30
Jan 16

Sources: Security Firm Norse Corp. Imploding

Norse Corp., a Foster City, Calif. based cybersecurity firm that has attracted much attention from the news media and investors alike this past year, fired its chief executive officer this week amid a major shakeup that could spell the end of the company. The move comes just weeks after the company laid off almost 30 percent of its staff.

Sources close to the matter say Norse CEO Sam Glines was asked to step down by the company’s board of directors, with board member Howard Bain stepping in as interim CEO. Those sources say the company’s investors have told employees that they can show up for work on Monday but that there is no guarantee they will get paid if they do.

A snapshot of Norse's semi-live attack map.

A snapshot of Norse’s semi-live attack map.

Glines agreed earlier this month to an interview with KrebsOnSecurity but later canceled that engagement without explanation. Bain could not be immediately reached for comment.

Two sources at Norse said the company’s assets will be merged with Irvine, Ca. based networking firm SolarFlare, which has some of the same investors and investment capital as Norse. Neither Norse nor SolarFlare would comment for this story. Update, Feb. 1, 12:34 p.m. ET: SolarFlare CEO Russell Stern just pinged me to say that “there has been no transaction between Norse and SolarFlare.”

Original story: The pink slips that Norse issued just after New Years’s Day may have come as a shock to many employees, but perhaps the layoffs shouldn’t have been much of a surprise: A careful review of previous ventures launched by the company’s founders reveals a pattern of failed businesses, reverse mergers, shell companies and product promises that missed the mark by miles.

EYE CANDY

In the tech-heavy, geek-speak world of cybersecurity, infographics and other eye candy are king because they promise to make complicated and boring subjects accessible and sexy. And Norse’s much-vaunted interactive attack map is indeed some serious eye candy: It purports to track the source and destination of countless Internet attacks in near real-time, and shows what appear to be multicolored fireballs continuously arcing across the globe.

Norse says the data that feeds its online attack map come from a network of more than eight million online “sensors” — honeypot systems that the company has strategically installed at Internet properties in 47 countries around the globe to attract and record malicious and suspicious Internet traffic.

According to the company’s marketing literature, Norse’s sensors are designed to mimic a broad range of computer systems. For example, they might pretend to be a Web server when an automated attack or bot scans the system looking for Web server vulnerabilities. In other cases, those sensors might watch for Internet attack traffic that would typically only be seen by very specific machines, such as devices that manage complex manufacturing systems, power plants or other industrial control systems.

Several departing and senior Norse employees said the company’s attack data was certainly voluminous enough to build a business upon — if not especially sophisticated or uncommon. But most of those interviewed said Norse’s top leadership didn’t appear to be interested in or capable of building a strong product behind the data. More worryingly, those same people said there are serious questions about the validity of the data that informs the company’s core product.

UP IN SMOKE(S)

Norse Corp. and its fundamental technology arose from the ashes of several companies that appear to have been launched and then acquired by shell companies owned by Norse’s top executives — principally the company’s founder and chief technology officer Tommy Stiansen. Stiansen did not respond to multiple requests for comment.

This acquisition process, known as a “reverse merger” or “reverse takeover,” involves the acquisition of a public company by a private company so that the private company can bypass the lengthy and complex process of going public.

Reverse mergers are completely legal, but they can be abused to hide the investors in a company and to conceal certain liabilities of the acquired company, such as pending lawsuits or debt. In 2011, the U.S. Securities and Exchange Commission (SEC) issued a bulletin cautioning investors about plunking down investments in reverse mergers, warning that they may be prone to fraud and other abuses.

The founders of Norse Corp. got their start in 1998 with a company called Cyco.net (pronounced “psycho”). According to a press release issued at the time, “Cyco.net was a New Mexico based firm established to develop a network of cyber companies.”

“This site is a lighthearted destination that will be like the ‘People Magazine’ of the Internet,” said Richard Urrea, Cyco’s CEO, in a bizarre explanation of the company’s intentions. “This format has proven itself by providing Time Warner with over a billion dollars of ad revenue annually. That, combined with the CYCO.NET’s e-commerce and various affiliations, such as Amazon.com, could amount to three times that figure. Not a portal like Yahoo, the CYCO.NET will serve as the launch pad to rocket the Internet surfer into the deepest reaches of cyberspace.”

In 2003, Cyco.net acquired Orion Security Services, a company founded by Stiansen, Norse’s current CTO and founder and the one Norse executive who is actually from Norway. Orion was billed as a firm that provides secure computer network management solutions, as well as video surveillance systems via satellite communications.

The Orion acquisition reportedly came with $20 million in financing from a private equity firm called Cornell Capital Partners LP, which listed itself as a Cayman Islands exempt limited partnership whose business address was in Jersey City, NJ.

Cornell later changed its name to Yorkville Advisors, an entity that became the subject of an investigation by the U.S. Securities and Exchange Commission (SEC) and a subsequent lawsuit in which the company was accused of reporting “false and inflated values.”

Despite claims that Cyco.net was poised to “rocket into the deepest riches of cyberspace,” it somehow fell short of that destination and ended up selling cigarettes online instead. Perhaps inevitably, the company soon found itself the target of a lawsuit by several states led by the Washington state attorney general that accused the company of selling tobacco products to minors, failing to report cigarette sales and taxes, and for falsely advertising cigarettes as tax-free.

COPYRIGHT COPS

In 2005, Cyco.net changed its name to Nexicon, but only after acquiring by stock swap another creation by Stiansen — Pluto Communications — a company formed in 2002 and whose stated mission was to provide “operational billing solutions for telecom networks.” Again, Urrea would issue a press release charting a course for the company that would have almost no bearing on what it actually ended up doing.

“We are very excited that the transition from our old name and identity is now complete, and we can start to formally reposition our Company under the new brand name of Nexicon,” Urrea said. “After the divestiture of our former B2C company in 2003, we have laid the foundation for our new business model, offering all-in-one or issue-specific B2B management solutions for the billing, network control, and security industries.”

In June 2008, Sam Glines — who would one day become CEO of Norse Corp. — joined Nexicon and was later promoted to chief operating officer. By that time, Nexicon had morphed itself into an online copyright cop, marketing a technology they claimed could help detect and stop illegal file-sharing. The company’s “GetAmnesty” technology sent users a pop-up notice explaining that it was expensive to sue the user and even more expensive for the user to get sued. Recipients of these notices were advised to just click the button displayed and pay for the song and all would be forgiven.

In November 2008, Nexicon was acquired by Priviam, another shell company operated by Stiansen and Nexicon’s principals. Nexicon went on to sign Youtube.com and several entertainment studios as customers. But soon enough, reports began rolling in of rampant false-positives — Internet users receiving threatening legal notices from Nexicon that they were illegally sharing files when they actually weren’t. Nexicon/Priviam’s business began drying up, and it’s stock price plummeted.

In September 2011, the Securities and Exchange Commission revoked the company’s ability to trade its penny stock (then NXCO on the pink sheets), noting that the company had failed to file any periodic reports with the SEC since its inception. In June 2012, the SEC also revoked Priviam’s ability to trade its stock, citing the same compliance failings that led to the de-listing of Nexicon.

By the time the SEC revoked Nexicon’s trading ability, the company’s founders were already working to reinvent themselves yet again. In August 2011, they raised $50,000 in seed money from Capital Innovators to jump-start Norse Corp. A year later, Norse received $3.5 million in debt refinancing, and in December 2013 got its first big infusion of cash — $10 million from Oak Investment Partners. In September 2015, KPMG invested $11.4 million in the company.

Several former employees say Stiansen’s penchant for creating shell corporations served him well in building out Norse’s global sensor network. Some of the sensors are in countries where U.S. assets are heavily monitored, such as China. Those same insiders said Norse’s network of shell corporations also helped the company gain visibility into attack traffic in countries where it is forbidden for U.S. firms to do business, such as Iran and Syria.

THE MAN BEHIND THE CURTAIN

By 2014, Norse was throwing lavish parties at top Internet security conferences and luring dozens of smart security experts away from other firms. Among them was Mary Landesman, formerly a senior security researcher at Cisco Systems. Landesman said Norse had recently hired many of her friends in the cybersecurity business and had developed such a buzz in the industry that she recruited her son to come work alongside her at the company.

As a senior data scientist at Norse, Landesman’s job was to discover useful and interesting patterns in the real-time attack data that drove the company’s “cyber threat intelligence” offerings (including its eye candy online attack map referenced at the beginning of this story). By this time, former employees say Norse’s systems were collecting a whopping 140 terabytes of Internet attack and traffic data per day. To put that in perspective a single terabyte can hold approximately 1,000 copies of the Encyclopedia Britannica. The entire printed collection of the U.S. Library of Congress would take up about ten terabytes.

Landesman said she wasn’t actually given access to all that data until the fall of 2015 — seven months after being hired as Norse’s chief data scientist — and that when she got the chance to dig into it, she was disappointed: The information appeared to be little more than what one might glean from a Web server log — albeit millions of them around the world.

“The data isn’t great, and it’s pretty much the same thing as if you looked at Web server logs that had automated crawlers and scanning tools hitting it constantly,” Landesman said in an interview with KrebsOnSecurity. “But if you know how to look at it and bring in a bunch of third-party data and tools, the data is not without its merits, if not just based on the sheer size of it.”

Landesman and other current and former Norse employees said very few people at the company were permitted to see how Norse collected its sensor data, and that Norse founder Stiansen jealously guarded access to the back-end systems that gathered the information.

“With this latest round of layoffs, if Tommy got hit by a bus tomorrow I don’t think there would be a single person in the company left who understands how the whole thing works,” said one former employee at Norse who spoke on condition of anonymity.

SHOW ME THE DATA

Stuart McClure, president and founder of the cybersecurity firm Cylance, said he found out just how reluctant Stiansen could be to share Norse data when he visited Stiansen and the company’s offices in Northern California in late 2014. McClure said he went there to discuss collaborating with Norse on two upcoming reports: One examining Iran’s cyber warfare capabilities, and another about exactly who was responsible for the massive Nov. 2014 cyber attack on Sony Pictures Entertainment.

The FBI had already attributed the attack to North Korean hackers. But McClure was intrigued after Stiansen confidentially shared that Norse had reached a vastly different conclusion than the FBI: Norse had data suggesting the attack on Sony was the work of disgruntled former employees.

McClure said he recalls listening to Stiansen ramble on for hours about Norse’s suspicions and simultaneously dodging direct questions about how it had reached the conclusion that the Sony attack was an inside job.

“I just kept going back to them and said, ‘Tommy, show me the data.’ We wanted to work with them, but when they couldn’t or wouldn’t produce any data or facts to substantiate their work, we couldn’t proceed.”

After that experience, McClure said he decided not to work with Norse on either the Sony report or the Iran investigation. Cylance ended up releasing its own report on Iran’s cyber capabilities; that analysis — dubbed “Operation Cleaver” (PDF) — was later tacitly acknowledged in a confidential report by the FBI.

Conversely, Norse’s take on Iran’s cyber prowess (PDF) was trounced by critics as a deeply biased, headline-grabbing report. It came near the height of international negotiations over lifting nuclear sanctions against Iran, and Norse had teamed up with the American Enterprise Institute, a conservative think tank that has traditionally taken a hard line against threats or potential threats to the United States.

In its report, Norse said it saw a half-million attacks on industrial control systems by Iran in the previous 24 months — a 115 percent increase in attacks. But in a scathing analysis of Norse’s findings, critical infrastructure security expert Robert M. Lee said Norse’s claim of industrial control systems being attacked and implying it was definitively the Iranian government was disingenuous at best. Lee said he obtained an advanced copy of an earlier version of the report that was shared with unclassified government and private industry channels, and that the data in the report simply did not support its conclusions.

“The systems in question are fake systems….and the data obtained cannot be accurately used for attribution,” Lee wrote of Norse’s sensor network. “In essence, Norse identified scans from Iranian Internet locations against fake systems and announced them as attacks on industrial control systems by a foreign government. The Norse report’s claims of attacks on industrial control systems is wrong. The data is misleading. The attention it gained is damaging. And even though a real threat is identified it is done in a way that only damages national cybersecurity.”

FROM SMOKES TO SMOKE & MIRRORS?

KrebsOnSecurity interviewed almost a dozen current and former employees at Norse, as well as several outside investors who said they considered buying the firm. None but Landesman would speak on the record. Most said Norse’s data — the core of its offering — was solid, if prematurely marketed as a way to help banks and others detect and deflect cyber attacks.

“I think they just went to market with this a couple of years too soon,” said one former Norse employee who left on his own a few months prior to the January 2016 layoffs, in part because of concerns about the validity of the data that the company was using to justify some of its public threat reports. “It wasn’t all there, and I worried that they were finding what they wanted to find in the data. If you think about the network they built, that’s a lot of power.”

On Jan. 4, 2016, Landesman learned she and roughly two dozen other colleagues at Norse were being let go. The data scientist said she vetted Norse’s founders prior to joining the firm, but that it wasn’t until she was fired at the beginning of 2016 that she started doing deeper research into the company’s founders.

“I realized that, oh crap, I think this is a scam,” Landesman said. “They’re trying to draw this out and tap into whatever the buzzwords du jour there are, and have a product that’s going to meet that and suck in new investors.”

Calls to Norse investor KPMG International went unreturned. An outside PR firm for KPMG listed on the press release about the original $11.4 million funding for Norse referred my inquiry to a woman running an outside PR firm for Norse, who declined to talk on the record because she said she wasn’t sure whether her firm was still representing the tech company.

“These shell companies formed by [the company’s founders] bilked investors,” Landesman said. “Had anyone gone and investigated any of these partnerships they were espousing as being the next big thing, they would have realized this was all smoke and mirrors.”

Tags: , , , , , , , , , , , , , , , , , , , , , , , ,

206 comments

  1. This is what i received when i asked them to sell their data for my research.

    —————————————————————-
    Hi Yun-Sik,

    I appreciate your interest in Norse. Unfortunately, we do not have pricing models for individuals/small groups. Our pricing structure is focused around enterprise level companies, with pricing starting at around $500,000/yr. If this is a number you could potentially work with then I would be happy to put you in touch with the correct person.

    Thanks,
    Beau

    Beau Bassett
    Business Development
    Norse
    512-637-5590
    bb@norsecorp.com

    • <>

      if your research is completely free (no fee charged for results, no salary paid to the researcher), you can use farsight’s data at no charge. i am vixie@fsi.io if you want to pursue that topic.

      • Paul,

        I recall something in the past where in the past Farsight kept a perpetual license to all derivative works done by researchers.

        Can’t remember the details, but is this still the case?

        • maybe. if it’s raw data, there’s no license necessary. if it’s cooked, licensing is negotiable, with perpetual as one option. we make our raw sensor data available at non-discriminatory commercial rates in order to connect our sensor operators indirectly to the whole security industry who can do good (defend the innocent; frustrate or incarcerate the guilty) with the raw sensor data. once we cook the data and put it on other SIE channels, those channels have different rules from the raw ones.

          feel free to reach out to me at vixie@fsi.io if you want to discuss details. i expect that our mr. krebs considers this thread off-topic.

    • Elliot Alderson

      reminds me of the e – corp, steel mountain and allsafe cyber security company incident due to fsociety. sorta.

  2. Thanks Brian. Interesting read.

    After the smoke and dust settle and after enough people lose their jobs, the larger threat remains left behind as a forgotten relic while new business and corporate names get created and draw attention in other directions. My concern is with these “assets” that are the “sensors”. Things that just sit there waiting for someone else to pick up and use. Anyone with some level of knowledge (good guy or bad) utilizing things that have been deemed ‘write-offs’. We get so worried about people we call “hackers” but never really consider how we create our own problems. It’s all in the fact that these ‘maps’ even exist in the first place. At a certain point, it all ends up on some military scrap-heep somewhere. I understand the need to know where attacks are coming from. It’s so much in the way a so-called ‘security’ firm ends up not really being all that secure (in it’s leadership or it’s IT infrastructure).

    And I’m supposed to just trust a company that trys to assure me that a credit card reader has it’s ‘seal of approval? It’s that misplaced trust that gave us Enron. It’s that misplaced trust along with too many dollars chasing too many fantasies that gave us the ever popular “dot-com-bubble”.

    In the end….”a rose by any other name would smell just the same”.

    • I agree. It is that same misplaced trust that gave us our current president.

      • I can give the commentor before you Enron because of the fraud. I would contend the dot-com bubble wasn’t fraudulent but speculative much like the real estate bubble. Not sure what that had to do with trust. Websites and their associated companies have real and potential value just like real estate. The only issue is when people describe said value/products/earnings in a fraudulent manner. What you said about Obama makes no sense. People partially supported him out of frustration with the staus quo, similar to the rise of Trump. None of these things outside of Enron is similar to Norse. SRSLY? LOL @ UR LOGIC.

        • Place your faith and hedge your bets as you see fit. There are many variations on the shell game. Some, more subtle than others.

          • I wasn’t saying I trust any politician from either side of the aisle or salesman in the general as I think I possess a enough understanding of their respective motivations. I just don’t like when people randomly interject politics into discussions. #KanyeWest2020

  3. Wow! I talked to Sam and at that time never imagined this whole thing. I actually was in the process of building an attack map into my product and always thought how the heck they managed so many honeynets and what data exactly was being collected. I actually built one based on pewpew and threatstream with razpi2’s.
    I hope we can build our solution into what I believe we all need. If anyone is interested let me know. I am looking for investers but I have no shell co’s to boast of, just busting my ass getting systems built that actually make sense of all the data. Wow, just WOW…. Man this sucks for our industry, so sucks….

  4. Looks like their site is gone completely now.

    http://www.norsecorp.com

  5. Sorry, but I don’t believe everything I read. Just after a couple hours of my own research there seems to be some falsities in the article. Maybe it’s just me who doesn’t trust reporters always being factual as they get paid to put juicy stories together. But yet, I’m sure there are many people out there who believe Gwen Stefani is pregnant and if they share Mark Zuckerbergs Facebook post as they will receive a million dollars.

    • Anthony M. Freed

      It would be helpful if you pointed out what you feel are inaccuracies instead of just making an empty statement…

      • Yes, I’ll second Anthony’s request, Kimmie. Tell us what you found, and tell us please what you believe the falsities are. There are lots of ways I could have made this story “juicy” but I stuck to stuff that I could back up with quotes and facts.

    • I have no idea how Brian Krebs gets his money. That’s of no concern to me. However, I do believe that his reports, findings, and analysis are genuine and honest as it is presented on this site.

    • Where are you facts Kimmie? You said you did your own research, so why didn’t you post links to your sources? Please do post if you truly have such compelling data. But until then, I am going to go with Mr Krebs who actually did take the time to not only site sources, but compile an informative article based upon them.

      • Hank Johnston, Where in this article are sources sited? Disgruntle ex-employees are hardly reliable or credible sources. And just because he is “Brian Krebs” does not mean he is God and has his “facts” straight. If you research the companies named in this article you can CLEARLY see that The “founders of Norse” did not make these “shell” companies. I vote you do research yourself not drink the kool-aid.
        Here is just ONE example for you….Tommy Stiansen founded Pluto Communications in 2002 and joined the Nexicon management team when Nexicon Inc. acquired his company in 2004. Not sure how on earth he travel back in time to do what Krebs quoted..” The founders of Norse Corp. got their start in 1998 with a company called Cyco.net” when Stiansen NOR Glines where even apart of this company. I could go on and on with the inaccuracies of this article but honestly I don’t have the time. It is just a typical reporter piecing together a story for fame.

        • Totally not Tommy Stiansen

          Uh oh, Brian, you’ve upset one of the two Tommy Stiansen fans.

          • No what’s funny is now Krebs is reviewing posts and allowing something like yours to go through but not ones that cite the “real” facts or the factual ones defending the company. Hmmm not malice by any means. Just trying to cover his ass as he knows he screwed this one up big time.

            • Antonio, the only people I ever moderate on this blog are people who falsely accuse me of moderating posts. I simply don’t have the time for moderating comments. I depend on my anti-spam system to do that. You should know that comments which contain profanity usually get auto-moderated. I had to approve yours manually because of that.

          • Awww did I upset a Krebs fan? I am just stating the REAL facts. look them up! I told you I don’t trust reporters and from what others are saying in the comments below he has his facts wrong just like I said!

            • It does not work that way. You provide your facts to buttress your argument. You do not ever ask others to do your research for you. That’s laziness.

              • Mike, obviously you didn’t read my previous posts or others. Sounds like to were too busy at the punch bowl drinking the kool aid. I’m not a lawyer nor do I have anything vested in this so I’m not going to waste anymore of my time nor help provide a case for anyone since the “lawsuit” word has been tossed around in here. Plus I’m not your Mommy. You’re a big boy now and can look up things on your own.

                • You already know the rules of the playground, Kimmie; put up or shut up.

                • I did Kimmie K’s research for her. And it is wrong. If you don’t believe me, do your own research for me to prove my research I am doing for her is wrong on the research that she is having us do for her is wrong. 😉

                  • yeah.. Thenuthouse. Can you find any documents anywhere stating that the cofounders of Norse where the founders of Cyco? If so please provide that. Wonder if Krebs can? Because he’s clearly stating that is where these two got their start from right? I won’t be holding my breath for either of you two to provide that as it’s NOT True!

    • the statement here is quite heavy, compare this article to scam or false gossip is, at minimum, unfair. without solid evidence about your search (some references at least) I would subscribe your comment in the same league of the Gwen Stefani and Mark Zuckerberg’s Facebook post. Mr Krebs and this site has a long respectable history, and build credibility during the years with solid fact and great opinions, so please if you have something to prove mr Krebs made mistakes or, worse, willingly distort reality for some obscure purpose, please explain us. Otherwise we could think you have some interest in Norse.

  6. Justin Ferguson

    You go, Brian.

  7. Brian, this story about Norse reminds me of another company you wrote about back in May of 2015…Root9b located in Colorado Springs. The other day the Colorado Springs Gazette put out a story wherein Root9b was declared the TOP cyber security company in the world! If you look at their 10Qs, they lose money hands over fists and there are lots of reasons to question them. An anonymous contributor at Seeking Alpha claims Root9b is a total scam and goes to some lengths to offer up proof.

    Whatever the story is…I think it is safe to say that Root9b is not the top cyber security company in the world.

    • That company is totally legit, but does have many of the problems (leadership-wise) that other start-ups have. It is run by former military, Gov, and LE peeps.

  8. Interesting the attack map site has been now rebranded HP and redirected to:

    http://hp.ipviking.com/

    • Top left logo actually links to the Hewlett Packard site now? I wonder what’s going on over there…

    • Norse made a number of branded maps for various companies during their partnership/acquisition bids. This was just one of those.

  9. The map was lovely eye candy, I had a number of non-tech friends who treated that thing like it was the herald of doom, despite the fact there was little information on what was being presented.

    When they did the smear of Iran with the American Enterprise Institute I figured there were two courses – either a stratospheric rise in the realm of mischaracterizing the Islamic Republic, or an ignominious end. Glad it’s the latter, we’ve made enough bad foreign policy decisions based on systematic, professional hand wringing.

  10. trying to post my comments… seriously i there a character limit or something?

    • I have a few serious problems with this article.

      Firstly, let me introduce myself to the others. I’m Jason Belich, former Chief Architect, first engineering employee of Norse, and the highest ranking person let go during the mass layoff. There are no ex-Norse employees more intimate with the core of the company than me, not even my friend Kurt, or other ex-Norsers who have posted here, Anthony and Bev.

      I hope i’ve established my credibility w/r/t this story. Anyway….

      • Ah, Jason. Welcome. Is this the same Jason Belich that I spoke with on at least three different occasions, practically begging you to provide your perspective in my story? And now you go and publish a blog post claiming this was an “agenda driven” “hit piece”? If you were so scared to go on the record before, what emboldened you now?

        I repeatedly sought comment from you, Jason, mainly because I knew you had positive things to say about the company. I even held my story for almost a week in the hopes of getting your perspective in my piece before publishing it. So you can understand why I am flabbergasted to hear you saying the things you are in your blog now.

        • I get that… but i don’t think anything I could have told you on or off the record would have deterred you from writing this. You would never have given me the info necessary (i.e. Mary’s actual defamatory quote) for me to give an appropriate comment on.

          • jason, your linkedin profile claims that you are “Co-Creator of the Cyber Threat Intelligence Industry” among other things. can you explain what you mean by this? –paul

            • Easy. Before Norse, no one used correlative actuarials for intel purposes. We created that.. Norse even has a patent on it. So yes, am I being a bit of a showman in making a slightly farfetched statement? yes.

              There are now dozens of companies trying to emulate what we built, look at any trade show floor.

              But if Norse is so bad, why did you hunt us down so hard? at one point you thought I was Tommy… it’s my understanding you even offered to sell your company to us at one point.

              • jason, the following statements are unsubstantiated on your part, and disagreeable on my part: “Before Norse, no one used correlative actuarials for intel purposes”, “why did you hunt us down?”, and “it’s my understanding you even offered to sell your company to us at one point.”.

                i don’t know you, i don’t know tommy, and while i’ve found norse’s gimmickry to be reprehensible and its tactics an embarrassment to the industry i work in, i’ve cheered every success made by norse because of the friends of mine who work(ed) there. i’m not in the threat intelligence business per se, so norse’s success would not have come at my expense. i have never solicited an offer to purchase the farsight company or any farsight asset, not from norse, not from anybody.

                please check your premises. –paul

              • btw.. I’m a coder.. I don’t claim to be any good at marketing 😉

              • wait what? first what? just because you abused the US patent system doesn’t mean that you were the first. Remember ODS networks? Them and a few dozen other companies were claiming this long before Norse

              • Jason B,

                I’m not certain that the use of correlative actuarials may be all that unique. Trying to market it as a unique product is innovative, and I have not yet read the patent but I can say that back in 2010 I performed several location-based and timeline based threat profiles that were shared with several Federal agencies. Since your threat assessment may not be exactly what I was doing, it may be apples to oranges but I can say that using ‘correlative actuarials’ as a term only works on those who do not understand the space.

                As far as the claim that Brian Krebs made concerning New Mexico and 1998, as Brian may well know from my previous investigative reporting, I used to be licensed in NM as a private investigator during that time period, while also working my way back into technology. The Albuquerque tech sector was very closely held and, should he request it or exchange source / leads with me, I would not mind being a third party validator of that claim, or try and follow it up further based on my personal connections, dusty as they are.

                As far as my background goes, Krebs probably remembers me from the indepth FINCEN investigative reporting I did back in July 2010 that examined potential collusion between banks in order to report all Suspicious Activity Reports as ‘other’ that were likely derived from credential theft via banking trojans that should have been reported as ‘computer intrusion’. Anthony Freed is probably a decent character witness to the fact that I have no dog in this fight (really, no dog in any fight in five years, lol) and Robert Lee has seen some of my ‘correlative actuarials’ in a completely different manner.

                Essentially, Brian, I’m on standby if you care to have a backup on this guy trashing your source. Jason, I’m thinking that vaporware only works until someone looks behind the mirror and blows away the smoke. If all you have is that single claim, I’m willing to check out the validity since you only put up circular reasoning as your objection.

                Kimmie K., the same Pepsi challenge goes to you as well. If you think that Krebs’ story can’t withstand third party scrutiny, I’m willing to take a taste and go on the record.

            • Apparently he has removed that position from his LinkedIn profile, what a funny guy.

          • Jason — should I have shared your comments with others I interviewed and told them it was from you? It’s all well and good for you to say that nothing would have deterred me from writing this story, but then you go and write your own blog saying my story was one-sided? You can’t have it both ways, Jason. Either man up and defend the company you are so clearly proud of, or don’t. But don’t publish an entire blog post saying I ran a “hit piece” when you don’t have the guts to say what you really feel up front, especially when I afforded you every opportunity to do that and even held my story for almost a week in the hopes that you would.

            • What would you have me say? That I hate Tommy Stiansen with every ounce of my being? okay… totally true. That I fear him? yep.. that too. That I think he’s more responsible for the implosion of Norse than any other single person? yep… i’ll go with that too. That political fuckery and inane absurdities couple with licentious spendthrift tendencies screwed us all over? okay.. yeah sure… Is any of that actually relevant or for public consumption? No. Not really. Did nexicon have anything whatsoever to do with any of it in the slightest? fuck to the no.. No. No. No a dozen times No.

              Would you have had much of a story with out that? Also, No.. so nothing I could have said would have changed that.

              • Jason, you seem to think that people (to say nothing of executives) should not be judged on their prior performance. In this case, it was my view that this information was very relevant to the way Norse was run. You seem to agree, although you seem to dismiss the impact that this pattern of poor decisions has had on dozens of Norse employees (yourself included).

                We all get that you’re proud of what you built. I’m guessing what this is really about is that you’re upset that the world won’t ever get to know how cool it all was. Oh well. Perhaps you and others will take greater care to whom you hitch your fortunes going forward. If that’s the only thing people take away from this story, then I’m happy.

                • but you went back to 1998. the only relevant things are the decisions made Tommy and Sam. Problem is, Tommy and Sam weren’t in charge… Richard Urrea was. The most you could possibly say is they didn’t see the warning signs because they were conditioned by the insanity of back then. Instead you layed it out as a pattern of planned malfeasance, and that’s not only defamatory, it’s also false.

                  what distresses me so much, is you seem perfectly fine with that.

                • You make two verifiable and specifically false accusations.

                  “The founders of Norse Corp. got their start in 1998 …” and “By the time the SEC revoked Nexicon’s trading ability, the company’s founders were already working to reinvent themselves yet again.”

                  Who founded what in 1998? It sure wasn’t Tommy Stiansen or Sam Glines and it sure wasn’t Norse. You already stated Tommy didn’t get involved for at least 4 or 5 years and Sam for another 10. Since Tommy and Sam are the 2 founders of Norse, did they travel back in time?

                  You then say Nexicon’s founders “working to reinvent themselves again”. Who are Nexicon’s founders? Not Tommy or Sam. They were just employees: Head Geek and Taskmaster. Perhaps it was Richard Urrea, who was definitely not involved with Norse.

                  Again, specifically and verifiably false, like a nice ribbon of lies to stitch your narrative together.

                  • The reality here is you were fed a seemingly ready-made pile of sketch, perfectly attenuated with incompetence and a touch of malfeasance, and you had to tie in that juicy, hit-generating tidbit no matter what, even if it meant begging the question to do so… because the reality, that the founders of Norse, like so many other startup founders, two employees of a failing company sick and tired of their bosses incompetence and games, wasn’t interesting enough to fill column inches.

                  • The more I think about this, the more I wonder if this false link you’ve made, that Nexicon = Norse, and that Norse is an extension of Richard Urrea’s corporate shell games, isn’t dangerously close to the definition of “actual malice”

                  • Great question Jason! Who founded what in 1998? It sure wasn’t Tommy Stiansen or Sam Glines and it sure wasn’t Norse. You already stated Tommy didn’t get involved for at least 4 or 5 years and Sam for another 10. Since Tommy and Sam are the 2 founders of Norse, did they travel back in time?

                    I think your quote sums up this article perfectly… “Again, specifically and verifiably false, like a nice ribbon of lies to stitch your narrative together.”

                  • Any comment on this Krebs?

                    Jason Belich
                    February 1, 2016 at 5:07 am
                    You make two verifiable and specifically false accusations.

                    “The founders of Norse Corp. got their start in 1998 …” and “By the time the SEC revoked Nexicon’s trading ability, the company’s founders were already working to reinvent themselves yet again.”

                    Who founded what in 1998? It sure wasn’t Tommy Stiansen or Sam Glines and it sure wasn’t Norse. You already stated Tommy didn’t get involved for at least 4 or 5 years and Sam for another 10. Since Tommy and Sam are the 2 founders of Norse, did they travel back in time?

                    You then say Nexicon’s founders “working to reinvent themselves again”. Who are Nexicon’s founders? Not Tommy or Sam. They were just employees: Head Geek and Taskmaster. Perhaps it was Richard Urrea, who was definitely not involved with Norse.

                    Again, specifically and verifiably false, like a nice ribbon of lies to stitch your narrative together.

                    *****Also Did Glines have these shell companies as well because your article makes it sound plural numerous times throughout? From just googling him it does not seem like he did/does. Kind of misleading to the readers if not and really kind of defaming to his name.

            • Again. I’m not blaming or calling you out for writing what you wrote. I fully believe you had no actual malice. And based upon the info you had, the fact that a dozen haters wanted to dish and no fan was willing to, it’s perfectly understandable that you wrote what you wrote. But what you wrote is wrong. you’re leading to the wrong conclusion.

              And worse of all, it impugns all of us who worked so hard to build it. How can I be proud of my achievements at Norse when people now believe, because of the problems in this story, that Norse is literally a fraud? How can I let that go?

            • After I read this article and these comments I agree with the gentleman above. It sounds like a “hit piece’ and “one-sided” even almost Malicious.

      • anyway…

        I hate deep linking, but it seems you have a character limiter, so I need to simply give a link to my comments (2nd big block o’ text, scroll down a bit)

        http://pandawhale.com/post/70333/sources-security-firm-norse-corp-imploding-krebs-on-security

    • > But I stand behind everything we built and everything we accomplished. No one has the data collection capability that we built. No one has the correlative, actuarial, data analysis capability that we built. And no one is able to do so, not just in real-time, but live, not even the 3 letter agencies.

      If any of this is true, then why is the business disappearing, rather than getting bought by somebody?

      • Who says it’s disappearing? Didn’t Krebs say …. “Two sources at Norse said the company’s assets will be merged with Irvine, Ca. based networking firm SolarFlare” ? Maybe they are working on that or some other possible deal? Even though this article probably smashed that.

        • But the site is not working so it must mean he “got” them. Nothing else is possible. Boom you da man Brian.

      • Anonymousaswell

        Who said it wasn’t? Even Krebs stated it was in works with Solarflare. but now due to the libel, defamation of character and malice this article contains that deal looks like it is gone. If I was an employee, investor, or had majority ownership in Norse and lost that deal I know who I would be after. and I can tell you this not one of them have been employed by Norse.

  11. Wow.. A whole lot of grunting and squealing by people who know absolutely nothing about Norse… The concern about hackers being able to take over “abandoned” sensors is the funniest thing I’ve read.. I’m sure the can just Remote Desktop right in…All in all a fairly pathetic attempt at cyber chest thumping.. But don’t worry.. An ice storm is coming… Ya’ll can get Krebby with it.

    • The funniest thing I see here:
      A company leader (supposedly tech savvy) worried about meaning ideas of “character limiters” for posting on this site when email and phone conversation has no such thing attached to them. If he would have just had the conversation with Krebs in the first place, much nonsense and attitude could have easily been avoided. I can see for myself ‘the why’ as to the cause for such a company to implode. Leadership flows from the top down.

  12. Richard Steven Hack

    It’s clear to me from the corporate history Brian presents of these people that they’re mostly scam artists, or at least incompetent and deceptive as corporate execs. “Snake oil” would seem to be an appropriate phrase. Not that there’s any lack of that in the infosec game.

    Back during the Sony thing, I was intrigued by and supported Norse’s position on Sony, but I was concerned that they never revealed their “evidence”. And I was more concerned about their Iran position, since I know a fair amount about the nuclear issue and the AEI’s neocon-Israel First connections. Now it all becomes clear.

    Some consider this a bellwether for “threat intelligence”, but others are saying Norse is an exception, not a rule. Personally I consider “threat intelligence” to be of limited value. “Knowing your enemy” is one thing, wasting time browsing through scads of mostly irrelevant “intelligence” is not helpful. Unless it can be pinned down to threats directed at YOU, it’s not that useful – as the NSA has proven with their massive and completely worthless – in terms of actual “hits” – surveillance.

  13. “Before Norse, no one used correlative actuarials for intel purposes. We created that.. Norse even has a patent on it.”

    This babble everything anyone needs to know about the company and the author of the posting.

    • agreed. especially considering that the reality is that they were not the first but the first to patent it.

  14. Why does a Senior Data Scientist do for 8 months without access to data? At what point do you think something is wrong? The answer is surely less than 8 months, no? This does not add up for me.

    • That is certainly a fair question, Rick S. I spent most of those months analyzing prospect-provided logs, looking for signs of malware and providing the appropriate report back to the prospect based on those findings. While I happen to be good at spotting malware in logs, it wasn’t what I was hired to do. Getting to what I was hired to do took nearly 8 months.

      • I see. Thanks for adding that clarification!

      • Mary, I would understand if this happened in a large corporation… where bureaucracy takes over and jealousy between different BU forbids some things to happen at the right speed…. remember cisco & MS, right?
        from what i heard, Norse was not such an enormous elephant, but rather an agile beast.
        I understand settling in, being dragged in other things meanwhile, but you are very experienced and cold (should?) have spotted something’s wrong.
        What’s the REAL reason why it took seven months to get to the data???
        it must have been frustrating keeping on asking and always getting a different answer? did you inform anyone?

  15. This back and forth is as good as the article! Love it.

    • agree, this is an article where the comments are actually a better read than the article itself. 🙂

  16. Jason Belich’s comment rambling is making him look like a right chop.

  17. Maybe you can help me out with what Norse was providing. How was it different from the Digital Attack Map that is offered for free?

    http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=16832&view=map

  18. Its “sounds like” a lot of great techs got tricked by an investor that didn’t’ really care about a product as much as building up “an asset” to garner investors and sell off, for the sole purpose of making money (like domain squatters) without really having a product (finished product in this case).
    Clearly there were highly skilled people that took their work seriously and got the shaft from multiple directions.
    Hopefully the person(s) who took advantage of everyone or just made drunken decisions in the name of wealth get their karma share in a timely manner. It is GREAT to see people discus this in an adult manner here. You would never see that on The Reg~~~.

  19. Excellent Reporting, Mr. Krebs.

    You have lit the fuse which brought the explosion providing the light for proper forensics. Or was it “jenga,” pulling the proper piece to bring down the whole edifice?

    In either case your approach is beyond reproach, and triggered a classic chain reaction in which all are better informed. Kudos.

    On a personal note, I do feel for all the excellent tech folks who got pulled in and down by this/these scammers.

    It is my thought that trying to do the “right thing” is always the proper course, even when it hits the rocks. Don’t let the bitterness of a temporary defeat alter the fine lines of your “compass points.”

    I look forward to seeing all of you contribute to our security in the future.

  20. The amazing thing is that anyone bought anything from them.

    • Anonymousaswell

      Why wouldn’t people buy from them? Norse is a legit and honest company with amazing technology, employees, investors and board members. There are no “facts” in this article pointing otherwise just libel, defamation and malice which probably destroyed the company and all it’s employees. Clearly it killed the solarflare deal which will destroy the company and those who were supposed to go meet with Solarflare to get a job. I would not be surprised if we saw BIG lawsuits. Sadly, all from listening to a few whining disgruntle people who lost their jobs and “thinking” he connected the dots to a scandal when in fact there wasn’t one. Great job dude! great job!

      • Gee.. Krebs is pretty powerful, to be able to singlehandedly brought down Norse this way. Norse’s current situation is all his fault!

  21. Man I loved that attack map, and to think it might not had been using real data….bummer man. I know a couple of NOC’s that have that up for show-n-tell on large monitors. Just a shame they are imploding, great article Brian thanks for the real stories we all depend on that matter. KB

  22. so much drama in the dmz

  23. Now I need another pointlessly processor intensive visual to use as wall banter in my office…it’s an attack…dang that’s telnet…watch out!

  24. Anyone care to hazard a guess how much of that 140 TB/day gathering result in actionable intelligence?

  25. I read Norse’s web site and collateral again and again, and I was never able to believe that any company could build a proprietary network of 8,000,000 honeypots. How could they get their hands on the hardware resources? Even with hypervisors? EIGHT MILLION honeypots? PLEASE.

    • …That makes one wonder how many of those 8,000,000 sensors were installed because of functionality buried in terms of service of an otherwise useful utility.

    • Very large address space and highly optimzed virtualisation

  26. Fascinating, like reading my obituary. Wonder what hemisphere I am in.

  27. Surprised there was no mention of the supercars… Maybe these are the “licentious spendthrift tendencies” Jason mentions. Although it is not evidence of anything, it certainly brings things in perspective after reading this article.
    Our office faces the Norse office in San Mateo. One peculiar thing about Norse was the fact that there was a stable of supercars all stamped with massive Norse logos regularly parked in the lot. I am talking about a $1.2M McLaren, a Bentley, Lamborghinis, top of the line Mercedes and a few more I can’t remember. The story going around (complete hersay) was that the wealthy owner of the firm owned the cars and used them as a hiring perks to get talented engineers. Hard to compete with that! I suppose that that Norse logo means that they were paid by the business maybe… Mmmm. The plot thickens.

  28. Great article and comments indeed.

  29. seems all quiet on the slander front, i reread the article after reading jasons response and my take away was that even if the norse founders were just employees of the predessor they clearly learned their business processes from their past ceo. as far as the chief data scientist being hired as a blogger, her comment on her responsibilities sounded more sciency than maeting but im ommenting post imbibing anyhow. i dabbled in penny stocks as a youngster with some scratch money , ragingbull.com, and the business descriptions were consistent with vaporware boosting i read back then on other companies. might as well make commenters ip and account creation dates available for click many of the supporting replies to the neg comments were just too fortuitous unless there was coordinated effort amongst norse boosters vs a few duobl8ng down and replyinv to their own comment.

  30. fake project is gone !!!!