Author of Paper Critical of Microsoft is Fired

chongo writes "Daniel E. Geer Jr., one of the primary authors of a report Reliance On MS A Danger To National Security, was fired from @stake Thursday morning. @stake said that 'The values an opinions of the report are not in line with @stake's views' and that Geer's participation was 'not sanctioned.' Microsoft, who has worked closely with @stake in the past, denied that it was involved in @stake's decision to fire Dan." There might not be anything fishy going on at all, but that's no reason to stop making perfectly good conspiracy theories.

Re:He wrote it as if it was on @Stake's behalf

[laird]

"When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes your represent your company."

The report states clearly on the first page that "Our conclusions have now been confirmed and amplified by the appearance of this important report by leading authorities in the field of cybersecurity: Dan Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, John S. Quarterman, Charles Pfleeger, and Bruce Schneier. CCIA and the report's authors have arrived at their conclusions independently. The views of the authors are their views and theirs alone."

Note that there are no company affiliations in that list, or on the front cover of the report, and that they clearly say that they're speaking as individuals, not as company representatives. The authors do list their current titles and employers in their bio's and on the "authors of the report" page, in order to establish their credibility (and that's a lot of credibility), but clearly don't speak for their employers.

Given that the document expresses the mainstream of security industry thinking, I'm a little amazed that this is even "news" much less something to fire someone over. Does any security professional think that a software monoculture is a good idea, or that Microsoft actually has security as its top priority (as opposed to market share or profitability)?

If we're to be serious about addressing vulnerabilities in our software infrastructure, we have to be willing to discuss these issues honestly, without self-censoring out of fear of stating the obvious when it's inconvenient.