Author of Paper Critical of Microsoft is Fired
chongo writes "Daniel E. Geer Jr., one of the primary authors of a report, Reliance On MS A Danger To National Security, was fired from @stake Thursday morning. @stake said that 'The values and opinions of the report are not in line with @stake's views' and that Geer's participation was 'not sanctioned.' Microsoft, who has worked closely with @stake in the past, denied that it was involved in @stake's decision to fire Dan." There might not be anything fishy going on at all, but that's no reason to stop making perfectly good conspiracy theories.
Just so everybody knows:
This is the same @stake that was formed from the l0pht heavy industries (www.l0pht.com) of old. Says itsecurity.com's Computer Security Dictionary of l0pht:
L0pht Heavy Industries
"A Boston-based group of hackers interested in free information distribution, finding alternatives to the Internet and testing the security of various products. Their web site houses the archives of the Whacked Mac Archives, Black Crawling Systems, Dr. Who's Radiophone, the Cult of the Dead Cow, and others. Current membership includes Mudge, Space Rogue, Brian Oblivion, Kingpin, Weld Pond, Tan, Stefan von Neumann and Megan A. Haquer. They can be reached at info@l0pht.com and maintain a web site at http://www.l0pht.com."
Hacker's Encyclopedia, by Logik Bomb (FOA), http://www.xmission.com/~ryder/hack.html, (1997- Revised Second Edition)
I wonder if good old mudge still works there? It's amazing what a little money'll do, eh?
There is a concept known as "at-will employment", which basically states
Almost every state in the US recognizes this concept in one form or another.
ObDisclaimer: IITGNAL (I Am, Thank Gawd, Not A Lawyer), this does not constitute legal advice, yada-yada-yada....
ObLinkage: Google is your friend.
Let's hope Bruce still has his job by the end of the week.
As the founder of Counterpane, he's probably got a bit more say in his company. Also, @Stake has expanded a lot with VC, I think Counterpane has grown more... carefully.
Many businesses are 'work-at-will' businesses, meaning both that the employee or the employer can terminate the employment contract at any time.
IANAL, but a quick search for 'work-at-will' via Google produced links by people who are, which explain a little about work-at-will and also how some litigation has made work-at-will a little less 'you can be fired whenever for whatever reason'. But in general, you have less protection as an at-will employee than you might otherwise, and most employment contracts are work-at-will. So they likely could indeed fire him, though he might have grounds to challenge his dismissal.
One example:
http://writ.news.findlaw.com/grossman/20010911.ht
--Rachel
When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes you represent your company. It's not like being a prof at MIT. Nobody would assume a prof officially represents the stance of a University. But companies are a different world. Bruce represents Counterpane when he does those sorts of publications, and Dan damned well should have known he'd be representing @Stake when he repeatedly listed the affiliation.
Wasn't @stake the security company that grew out of the l0pht? Or am I on crack?
Or the researchers for pharmaceuticals... where if you find that drug X doesn't help cure Y, then you shouldn't expect any grant money next year. Yeah, not fired, but certainly the same net result.
That's not exactly fair. The pharmaceuticals would prefer to find out about these things from their own people, as quickly as possible. The entire FDA approval process is essentially designed to eliminate drugs from the pipeline before they reach the market. I've seen many pharmaceutical scientists speak about drug development, and they've all emphasized their efforts to rule out as many drugs as possible even before Phase I trials. It costs a shitload if they make it to Phase III before discovering that their drug is crap.
Now, once a drug has actually been released, it's much worse for the company to find that it's ineffective. However, it's still much better for them if one of their own people finds out, because if they don't, someone else will sooner or later. They'll lose money in the short term, but they'll probably save far more in the long run, and they'll definitely look better. Hopefully they can even avoid the class action lawsuit entirely.
As far as I'm aware, the problem (well, one of them) with drug companies is generally not that they push drugs they know to be ineffective, but rather that they push drugs that genuinely are effective on people that don't need them. A huge number of mood-altering pharmaceuticals fall into this category; I refer you to the South Park episode about Ritalin for details.
Just a clarification - pharma researchers do not get grants; they have contracts. A corporation would not keep an expensive PhD biochemist on staff while discontinuing his research. Some academics do get pharmaceutical grants, but not many, and they almost always have other sources of funding which are completely unconnected.
"When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes you represent your company."
The report states clearly on the first page that "Our conclusions have now been confirmed and amplified by the appearance of this important report by leading authorities in the field of cybersecurity: Dan Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, John S. Quarterman, Charles Pfleeger, and Bruce Schneier. CCIA and the report's authors have arrived at their conclusions independently. The views of the authors are their views and theirs alone."
Note that there are no company affiliations in that list, or on the front cover of the report, and that they clearly say that they're speaking as individuals, not as company representatives. The authors do list their current titles and employers in their bios and on the "authors of the report" page, in order to establish their credibility (and that's a lot of credibility), but clearly don't speak for their employers.
Given that the document expresses the mainstream of security industry thinking, I'm a little amazed that this is even "news" much less something to fire someone over. Does any security professional think that a software monoculture is a good idea, or that Microsoft actually has security as its top priority (as opposed to market share or profitability)?
If we're to be serious about addressing vulnerabilities in our software infrastructure, we have to be willing to discuss these issues honestly, without self-censoring out of fear of stating the obvious when it's inconvenient.
Yeah but what about the moderation system? Don't you know that Linux users make up about 99% of all the mods?
According to the Washington Post, Lona Therrien, the @Stake spokesperson, "said the company had no conversations with Microsoft about Geer or the report."
However (same article), Sean Sundwell of @Stake said that on Tuesday night, when notice of the report's pending release was circulated, "Microsoft was contacted by @Stake officials . . . expressing their disappointment in the report and saying that Dan Geer's opinion did not reflect the position of @Stake and its commitment to an ongoing relationship with Microsoft."
So... which is it? Did they discuss the report directly with Microsoft or not??
Quoth he
"It's all academic anyway..."
Look at the history of Virginia Commonwealth University. See that point where they were completely shut down? That's because they *were* firing their tenured professors, and in the end completely shutting down the university was all that the state could do to stop it. When they sent examiners to interview the professors about the situation, the president would not let them alone with the professors. Anyhow, the state discovered that they couldn't do anything except close the university and fire everyone.
Jump over to James Madison University. It seems that the then president of the university was trying to force through academically impossible changes. [For example, teach upper-level calculus before basic calculus, "to give them a feel for it".] So one of the Physics professors came up with proof of tax fraud. At that point, the president fired the whole Physics department, because although he couldn't fire a tenured professor without cause, he could eliminate the need for the professor by abolishing Physics [impressive stupidity for a university with a medical program, but finding tax fraud was a real threat]. Eventually, the firing was rescinded, and the president retired, but the potential for tax fraud penalties was probably a slightly larger gun than tenure. Jump forward, same university, different president. The tenured professors' contract is the University Handbook; and the administration updated it, taking to itself all the rights of academic free speech, and making the contract unilaterally modifiable. My father caught this, and in the Faculty Senate pointed out that (1) this had no effect without Faculty Senate ratification, (2) they couldn't ratify it because unilaterally modifiable contracts are illegal, (3) they shouldn't ratify it, and (4) without ratification, they were working either on the old handbook (in which case the old handbook stood), or else without a contract, which implied no particular tenure protection, but also implied no protection for the university against lawsuit.
In the end, he got those clauses struck. But tenure really doesn't protect academic free speech too well.
In reality, tenure and academic free speech were initiated by the university administrations for their own convenience. It seems that, all the time people were coming up and saying "I'll donate X million dollars, if you'll teach this or that." And the problem was that if they taught this or that, 2 other donors would say "I'm not donating any more, because you're teaching nonsense." If they declined, however, then the person who wanted to affect the curriculum would begin a publicity campaign against the administration, and it was a real mess. So the academic free speech became a way that the administration could say "sorry, it's against contracts we've already signed. It's impossible."
Uh... if he was fired, and nobody else was, then he was pretty clearly discriminated against. Why the heck doesn't anybody understand what "discrimination" is? (separation according to characteristics of each individual).
Only some forms of discrimination are illegal. The law says words to the effect of "You may not discriminate on the basis of , , or ". That's it.
You're perfectly allowed to discriminate on the basis of how smart people are, or how bad they smell, or whether they understand the language they are trying to use. Just not by race or religion, usually, and even then only in matters of real estate and employment.
From p.3 of the report:
Unless they modified the report after it was first posted? The version I'm looking at says modified 24/09/2003, 7:03 EST
Uhm, not to nitpick, but we here in the Netherlands don't have many whores on street corners. We have more of them behind glass with red lights.
The way to corrupt a youth is to teach him to hold in higher value them who think alike than those who think differently
In a capitalist economy, the only thing that matters is capital - the buying and selling of goods and/or services. Access to votes is just another service. So is access to voters, for that matter. And information, as we see a lot these days - accurate information is a valuable commodity. Therefore, not everyone has access to it, which means that a company who controls access to information can manipulate markets. The ability to manipulate markets is just another commodity to be bought and sold on the open market.
Why use Fox News as a hypothetical example, when that did happen... to Bob Zelnick of ABC News, for writing a book about (then) Vice President Al Gore.
FYI: Rupert Murdoch, who owns Fox News Channel, also owns Harper Collins, which publishes books by authors like Michael Moore.
@stake, eEye, and ISS have all agreed with Microsoft not to release details of even potential exploits until Microsoft has had 30 days to "evaluate" them, leaving admins and the public unnecessarily exposed to vulnerabilities. This is completely unacceptable, and contrary to the scientific peer-review process of real science.
What an idiotic thing to say. Most legitimate security researchers give any company an agreed upon period of time before making public an exploitable security hole. Many times, this period is longer than a month. This allows a company time to create and distribute a patch against the hole. No legitimate researcher wants the internet to melt down or information compromised in the desire to rush to make a statement.
In professional ("real") scientific circles, there might not be a built-in delay before disseminating information, but you certainly jeopardize your career if you state anything in your publication that might be quickly interpreted as incorrect. (Just ask Pons & Fleischmann.) Many scientists will delay publication of information to be dead certain of their facts, and there can be a year of delay before a scientific journal will publish the information. (This is part of the peer review process.)
Microsoft may engage in egregious policies concerning disclosure of security vulnerabilities (but none that I'm immediately aware of), but requesting a researcher to delay public announcement before evaluating and producing a security patch is not one of them.
I'm posting my own translation, to clear up a couple of things.
> > It's a sad state of affairs, but not surprising. It's been a long time since the "CIFS is caca" paper...
> CIFS = Common Internet File System. This is a reference to the security flaws highlighted by Hobbit (from memory it was DEF CON 5, back in 1997) in the Microsoft SMB (Windows networking) products.
You're correct on which defcon, but I'd like to remind you that mudge and *hobbit* stood up there together. I was saddened to see how quickly mudge compromised his principles for cash. I have nothing but respect for *hobbit*, who has retained his.
> > and I lost respect for the l0pht back when *hobbit* was edged out. Mudge became "Dr. Mudge" (as if), and they all started running after the limelight. Sad, really. The Hacker News Network is long gone, and mudge is Pieter. It sucks for Dan, but it's just more of the same for the rest of us.
> L0pht Heavy Industries (creators of the L0phtcrack suite and pwdump, which allowed brute-force cracking of Windows NT user/passes) went through a period of internal discontent. I cannot provide any details on this.
It was more than just a bit of internal discontent. I'd say it was a basic separation into two camps: the old school hackers, and the group that felt it would be good to take advantage of the notoriety and cash in. The original Back Orifice product was written by the Cult of the Dead Cow, and only ran on Windows 95/98. It was a (soon to be) member of the l0pht that rewrote it to work on Windows NT. L0phtcrack was not the only interesting thing that came out of that group. Wish I'd made a mirror of the old site. There was plenty of MS bashing.
> > It takes a lot of nerve for Chris Wysopal to issue his little statement. Weld Pond would never have said something like that. Man, it's been a long path from BO2K to appeasing Microsoft. What a long, strange trip it's been. Sigh.
> I have to admit this part has me stumped. I assume he means that Chris Wysopal of @stake would answer differently to Weld Pond of Lopht. Since they are one and the same person I assume he means to highlight the change over time in Chris's opinions/loyalties... not really surprising in the context of articles like this (para. headed Who's Who).
Yeah, I was perfectly aware that Weld Pond == Chris Wysopal. The comment was expressing my sadness at just how much he's changed. Thanks for the link to the Register, I'd forgotten that article. That grouping never came off, BTW, but there's still the pay early version of CERT that doesn't much make me happy.
> It has indeed been a long and strange trip... no end in sight yet.
I'm not surprised they didn't tell you anything. They didn't tell me anything either. A big part of the secret was not to upset anyone else. Immediately from the start I had been separated from the rest of the original L0pht folks. My guess is to make it easier to let me go later on. If they had kept us together and tried to fire one of us it would not have gone so smoothly. The old divide and conquer strategy. Consider your time at @stake a valuable lesson. Never again will you allow yourself to be brainwashed when they tell you that their company is different, that they will succeed where others have failed, that they will change the world. Remember it's _ALL_ about the dollar. Anything else just gets in the way. - SR
If you are going to start a conspiracy theory, at least make one that stands up to a little bit of reason. Or not so easily discoverable by the public.