Author of Paper Critical of Microsoft is Fired

chongo writes "Daniel E. Geer Jr., one of the primary authors of a report Reliance On MS A Danger To National Security, was fired from @stake Thursday morning. @stake said that 'The values an opinions of the report are not in line with @stake's views' and that Geer's participation was 'not sanctioned.' Microsoft, who has worked closely with @stake in the past, denied that it was involved in @stake's decision to fire Dan." There might not be anything fishy going on at all, but that's no reason to stop making perfectly good conspiracy theories.

Re:Hey!

[bigberk]

They also boosted the memory limitation of Notepad so that it can open files larger than 60 kilobytes

That limitation was due to the inherent maximum capacity of 'edit controls' (64 K) in the Win95 stream of operating systems. Windows NT 4.0, though as old as Windows 95, never had such Notepad limitations.

Re:More CTO openings at security consultancies...?

[bourne]

Lets hope Bruce still has his job by the end of the week.

As the founder of Counterpane, he's probably got a bit more say in his company. Also, @Stake has expanded a lot with VC, I think Counterpane has grown more... carefully.

Re:He wrote it as if it was on @Stake's behalf

[eschasi]

I've seen Geer off and on for quite a number of years. He's damned smart, and has damned little people and organizational sense. IMHO it's perfectly reasonable that he'd not consider that his statements in the forum would be taken as representing his employer, doubly so when he lists his affiliation repeatedly.

When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes your represent your company. It's not like being a prof at MIT. Noby would assume a prof officially represents the stance of a University. But companies are a differnt world. Bruce represents Counterpane when he does those sorts of publications, and Dan damned well should have known he'd be representing @Stake when he repeatedly listed the affiliation..

@stake == l0pht?

[autopr0n]

Wasn't @stake the security company that grew out of the l0pht? Or am I on crack?

Re:@stake == l0pht?

[Skilf]

Indeed, L0pht heavy Industries was the hacker group who had merged with @stake a few years back.

They became the "research and development" division of @stake apparently...

here is the link to an archived press release talking about the merger:
http://www.xent.com/FoRK-archive/jan00/0035.html

From what happened to Dr. Geer we can see that the spirit of the L0pht is really gone now.

Re:He wrote it as if it was on @Stake's behalf

[laird]

"When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes your represent your company."

The report states clearly on the first page that "Our conclusions have now been confirmed and amplified by the appearance of this important report by leading authorities in the field of cybersecurity: Dan Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, John S. Quarterman, Charles Pfleeger, and Bruce Schneier. CCIA and the report's authors have arrived at their conclusions independently. The views of the authors are their views and theirs alone."

Note that there are no company affiliations in that list, or on the front cover of the report, and that they clearly say that they're speaking as individuals, not as company representatives. The authors do list their current titles and employers in their bio's and on the "authors of the report" page, in order to establish their credibility (and that's a lot of credibility), but clearly don't speak for their employers.

Given that the document expresses the mainstream of security industry thinking, I'm a little amazed that this is even "news" much less something to fire someone over. Does any security professional think that a software monoculture is a good idea, or that Microsoft actually has security as its top priority (as opposed to market share or profitability)?

If we're to be serious about addressing vulnerabilities in our software infrastructure, we have to be willing to discuss these issues honestly, without self-censoring out of fear of stating the obvious when it's inconvenient.

Mmm hmmm. And it doesn't work all that great.

[MickLinux]

Look at the history of Virginia Commonwealth University. See that point where they were completely shut down? That's because they *were* firing their tenured professors, and in the end completely shutting down the university was all that the state could do to stop it. When they sent examiners to interview the professors about the situation, the president would not let them alone with the professors. Anyhow, the state discovered that they couldn't do anything except close the university and fire everyone.

Jump over to James Madison University. It seems that the then president of the university was trying to force through academically impossible changes. [For example, teach upper-level calculus before basic calculus, "to give them a feel for it".] So one of the Physics professors came up with proof of tax fraud. At that point, the president fired the whole Physics department, because although he couldn't fire a tenured professor without cause, he could eliminate the need for the professor by abolishing Physics [impressive stupidity for a university with a medical program, but finding tax fraud was a real threat]. Eventually, the firing was rescinded, and the president retired, but the potential for tax fraud penalties was probably a slightly larger gun than tenure. Jump forward, same university, different president. The tenured professors' contract is the University Handbook; and the administration updated it, taking to itself all the rights of academic free speech, and making the contract unilaterally modifiable. My father caught this, and in the Faculty Senate pointed out that (1) this had no effect without Faculty Senate ratification, (2) they couldn't ratify it because unlaterally modifiable contracts are illegal,
(3) they shouldn't ratify it, and (4) without ratification, they were working either on the old handbook (in which case the old handbook stood), or else without a contract, which implied no particular tenure protection, but also implied no protection for the univeristy against lawsuit.

In the end, he got those clauses struck. But tenure really doesn't protect academic free speech too well.

In reality, tenure and academic free speech were initiated by the university administrations for their own convenience. It seems that, all the time people were coming up and saying "I'll donate X million dollars, if you'll teach this or that." And the problem was that if they taught this or that, 2 other donors would say "I'm not donating any more, because you're teaching nonsense." If they declined, however, then the person who wanted to affect the curriculum would begin a publicity campaign against the administration, and it was a real mess. So the academic free speech became a way that the administration could say "sorry, it's against contracts we've already signed. It's impossible."