Slashdot Mirror
Author of Paper Critical of Microsoft is Fired
chongo writes "Daniel E. Geer Jr., one of the primary authors of a
report
Reliance
On MS A Danger To National Security,
was fired from @stake Thursday morning.
@stake said that 'The values an opinions of the
report
are not in line with @stake's views' and that Geer's
participation was 'not sanctioned.'
Microsoft, who has worked closely with @stake
in the past, denied that it was involved in @stake's
decision to fire Dan." There might not be anything fishy going on at all, but that's no reason to stop making perfectly good conspiracy theories.
Did he do this on his own, or as an @stake employee? I find it rather disturbing that a company can fire you for something you do of your own accord. What's next, are companies who like to suck up to MS gonna fire you for developing a linux program?
Am I just being naiive, or does this bother other people too?
if(!cool) exit(-1);
I'm tired of people hashing out their stupid little pet peeves on the basis of 'national security'. Its inane and tiresome to hear people trump up the 'unassailable argument'. Oh now we can't challenge you because if we do we're rooting for terrorists.
dont these places have editors? surely, a story that would have gotten someone fired wouldnt get approved.
I guess that's where the phrase, "power corrupts" comes from, eh?
Read the EFF's Fair Use FAQ
He put his company and title in the paper. If he did not clear that with his company before publishing this paper, @stake has every reason to fire him.
Not only can it be viewed as damaging to a big client (Microsoft, in this case), but it can also be viewed as competing with your own company since both @stake and the paper deal with security. I'm sure he signed a non-compete agreement with @stake when he was hired.
Well actually it was Computing Technology Industry Association, but they are funded by MS. The say "the report is flawed by "myopically looking to technology (i.e., 'bad' software OS) instead of addressing the underlying cause -- human behavior -- for cyber breaches." "
So basically if humans just would stop being mean or stupid, there wouldn't be any problems.
Isn't that sort of like blaming plane crashes on gravity? I mean, human nature is what it is. There will be virus writers, there will be people who don't always install the patches right away.
What are they suggesting, that we try to change human nature? Genetically engineer better humans? How about they take human nature as a given (like gravity to an aeronautical engineer), and then fix the damn product?
The difference is that your consulting job is not on the line when you post alternative viewpoints on Slashdot.
Now, if you get fired for reading too much Slashdot on company time, we are absolutely not responsible.
Gotta love those @stake guys. Here's a relevant quote from their website:
"@stake has assembled the best minds in digital security to help you understand and mitigate the security risks inherent in your business model, so that you can maximize the opportunity in front of you. We help you make the hard decisions about what matters most in your business, so that your security investment has the greatest impact. We work in the space where your business and technology meet, because we believe that this is where security is most powerful."
Talk about blowing it out both ends. You can read their ethical and guiding principles as well.
This is what l0pht has turned into?
The report itself stated quite clearly in several places that Dr Geer was the Chief Technical Officer of @Stake.
I can't find a disclaimer anywhere in the report saying that he wasn't representing @Stake, and yet he used it to back up his authoritarian position, and intentional or not it appear that he was speaking on behalf of the company he worked for.
Perhaps more details will emerge about what actually went on, but it does seem quite irresponsible to make it appear that you're speaking on behalf of a company if you're not... if that's what happened.
If you sign an employment agreement, you'd better stick to it.
In particular, you shouldn't publish a paper without running it by corporate communications first. You especially shouldn't publish a paper that might be critical of a partner or customer without doing this. You know why? Exactly. You get fired. For violating your employment agreement. If you don't agree with the things that you signed, you shouldn't have signed them. Hell, even if you have permission to publish the paper, you might want to think twice about publishing a paper which is critical of a rather large customer.
When I worked at AOL, I tried to get some of the execs to realize that some of the employees could be a powerful force in the technical community to raise the image of the company. Just the ability to explain some of the things that weren't confidential, correct some of the misconceptions. It wouldn't be a magical transformation, but it would be an effort. And actually joining the community would be a big step. Peer review and PR oversight could both be used to help make sure that more incorrect information didn't go out, or that the wrong things didn't go out.
Noone wanted to talk about it. My assumption is that noone I got to wanted to rock the boat, and noone responsible trusted the employees. It's too bad really. But even with something like that in place, this type of paper would never pass muster. Not through a peer review, and not through PR. You just don't criticize a large customer. Especially a customer with as much money as Microsoft.
-Todd
"The details of my life are quite inconsequential..."
This really is something Greer should have seen coming. He published a highly critical, highly-publicized report bashing his consulting company's biggest client. Whether it is true or not is irrelevant; that the client was Microsoft is irrelevant -- replace "MS" with "Sun" or "Oracle" or any other company you like, and I bet his higher-ups still wouldn't be happy about it. You may not like who you work for, but it's not a good idea to bite the hand that feeds you.
The bold print giveth, and the fine print taketh away
As many, many researchers know, this is why so much commercial research is flawed - there are too many strong influences out there that taint the data.
This is the first overt firing that I've heard of in the IT industry, but I'm sure there have been thousands that we just never heard of.
Just think of those poor researchers at the cigarette companies - you know, the ones where if you found that there was a link between cigarettes and cancer, well, you must be fired.
Or the researchers for pharmacuticals... where if you find that drug X doesn't help cure Y, then you shouldn't expect any grant money next year. Yeah, not fired, but certainly the same net result.
The fact is that research SHOULD be independent. I don't know or care if this guy's paper was right or wrong. But it should be the research community, not MBAs, who decide the quality of research. Period.
I think that firing this guy due to his research is wrong. It looks like he was fired for financial relationship reasons, not because his study was consistently rejected by the research community. Should his employers be considered biased? As a potential customer, should I trust this company? If they are motivated more by their relationship with microsoft versus upholding the truth, I'll never recommend anyone to do business with them. And it looks like they are, and so I'll make sure they're scratched off the list.
It's really interesting, because I don't doubt for one second that M$ told them that either they fire them or they loose their business together. It is common sense, one uncloud's their mind, that M$ is a REALLY bad platform to be on in regards to security. It definitely has a wonderful software base, but that is due mostly to really good marketing, including making a visually appealing interface. Lock-in also plays a big role. However, when one has to worry continually about security holes in their systems, that is bad. Linux systems may have a large number of holes, but they are typically in the daemons running on the machine, and one can jail or chroot them into secure directories, but Windows' core services are the ones that are the culprits here-- and they cannot be jailed!
It's sad that a person who speaks truth gets fired if it is not in the best interest of their companies, but I guess that is why a truly outspoken person must be freelance, because otherwise they WILL be fired eventually for their honesty.
M$OS-less 15" Powerbook G4
Actually, he didn't even criticize Microsoft. What the report said was that having all computers run the same OS was a risk to security. Just like having only one species of a crop would be a huge risk to agriculture. Single species are vulnerable in both biology and computer networks.
This seems to me to be awfully rational.
If they fired him for that kind of thinking, then it's probably their loss, not his.
--Hi. I'm in Portland and it's raining. This appears to be a permanent condition.
Nonsense. His company and title are simple facts, not an endorsement by @stake of his ideas or a claim to represent @stake in this matter.
It's clearly stated in the paper that the author's views are theirs alone.
@stake's actions are unjustified, ethically if not legally - if the law backs them, it shows only how far into corporate feudalism we've slid.
Certainly @stake has just been removed from my list of trusted voices on the topic of security.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
I read the report, and it didn't sound like a "MS is teh ghey" rant to me.
It sounded more like a new argument against OS monopoly, and one that made sense: it doesn't matter who has the monopoly -- just the mere fact that there is no OS diversity in itself presents a security risk. Whether or not you believe it, it is at least plausible, and a point of view that needed to be heard. Schneier put his name on it, and in my book, even if it's wrong, that at least means you should pay attention.
How can @stake fire a guy for writing that? I agree, @stake doesn't owe him employment. But how can a company that calls itself a "security consulting company" fire an employee for helping to write a paper suggesting that OS monopoly is bad for security?
Would you seriously hire @stake now? If your security consultants will be fired if they criticize microsoft?
What the hell?
First of all: False and misleading information? Unless you have some magical insider information on what exactly happened, who are you to claim that it's false and misleading? To dismiss it as false without having any facts is no better than accepting it as true without having any of the facts. Different sides of the same coin.
And second, it looks like a pretty tongue-in-cheek comment. You said it yourself:
Those sorts of things happen on their own more than enough as is; encouraging it is just unecessary.
Do you really believe that the editors don't also know this? Contrary to popular opinion they do actually read the site, sometimes. It's pretty clear to me that it's a jab at all the 'perfectly good conspiracy theories' that abound whenever a Microsoft story rolls around. Would you really call them 'perfectly good conspiracy theories' if you weren't against them? Sounds like a pretty sarcastic phrase to me.
But hey, don't let little old me get in the way of Slashdot's readers bashing Slashdot...
Random and weird software I've written.
I mean, if you're Microsoft, you've got a thick skin toward bad press.
I imagine it was just some chickenshit middle management type over at @stake who wet himself when his little pet security project churned out a ton of anti-microsoft press.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
For him to be canned over this report (which is excellent by the way), is awful. Other heavy hitters in infosec also collaborated on this report e.g. Schneier, Becky Bace, and Charles Pfleeger.
It's not so much that @stake doesn't have the right to fire him, but rather that it's a pity that they can't stand up to the truth. Not that corporations are known for their honor anyway. I would not trust a @stake with my business at this point-what's next? MS buying them into using their clearly superior security products?!
Well, one of the main points of the paper for which he was fired was that _any_ software monoculture is dangerous. So yes, a Linux monoculture _would_ be just as bad as a Windows monoculture. The specific criticism for Microsoft came from the fact that the company puts _so much effort_ into maintaining their Monopoly, and hence the monoculture.
I can't argue with those points. You're absolutely right. It's just a shame to me that someone who knows a lot about something that affects the security of millions of Americans can't speak out about that threat without being fired by their employer.
It's rare to see a group of people take a stand about something they feel is of more importance than just dollars and cents. These folks are essentially blowing the whistle on something a lot of people have known about for a long time but have been too frightened to say for fear of the wrath of Microsoft.
While I absolutely agree with you that @Stake is just protecting their own interest, their action is proof of how far Microsoft has permeated the fabric of the IT business. Virtually every company in the industry has to be careful about criticizing (or even allowing an employee to criticize) Microsoft, for fear of retribution.
Read the EFF's Fair Use FAQ
You guys all need a real life. Spending life cycles debating this stuff is just a total waste of time. When you're all 80 and imoblized, you'll want the precious time back that you spent talking about this stupid, meaningless, stuff -- as if your contribution to the forum will make any difference at all. It won't. But that garabage along the street that you could have been picking up will still be there. There's better ways to spend your life than being a pissed-off evanglest for some stupid peice of technology.
Why assume that MS had ANYTHING to do with his getting fired - it could've just as easily been some nervous CEO who perceived, rightly or not, that firing this guy would be a better move than keeping him on board.
Think about whatever company you may work at, if not now then some day. If you wrote something critical of one of your company's main sponsors, or a frequent collaborative partner, it wouldn't be likely to go over well with the President, would it?
If you're at all worried that there's competition for your position in a collaborative partnership with, in this case MS, you're going to take pre-emptive steps to ensure that your partner knows how devoted you are, and if it gets to the point that they're pressuring you to do these things, then it probably means you're behind, which is a bad sign.
It's very possible that Microsoft didn't give a whit about this guy, or at least didn't care enough to tell the company to "do something about him!". Let's be honest, we do have a tendency to overhype the anti-MS sentiment in this community sometimes.
Moo
...who bears bad news. Looks like this is @Stake's loss more than Mr. Greer's. Someone with his knowledge of secuity won't have a problem finding a job even in this economy (security being kind of a hot topic these days).
I remember going to one of the MIT Fleas, back when l0pht became @stake, and they had a big van pulled up and were selling off their old junky equipment. Presumably they were buying more modern gear with all that VC. I bought a big brick of a hard drive from them. It had some nice mp3s on it (among other junk), and served me well until I sold it again at the flea, l0pht sticker and all.
Anyway, hung on the side of the van was a big sign reading:
Until today, I had no idea just how much they had.
Are you nuts? Or do you just have a very small understanding of business?
If this person was a writer/researcher/whatever for a company, and he made comments that were not only attributed to him, as an individual, but to the company he worked for- yes, they can get rid of him. And, if these comments made by him, under the guise of 'official' statements were contrary to the companies position, then yes, he *should* be fired.
If he wants to say these things on his own time, and not associate them with his company, then fine. Unless of course he has a contract that states he CANNOT do this. This is fairly common for people who are a 'spokesperson' for their company. Or, who are strongly identified with the company.
But, this person wanted to use their company's good name to push his own agenda- that is not a good thing. I work for a major university- I cannot publish papers filled with my opinions, and my own platform, and associate it with my university. In fact, anything that IS published, and associated with the university, needs to get peer-reviewed by at least 3 other people who are experts in the field. This is to ensure that individuals cannot use the university's good name as their own pulpit.
No reason to lie.
Simple point here: whether or not @stake is involved in a conspiracy, @stake clearly considers themselves to be a advertising/publicity agent of Microsoft.
@Stake clearly does not consider themselves to be a news organization, or a news clearing house.
That said, they should, in the future, be held to the standards of advertising agents, with all the benefits of such -- not news agents with their benefits.
Therefore, if they want to come in to cover a software convention, by all means let them [but at full price: no media pass]. If they want to claim first Amendment right to speech, they can, within the bounds and with the protections set by our government for advertisers. Not within the bounds and with the protections set by our government for news media.
I don't see a reason to apply conspiracy here; just treat them as what they consider themselves to be.
Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
My favorite bit:
... pleased that he had maintained plausible deniability.
> Microsoft spokesman Sean Sundwall said AtStake
> contacted Microsoft Tuesday night to express
> disappointment in the report and to say it did not
> reflect AtStake's position.
So, if AtStake has all this integrity and independence, why do they contact someone at Microsoft to do the old "No! No, Master, it wasn't us! It was the tricksy CTO. But we fires him, yes! Is Master pleased with us?" routine?
> "Microsoft had absolutely nothing to do with
> AtStake's internal personnel decision," Sundwall said.
Just another day at the weasel ranch...
Whistle-blowing is never a popular job, but it's even riskier during bad economic times. Most of the backlash against this employee is due to the spineless quivering, in management, about losing vital business. Once again, we see why monopolies are unhealthy for society.
What are you gonna do, though, if you're canned? The employment-at-will doctrine has essentially always allowed bosses to hire and dump whomever they wish for any reason; dear old kooky Walt Disney used to go nuts with this easily abused freedom, and the 1990s left a trail of shattered lives and communities behind the rapacious "downsizing" of workers. Except where protected by civil rights or state employment law (and good luck bringing a case!), this is where you stand as an employee in America - at the mercy of the Man's whims. Learn to kiss ass; learn to run your own business; learn to work for decent people; these are among the few options for workers, and guess which one is most popular.
But this is also a hysterical time politically. Under the New McCarthyism the pasture of sacred cows has been enlarged: now not only our Glorious Leader is supposed to be beyond reproach, but so are certain corporate entities. And by burrowing like a common bacterial spirochete into the guts of American national security, Microsoft has begun to undergo the transformation - symbolically - from mere lawless and sloppy monopolist to vital U.S. institution. Yesterday, MS merely brought you BSODs, viral weakness and data loss. Today, it defends America against her enemies with its arsenal of...er...BSODs, viral weakness and data loss.
If this transformation continues, it will be more and more costly to criticize Microsoft as it mutates into an adjunct of the security state. HomeSec is already MS's taxpayer-subsidized tech support service, busily issuing warnings about the latest viruses and worms. This relationship should be promptly terminated by the next administration when the adults get to run things again.
Perhaps the reason you couldn't connect to the SMTP port of your problematic mail server was not telnet's fault, but the problematic mail server's?
postfix stop; postfix start
kthxbi
DrPascal: Not the language, the mathematician.
Daniel E. Geer Jr must have really hit a sensitive area of Microsoft. Its really sad to see them so unwilling to realize that the report isnt a hit on MS but more about monoculture in the internet. Monoculture is bad, ask any biologist and hell tell you why. Diversity is much better but it demands open standards and interopability, something Microsoft have been successfully avoiding since day one.
HTTP/1.1 400
How is this "admirable from a capitalist viewpoint"?
Protecting the image of one client by blowing your credibility with all other actual and potential clients is not "capitalist," it's stupid. It's the sort of thing that put Arthur Andersen out of business for covering for Enron.
Heck, even Microsoft should think twice before trusting @Stake now; they should assume everything @Stake tells them is just brown-nosing...
@Stake just sold their reputation to Microsoft, lock, stock and barrel. If you need a "clean bill of health" security audit to hand to the shareholders and you're a 100% Microsoft shop, you now know where to find a friend: @Stake. If you're actively interested in security, rather than simply checking a box off on your manager's list, @Stake doesn't have any whuffie left.
My prediction is whatever is left of @stake after this fiasco will be purchased by Microsoft by assumption of debt, probably in the next two years or so.
@Stake has always looked good in the past. They sure looked brilliant this week when this paper came out. And now, it appears that all this time their talent was locked up inside their CTO. So they threw the baby out and kept the bathwater. They're not looking so good anymore.
John
I've mentioned this before when technology publications that focuse primaraly on Microsoft products CLAME the are impartal and have no ties to Microsoft that when you rely on someone for information your not impartal to that source.
Info 64 a publication for Commodore 64 users created on the Commodore 64 etc etc. The whole philosophy is the magazine should live and die by the products they support. Obveously they are no longer in publication.
Anywho when Commodore published the specs for the 4+ and C16 every Commodore mag published the specs exactly from the press kit. Info 64 did not.
A reporter at Info64 wrote an artical ripping on other Commodore based publications for doing that.
The point he made was that ANY publication that focuses on Commodore is answerable to Commodore. When Commodore hands out press kits there is an implied threat "report this and be glad we give you anything".
I rember that. I was a subscriber to Computs Gazzet Commoodre and Info 64. Compute was a publication powerhouse and got ALL the latest news and information but they were never critical of Commodore or the software titles. When they did report weak points they'd glaze them over like it didn't really matter.
All the platform publications were like that.
Except for Info64. Thats what I liked about them.
Info 64 starts off with a bunch of reviews and I always read them over. They are very critical and careful to review the software properly.
In other publications I skip the reviews becouse they were just free ads pretending to be lagit reviews.
The greatest database program ever... on the Vic 20? See where I'm going with this? Some of thies reviews were just downright garbage becouse the publications were fearful of being cut off.
Info64 didn't care. If they can't do it right they can't do it at all.
No Commodore never cut them off.
But now jump forward... Commodore is dead Microsoft rains suppream and Microsoft is making noises about it's latest and greatest Windows 95. Bug free and an Os itself not an envronment running on top of Dos. It now uses protected mode processing like OS/2 so a bug in a driver or application won't crash the whole operating system.
Microsoft handed out Windows 95 beta CDs.
Nearly every industry reporter got one. One reporter had the balls to point out every single problem in the Windows 95 beta.
Microsoft was angry and pulled that reporter from the beta program.
Commodore was bluffing Microsoft wasn't.
Now everyone is being very careful.
Unless they are Mac or Linux publications.
If you work for a publication that works with Microsoft ANY time your critical of Microsoft you put your job at risk.
I don't actually exist.
If you talk as an individual in a matter in which your employer may have a stake (think a financial analyst working for a bank) you better make sure your employer does not have a problem with what you are going to say, no matter how many disclaimers you put around your words.
The reason is very simple: a given company needs to keep a reputation, in the case of a security company they need to appear to be open and impartial when assesing different products. By having an employee that clearly has reached his own conclussions and made them public the employer is left in the difficult position to explain how they may be choosing MS stuff or recommending it given that one prominent employee has lambasted those products in a public forum.
Sorry, but I have no pity for this person in spite of broadly agreeing with his conclussions.
IANAL but write like a drunk one.
Since when is slashdot a press agency? If you want fair, unbiased news, go read a newspaper.
I hate to be a rant...but I can't help myself. :-)
Ethics is going down the tubes. An example, I think was the investment community in the U.S.
If you watch the media, you have this over all impression, well, Enron was just a fluke, they had poor accounting.
But if you read the papers, this fluke, is being practiced by 100's of companies, all screwing over their investors like cheap whores on a Dutch street corner.
I hate to point this out, but these Ivy league trained people were taught and are taught that this is just ducky. How can it not be with so many companies screwing you on a daily basis.
It can't be a fluke when everyone is doing it.
Fluke? I think not, but you decide.
It has become ethical to do business unethically and it is proudly taught that way in our so called finest Universities.
If anyone has any money in US retirement investment funds, when they retire 30-40 years from now, I will be really amazed.
If you are an investor, and you are investing in US companies for retirement, you my friend are a sucker.
Same thing is happening here. Microsoft is not an innovative company, it buys companies.
They do not write good software and if you are stupid enough to buy Microsoft Press books written by PhD's who claim they even have a clue about good Software Engineering principles, you are just another duped "investor".
I would like to point out that Microsoft is one of the largest employers of Computer Science PhD's in the country.
As an example, one must ask this question after looking at these Software Engineering practices books that Microsoft Press publishes as oxymoronic.
My reasoning is as follows:
Exhibit A: Microsoft hires more PhD computer scientists than even IBM has to work on the secure initiative for 2000 and XP. Building and rebuilding the entire OS 2000, and then again with XP, from scratch, at a estimated cost of 2.8 billion dollars.
Exhibit B: A 18 year old in Minnesota, a 16 year old in Malaysia, and a 21 year old in Russia. All with WAY too much time on their hands, with NO source code, find more security holes in 2000, XP than you can possibly say "Code 'in'-Complete" in that past 14 months.
Exhibit C: A University student, in Finland builds a new operating system kernel called Linux, and in just 8 years it is being worked on by almost no PhD's and many testors and code contributors are in their early 20's or teens, and is far more capable than windows, 1.8 billion dollars later.
Is Linux just another Enron? Fluke?
My point is that the way we are being taught code in this country is not the way code should be written. Even if you have a PhD, its business as usual dogma, just like our MBA friends.
Is it a fluke that the best code being written is not through institutionalized learning in this country?
What do these exhibits tell us about our country in general, with regards to ethics?
It doesn't take a rocket scientist to figure out what is going on here.
Fluke?
I think not, but you decide.
-Hack
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
He's not just some shlub in a lab. The guy's the CTO, and as such, he is assumed to set the technical tone for the company (that's why he's the chief). If the board believes his personal vision is not in line with the company's goals (i.e., taking Microsoft's money and getting rich), then they would be failing in their duties if they did not replace him.
All this does is shoots down @stake's credibility.
Anyone with half brain will realise that running an entire network on a single OS is asking for it. This is why buildings don't tend to have the same key for every lock and the burglar alarm and keep skeleton keys well guarded. If this were the case, someone drops the key in the car park and whoever finds it has free reign and oh boy, the joy of the discovering that it opens every desk, filing cabinet and safe as well.
The headline was that a singular reliance on Windows is a bad thing and I can't see that this argument is flawed. For @stake to sack someone for daring to state the obvious is laughable and makes them look stupid in the same way that Microsoft always looked stupid when they'd claim that there were no reliability issues in Windows despite the fact that even the non-techiest people in an office could tell you what BSOD stands for.
If anyone at MS is thinking that this is a good thing then they should consider that many people watching have already, based on their previous record of dubious behaviour, put this down to their intervention. Whether it's true of not is irrelevant, it just seems most likely.
Hmmmmmm..... Deep fried and look like Squirrel.
Please do not confuse Americans' right under the Constitution to speak freely with an obligation on the part of private parties (like Geer's employer) not to react negatively to our speech. You might be able to convince me that @stake's action was unreasonable, obnoxious, unethical, or even stupid, but never that it has anything to do with Geer's constitutional rights.
Every time some public figure says something that someone disapproves of, we see the First Amendment get trotted out. Stop it!
"Rub her feet." -- L.L.