calling home of its own accord" is controversial in the computer industry, said computer security expert Samuel Bellovin of Bell Labs. "People tend to get very upset when it happens," he said, because it can look as if the software maker is spying on them. The final twist: Performix last week agreed to be acquired by Pure Software Inc., a publicly held firm as large as Mercury Interactive -- which now will be up against someone its own size.
Current thread:
- Something to think about while you hack DigiCash Dave Farber (Oct 26)