From: nobody@REPLAY.COM (Anonymous)
Date: Wed, 25 Oct 95 15:41:38 PDT
To: cypherpunks@toad.com
Subject: E-mail Spy
Message-ID: <199510252241.XAA03507@utopia.hacktic.nl>
MIME-Version: 1.0
Content-Type: text/plain



The Wall Street Journal, October 25, 1995.


A '90s Espionage Tale Stars Software Rivals, E-Mail Spy

By Glenn Simpson


Technothriller novelist Tom Clancy might have a hard time
dreaming this one up.

In a computer-age case of spy vs. spy, a small software firm
is claiming to have uncovered an industrial espionage attempt
by a much larger competitor by using a controversial e-mail
program.

Court documents and interviews tell a tale of intrigue,
deception and twist upon twist. Not to mention the alleged
involvement of a mysterious "classified government agency."

The protagonist is Performix Inc., a closely held
eight-year-old firm in McLean, Va., that has carved out a
significant niche for itself producing Empower, a software
program used for "load testing," which measures the ability of
a software program to serve many users simultaneously. Every
major computer manufacturer now uses Empower.

Enter Mercury Interactive Corp., a $300 million publicly
traded California firm that also is in the business of selling
software-testing products and produces competing software
called Load Runner. In June 1995, a senior Mercury Interactive
official, Graham Burnette, allegedly wrote to Performix
inquiring about a possible corporate alliance to develop
load-testing software. Performix spurned the offer.

Around the same time, a Virginia businessman named Joel
Dietrich, president of an obscure company called Styx Systems,
approached Performix asking to try out a version of Empower
known as Empower/CS on behalf of an anonymous client.
According to Performix, Mr. Dietrich said he couldn't identify
the client because it was a federal government intelligence
agency. On June 16 Performix granted Mr. Dietrich and Styx a
short-term license to use Empower/CS.

At 1:55 a.m. on Saturday, July 29, Performix received a most
curious e-mail message over the Internet. The message
indicated that someone who wasn't authorized to do so was
trying to install Empower/CS on a large computer and examine
its "source codes" -- the software's secret programming
language. A feature Performix had embedded in Empower/CS
automatically causes an e-mail alert to be sent to Performix
whenever there are indications the software is being used
improperly.

The e-mail indicated the address from which it had been sent:
"merc-int.com." This is the registered Internet address of
Mercury Interactive.

The e-mail also gave the name of the network on which someone
was installing the copy of Empower/CS: "testrun.mercury."

The license number of the software apparently now in Mercury
Interactive's hands, the e-mail further indicated, was the
license number of the copy that had been leased to Styx.

While Mercury Interactive and Mr. Dietrich have disavowed any
knowledge of a possible software transfer, Mercury
Interactive's Mr. Burnette acknowledged in an interview that
Mr. Dietrich's daughter and son-in-law work for Mercury
Interactive.

In mid-August, in U.S. District Court in Alexandria, Va.,
Performix sued Mercury Interactive, Styx and Dietrich,
alleging copyright infringement, fraud, conversion, unfair
competition, breach of contract and unjust enrichment.
Performix alleges Mercury Interactive "acquired Empower/CS so
that it could unlawfully, willfully and maliciously copy, use
and/or reverse engineer Empower/CS for the purpose of
improving the performance and features of existing Mercury
Interactive products in an attempt to gain significant
economic advantage."

Mercury Interactive hasn't yet formally responded to the
allegations, but Mr. Burnette denied any wrongdoing by the
company. "Mercury Interactive has a very strong policy against
industrial espionage," he said. "We don't do it."

Mr. Dietrich's response filed with the court has raised some
eyebrows. While claiming no knowledge of any transfer to
Mercury, he hasn't backed away from his claim to be working
for the federal government. Indeed, Mr. Dietrich is asserting
that he is immune from the suit because he was acting as an
agent of the U.S. government. He claims in court papers that
he obtained the software on behalf of "a classified government
agency."

None of the parties to the case who were willing to be
interviewed said they knew the identity of the agency, and Mr.
Dietrich didn't respond to interview requests. However, Mr.
Burnette of Mercury Interactive said: "I know that Mr.
Dietrich works as a contractor for a government agency. I know
it's a secret government agency, but I don't know what it is."

Officials of both Mercury Interactive and Performix said the
two firms have reached a tentative settlement, although they
disagree on what it contains. "Everything Performix needed
from a business perspective they received, including the
ability to review Mercury Interactive product releases," said
Performix attorney Nelson Blitz. In addition, "money will be
paid to Performix under this agreement in principle." But Mr.
Burnette asserted that no money would change hands.

The penultimate turn: Mr. Burnette claims that Performix is
eager to settle the case because it has a problem of its own.
He contends that it is illegal to secretly embed in commercial
software code a program that causes the customer's computer to
send out e-mail. Mr. Blitz of Performix denied there was
anything legally questionable about the practice and said
Mercury Interactive never raised that issue in settlement
negotiations. He also said the feature isn't intended to be a
spycatcher. Rather, he said, it is meant solely to help
clients who are improperly installing the product by alerting
Performix that they need help. Empower's documentation informs
customers of the feature, he added.

James Haggard, president of Vasco Data Security Inc., said the
purpose of such programs is ambiguous, and it would be hard to
rebut Performix's claim that the feature is merely meant to
serve the customer. He noted that Microsoft Corp.'s new
Windows 95 software contains a program that can send Microsoft
a report on the software products being used by those who sign
up for its on-line service albeit only with the users'
permission. While critics label it a means of economic
snooping, the company says the program simply helps it assist
customers.

"The concept of a program calling home of its own accord" is
controversial in the computer industry, said computer security
expert Samuel Bellovin of Bell Labs. "People tend to get very
upset when it happens," he said, because it can look as if the
software maker is spying on them.

The final twist: Performix last week agreed to be acquired by
Pure Software Inc., a publicly held firm as large as Mercury
Interactive-which now will be up against someone its own size.

-----


[How many CompSecExp S. Bellovins o'BellLabs?]