Author of Paper Critical of Microsoft is Fired

chongo writes "Daniel E. Geer Jr., one of the primary authors of a report Reliance On MS A Danger To National Security, was fired from @stake Thursday morning. @stake said that 'The values an opinions of the report are not in line with @stake's views' and that Geer's participation was 'not sanctioned.' Microsoft, who has worked closely with @stake in the past, denied that it was involved in @stake's decision to fire Dan." There might not be anything fishy going on at all, but that's no reason to stop making perfectly good conspiracy theories.

Geer was doing @stake a favor working there

[Dunedain]

Thanks to Google's cache, this is Dr. Geer's bio from @stake. I had the opportunity to hear him speak once, and he sounded about as brilliant as the following description would make you think:

Daniel E. Geer, Jr., Sc.D.

Chief Technology Officer

Daniel E. Geer, Jr., Sc.D. oversees the strategy and direction of @stake's approach to digital security. Over the last thirty years, Dr. Geer has led the application of technology in medical computing, distributed systems management, electronic commerce, and digital security. After fifteen years in the Harvard medical establishment, he variously served in senior leadership roles for MIT's groundbreaking Project Athena, Digital Equipment Corporation's External Research Program, Open Market, OpenVision Technologies (now Veritas), CertCo, and now @stake. His security consulting firm, Geer Zolot, was the first of its kind.

An expert in modern security protocols and business metrics, Dr. Geer has been called upon to testify before Congress on multiple occasions. Dr. Geer speaks and publishes regularly on a range of issues in digital security; his November 1998 speech, "Risk Management is Where the Money Is," has been widely quoted, warranting both reprint as a special issue of the RISKS Digest and prompting editorial comment in Wired Magazine. His bibliography is deep and continuing, and with Avi Rubin and Marcus Ranum, he is co-author of The Web Security Sourcebook.

He holds a Sc.D. in Biostatistics from Harvard University's School of Public Health as well as an S.B. in Electrical Engineering and Computer Science from MIT. His professional involvement includes a decade of leadership within USENIX, the advanced computing systems association, of which he is past president. He today serves as an advisor to the board of the Financial Services Information Sharing & Analysis Center (FS/ISAC) under the auspices of the US Dept. of the Treasury, as well as similar fiduciary and non-fiduciary roles for a select number of promising startups.

More CTO openings at security consultancies...?

[slashdot_commentator]

Bruce Schneier, the chief technology officer for Counterpane Systems Inc., worked with Geer on the report. He said security experts contacted to help work on the report critical of Microsoft indicated their support but couldn't participate publicly. ``There is a huge chilling effect based on Microsoft's monopoly position,'' Schneier said. ``It's unfortunate that AtStake put its private agenda ahead of intellectual integrity.''

Lets hope Bruce still has his job by the end of the week.

Saw @stake employee on tv...

[Read+Icculus]

I was watching a US House of Reps "Worms and cyber security" subcommmitee on C-SPAN the other day. Testifying before the Congressmen were the following - Microsoft Corp senior security strategist Philip Reitinger, VeriSign VP Kenneth Silva, Lawrence Hale, director of the Federal Computer Incident Response Center, Christoper Wysopal consultant for @stake Inc, some other Russian security consultant, and a few other random folks.

The chairman of the committee asked the Verisign PHB and the two consultants if there were any security benefits in running open-source software, and which was more secure, open or closed. I almost shat myself. Here was the perfect opportunity to hear some glowing reviews of open source. Instead the two consultants, who seemed decently knowledgeable, and long winded on all other issues merely said that there are flaws in all types of software, and they would "guess" that the frequency of security flaws were the same as for closed source. Although the guy from @stake did mention that the theory behind open source security was that "the more eyes, the better", he also countered it with noting that most users of open source wouldn't be able to fix the code when a vulnerability was found.

That was it. No detailed explanation about anything. Just a brush off that was not quite as long as their testimony on why ipv6 wouldn't offer any extra security over ipv4. Luckily the Verisign bastard was there to add his two cents. To paraphrase him - "I would agree with their, (the consultants) testimony, but I would like to add that often the people who write open source software are not professionals". Then he took another shot mentioning "that often worms affect open-source software too". Often... I wonder what he considers "often". How can he even trot out the word "often" to describe the frequency of worms that affect open-source software when there are millions of Windows boxes that are constantly being hit by worms. He then added - "We must resist the temptation to demonize software vendors and other members of the network community. The finger pointing is often misplaced and in most cases does more harm than good." It was quite the interesting hearing, and gives me a bit of insight into what kind of info our Government is getting about open source.

@Stake code of ethics sez:

[bourne]

"[employees] agree to: Issue public statements, advisories, and the like only in an objective, fact-based and truthful manner while in the course of our job responsibilities."

Interesting. Does that mean that employees should only issue statements in the course of their job responsibilities? Or that job statements must be objective, fact-based and truthful but personal statements can be whatever they want? This latter interpretation seems to conflict with their action.

I don't think Dan Geer will have trouble finding a new job. However, it is an interesting reflection of what @Stake has become. Look at their management team. Looks awfully VC to me.

Re:I'm sure he'll find a new job

[shrdlu]

With a high paying open source company... oh wait, it's 2003, not 1998.

It's a sad state of affairs, but not surprising. It's been a long time since the "CIFS is caca" paper, and I lost respect for the l0pht back when *hobbit* was edged out. Mudge became "Dr. Mudge" (as if), and they all started running after the limelight. Sad, really. The Hacker News Network is long gone, and mudge is Pieter. It sucks for Dan, but it's just more of the same for the rest of us.

It takes a lot of nerve for Chris Wysopal to issue his little statement. Weld Pond would never have said something like that. Man, it's been a long path from BO2K to appeasing Microsoft. What a long, strange trip it's been. Sigh.

Another unmentioned angle to the story....

[slashdot_commentator]

Leave it to the Mercury News to report with more sordid details.

What caught my eye...

The CCIA trade group also ran into trouble Thursday when it sought to send a paid announcement about its critical Microsoft report to 140,000 subscribers of popular trade magazines for chief security officers and chief information officers.

The publisher for CIO and CSO magazines, CXO Media Inc., offers such announcements ``to target a specific market segment of our audience by designing a list of prospects for direct mail and e-mail purposes.''

But in this case, the subject was too touchy.

``We find it is too sensitive of material to send out. I'm sorry to be the bearer of bad news, but I have to deny your request,'' according to an e-mail from the publisher obtained by The Associated Press.

``We need to try to provide some balance on these issues, and this seemed a little one-sided,'' CXO spokeswoman Karen Fogerty said.

Sheesh! The mags won't even report this story if you pay them!

---

Fight the Power!

Re:Can they do that?

[xjimhb]

Way back when I worked for IBM, there were very stringent rules about publishing anything even vaguely computer-related, and I doubt it is any better nowadays. Stuff had to be run through the Publications department, which sent it all over the company for approval/disapproval.

At one time I was working on my Master's degree, and the Professor to whom I submitted a term paper on "LISP on MicroComputers" suggested I submit it to a journal. BUT this was just before the PC came out, so I was using examples like PDP and TRS-80. When the paper got to the division that was preparing to release the PC, they vetoed it instantly.

Some people were so paranoid back then that they would "clear" a term paper through Publications before they dared to give it to the Professor!

So the answer is, "Yes, they can do that."

Let the Truth be known

[Ridgelift]

"Participation in and release of the report was not sanctioned by @Stake," the security and consulting company said. "The values and opinions of the report are not in line with @Stake's views."

What?! What exactly wasn't true about what was said?

Quote: Daniel Geer "As fast as the world's computing infrastructure is growing, vulnerability to attack is growing faster still"

Quote: Daniel Geer "Microsoft's attempts to tightly integrate myriad applications with its operating system have significantly contributed to excessive complexity and vulnerability. This deterioration of security compounds when nearly all computers rely on a single operating system subject to the same vulnerabilities the world over"

Quote: Ed Black "Microsoft's monopoly threatens consumers in a number of ways, it it's clear it is now also a threat to our security, our safety, and even our national security."

Quote: Bruce Schneier "The problem is that of monoculture. As long as all computers are running the same OS, they're all vulnerable."

If @stake is saying they don't agree with these statements, then their credibility as a security company is seriously in question. It's one thing to say they fired someone for violating professional protocol, it's quite another to terminate them because what they said was incorrect.

Everything said by Geer, Black and Schneier is correct. What does @stake not agree with?

@stake making power plays w/ microsoft == OIS

[SkewlD00d]

@stake, eeye, and iss have all agreed w/ microsoft not to release details of even potential exploits until the microsoft has had 30 days to "evaluate" them, leaving admins and the public unnecessarily exposed to vulnerabilities. This is completely unacceptable, and contrary to the scientific peer-review process of real science. If you know there's a problem, you speak out, suggest a fix, and hopefully the appropriate parties will be responsible enough to take action. Additionally, others have to be able to VERIFY and REPRODUCE findings, a critical part of *real* research. But microsoft's tactic is to force so-called security "research" companies (who are in it for money, not necessarily for altruistic research or making things more secure) into a lop-sided, biases "standards" NGO, the "Organization for Internet Safety" (OIS), which Microsoft is a member. (read this). What they are proposing is censorship, hiding information until they can find a fix, so that only the hackers will know what's broken. Talk about the fox guarding the hen-house!!!

Additionally, the director of research for @stake, Chris Wysopal, is effectively lobbying congress to give teeth to the OIS, and more power to microsoft and their buddies.

OIS = @stake, BindView, SCO, Foundstone, Guardent, ISS, Microsoft, NAI, Oracle, SGI, Symantec. sounds like the stone cutter's guild to me.

Eeye seems to be left out for obvious reasons, they oppose this secretive "research." Read eeye's Marc Maiffret's (chief hacking officer) thoughts on things to a congressional subcommittee here.

"windows corrupts, microsoft corrupts absolutely."

umm, has anyone mentioned...

[HBI]

@stake has demonstrated that nothing, absolutely nothing, will get in the way of satisfying their clients. While this is admirable from a capitalist viewpoint, how much do you trust any information that they disseminate?

Thought so.

Tarring yourself as a Microsoft shill might be good for the bottom line but I doubt @stake's long term viability was helped by this move. Particularly since the point that Mr. Geer was making is patently obvious to anyone with a clue.

I'm sure going to tune out anything they say in the future.

Re:He wrote it as if it was on @Stake's behalf

[kfg]

Please note that according to @stake Dr. Greer was not employed by them at the time he made his opinions public.

Therefore:

A)He was not actually fired for his public statement
B)At the time of the statement he clearly could not have been speaking for his employer, because he was unemployed and in much the same position as Ms. Welles

If @stake's position in this matter has certain legal implications, well, that's their problem I guess. They chose their actions and statements.

As for Dr. Geer's termination I covered that in my original post. I don't know the terms of his contract or their legality in his legal jurisdiction.

And neither do you.

Unless, of course, you're posting as an AC because you are an officer of @stake.

As for his collegues most of them probably share his opinion but keep private about it. Virtually every government is quite vocal about sharing the same opinion so it's not like it's a big secret or something.

It can be equally applied to nearly any other industry as well. A nearly universal reliance on Boeing for nearly all of our military aircraft would be a tragic mistake for national security.

I'd hazard a guess you could find a Boeing executive who would even be willing to state that for the record -- and not even get fired for it.

KFG

for the sake of one client

[alizard]

@Stake just blew off a big chunk of their credibility. Is there anybody around here who was thinking about hiring them who hasn't changed their minds yet?

If they want MS as their sole client, that's one thing.

Their publically firing a whistleblower for being part of a group writing a negative article about MS software tells me that @stake can never be trusted again in any statement they make about MS software, operating systems, or security procedures. So what's the upside for a non-MS client to hire them?

Is anybody left at @stake from the old l0pht days?

Rough Translation

[quinkin]

It's a sad state of affairs, but not surprising. It's been a long time since the "CIFS is caca" paper,

CIFS=Common Internet File System. This is a reference to the security flaws highlighted by Hobbit (from memory it was defcon 5, back in 1997) in the microsoft SMB (windows networking) products. A copy is still available from here.

and I lost respect for the l0pht back when *hobbit* was edged out. Mudge became "Dr. Mudge" (as if), and they all started running after the limelight. Sad, really. The Hacker News Network is long gone, and mudge is Pieter. It sucks for Dan, but it's just more of the same for the rest of us.

L0pht Heavy Industries (creaters of the L0phtcrack suite Pwdump that allowed brute force cracking of windows NT user/passes) went though a period of internal discontent. I cannot provide any details on this. Basically the author seems to be trying to highlight the corporate yes-men culture that has permeated this sector and presumably led to this dismissal for speaking the obvious but unapproved "truth".

It takes a lot of nerve for Chris Wysopal to issue his little statement. Weld Pond would never have said something like that. Man, it's been a long path from BO2K to appeasing Microsoft. What a long, strange trip it's been. Sigh.

I have to admit this part has me stumped. I assume he means that Chris Wysopal of @stake would answer differently to Weld Pond of Lopht. Since they are one and the same person I assume he means to highlight the change over time in Chris's opinions/loyalties... not really surprising in the context of articles like this (para. headed Who's Who).

It has indeed been a long and strange trip... no end in sight yet.

Q.

Wish I had seen this earlier

[spacerog]

Sure wish I had seen this earlier instead of 300+ replies later. Oh well, I guess thats what happens when you stick your head inside a Hobbit hole for three years and don't come out.

I feel I must reitterate L0phT =! @stake. Please do not confuse what I consider to be the good work of the L0pht with the corporate nonense that is @stake.

As for Dan and everyone else that works there they should have seen the writing on the wall three years ago when they fired my poor ass. Remember me, Space Rogue? HNN? All Gone. Why? I can only speculate but I think they felt that a critical mouthpiece would not be a good thing. Sound familiar? Hard to get someone to sign a big contract if you might call them names the next day.

Dan is a remarkable person. His mind works like no other person I have ever met. Don't feel sorry for him. Trust me, he is in a better place now.

Microsoft has continued its embrace, extend and I assume, extinguish policy with regards to information security. How? By hiring several of the people who were critical of the organization. Yes, that means previous @stake, Guardent, Foundstone, etc employees. That also means hackers, all who now work for the Giant in Redmond. Keep your enemies close. What better way to silence your critics than to hire them. Then you can keep them silent until they no longer pose a threat and dispose of them quietly at a later time when no one is looking.

Oh well, life goes on, the Internet is as insecure as ever, companies are still able to hide thier vulnerability, risks are not taken seriously and hackers still roam free. Nothing has changed, and nothing will until such time that people stop trusting everything that is spoon feed by anyone looking to make a buck. Yeah, I'm cynical. Sue me.

- SR

I got fired testifying the Antitrust

[twisty]

I was the IT Specialist of The divisional headquarters of The Salvation Army in Cincinnati - the 'go to' guy for half of Ohio and Norther Kentucky. I was one of the 30,000+ people sending letters to the DoJ regarding Microsoft's anticompetitive pratices. (I shared account of how they tried charging us twice for Office licenses.)

Three months later, I had a four day vacation and when I came back, the locks on my office were changed and my personal contents were cleaned out. They gave me a "farewell interview" to express that their sole reason for firing me was "dissatisfactory performance," which is all their employment policy required. My ten year career with them was over, they would not give me opportunity to defend myself, and they wouldn't give me severance or unemployment.

(The Salvation Army, as a church, is not required by Ohio law to pay into unemployment. Compounded with losing my pension settlement for three months, I spent those months at zero income.)

I found out over a year later that Microsoft was behind it... It wasn't a local decision at all, but was enforced by Paul Kelly, IT Director of New York's Territorial HQ, along with policy banning Linux in our ten state territory! Paul normally has no direct dealings with me on the divisional level, but a contact in New York revealed how pivotal Paul considered me in that contraversy.

I haven't pulled together the witnesses and evidence to prove this in court, but the commonly held opinion is that Paul got the call from Microsoft which says "get rid of the problem, or we'll audit your business licenses."

So it seems The Salvation Army, a church, is also a wholy owned and operated subsidiary of Bill Gate's Evil Empire(tm).

Joel 'Twisty' Nye, MCSA, Linux+