Author of Paper Critical of Microsoft is Fired

chongo writes "Daniel E. Geer Jr., one of the primary authors of a report Reliance On MS A Danger To National Security, was fired from @stake Thursday morning. @stake said that 'The values an opinions of the report are not in line with @stake's views' and that Geer's participation was 'not sanctioned.' Microsoft, who has worked closely with @stake in the past, denied that it was involved in @stake's decision to fire Dan." There might not be anything fishy going on at all, but that's no reason to stop making perfectly good conspiracy theories.

Re:More CTO openings at security consultancies...?

[bourne]

Lets hope Bruce still has his job by the end of the week.

As the founder of Counterpane, he's probably got a bit more say in his company. Also, @Stake has expanded a lot with VC, I think Counterpane has grown more... carefully.

Re:He wrote it as if it was on @Stake's behalf

[eschasi]

I've seen Geer off and on for quite a number of years. He's damned smart, and has damned little people and organizational sense. IMHO it's perfectly reasonable that he'd not consider that his statements in the forum would be taken as representing his employer, doubly so when he lists his affiliation repeatedly.

When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes your represent your company. It's not like being a prof at MIT. Noby would assume a prof officially represents the stance of a University. But companies are a differnt world. Bruce represents Counterpane when he does those sorts of publications, and Dan damned well should have known he'd be representing @Stake when he repeatedly listed the affiliation..

@stake == l0pht?

[autopr0n]

Wasn't @stake the security company that grew out of the l0pht? Or am I on crack?

Re:@stake == l0pht?

[Skilf]

Indeed, L0pht heavy Industries was the hacker group who had merged with @stake a few years back.

They became the "research and development" division of @stake apparently...

here is the link to an archived press release talking about the merger:
http://www.xent.com/FoRK-archive/jan00/0035.html

From what happened to Dr. Geer we can see that the spirit of the L0pht is really gone now.

Re:He wrote it as if it was on @Stake's behalf

[laird]

"When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes your represent your company."

The report states clearly on the first page that "Our conclusions have now been confirmed and amplified by the appearance of this important report by leading authorities in the field of cybersecurity: Dan Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, John S. Quarterman, Charles Pfleeger, and Bruce Schneier. CCIA and the report's authors have arrived at their conclusions independently. The views of the authors are their views and theirs alone."

Note that there are no company affiliations in that list, or on the front cover of the report, and that they clearly say that they're speaking as individuals, not as company representatives. The authors do list their current titles and employers in their bio's and on the "authors of the report" page, in order to establish their credibility (and that's a lot of credibility), but clearly don't speak for their employers.

Given that the document expresses the mainstream of security industry thinking, I'm a little amazed that this is even "news" much less something to fire someone over. Does any security professional think that a software monoculture is a good idea, or that Microsoft actually has security as its top priority (as opposed to market share or profitability)?

If we're to be serious about addressing vulnerabilities in our software infrastructure, we have to be willing to discuss these issues honestly, without self-censoring out of fear of stating the obvious when it's inconvenient.