Author of Paper Critical of Microsoft is Fired

chongo writes "Daniel E. Geer Jr., one of the primary authors of a report Reliance On MS A Danger To National Security, was fired from @stake Thursday morning. @stake said that 'The values and opinions of the report are not in line with @stake's views' and that Geer's participation was 'not sanctioned.' Microsoft, who has worked closely with @stake in the past, denied that it was involved in @stake's decision to fire Dan." There might not be anything fishy going on at all, but that's no reason to stop making perfectly good conspiracy theories.

  1. Hey! by B3ryllium · · Score: 5, Funny

    Can I have his job? I can write well, and I can be non-critical of Microsoft software.

    For instance, they have made great strides in improving Calculator and Notepad in recent versions of Windows.

    1. Re:Hey! by bigberk · · Score: 3, Informative
      > They also boosted the memory limitation of Notepad so that it can open files larger than 60 kilobytes

      That limitation was due to the inherent maximum capacity of 'edit controls' (64 K) in the Win95 stream of operating systems. Windows NT 4.0, though as old as Windows 95, never had such Notepad limitations.
    2. Re:Hey! by code_echelon · · Score: 3, Funny

      The only shortcut you need to know when using a Microsoft product is alt F4.

    3. Re:Hey! by IM6100 · · Score: 3, Funny

      I used to love good old alt-F4. You walk up to the computer of someone who's severely dependent on their mouse to get around in Windows. Hit alt-F4 a few times and everything they had open is closed. *biff* *boom* *biff*

      Often they go into a panic, gripping their mouse for dear life.

      --
      A Good Intro to NetBS
    4. Re:Hey! by captainktainer · · Score: 2, Troll

      That's great, I'm pleased for you- but I've found WinXP telnet almost impossible to get through a firewall with. Especially when one is trying to connect to an SMTP server to find out what the heck is wrong.

      On the flip side, it also presents a security nightmare for school networks. If sysadmins don't know about it- and at two high schools and an undergrad college, apparently they haven't, in any version of Windows- script kiddies and bored teens can wreak havoc with the systems, or eat up unmonitored bandwidth transferring files to CDs.

      Personally, I'm a little bit split on its inclusion in WinXP- on the one hand, it's a useful, basic tool that works for most uses that don't involve firewalls, and is a nice tool for a home user. On the other hand, it's yet one more open, unsecured route through which a crafty worm writer could access yet-uninfected machines, or through which malicious children could wreak havoc for poorly informed admins.

      It's things like these- the little "features" that could have been left out- that were part of the reason David Geer wrote his article, and thus doomed him to be axed by the Microsoft-worshippers at his company. He was probably stupid to write about it on company time knowing the biases of the company, but he was dead on.

    5. Re:Hey! by DrPascal · · Score: 2, Insightful

      Perhaps the reason you couldn't connect to the SMTP port of your problematic mail server was not telnet's fault, but the problematic mail server's?

      postfix stop; postfix start

      kthxbi

      --
      DrPascal: Not the language, the mathematician.
    6. Re:Hey! by nolife · · Score: 3, Funny

      Use "You have" as your nick, type "new mail, press ALT-F4 to continue."
      and watch all the mIRC users leave the room.

      --
      Bad boys rape our young girls but Violet gives willingly.
  2. this just in... by itallushrt · · Score: 2, Funny

    Human being opposed to Micro$oft gestapo forced to leave the United States.

  3. Can they do that? by connsmythe96 · · Score: 4, Insightful

    Did he do this on his own, or as an @stake employee? I find it rather disturbing that a company can fire you for something you do of your own accord. What's next, are companies who like to suck up to MS gonna fire you for developing a linux program?

    Am I just being naive, or does this bother other people too?

    --
    if(!cool) exit(-1);
    1. Re:Can they do that? by Gurudev+Das · · Score: 3, Insightful

      @stake was acting in their own interest. For them, Microsoft is a potential customer and keeping good relations is what they had in mind.

    2. Re:Can they do that? by Anonymous Coward · · Score: 4, Insightful

      I think you can do whatever you please on your own time even in the US.

      I also think that employers can fire employees if they please. Unless he can prove that he was discriminated against then he is pretty much out of luck.

      I also don't think that Microsoft had to do anything. @stake just had to believe that Microsoft would never do business with them again.

      Think about it this way - if I worked for Fox News and I wrote a scathing book about GWB on my own my own time then I shouldn't be surprised if I was fired the next day.

    3. Re:Can they do that? by E_elven · · Score: 2, Funny

      >Think about it this way - if I worked for Fox News and I wrote a scathing book about GWB on my own my own time then I shouldn't be surprised if I was fired the next day.

      What, you mean the 'free press', the 'watchdog of the government'?

      --
      Marxist evolution is just N generations away!
    4. Re:Can they do that? by RedLeg · · Score: 2, Informative
      You are, depending on the labor laws in the state in question, and more importantly, in YOUR state, being EXTREMELY naive.

      There is a concept known as "at-will employment", which basically states "that an employee is hired at-will and that employment can be terminated at the will of either party." Almost every state in the US recognizes this concept in one form or another.

      ObDisclaimer: IITGNAL (I Am, Thank Gawd, Not A Lawyer), this does not constitute legal advice, yada-yada-yada....
      ObLinkage: Google is your friend.

    5. Re:Can they do that? by Sparks23 · · Score: 2, Informative

      Many businesses are 'work-at-will' businesses, meaning that either the employee or the employer can terminate the employment contract at any time.

      IANAL, but a quick search for 'work-at-will' via Google produced links by people who are, which explain a little about work-at-will and also how some litigation has made work-at-will a little less 'you can be fired whenever for whatever reason'. But in general, you have less protection as an at-will employee than you might otherwise, and most employment contracts are work-at-will. So they likely could indeed fire him, though he might have grounds to challenge his dismissal.

      One example:
      http://writ.news.findlaw.com/grossman/20010911.html :)

      --
      --Rachel
    6. Re:Can they do that? by turg · · Score: 2, Insightful
      > Did he do this on his own, or as an @stake employee?

      In the paper's (pdf) list of authors, he is listed as "Daniel Geer, Sc.D -- Chief Technical Officer, @Stake"

      Also perhaps of interest is the fact that he is listed first of the paper's seven authors.

      > I find it rather disturbing that a company can fire you for something you do of your own accord. What's next, are companies who like to suck up to MS gonna fire you for developing a linux program?

      If your company has a financial stake in the success of X and you take deliberate action to reduce the success of X (in this case, making a public warning that the success itself results in harm to the public at large), then yes.

      --
      <sig>Guvf vf abg n frperg zrffntr
    7. Re:Can they do that? by xjimhb · · Score: 5, Interesting

      Way back when I worked for IBM, there were very stringent rules about publishing anything even vaguely computer-related, and I doubt it is any better nowadays. Stuff had to be run through the Publications department, which sent it all over the company for approval/disapproval.

      At one time I was working on my Master's degree, and the Professor to whom I submitted a term paper on "LISP on MicroComputers" suggested I submit it to a journal. BUT this was just before the PC came out, so I was using examples like PDP and TRS-80. When the paper got to the division that was preparing to release the PC, they vetoed it instantly.

      Some people were so paranoid back then that they would "clear" a term paper through Publications before they dared to give it to the Professor!

      So the answer is, "Yes, they can do that."

    8. Re:Can they do that? by sbranden · · Score: 3, Insightful

      So you would protect your job at the expense of others lives? - nice one.

    9. Re:Can they do that? by laird · · Score: 2, Insightful

      "When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes your represent your company."

      You mean "the average Slashdot poster who didn't RTFA assumes...".

    10. Re:Can they do that? by laird · · Score: 2, Interesting

      @stake's primary responsibility should be to secure their client's systems; prodding the players in the marketplace to produce more secure systems is their job. If I were a client of @stake I'd be very concerned that they placed a higher value on not offending a vendor than in providing security to their clients.

    11. Re:Can they do that? by Waffle+Iron · · Score: 3, Insightful
      It looks like he was just in 'a panel of experts', which would suggest he was on his own.

      However, right at the top of the report the author list includes "Daniel Geer, Sc.D - Chief Technical Officer, @Stake". When I read the report, I was under the impression that the company was involved with it or had at least approved it prior to publication.

      Even though I agreed with just about every point in the report, I could see that if the report does not reflect the (public) views of the company, then they would have a legitimate reason to fire him. The paper makes strongly worded criticisms of Microsoft, its monopoly status, its business practices, its lock-in tactics and its technical abilities, and a company with a lot of Microsoft-using clients would be nervous being too closely associated with it. If he put his name (along with the name of his company) on this particular paper without clearing it with them up front, that just wasn't very smart. (Or maybe it was smart; it could be a bid for fame and notoriety. I certainly didn't know who this guy was until yesterday.)

    12. Re:Can they do that? by Mooncaller · · Score: 3, Interesting
      > are companies who like to suck up to MS gonna fire you for developing a linux program?

      Actually yes they are. Where I used to work, just being known to know too much about Linux would put a person on the layoff list. And when the company is laying off 40% of its workforce, little things like that are easy to hide. I would go into more detail on how this company is sucking Bill's fat FUD, but I am starting to get upset. Basically, in any MS-controlled company, knowing UNIX is a severe liability, regardless of how well one knows MS stuff. Unless of course, one's knowledge is absolutely instrumental in positioning the company infrastructure, in preparation for MS's penetration.

    13. Re:Can they do that? by ericman31 · · Score: 5, Insightful

      OTOH, MS software and national security is probably not a life-or-death issue. At least, I hope it's not.

      So, when a U.S. Navy missile cruiser has to be towed back to port because its computers running MS Windows have crashed, it's not life and death? What about the Dept. of Homeland Security using Microsoft products for their servers and workstations? How about the network operations centers and shore bases of the Navy using Microsoft for the servers and workstations?

      Come on, Microsoft is widespread and pervasive throughout the U.S. government. The State Department couldn't issue visas because Welchia, which could be prevented by patching or anti-virus software, infected their network. An offline nuclear reactor had safety systems fail that were running Windows. Just what OS do you suppose the Army and Marine Corps battle computers are running? What would happen in a war if our enemy penetrated those battle networks with a worm of some sort? How much more do you need to be convinced that depending on seriously flawed software in the government is not only dangerous to national security but also a "matter of life and death"?

      --
      In my universe I'm perfectly normal, it's not my fault you don't live in my universe.
    14. Re:Can they do that? by plover · · Score: 2, Insightful
      > Are we going to be corporate slaves soon?

      We already are.

      Flip comments aside, many people's employment contracts stipulate "no negative comments about the company, and don't say negative things about anyone while publicly under the corporate banner. Violation is grounds for termination." And typically the higher you go in the company, the more restrictive the clauses become. You should check yours. I had to sign such a contract the last time I received a promotion.

      Mr. Geer sat on that dais with a nametag reading "Dan Geer, CTO @Stake" and it certainly appears that he was speaking with the authority given a CTO of a company; it is quite obvious he was not invited just because he used to be a l33t h4x0R.

      Remember, companies can not VIOLATE your right to free speech. You have the right to get on TV and shout "Company X sucks! Don't do business with Company X!" if you want. You can not be jailed for it. But they also have the right to fire you. You simply have to be willing to trade your voluntary employment contract with them to continue speaking.

      [ Perhaps the most interesting part of this is the chilling side effect: might I get fired if I present this committee's article to my director? She's very pro-Microsoft... ]

      --
      John
    15. Re:Can they do that? by Dr.+Zowie · · Score: 2, Informative
      > Unless he can prove that he was discriminated against then he is pretty much out of luck.

      Uh... if he was fired, and nobody else was, then he was pretty clearly discriminated against. Why the heck doesn't anybody understand what "discrimination" is? (separation according to characteristics of each individual).

      Only some forms of discrimination are illegal. The law says words to the effect of "You may not discriminate on the basis of , , or ". That's it.

      You're perfectly allowed to discriminate on the basis of how smart people are, or how bad they smell, or whether they understand the language they are trying to use. Just not by race or religion, usually, and even then only in matters of real estate and employment.

    16. Re:Can they do that? by Sivaram_Velauthapill · · Score: 3, Insightful

      I'm unemployed and the way things are, I don't think I'll get a job in the tech field anymore so this doesn't really impact me that much but...

      I am not saying that we are not a corporate slave. I personally said that before. I was simply mad at the fact that so many people support the present state of affairs...

      > Remember, companies can not VIOLATE your right to free speech...But they also have the right to fire you. You simply have to be willing to trade your voluntary employment contract with them to continue speaking.

      That's commercial censorship. It is widely accepted and all capitalists are in favour of it. But that's not freedom of speech.

      I always thought that capitalism will collapse due to a class war due to discrepancies in wealth (as Marx claimed).... but now it looks like there is another reason. Its collapse might actually be due to its erosion of democracy. At the rate things are going, there will be no difference between a police state and a corporate state!!!

      > [ Perhaps the most interesting part of this is the chilling side effect: might I get fired if I present this committee's article to my director? She's very pro-Microsoft... ]

      I think people DO get fired for things like that... You might not get fired for giving the report to her. But if you gave it to her competitor (say another manager or something) or a more senior person, you may very well get fired. You'll be in a situation where you put forth reports claiming MS isn't so good, while she claims MS is good. A clear conflict. Unless the guy you give the report to (i.e. other manager or higher up) comes to your aid, I can see you being fired easily.

      I don't think things were as bad--in some sense--a few decades ago. Now, I think it's a lot worse for workers. I can't recall reading or hearing about anyone signing contracts 20 years ago where the employers own almost everything the person does, etc. I think part of the reason is that information is more widespread and has far more power now. To illustrate my point, did you know that messages being posted on stock market message boards actually cause millions of dollars of wealth increase or decrease? You can actually pump or dump a stock by spreading rumours on message boards. It isn't legal but it was shown to work during the stock market boom a few years ago. This just goes to show the strength of information...

      My theory was that you can overthrow governments via the internet in the future (bloodless democratic overthrow). I never considered that scenario for corporations. Well, I guess the same sort of impact can be directed at corporations (a mass boycott campaign can easily destroy a product line or even a corporation). So the more I think about it, the more it makes sense. What is happening now is nothing more than reactionary policies of corporations. If the workers didn't have as much power none of this would matter. For example, if Greer's words don't mean much, he wouldn't get fired. Unfortunately for the corporation, the employees are more influential than ever. I suspect this is going to get worse and worse. I wouldn't be surprised if you got fired in the future for walking into your company wearing a pro-Linux jacket when your company is closely aligned with non-Linux forces (say Microsoft, although I am not implying MS is bad). I suspect this phenomenon will pervade all businesses in the future...

      Sivaram Velauthapillai

      --
      Sivaram Velauthapillai
      Seeking the meaning of life... @slashdot of all places ;)
    17. Re:Can they do that? by arkanes · · Score: 2, Informative
      Simple logic dictates that capitalism, if unregulated (all those Free Market doofs out there), will erode democracy - or any other form of government, for that matter.

      In a capitalist economy, the only thing that matters is capital - the buying and selling of goods and/or services. Access to votes is just another service. So is access to voters, for that matter. And the information, as we see a lot these days - accurate information is a valuable commodity. Therefore, not everyone has access to it, which means that a company who controls access to information can manipulate markets. The ability to manipulate markets is just another commodity to be bought and sold on the open market.

    18. Re:Can they do that? by CrazyDuke · · Score: 3, Insightful

      "How much more do you need to be convinced that depending on seriously flawed software in the government is not only dangerous to national security but also a 'matter of life and death'."

      Apparently, when lots of people die and lots of evidence shows it was because of the software.

      --
      Any sufficiently advanced influence is indistinguishable from control.
  4. Conspiracy theories? by paroneayea · · Score: 5, Funny

    I bet it was... the Time Terrorists*!

    *Time Terrorists also responsible for the destruction of the Titanic, the Hindenburg, and the creation of SCO.
    --
    http://mediagoblin.org/
  5. Time for a stupid joke... by eu_neke · · Score: 5, Funny

    Looks like there was more "@stake" than he expected =p

    (waits for groans)

  6. Yeah... by fsterman · · Score: 3, Funny

    "Linux would be just as insecure, we swear!"- @stake.

    --
    Is there anything better than clicking through Microsoft ads on Slashdot?
  7. My head hurts... by Otter · · Score: 4, Funny
    > @stake said that 'The values and opinions of the report are not in line with @stake's views' and that Geer's participation was 'not sanctioned.' Microsoft, who has worked closely with @stake in the past, denied that it was involved in @stake's decision to fire Dan.

    OK, if you need to mention a company's gimmicky, non-alphabetical name once, so be it. But all those @s are giving me a headache in a brain region I haven't had to use since we had that run of :CueCat stories.

    The scary thing is that you could use 4tst4k3 repeatedly and I wouldn't blink at it. 47s74k3 would require some effort...

    1. Re:My head hurts... by ChazeFroy · · Score: 4, Insightful

      He put his company and title in the paper. If he did not clear that with his company before publishing this paper, @stake has every reason to fire him.

      Not only can it be viewed as damaging to a big client (Microsoft, in this case), but it can also be viewed as competing with your own company since both @stake and the paper deal with security. I'm sure he signed a non-compete agreement with @stake when he was hired.

    2. Re:My head hurts... by Otter · · Score: 4, Funny
      I posted that last comment, got on my bike and started home and got stuck at a red light across the street from the freaking @stake office!

      And then I come home to this. Which part of what I wrote sounded like "Post some complete non-sequitur and write @stake three more times!"?

    3. Re:My head hurts... by Mr.+Slippery · · Score: 2, Insightful
      > He put his company and title in the paper. If he did not clear that with his company before publishing this paper, @stake has every reason to fire him.

      Nonsense. His company and title are simple facts, not an endorsement by @stake of his ideas or a claim to represent @stake in this matter.

      It's clearly stated in the paper that the author's views are theirs alone.

      @stake's actions are unjustified, ethically if not legally - if the law backs them, it shows only how far into corporate feudalism we've slid.

      Certainly @stake has just been removed from my list of trusted voices on the topic of security.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
  8. Good! by Ars-Fartsica · · Score: 2, Insightful

    I'm tired of people hashing out their stupid little pet peeves on the basis of 'national security'. It's inane and tiresome to hear people trump up the 'unassailable argument'. Oh now we can't challenge you because if we do we're rooting for terrorists.

    1. Re:Good! by Anonymous Coward · · Score: 2, Insightful

      Why don't you try to challenge the argument he made, and see what happens, instead of complaining that your argument won't be accepted?

  9. um.. by micronix1 · · Score: 2, Insightful

    Don't these places have editors? Surely, a story that would have gotten someone fired wouldn't get approved.

  10. The other half by mcrbids · · Score: 4, Funny

    And, in other news, in an SEC filing, Microsoft has disclosed a cash "gift" to a company called @stake.

    Said Microsoft spokesman: "It's a voluntary contribution, with much at stake."

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  11. This is why slashdot... by rritterson · · Score: 3, Interesting

    While the firing was unnecessary and I don't agree with it in the slightest (how can your participation be 'unauthorized'?), it's the editorial tagline that really irks me.

    You, slashdot editor, member of the press, are actually encouraging and suggesting that false and misleading information be interpolated from a small number of facts. Sure, a healthy skepticism and more investigation is required to determine why he was fired, but I think an editorial remark with a message consisting of:

    "This isn't really big news, but if we pretend like all sorts of mysterious things are happening that we don't know about, it will be."

    Those sorts of things happen on their own more than enough as is; encouraging it is just unnecessary.

    --
    -Ryan
    AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
    1. Re:This is why slashdot... by Cecil · · Score: 4, Insightful

      What the hell?

      First of all: False and misleading information? Unless you have some magical insider information on what exactly happened, who are you to claim that it's false and misleading? To dismiss it as false without having any facts is no better than accepting it as true without having any of the facts. Different sides of the same coin.

      And second, it looks like a pretty tongue-in-cheek comment. You said it yourself:

      > Those sorts of things happen on their own more than enough as is; encouraging it is just unnecessary.

      Do you really believe that the editors don't also know this? Contrary to popular opinion they do actually read the site, sometimes. It's pretty clear to me that it's a jab at all the 'perfectly good conspiracy theories' that abound whenever a Microsoft story rolls around. Would you really call them 'perfectly good conspiracy theories' if you weren't against them? Sounds like a pretty sarcastic phrase to me.

      But hey, don't let little old me get in the way of Slashdot's readers bashing Slashdot...

    2. Re:This is why slashdot... by lxs · · Score: 2, Insightful

      Since when is slashdot a press agency? If you want fair, unbiased news, go read a newspaper.

  12. No conspiracy theory required by Infonaut · · Score: 4, Insightful
    @the Stake fired him because they didn't want to piss off Microsoft. From their point of view it was better to sacrifice an obviously capable and smart employee at the altar of commerce than potentially endanger their working relationship with Microsoft.

    I guess that's where the phrase, "power corrupts" comes from, eh?

    --
    Read the EFF's Fair Use FAQ
    1. Re:No conspiracy theory required by Shippy · · Score: 2, Insightful

      And would you? Think about it. They have an awesome working relationship with Microsoft. They get to do exactly what they love to do (finding exploits) in code that is supposedly riddled with problems and get paid tons of money to do it. In addition, they help the world by helping MS identify and fix these bugs.

      If they lost that relationship, that could cause the shareholders to bail out because the company would have to recoup that revenue from elsewhere.

      @Stake is full of tons of smart people. I'm sure they'll survive.

      --
      -Shippy
  13. Terry Gilliam would be proud... by Cyclopedian · · Score: 2, Funny
    ...of the work of his fellow bandits.

    Seriously though, that movie is full of great quotes...who remembers the Supreme Being saying "I am the supreme being, I am not entirely dim"? And Evil talking about God:

    Evil: God is not interested in technology... He knows nothing of the potential of the micro-chip or the silicon revolution. He's obsessed with making the grass grow and getting rainbows right... Look at what he spends his time on. 43 species of parrot! Nipples for men!

    /me goes out to buy on DVD...
    -Cyc

  14. Microsoft blames human nature by catbutt · · Score: 4, Insightful

    Well actually it was the Computing Technology Industry Association, but they are funded by MS. They say the report is flawed by "myopically looking to technology (i.e., 'bad' software OS) instead of addressing the underlying cause -- human behavior -- for cyber breaches."

    So basically if humans just would stop being mean or stupid, there wouldn't be any problems.

    Isn't that sort of like blaming plane crashes on gravity? I mean, human nature is what it is. There will be virus writers, there will be people who don't always install the patches right away.

    What are they suggesting, that we try to change human nature? Genetically engineer better humans? How about they take human nature as a given (like gravity to an aeronautical engineer), and then fix the damn product?

  15. Re:Is slashdot really any better? by bersl2 · · Score: 4, Insightful

    The difference is that your consulting job is not on the line when you post alternative viewpoints on Slashdot.

    Now, if you get fired for reading too much Slashdot on company time, we are absolutely not responsible.

  16. Oh, "Critical"? by Karpe · · Score: 4, Funny

    I read that as "Author of Paper Clip of Microsoft is Fired". It sounded much more exciting.

  17. Geer was doing @stake a favor working there by Dunedain · · Score: 5, Interesting

    Thanks to Google's cache, this is Dr. Geer's bio from @stake. I had the opportunity to hear him speak once, and he sounded about as brilliant as the following description would make you think:

    Daniel E. Geer, Jr., Sc.D.

    Chief Technology Officer

    Daniel E. Geer, Jr., Sc.D. oversees the strategy and direction of @stake's approach to digital security. Over the last thirty years, Dr. Geer has led the application of technology in medical computing, distributed systems management, electronic commerce, and digital security. After fifteen years in the Harvard medical establishment, he variously served in senior leadership roles for MIT's groundbreaking Project Athena, Digital Equipment Corporation's External Research Program, Open Market, OpenVision Technologies (now Veritas), CertCo, and now @stake. His security consulting firm, Geer Zolot, was the first of its kind.

    An expert in modern security protocols and business metrics, Dr. Geer has been called upon to testify before Congress on multiple occasions. Dr. Geer speaks and publishes regularly on a range of issues in digital security; his November 1998 speech, "Risk Management is Where the Money Is," has been widely quoted, warranting both reprint as a special issue of the RISKS Digest and prompting editorial comment in Wired Magazine. His bibliography is deep and continuing, and with Avi Rubin and Marcus Ranum, he is co-author of The Web Security Sourcebook.

    He holds a Sc.D. in Biostatistics from Harvard University's School of Public Health as well as an S.B. in Electrical Engineering and Computer Science from MIT. His professional involvement includes a decade of leadership within USENIX, the advanced computing systems association, of which he is past president. He today serves as an advisor to the board of the Financial Services Information Sharing & Analysis Center (FS/ISAC) under the auspices of the US Dept. of the Treasury, as well as similar fiduciary and non-fiduciary roles for a select number of promising startups.

    --
    -- Brian T. Sniffen
    1. Re:Geer was doing @stake a favor working there by 44BSD · · Score: 2, Interesting

      Yep. Geer is one who gets it. @Stake is a for-profit firm, of course, and I suppose Dan was "employed at will", but to me this sounds a bit too much like Purdue sacking Spaf for his stance on Microsoft would sound. @Stake clients are best served by a firm that is beholden to no SW publisher, and what this action suggests is that @Stake is not such a firm. If a junior techie had been involved in M$-bashing, and had dragged in the @Stake name, I can see how he might be taken to the woodshed. However, as CTO I would expect Dan to have been considered an officer of the firm, and he certainly has the judgment not to go off half-cocked. Apparently, he isn't allowed to use the company name even as such, and the concept of his affiliation being given merely for identification is one lost on @Stake's executives, who fear their customers are too ignorant to differentiate between the opinions of a man and the position of a firm. As a potential customer of @Stake's, I must say I am disheartened. I have been pleased in the past by the caliber of their people and publications, but this action leaves a very sour taste in my mouth. There may be more to this story than meets the eye, of course. In any event, all of us should wish Dan well. He has done *A LOT* for the community, and has done so with the purest of motives. It would be nice if more of us could say that.

    2. Re:Geer was doing @stake a favor working there by novakane007 · · Score: 2, Interesting

      That's a pretty impressive bio. I'd be interested to read an interview with Dr. Geer. Can slashdot arrange this?

      --

      WURD!!
  18. Wow, bonanza! by mveloso · · Score: 5, Insightful
    I'm sure the author can sue for unlawful termination. He might even get triple damages!

    Gotta love those @stake guys. Here's a relevant quote from their website:

    "@stake has assembled the best minds in digital security to help you understand and mitigate the security risks inherent in your business model, so that you can maximize the opportunity in front of you. We help you make the hard decisions about what matters most in your business, so that your security investment has the greatest impact. We work in the space where your business and technology meet, because we believe that this is where security is most powerful."

    Talk about blowing it out both ends. You can read their ethical and guiding principles as well.

    This is what l0pht has turned into?

  19. He wrote it as if it was on @Stake's behalf by jesterzog · · Score: 4, Insightful

    Did he do this on his own, or as an @stake employee?

    The report itself stated quite clearly in several places that Dr Geer was the Chief Technical Officer of @Stake.

    I can't find a disclaimer anywhere in the report saying that he wasn't representing @Stake, and yet he used it to back up his authoritarian position, and intentional or not it appears that he was speaking on behalf of the company he worked for.

    Perhaps more details will emerge about what actually went on, but it does seem quite irresponsible to make it appear that you're speaking on behalf of a company if you're not... if that's what happened.

    1. Re:He wrote it as if it was on @Stake's behalf by eschasi · · Score: 4, Informative
      I've seen Geer off and on for quite a number of years. He's damned smart, and has damned little people and organizational sense. IMHO it's perfectly reasonable that he'd not consider that his statements in the forum would be taken as representing his employer, doubly so when he lists his affiliation repeatedly.

      When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes you represent your company. It's not like being a prof at MIT. Nobody would assume a prof officially represents the stance of a University. But companies are a different world. Bruce represents Counterpane when he does those sorts of publications, and Dan damned well should have known he'd be representing @Stake when he repeatedly listed the affiliation.

    2. Re:He wrote it as if it was on @Stake's behalf by laird · · Score: 5, Informative

      "When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes your represent your company."

      The report states clearly on the first page that "Our conclusions have now been confirmed and amplified by the appearance of this important report by leading authorities in the field of cybersecurity: Dan Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, John S. Quarterman, Charles Pfleeger, and Bruce Schneier. CCIA and the report's authors have arrived at their conclusions independently. The views of the authors are their views and theirs alone."

      Note that there are no company affiliations in that list, or on the front cover of the report, and that they clearly say that they're speaking as individuals, not as company representatives. The authors do list their current titles and employers in their bio's and on the "authors of the report" page, in order to establish their credibility (and that's a lot of credibility), but clearly don't speak for their employers.

      Given that the document expresses the mainstream of security industry thinking, I'm a little amazed that this is even "news" much less something to fire someone over. Does any security professional think that a software monoculture is a good idea, or that Microsoft actually has security as its top priority (as opposed to market share or profitability)?

      If we're to be serious about addressing vulnerabilities in our software infrastructure, we have to be willing to discuss these issues honestly, without self-censoring out of fear of stating the obvious when it's inconvenient.

    3. Re:He wrote it as if it was on @Stake's behalf by kfg · · Score: 5, Insightful

      See Playboy vs. Terri Welles.

      Statements of fact do not imply endorsement.

      Terri Welles was, in fact, a Playmate. Playboy cannot restrict her from saying so, even by attempting to apply trademark law against Ms. Welles' use of the trademarked word "Playboy" for commercial gain.

      Being able to claim to have been a Playboy Playmate gives her a certain professional standing in her field (tits), and she is free to use that standing for her own benefit even over the objections of Playboy.

      Dr. Geer is (ok, was) the Chief Technical Officer of @Stake. This is a position of authority in a particular field and stating that one has that authority gives one's opinion in that field certain standing. It is a factual statement and does not imply endorsement by his employer. It only implies that one has recognized special skills.

      If people misconstrue that, that is a problem of their understanding, just as it is if people believe that Ms. Welles' personal site is an official Playboy site because she lists her employment by Playboy.

      That doesn't make her an infringer. It makes them morons.

      If the guy down the street who works for a Ford dealership tells me that he thinks Fords suck I too would have to be a moron to believe that was the official position of his employer.

      Whether or not that might be legal grounds for firing said employee is another issue. I'd have to review the relevant law in his jurisdiction and make an examination of his contract to have an opinion on that.

      I'd think his employer was an asshole for doing it though, if he was otherwise performing his duties satisfactorily. That's just my opinion of course, which is colored by knowing many people who worked for companies they don't like. I've even worked for a few myself. Hell, I even owned one of those companies.

      But I didn't fire myself.

      KFG

    4. Re:He wrote it as if it was on @Stake's behalf by kfg · · Score: 4, Interesting

      Please note that according to @stake Dr. Geer was not employed by them at the time he made his opinions public.

      Therefore:

      A)He was not actually fired for his public statement
      B)At the time of the statement he clearly could not have been speaking for his employer, because he was unemployed and in much the same position as Ms. Welles

      If @stake's position in this matter has certain legal implications, well, that's their problem I guess. They chose their actions and statements.

      As for Dr. Geer's termination I covered that in my original post. I don't know the terms of his contract or their legality in his legal jurisdiction.

      And neither do you.

      Unless, of course, you're posting as an AC because you are an officer of @stake.

      As for his colleagues most of them probably share his opinion but keep private about it. Virtually every government is quite vocal about sharing the same opinion so it's not like it's a big secret or something.

      It can be equally applied to nearly any other industry as well. A nearly universal reliance on Boeing for nearly all of our military aircraft would be a tragic mistake for national security.

      I'd hazard a guess you could find a Boeing executive who would even be willing to state that for the record -- and not even get fired for it.

      KFG

    5. Re:He wrote it as if it was on @Stake's behalf by Strudelkugel · · Score: 2, Insightful

      I had a look at the report, and so interpret the situation a bit differently than most here. In my view, it reads more like an amicus brief (statement by a friend of the court) than a technical doc. Look at it, they rant and rave about the "M$ monopoly" throughout.

      There are plenty of technical/security aspects of the dominance of M$ platforms, but this report doesn't address them effectively. This can be expected since it looks much more to me like a hack job funded by competitors:

      Ed Black, the CEO and president of CCIA, whose members include Microsoft competitors such as Sun and Oracle, was even more blunt.

      "Microsoft's monopoly threatens consumers in a number of ways, and it's clear it is now also a threat to our security, our safety, and even our national security."

      Yeah, yeah, baseball and apple pie, too.

      I have no idea as to why Geer was fired from @Stake, but having his name associated with a position paper parading as a tech document probably wasn't helpful.

      --
      Imagine how much harder physics would be if electrons had feelings! -Feynman, maybe
    6. Re:He wrote it as if it was on @Stake's behalf by spiritraveller · · Score: 2, Interesting
      Whether or not that might be legal grounds for firing said employee is another issue.

      Yes, a completely different issue.

      There is no claim of trademark infringement against him here, because as you pointed out, he actually did hold the position he claimed to hold.

      He does not have a claim for being illegally discharged.

      He's not being fired because of his race, because he started a union, or because he ratted out the company for violating the law...

      He's been fired for saying something that could potentially damage his employer's relationship with a major business partner, and that's proper in any state.

      California has a right of free speech enforceable against private owners of property given to public use (e.g. shopping malls), but even California's legislature and courts would be hard pressed to justify an absolute right of free speech against an employer.

      If that existed, you could have Apple executives running around on TV saying "Macs suck" and Jobs wouldn't be able to fire them legally. (though he would have to do it anyway)

      ---
      Any other whore in 2004!

    7. Re:He wrote it as if it was on @Stake's behalf by poot_rootbeer · · Score: 2, Interesting

      If the guy down the street who works for a Ford dealership tells me that he thinks Fords suck I too would have to be a moron to believe that was the official position of his employer.

      Whether or not that might be legal grounds for firing said employee is another issue.


      If I ran that Ford dealership, you can guarantee I would fire that guy or at least chew him out for telling you he thought Fords suck. No employer would be happy about an employee whose behavior undermines its ability to conduct business, whether that behavior involves personal opinions or not.

  20. This shouldn't be a surprise by signe · · Score: 5, Insightful

    If you sign an employment agreement, you'd better stick to it.

    In particular, you shouldn't publish a paper without running it by corporate communications first. You especially shouldn't publish a paper that might be critical of a partner or customer without doing this. You know why? Exactly. You get fired. For violating your employment agreement. If you don't agree with the things that you signed, you shouldn't have signed them. Hell, even if you have permission to publish the paper, you might want to think twice about publishing a paper which is critical of a rather large customer.

    When I worked at AOL, I tried to get some of the execs to realize that some of the employees could be a powerful force in the technical community to raise the image of the company. Just the ability to explain some of the things that weren't confidential, correct some of the misconceptions. It wouldn't be a magical transformation, but it would be an effort. And actually joining the community would be a big step. Peer review and PR oversight could both be used to help make sure that more incorrect information didn't go out, or that the wrong things didn't go out.

    No one wanted to talk about it. My assumption is that no one I got to wanted to rock the boat, and no one responsible trusted the employees. It's too bad really. But even with something like that in place, this type of paper would never pass muster. Not through a peer review, and not through PR. You just don't criticize a large customer. Especially a customer with as much money as Microsoft.

    -Todd

    --
    "The details of my life are quite inconsequential..."
    1. Re:This shouldn't be a surprise by quacking+duck · · Score: 4, Insightful
      But even with something like that in place, this type of paper would never pass muster. Not through a peer review, and not through PR. You just don't criticize a large customer. Especially a customer with as much money as Microsoft.

      Perhaps this is why he didn't pass the paper through @Stake's legal or communications department. He knew they'd never approve it, and they'd do everything to block them if they knew ahead of time that he and his associates were going to publish it. Better to get the message out in the open and risk being fired, than button up what you strongly believe is in the public's best interest.

      Do whistleblowers ask their organization's legal department for permission before calling the authorities?

  21. This is why ... by tessaiga · · Score: 4, Insightful
    university professors are tenured. Speaking your mind on controversial topics can have hazardous consequences for your career.

    This really is something Geer should have seen coming. He published a highly critical, highly-publicized report bashing his consulting company's biggest client. Whether it is true or not is irrelevant; that the client was Microsoft is irrelevant -- replace "MS" with "Sun" or "Oracle" or any other company you like, and I bet his higher-ups still wouldn't be happy about it. You may not like who you work for, but it's not a good idea to bite the hand that feeds you.

    --
    The bold print giveth, and the fine print taketh away ...
    1. Re:This is why ... by dachshund · · Score: 2, Funny
      replace "MS" with "Sun" or "Oracle" or any other company you like, and I bet his higher-ups still wouldn't be happy about it. You may not like who you work for, but it's not a good idea to bite the hand that feeds you.

      Well, I imagine it's a particularly bad idea if that company has a tendency towards paranoia and retribution.

  22. More CTO openings at security consultancies...? by slashdot_commentator · · Score: 5, Interesting

    Bruce Schneier, the chief technology officer for Counterpane Systems Inc., worked with Geer on the report. He said security experts contacted to help work on the report critical of Microsoft indicated their support but couldn't participate publicly. ``There is a huge chilling effect based on Microsoft's monopoly position,'' Schneier said. ``It's unfortunate that AtStake put its private agenda ahead of intellectual integrity.''

    Lets hope Bruce still has his job by the end of the week.

    --
    There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    1. Re:More CTO openings at security consultancies...? by bourne · · Score: 4, Informative

      Lets hope Bruce still has his job by the end of the week.

      As the founder of Counterpane, he's probably got a bit more say in his company. Also, @Stake has expanded a lot with VC, I think Counterpane has grown more... carefully.

    2. Re:More CTO openings at security consultancies...? by Corgha · · Score: 2, Insightful
      @Stake has expanded a lot with VC

      I remember going to one of the MIT Fleas, back when l0pht became @stake, and they had a big van pulled up and were selling off their old junky equipment. Presumably they were buying more modern gear with all that VC. I bought a big brick of a hard drive from them. It had some nice mp3s on it (among other junk), and served me well until I sold it again at the flea, l0pht sticker and all.

      Anyway, hung on the side of the van was a big sign reading:
      L0PHT SELLS OUT

      Until today, I had no idea just how much they had.
  23. Whither l0pht Heavy Industries? by Citizen_Kang · · Score: 2, Informative

    Just so everybody knows:

    This is the same @stake that was formed from the l0pht heavy industries (www.l0pht.com) of old. Says itsecurity.com's Computer Security Dictionary of l0pht:

    L0pht Heavy Industries
    "A Boston-based group of hackers interested in free information distribution, finding alternatives to the Internet and testing the security of various products. Their web site houses the archives of the Whacked Mac Archives, Black Crawling Systems, Dr. Who's Radiophone, the Cult of the Dead Cow, and others. Current membership includes Mudge, Space Rogue, Brian Oblivion, Kingpin, Weld Pond, Tan, Stefan von Neumann and Megan A. Haquer. They can be reached at info@l0pht.com and maintain a web site at http://www.l0pht.com."

    Hacker's Encyclopedia, by Logik Bomb (FOA), http://www.xmission.com/~ryder/hack.html, (1997- Revised Second Edition)

    I wonder if good old mudge still works there? It's amazing what a little money'll do, eh?

  24. Saw @stake employee on tv... by Read+Icculus · · Score: 5, Interesting

    I was watching a US House of Reps "Worms and cyber security" subcommittee on C-SPAN the other day. Testifying before the Congressmen were the following - Microsoft Corp senior security strategist Philip Reitinger, VeriSign VP Kenneth Silva, Lawrence Hale, director of the Federal Computer Incident Response Center, Christopher Wysopal consultant for @stake Inc, some other Russian security consultant, and a few other random folks.

    The chairman of the committee asked the Verisign PHB and the two consultants if there were any security benefits in running open-source software, and which was more secure, open or closed. I almost shat myself. Here was the perfect opportunity to hear some glowing reviews of open source. Instead the two consultants, who seemed decently knowledgeable, and long winded on all other issues merely said that there are flaws in all types of software, and they would "guess" that the frequency of security flaws were the same as for closed source. Although the guy from @stake did mention that the theory behind open source security was that "the more eyes, the better", he also countered it with noting that most users of open source wouldn't be able to fix the code when a vulnerability was found.

    That was it. No detailed explanation about anything. Just a brush off that was not quite as long as their testimony on why ipv6 wouldn't offer any extra security over ipv4. Luckily the Verisign bastard was there to add his two cents. To paraphrase him - "I would agree with their, (the consultants) testimony, but I would like to add that often the people who write open source software are not professionals". Then he took another shot mentioning "that often worms affect open-source software too". Often... I wonder what he considers "often". How can he even trot out the word "often" to describe the frequency of worms that affect open-source software when there are millions of Windows boxes that are constantly being hit by worms. He then added - "We must resist the temptation to demonize software vendors and other members of the network community. The finger pointing is often misplaced and in most cases does more harm than good." It was quite the interesting hearing, and gives me a bit of insight into what kind of info our Government is getting about open source.

    --
    Anti-social? My code is just platform-specific.
  25. Researchers beware! by ljavelin · · Score: 4, Insightful

    As many, many researchers know, this is why so much commercial research is flawed - there are too many strong influences out there that taint the data.

    This is the first overt firing that I've heard of in the IT industry, but I'm sure there have been thousands that we just never heard of.

    Just think of those poor researchers at the cigarette companies - you know, the ones where if you found that there was a link between cigarettes and cancer, well, you must be fired.

    Or the researchers for pharmaceuticals... where if you find that drug X doesn't help cure Y, then you shouldn't expect any grant money next year. Yeah, not fired, but certainly the same net result.

    The fact is that research SHOULD be independent. I don't know or care if this guy's paper was right or wrong. But it should be the research community, not MBAs, who decide the quality of research. Period.

    I think that firing this guy due to his research is wrong. It looks like he was fired for financial relationship reasons, not because his study was consistently rejected by the research community. Should his employers be considered biased? As a potential customer, should I trust this company? If they are motivated more by their relationship with microsoft versus upholding the truth, I'll never recommend anyone to do business with them. And it looks like they are, and so I'll make sure they're scratched off the list.

    1. Re:Researchers beware! by the+gnat · · Score: 2, Informative

      Or the researchers for pharmaceuticals... where if you find that drug X doesn't help cure Y, then you shouldn't expect any grant money next year. Yeah, not fired, but certainly the same net result.

      That's not exactly fair. The pharmaceuticals would prefer to find out about these things from their own people, as quickly as possible. The entire FDA approval process is essentially designed to eliminate drugs from the pipeline before they reach the market. I've seen many pharmaceutical scientists speak about drug development, and they've all emphasized their efforts to rule out as many drugs as possible even before Phase I trials. It costs a shitload if they make it to Phase III before discovering that their drug is crap.

      Now, once a drug has actually been released, it's much worse for the company to find that it's ineffective. However, it's still much better for them if one of their own people finds out, because if they don't, someone else will sooner or later. They'll lose money in the short term, but they'll probably save far more in the long run, and they'll definitely look better. Hopefully they can even avoid the class action lawsuit entirely.

      As far as I'm aware, the problem (well, one of them) with drug companies is generally not that they push drugs they know to be ineffective, but rather that they push drugs that genuinely are effective on people that don't need them. A huge number of mood-altering pharmaceuticals fall into this category; I refer you to the South Park episode about Ritalin for details.

      Just a clarification - pharma researchers do not get grants; they have contracts. A corporation would not keep an expensive PhD biochemist on staff while discontinuing his research. Some academics do get pharmaceutical grants, but not many, and they almost always have other sources of funding which are completely unconnected.

    2. Re:Researchers beware! by jpetts · · Score: 3, Insightful

      Or the researchers for pharmaceuticals... where if you find that drug X doesn't help cure Y, then you shouldn't expect any grant money next year. Yeah, not fired, but certainly the same net result.

      Can't let this go. I'm afraid this is utter crap. I've been in the pharma industry for nearly two decades, and I can assure you it doesn't work this way in the slightest. There are many, many cases of promising potential drugs getting canned each year in just about all but the smallest pharma company. I have never seen or heard about anybody's career being harmed by serendipitous failure. Hell, the company I work for was doing work around PDE V inhibitors about 15 years ago, and we got really close to sildenafil (Viagra), but stopped work in the area. Nobody got canned or carpeted or anything. It just happens. This year already we've had two major compounds drop out of development. Sure, people get pissed off, but so what? That's the way pharma works.

      Pharma research just doesn't work in the way you describe. Sorry, but your comment is -1, Bullshit

      --
      Call me old fashioned, but I like a dump to be as memorable as it is devastating - Bender
  26. It's too bad... by frenztech · · Score: 2, Interesting

    ...that he decided to list his company affiliation in the list of authors. Most companies require any paper that goes external to go through a review and approval process, which would catch any differences in opinion between the author and the entity which that author represents in title.

    I personally agree with the paper, too bad @Stake lost such a valuable employee. OS diversity can be a great asset in system security, as it keeps an attacker on their toes. However, administration becomes that much more complicated of course : |

    --
    "Sed Quis Custodiet Ipsos Custodes?" -Juvenal
  27. I Guess... by WJenness · · Score: 2, Funny

    Someone just learned the value of a pseudonym.

  28. @Stake code of ethics sez: by bourne · · Score: 4, Interesting
    "[employees] agree to: Issue public statements, advisories, and the like only in an objective, fact-based and truthful manner while in the course of our job responsibilities."

    Interesting. Does that mean that employees should only issue statements in the course of their job responsibilities? Or that job statements must be objective, fact-based and truthful but personal statements can be whatever they want? This latter interpretation seems to conflict with their action.

    I don't think Dan Geer will have trouble finding a new job. However, it is an interesting reflection of what @Stake has become. Look at their management team. Looks awfully VC to me.

  29. Re:I'm sure he'll find a new job by shrdlu · · Score: 5, Interesting
    With a high paying open source company... oh wait, it's 2003, not 1998.


    It's a sad state of affairs, but not surprising. It's been a long time since the "CIFS is caca" paper, and I lost respect for the l0pht back when *hobbit* was edged out. Mudge became "Dr. Mudge" (as if), and they all started running after the limelight. Sad, really. The Hacker News Network is long gone, and mudge is Pieter. It sucks for Dan, but it's just more of the same for the rest of us.


    It takes a lot of nerve for Chris Wysopal to issue his little statement. Weld Pond would never have said something like that. Man, it's been a long path from BO2K to appeasing Microsoft. What a long, strange trip it's been. Sigh.

    --
    The difference between a Miracle and a Fact is exactly the difference between a mermaid and a seal. (Mark Twain)
  30. Another unmentioned angle to the story.... by slashdot_commentator · · Score: 4, Interesting

    Leave it to the Mercury News to report with more sordid details.

    What caught my eye...

    The CCIA trade group also ran into trouble Thursday when it sought to send a paid announcement about its critical Microsoft report to 140,000 subscribers of popular trade magazines for chief security officers and chief information officers.

    The publisher for CIO and CSO magazines, CXO Media Inc., offers such announcements ``to target a specific market segment of our audience by designing a list of prospects for direct mail and e-mail purposes.''

    But in this case, the subject was too touchy.

    ``We find it is too sensitive of material to send out. I'm sorry to be the bearer of bad news, but I have to deny your request,'' according to an e-mail from the publisher obtained by The Associated Press.

    ``We need to try to provide some balance on these issues, and this seemed a little one-sided,'' CXO spokeswoman Karen Fogerty said.

    Sheesh! The mags won't even report this story if you pay them!

    ---

    Fight the Power!

    --
    There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
    1. Re:Another unmentioned angle to the story.... by Fudge.Org · · Score: 2, Interesting

      If you look here you will see that others are starting to realize what was not mentioned or covered by CIO magazine. Everyone that is a CIO reader should comment and add to the thread.

      --
      http://fudge.org
  31. Re:I'm sure he'll find a new job by LinuxMan · · Score: 3, Insightful

    It's really interesting, because I don't doubt for one second that M$ told them that either they fire him or they lose their business together. It is common sense, once one unclouds their mind, that M$ is a REALLY bad platform to be on in regards to security. It definitely has a wonderful software base, but that is due mostly to really good marketing, including making a visually appealing interface. Lock-in also plays a big role. However, when one has to worry continually about security holes in their systems, that is bad. Linux systems may have a large number of holes, but they are typically in the daemons running on the machine, and one can jail or chroot them into secure directories, but Windows' core services are the ones that are the culprits here-- and they cannot be jailed!

    It's sad that a person who speaks truth gets fired if it is not in the best interest of their companies, but I guess that is why a truly outspoken person must be freelance, because otherwise they WILL be fired eventually for their honesty.

    M$OS-less 15" Powerbook G4

  32. Re:A Fair And Balanced Look by macjohn · · Score: 2, Insightful

    Actually, he didn't even criticize Microsoft. What the report said was that having all computers run the same OS was a risk to security. Just like having only one species of a crop would be a huge risk to agriculture. Single species are vulnerable in both biology and computer networks.

    This seems to me to be awfully rational.

    If they fired him for that kind of thinking, then it's probably their loss, not his.

    --
    --Hi. I'm in Portland and it's raining. This appears to be a permanent condition.
  33. @stake == l0pht? by autopr0n · · Score: 4, Informative

    Wasn't @stake the security company that grew out of the l0pht? Or am I on crack?

    --
    autopr0n is like, down and stuff.
    1. Re:@stake == l0pht? by Anonymous Coward · · Score: 2, Informative

      L0pht is dead. L0pht died the moment @stake was started. Most of the people involved in the L0pht were either fired or quit from @stake long, long ago. Those who are there now have their own agendas. Mudge got fired because he flipped out. I guess you could call that personal reasons.

      Dan Geer was the technical linchpin of @stake. I think they just slit their own wrists to keep their clients or potential clients happy. Sounds typical for the security industry.

    2. Re:@stake == l0pht? by Skilf · · Score: 4, Informative

      Indeed, L0pht Heavy Industries was the hacker group who had merged with @stake a few years back.

      They became the "research and development" division of @stake apparently...

      here is the link to an archived press release talking about the merger:
      http://www.xent.com/FoRK-archive/jan00/0035.html

      From what happened to Dr. Geer we can see that the spirit of the L0pht is really gone now.

    3. Re:@stake == l0pht? by EllF · · Score: 2, Informative

      Mudge was not fired. Mudge did not flip out. Mudge cut his hair, started wearing suits, and now goes by his given name instead of by his handle.

      --
      We who were living are now dying
      With a little patience
  34. Re:I'm sure he'll find a new job by dtfinch · · Score: 2, Interesting

    Of course he'll get a new job, probably a better paying one. @Stake, on the other hand... None of you will ever buy from them after this, right? They let their greed get in the way of their objectivity. Those insecurities earn them money, that's why they don't support his opinions. You can't trust companies like that to give you good security advice.

  35. Re:Would Anyone Like to Take @Stake's Side? by querencia · · Score: 2, Insightful

    I read the report, and it didn't sound like a "MS is teh ghey" rant to me.

    It sounded more like a new argument against OS monopoly, and one that made sense: it doesn't matter who has the monopoly -- just the mere fact that there is no OS diversity in itself presents a security risk. Whether or not you believe it, it is at least plausible, and a point of view that needed to be heard. Schneier put his name on it, and in my book, even if it's wrong, that at least means you should pay attention.

    How can @stake fire a guy for writing that? I agree, @stake doesn't owe him employment. But how can a company that calls itself a "security consulting company" fire an employee for helping to write a paper suggesting that OS monopoly is bad for security?

    Would you seriously hire @stake now? If your security consultants will be fired if they criticize microsoft?

  36. I doubt Microsoft made them fire him. by SatanicPuppy · · Score: 2, Insightful

    I mean, if you're Microsoft, you've got a thick skin toward bad press.

    I imagine it was just some chickenshit middle management type over at @stake who wet himself when his little pet security project churned out a ton of anti-microsoft press.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    1. Re:I doubt Microsoft made them fire him. by rbook · · Score: 2, Interesting

      If you check the Google cache, you'll see that Dr. Geer was #2 at the company. Whatever the cause, he was not fired by a "middle management type." He was upper management, so he must have been fired by more-upper management!

  37. Re:I'm sure he'll find a new job by inertia187 · · Score: 3, Funny

    Lock-in also plays a big role.

    People in Soviet Russia, however, appear to be afflicted with amusing juxtapositions of the aforementioned situation.

    --
    A programmer is a machine for converting coffee into code.
  38. in other news by Anonymous Coward · · Score: 2, Funny

    Microsoft corporation would like to publicly state that we had absolutely nothing to do with the termination of Mr. Geer. This action was entirely the choice and responsibility of @stake.

    We would also like to take this opportunity to point out the sack of goat's blood splashed across the front door of Mr. Black was a random act of vandalism, and we know nothing about it. Except that it was a random act of vandalism, nothing more. The note in his mailbox threatening his life if he worked on any more papers with similar topics.. that had nothing to do with us either.

    And, for the record, we have no knowledge of how or why someone used a laser engraver to etch a Windows Server ad into the side of Mr. Quarterman's car. We also did not kick his puppy in the ribs, breaking three of them because the little bastard got in our way. I mean, in the way of the perpetrator, whoever he may be.

    Also, although we sympathize with Mr. Schneier over his wife's recent permanent paralysis, we -- hold on, that one hasn't happened yet. I mean, uh, that one is, uh... WOW LOOK AT THAT MONKEY!

    *ahem*

    Live Meeting, formerly PlaceWare Conference Center, is a new service in the Microsoft Office System that enables you to collaborate online with employees, clients, and customers in real time with groups of 2 or more than 2,000. With just a phone and a computer with an Internet connection, you can free yourself from the cost and hassle of business travel. Download a trial today!

  39. Let the Truth be known by Ridgelift · · Score: 5, Interesting

    "Participation in and release of the report was not sanctioned by @Stake," the security and consulting company said. "The values and opinions of the report are not in line with @Stake's views."

    What?! What exactly wasn't true about what was said?

    Quote: Daniel Geer "As fast as the world's computing infrastructure is growing, vulnerability to attack is growing faster still"

    Quote: Daniel Geer "Microsoft's attempts to tightly integrate myriad applications with its operating system have significantly contributed to excessive complexity and vulnerability. This deterioration of security compounds when nearly all computers rely on a single operating system subject to the same vulnerabilities the world over"

    Quote: Ed Black "Microsoft's monopoly threatens consumers in a number of ways, and it's clear it is now also a threat to our security, our safety, and even our national security."

    Quote: Bruce Schneier "The problem is that of monoculture. As long as all computers are running the same OS, they're all vulnerable."

    If @stake is saying they don't agree with these statements, then their credibility as a security company is seriously in question. It's one thing to say they fired someone for violating professional protocol, it's quite another to terminate them because what they said was incorrect.

    Everything said by Geer, Black and Schneier is correct. What does @stake not agree with?

  40. Violate an employment agreement - Get fired by wangotango · · Score: 2

    Obviously, he knew full well what he was doing when he signed the report. I find it very believable he also understood what the end result of his actions would be. It seems a huge stretch to believe a man of his experience and background didn't fully understand the position he was placing himself and his employer in by participating in this report. He no doubt had an employment agreement specifically stating "pre-acceptance" of anything he published while employed by @Stake. He violated the agreement, and they fired him. Not the first to get fired for violation of an employment agreement, certainly won't be the last.

  41. @stake making power plays w/ microsoft == OIS by SkewlD00d · · Score: 4, Interesting

    @stake, eeye, and iss have all agreed w/ microsoft not to release details of even potential exploits until microsoft has had 30 days to "evaluate" them, leaving admins and the public unnecessarily exposed to vulnerabilities. This is completely unacceptable, and contrary to the scientific peer-review process of real science. If you know there's a problem, you speak out, suggest a fix, and hopefully the appropriate parties will be responsible enough to take action. Additionally, others have to be able to VERIFY and REPRODUCE findings, a critical part of *real* research. But microsoft's tactic is to force so-called security "research" companies (who are in it for money, not necessarily for altruistic research or making things more secure) into a lop-sided, biased "standards" NGO, the "Organization for Internet Safety" (OIS), of which Microsoft is a member. (read this). What they are proposing is censorship, hiding information until they can find a fix, so that only the hackers will know what's broken. Talk about the fox guarding the hen-house!!!

    Additionally, the director of research for @stake, Chris Wysopal, is effectively lobbying congress to give teeth to the OIS, and more power to microsoft and their buddies.

    OIS = @stake, BindView, SCO, Foundstone, Guardent, ISS, Microsoft, NAI, Oracle, SGI, Symantec. sounds like the stone cutter's guild to me.

    Eeye seems to be left out for obvious reasons, they oppose this secretive "research." Read eeye's Marc Maiffret's (chief hacking officer) thoughts on things to a congressional subcommittee here.

    "windows corrupts, microsoft corrupts absolutely."

    --
    The biggest trick the devil pulled was letting lawyers become politicians so they can write the laws.
  42. Dan Geer is a respected researcher in infosec by The+Infamous+TommyD · · Score: 5, Insightful

    For him to be canned over this report (which is excellent by the way), is awful. Other heavy hitters in infosec also collaborated on this report e.g. Schneier, Becky Bace, and Charles Pfleeger.

    It's not so much that @stake doesn't have the right to fire him, but rather that it's a pity that they can't stand up to the truth. Not that corporations are known for their honor anyway. I would not trust @stake with my business at this point - what's next? MS buying them into using their clearly superior security products?!

  43. I'm sure this man has nothing to worry about by netdemonboberb · · Score: 2, Interesting

    It's sad that @Stake would be so scared of Microsoft to fire someone for telling the truth.

    I'm sure that some other company will be perfectly happy to snatch him right up, partly as a slap in the face to Microsoft and because he can obviously provide some valuable information about the security risks involved with Windows now and in the future.

    Maybe even the CCIA might snatch him up? Personally, I think they owe it to him.

    --
    Volunteer Mozilla developer, RPI Student.
  44. umm, has anyone mentioned... by HBI · · Score: 4, Interesting

    @stake has demonstrated that nothing, absolutely nothing, will get in the way of satisfying their clients. While this is admirable from a capitalist viewpoint, how much do you trust any information that they disseminate?

    Thought so.

    Tarring yourself as a Microsoft shill might be good for the bottom line but I doubt @stake's long term viability was helped by this move. Particularly since the point that Mr. Geer was making is patently obvious to anyone with a clue.

    I'm sure going to tune out anything they say in the future.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    1. Re:umm, has anyone mentioned... by rbook · · Score: 2, Insightful

      How is this "admirable from a capitalist viewpoint"?

      Protecting the image of one client by blowing your credibility with all other actual and potential clients is not "capitalist," it's stupid. It's the sort of thing that put Arthur Andersen out of business for covering for Enron.

      Heck, even Microsoft should think twice before trusting @Stake now; they should assume everything @Stake tells them is just brown-nosing...

  45. MS influence permeates the industry by Infonaut · · Score: 3, Insightful
    They have an awesome working relationship with Microsoft. They get to do exactly what they love to do (finding exploits) in code that is supposedly riddled with problems and get paid tons of money to do it. In addition, they help the world by helping MS identify and fix these bugs.

    I can't argue with those points. You're absolutely right. It's just a shame to me that someone who knows a lot about something that affects the security of millions of Americans can't speak out about that threat without being fired by their employer.

    It's rare to see a group of people take a stand about something they feel is of more importance than just dollars and cents. These folks are essentially blowing the whistle on something a lot of people have known about for a long time but have been too frightened to say for fear of the wrath of Microsoft.

    While I absolutely agree with you that @Stake is just protecting their own interest, their action is proof of how far Microsoft has permeated the fabric of the IT business. Virtually every company in the industry has to be careful about criticizing (or even allowing an employee to criticize) Microsoft, for fear of retribution.

    --
    Read the EFF's Fair Use FAQ
  46. He wrote it as if it was on @Stake's behalf (NOT) by IBitOBear · · Score: 3, Interesting

    First off, "they" wrote it. Each of the contributors listed their position and company with equal emphasis. No representations were made about the "official" positions of the respective and multiple companies listed.

    Yes, we seem to be living in a world with increasing need to disclaim. In fact, we live in a legal claim/disclaim toxic environment.

    If you were to global search-and-replace the company names with the names of universities; and likewise exchange the professional titles with academic ones; this paper would be perfectly kosher.

    So now, apparently you can't publish a scholarly work unless you *don't* have a "real job." How nice.

    Remember: The great/golden age of the Arab Empires collapsed because of one act. They closed their libraries. After that scholarship fell into disrepute. Then learning. Then knowledge. Then "not being an idiot" was against the social norm, and *poof* they lost the initiative.

    Let's not repeat that debacle in our age, shall we?

    Persons should enjoy the right to freely publish their thoughts and understandings of any issue with greater social ramifications.

    Silence == Death... As a slogan it is applicable to far more than the AIDS crisis.

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
  47. Re:Is slashdot really any better? by HanzoSan · · Score: 2, Informative

    Yeah but what about the moderation system? Don't you know that Linux users make up about 99% of all the mods?

    --
    If you use Linux, please help development of Autopac
  48. Re:I'm sure he'll find a new job by Pathetic+Coward · · Score: 4, Funny

    Did he have to train his Indian replacement?

  49. Watch the disappearing PR by gothicpoet · · Score: 3, Interesting
    With any luck Dan Geer will find a better job with a better company to work for.

    @Stake on the other hand...

    This is probably going to be a bit of a nightmare for them. The firing is starting to generate a lot of attention in the press. People who may or may not have heard of @Stake before this are now going to remember them as "the company that fired a guy for dissing the security of using all Microsoft."

    I for one wouldn't want to hire a company whose line of business is other people's security but who fired a guy for pointing out obvious and factual problems with the security of a major software vendor. It speaks volumes to whose interests they are going to represent if I were ever their client.

    It wouldn't be mine -- it would be their own and any bigger client whose interests might run contrary to mine.

    --
    Quoth he ::
    "It's all academic anyway..."
  50. And Paint can finally save as PNG! by leonbrooks · · Score: 2, Funny

    One day, I'm sure IE will get around to displaying them correctly.

    Yes, but... other than roads, sanitation, better medicine and the streets bein' safe at night, what have the Romans ever done for us?

    --
    Got time? Spend some of it coding or testing
  51. Assumptions by The+Kow · · Score: 2, Insightful

    Why assume that MS had ANYTHING to do with his getting fired - it could've just as easily been some nervous CEO who perceived, rightly or not, that firing this guy would be a better move than keeping him on board.

    Think about whatever company you may work at, if not now then some day. If you wrote something critical of one of your company's main sponsors, or a frequent collaborative partner, it wouldn't be likely to go over well with the President, would it?

    If you're at all worried that there's competition for your position in a collaborative partnership with, in this case MS, you're going to take pre-emptive steps to ensure that your partner knows how devoted you are, and if it gets to the point that they're pressuring you to do these things, then it probably means you're behind, which is a bad sign.

    It's very possible that Microsoft didn't give a whit about this guy, or at least didn't care enough to tell the company to "do something about him!". Let's be honest, we do have a tendency to overhype the anti-MS sentiment in this community sometimes.

    --
    Moo
  52. That's it, shoot the messenger... by CatGrep · · Score: 2, Insightful

    ...who bears bad news. Looks like this is @Stake's loss more than Mr. Geer's. Someone with his knowledge of security won't have a problem finding a job even in this economy (security being kind of a hot topic these days).

  53. Re:last message by bigman2003 · · Score: 3, Insightful

    Are you nuts? Or do you just have a very small understanding of business?

    If this person was a writer/researcher/whatever for a company, and he made comments that were not only attributed to him, as an individual, but to the company he worked for- yes, they can get rid of him. And, if these comments made by him, under the guise of 'official' statements were contrary to the company's position, then yes, he *should* be fired.

    If he wants to say these things on his own time, and not associate them with his company, then fine. Unless of course he has a contract that states he CANNOT do this. This is fairly common for people who are a 'spokesperson' for their company. Or, who are strongly identified with the company.

    But, this person wanted to use their company's good name to push his own agenda- that is not a good thing. I work for a major university- I cannot publish papers filled with my opinions, and my own platform, and associate it with my university. In fact, anything that IS published, and associated with the university, needs to get peer-reviewed by at least 3 other people who are experts in the field. This is to ensure that individuals cannot use the university's good name as their own pulpit.

    --
    No reason to lie.
  54. Another good article -- Washington Post by gothicpoet · · Score: 2, Informative
    Here's another good article on this subject: Washington Post

    According to the Washington Post, Lona Therrien, the @Stake spokesperson, "said the company had no conversations with Microsoft about Geer or the report."

    However (same article), Sean Sundwell of @Stake said that on Tuesday night, when notice of the report's pending release was circulated, "Microsoft was contacted by @Stake officials . . . expressing their disappointment in the report and saying that Dan Geer's opinion did not reflect the position of @Stake and its commitment to an ongoing relationship with Microsoft."

    So... which is it? Did they discuss the report directly with Microsoft or not??

    --
    Quoth he ::
    "It's all academic anyway..."
  55. Forget conspiracy theories.Remember what @stake is by MickLinux · · Score: 4, Insightful

    Simple point here: whether or not @stake is involved in a conspiracy, @stake clearly considers themselves to be a advertising/publicity agent of Microsoft.

    @Stake clearly does not consider themselves to be a news organization, or a news clearing house.

    That said, they should, in the future, be held to the standards of advertising agents, with all the benefits of such -- not news agents with their benefits.

    Therefore, if they want to come in to cover a software convention, by all means let them [but at full price: no media pass]. If they want to claim first Amendment right to speech, they can, within the bounds and with the protections set by our government for advertisers. Not within the bounds and with the protections set by our government for news media.

    I don't see a reason to apply conspiracy here; just treat them as what they consider themselves to be.

    --
    Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
  56. My favorite bit in the Forbes article by mpaque · · Score: 2, Insightful

    My favorite bit:
    > Microsoft spokesman Sean Sundwall said AtStake
    > contacted Microsoft Tuesday night to express
    > disappointment in the report and to say it did not
    > reflect AtStake's position.

    So, if AtStake has all this integrity and independence, why do they contact someone at Microsoft to do the old "No! No, Master, it wasn't us! It was the tricksy CTO. But we fires him, yes! Is Master pleased with us?" routine?

    > "Microsoft had absolutely nothing to do with
    > AtStake's internal personnel decision," Sundwall said. ... pleased that he had maintained plausible deniability.

    Just another day at the weasel ranch...

  57. Damn good Report -- proves its point! by Linus+Sixpack · · Score: 2, Funny

    Wow, Write that Microsoft dominance hurts the country. Get fired for insulting Microsoft with company name.

    Headline should have read:

    Writer gets burnt @Stake.

    This looks seriously bad for everyone concerned.

  58. Why Microsoft now matters more than your job by Zhe+Mappel · · Score: 5, Insightful
    I find it rather disturbing that a company can fire you for something you do of your own accord. What's next, are companies who like to suck up to MS gonna fire you for developing a linux program?

    Am I just being naive, or does this bother other people too?

    Oh, it had better bother other people. Tomorrow, it might be them.

    Whistle-blowing is never a popular job, but it's even riskier during bad economic times. Most of the backlash against this employee is due to the spineless quivering, in management, about losing vital business. Once again, we see why monopolies are unhealthy for society.

    What are you gonna do, though, if you're canned? The employment-at-will doctrine has essentially always allowed bosses to hire and dump whomever they wish for any reason; dear old kooky Walt Disney used to go nuts with this easily abused freedom, and the 1990s left a trail of shattered lives and communities behind the rapacious "downsizing" of workers. Except where protected by civil rights or state employment law (and good luck bringing a case!), this is where you stand as an employee in America - at the mercy of the Man's whims. Learn to kiss ass; learn to run your own business; learn to work for decent people; these are among the few options for workers, and guess which one is most popular.

    But this is also a hysterical time politically. Under the New McCarthyism the pasture of sacred cows has been enlarged: now not only our Glorious Leader is supposed to be beyond reproach, but so are certain corporate entities. And by burrowing like a common bacterial spirochete into the guts of American national security, Microsoft has begun to undergo the transformation - symbolically - from mere lawless and sloppy monopolist to vital U.S. institution. Yesterday, MS merely brought you BSODs, viral weakness and data loss. Today, it defends America against her enemies with its arsenal of...er...BSODs, viral weakness and data loss.

    If this transformation continues, it will be more and more costly to criticize Microsoft as it mutates into an adjunct of the security state. HomeSec is already MS's taxpayer-subsidized tech support service, busily issuing warnings about the latest viruses and worms. This relationship should be promptly terminated by the next administration when the adults get to run things again.

  59. Mmm hmmm. And it doesn't work all that great. by MickLinux · · Score: 3, Informative

    Look at the history of Virginia Commonwealth University. See that point where they were completely shut down? That's because they *were* firing their tenured professors, and in the end completely shutting down the university was all that the state could do to stop it. When they sent examiners to interview the professors about the situation, the president would not let them alone with the professors. Anyhow, the state discovered that they couldn't do anything except close the university and fire everyone.

    Jump over to James Madison University. It seems that the then president of the university was trying to force through academically impossible changes. [For example, teach upper-level calculus before basic calculus, "to give them a feel for it".] So one of the Physics professors came up with proof of tax fraud. At that point, the president fired the whole Physics department, because although he couldn't fire a tenured professor without cause, he could eliminate the need for the professor by abolishing Physics [impressive stupidity for a university with a medical program, but finding tax fraud was a real threat]. Eventually, the firing was rescinded, and the president retired, but the potential for tax fraud penalties was probably a slightly larger gun than tenure. Jump forward, same university, different president. The tenured professors' contract is the University Handbook; and the administration updated it, taking to itself all the rights of academic free speech, and making the contract unilaterally modifiable. My father caught this, and in the Faculty Senate pointed out that (1) this had no effect without Faculty Senate ratification, (2) they couldn't ratify it because unilaterally modifiable contracts are illegal, (3) they shouldn't ratify it, and (4) without ratification, they were working either on the old handbook (in which case the old handbook stood), or else without a contract, which implied no particular tenure protection, but also implied no protection for the university against lawsuit.

    In the end, he got those clauses struck. But tenure really doesn't protect academic free speech too well.

    In reality, tenure and academic free speech were initiated by the university administrations for their own convenience. It seems that, all the time people were coming up and saying "I'll donate X million dollars, if you'll teach this or that." And the problem was that if they taught this or that, 2 other donors would say "I'm not donating any more, because you're teaching nonsense." If they declined, however, then the person who wanted to affect the curriculum would begin a publicity campaign against the administration, and it was a real mess. So the academic free speech became a way that the administration could say "sorry, it's against contracts we've already signed. It's impossible."

    --
    Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's
  60. His job? by tconnors · · Score: 2, Funny

    So, it looks like his job was @stake?

    Sigh.

  61. Re:I'm sure he'll find a new job by Anonymous Coward · · Score: 2, Interesting

    @Stake absorbed l0pht, which had serious hacker cred just a couple years ago.

    Google suggests, for more background: this and this.

  62. Talk about putting a finger where it hurts. by miffo.swe · · Score: 2, Insightful

    Daniel E. Geer Jr must have really hit a sensitive area of Microsoft. It's really sad to see them so unwilling to realize that the report isn't a hit on MS but more about monoculture in the internet. Monoculture is bad, ask any biologist and he'll tell you why. Diversity is much better but it demands open standards and interoperability, something Microsoft have been successfully avoiding since day one.

    --
    HTTP/1.1 400
  63. for the sake of one client by alizard · · Score: 4, Interesting
    @Stake just blew off a big chunk of their credibility. Is there anybody around here who was thinking about hiring them who hasn't changed their minds yet?

    If they want MS as their sole client, that's one thing.

    Their publicly firing a whistleblower for being part of a group writing a negative article about MS software tells me that @stake can never be trusted again in any statement they make about MS software, operating systems, or security procedures. So what's the upside for a non-MS client to hire them?

    Is anybody left at @stake from the old l0pht days?

  64. Re:Would Anyone Like to Take @Stake's Side? by plover · · Score: 2, Insightful
    Oh, I agree that this is absolutely the worst action they could have taken. The life cycle of their business flows pretty much like this: At any random corporation, members of the board hear "we need a computer security audit" from the stockholders (many of whom have recently been infected by Welchia.) Managers write "perform a security audit" on their checklists. They then ask their Senior Technical People With Clues (STPWC) to recommend firms who audit security. Technical people turn to places like comp.risks, slashdot, etc., which all figure into their mental balance sheet of companies to recommend. They then suggest the names they recognize as having good reputations.

    @Stake just sold their reputation to Microsoft, lock, stock and barrel. If you need a "clean bill of health" security audit to hand to the shareholders and you're a 100% Microsoft shop, you now know where to find a friend: @Stake. If you're actively interested in security, rather than simply checking a box off on your manager's list, @Stake doesn't have any whuffie left.

    My prediction is whatever is left of @stake after this fiasco will be purchased by Microsoft by assumption of debt, probably in the next two years or so.

    @Stake has always looked good in the past. They sure looked brilliant this week when this paper came out. And now, it appears that all this time their talent was locked up inside their CTO. So they threw the baby out and kept the bathwater. They're not looking so good anymore.

    --
    John
  65. Rough Translation by quinkin · · Score: 5, Interesting
    It's a sad state of affairs, but not surprising. It's been a long time since the "CIFS is caca" paper,

    CIFS=Common Internet File System. This is a reference to the security flaws highlighted by Hobbit (from memory it was defcon 5, back in 1997) in the microsoft SMB (windows networking) products. A copy is still available from here.

    and I lost respect for the l0pht back when *hobbit* was edged out. Mudge became "Dr. Mudge" (as if), and they all started running after the limelight. Sad, really. The Hacker News Network is long gone, and mudge is Pieter. It sucks for Dan, but it's just more of the same for the rest of us.

    L0pht Heavy Industries (creators of the L0phtcrack suite Pwdump that allowed brute force cracking of windows NT user/passes) went through a period of internal discontent. I cannot provide any details on this. Basically the author seems to be trying to highlight the corporate yes-men culture that has permeated this sector and presumably led to this dismissal for speaking the obvious but unapproved "truth".

    It takes a lot of nerve for Chris Wysopal to issue his little statement. Weld Pond would never have said something like that. Man, it's been a long path from BO2K to appeasing Microsoft. What a long, strange trip it's been. Sigh.

    I have to admit this part has me stumped. I assume he means that Chris Wysopal of @stake would answer differently to Weld Pond of L0pht. Since they are one and the same person I assume he means to highlight the change over time in Chris's opinions/loyalties... not really surprising in the context of articles like this (para. headed Who's Who).

    It has indeed been a long and strange trip... no end in sight yet.

    Q.

    --
    Insert Signature Here
    1. Re:Rough Translation by shrdlu · · Score: 2, Informative

      I'm posting my own translation, to clear up a couple of things.

      > > It's a sad state of affairs, but not surprising. It's been a long time since the "CIFS is caca" paper...

      > CIFS=Common Internet File System. This is a reference to the security flaws highlighted by Hobbit (from memory it was defcon 5, back in 1997) in the microsoft SMB (windows networking) products.

      You're correct on which defcon, but I'd like to remind you that mudge and *hobbit* stood up there together. I was saddened to see how quickly mudge compromised his principles for cash. I have nothing but respect for *hobbit*, who has retained his.

      > > and I lost respect for the l0pht back when *hobbit* was edged out. Mudge became "Dr. Mudge" (as if), and they all started running after the limelight. Sad, really. The Hacker News Network is long gone, and mudge is Pieter. It sucks for Dan, but it's just more of the same for the rest of us.

      > L0pht Heavy Industries (creators of the L0phtcrack suite and Pwdump, which allowed brute force cracking of Windows NT user/passes) went through a period of internal discontent. I cannot provide any details on this.

      It was more than just a bit of internal discontent. I'd say it was a basic separation into two camps: the old school hackers, and the group that felt it would be good to take advantage of the notoriety and cash in. The original Back Orifice product was written by Cult of the Dead Cow, and only ran on Windows 95/98. It was a (soon to be) member of the l0pht that rewrote it to work on Win NT. L0phtcrack was not the only interesting thing that came out of that group. Wish I'd made a mirror of the old site. There was plenty of MS bashing.

      > > It takes a lot of nerve for Chris Wysopal to issue his little statement. Weld Pond would never have said something like that. Man, it's been a long path from BO2K to appeasing Microsoft. What a long, strange trip it's been. Sigh.

      > I have to admit this part has me stumped. I assume he means that Chris Wysopal of @stake would answer differently to Weld Pond of L0pht. Since they are one and the same person, I assume he means to highlight the change over time in Chris's opinions/loyalties... not really surprising in the context of articles like this (para. headed Who's Who).

      Yeah, I was perfectly aware that Weld Pond == Chris Wysopal. The comment was expressing my sadness at just how much he's changed. Thanks for the link to the Register, I'd forgotten that article. That grouping never came off, BTW, but there's still the pay early version of CERT that doesn't much make me happy.

      > It has indeed been a long and strange trip... no end in sight yet.

      --
      The difference between a Miracle and a Fact is exactly the difference between a mermaid and a seal. (Mark Twain)
  66. Re:Aah! My paper! by Wolfrider · · Score: 5, Funny

    ...I guess he really didn't realize his job was @Stake...

    (Mod -1 Horrible)

    --
    .
    == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  67. Re:He wrote it as if it was on @Stake's behalf (NO by kfg · · Score: 3, Funny

    "Then "not being an idiot" was against the social norm, and *poof* they lost the initiative.

    Let's not repeat that debacle in our age, shall we?"


    Too late.

    KFG

  68. The fear of reprisal by Felinoid · · Score: 2, Insightful

    I've mentioned this before, when technology publications that focus primarily on Microsoft products CLAIM they are impartial and have no ties to Microsoft: when you rely on someone for information, you're not impartial to that source.

    Info 64 was a publication for Commodore 64 users, created on the Commodore 64, etc. etc. The whole philosophy was that the magazine should live and die by the products they support. Obviously they are no longer in publication.

    Anywho, when Commodore published the specs for the 4+ and C16, every Commodore mag published the specs exactly from the press kit. Info 64 did not.

    A reporter at Info64 wrote an article ripping on other Commodore based publications for doing that.
    The point he made was that ANY publication that focuses on Commodore is answerable to Commodore. When Commodore hands out press kits there is an implied threat: "report this and be glad we give you anything".
    I remember that. I was a subscriber to Compute's Gazette, Commodore, and Info 64. Compute was a publication powerhouse and got ALL the latest news and information, but they were never critical of Commodore or the software titles. When they did report weak points they'd glaze them over like it didn't really matter.
    All the platform publications were like that.
    Except for Info64. That's what I liked about them.
    Info 64 starts off with a bunch of reviews and I always read them over. They are very critical and careful to review the software properly.
    In other publications I skip the reviews because they were just free ads pretending to be legit reviews.
    The greatest database program ever... on the Vic 20? See where I'm going with this? Some of these reviews were just downright garbage because the publications were fearful of being cut off.

    Info64 didn't care. If they can't do it right they can't do it at all.

    No, Commodore never cut them off.

    But now jump forward... Commodore is dead, Microsoft reigns supreme, and Microsoft is making noises about its latest and greatest Windows 95. Bug free and an OS itself, not an environment running on top of DOS. It now uses protected mode processing like OS/2, so a bug in a driver or application won't crash the whole operating system.

    Microsoft handed out Windows 95 beta CDs.
    Nearly every industry reporter got one. One reporter had the balls to point out every single problem in the Windows 95 beta.
    Microsoft was angry and pulled that reporter from the beta program.

    Commodore was bluffing; Microsoft wasn't.

    Now everyone is being very careful.

    Unless they are Mac or Linux publications.

    If you work for a publication that works with Microsoft, ANY time you're critical of Microsoft you put your job at risk.

    --
    I don't actually exist.
  69. There is a problem here. by jotaeleemeese · · Score: 3, Insightful

    If you talk as an individual in a matter in which your employer may have a stake (think a financial analyst working for a bank) you better make sure your employer does not have a problem with what you are going to say, no matter how many disclaimers you put around your words.

    The reason is very simple: a given company needs to keep a reputation; in the case of a security company they need to appear to be open and impartial when assessing different products. By having an employee that clearly has reached his own conclusions and made them public, the employer is left in the difficult position of explaining how they may be choosing MS stuff or recommending it given that one prominent employee has lambasted those products in a public forum.

    Sorry, but I have no pity for this person in spite of broadly agreeing with his conclusions.

    --
    IANAL but write like a drunk one.
    1. Re:There is a problem here. by EinarH · · Score: 2, Insightful
      The irony is that this company's research division originally consisted of people that came in by a merger. L0pht Heavy Industries, an old hacker group from Boston, merged with @stake.

      L0pht has always believed in full disclosure of security vulnerabilities; like they stated in this interview..

      There was also a /. story about L0pht, "hypocrisy of hackers" and (possible) connections to FBI and NIPC a year ago.

      So it turns out that the hacker philosophy went out the backdoor and the corporate standards from @stake prevail.

      Of course their relations towards Microsoft are important since they are their largest customer, but firing the messenger because his views don't reflect the party line, and NOT because he is wrong, will hurt their reputation as consultants more than his views do.
      Maybe it's naive to think that one buys some independent judgment from consultants and security groups, but at least one should expect that they give the CTO some slack in publishing a paper/report about the consequences of reliance on one company.

      I would think that it would have been better for Microsoft to indirectly say "we are working on security with @stake even if one of them criticized us" rather than "we are working with @stake, and yes they fired the messenger".

      Anyway; just my $0.02

      --

      Melius mori in libertate quam vivere in servitute.

  70. Ethics and Business sans Technology by hackus · · Score: 4, Insightful

    I hate to be a rant...but I can't help myself. :-)

    Ethics is going down the tubes. An example, I think was the investment community in the U.S.

    If you watch the media, you have this over all impression, well, Enron was just a fluke, they had poor accounting.

    But if you read the papers, this fluke, is being practiced by 100's of companies, all screwing over their investors like cheap whores on a Dutch street corner.

    I hate to point this out, but these Ivy league trained people were taught and are taught that this is just ducky. How can it not be with so many companies screwing you on a daily basis.

    It can't be a fluke when everyone is doing it.

    Fluke? I think not, but you decide.

    It has become ethical to do business unethically and it is proudly taught that way in our so called finest Universities.

    If anyone has any money in US retirement investment funds, when they retire 30-40 years from now, I will be really amazed.

    If you are an investor, and you are investing in US companies for retirement, you my friend are a sucker.

    Same thing is happening here. Microsoft is not an innovative company, it buys companies.

    They do not write good software and if you are stupid enough to buy Microsoft Press books written by PhD's who claim they even have a clue about good Software Engineering principles, you are just another duped "investor".

    I would like to point out that Microsoft is one of the largest employers of Computer Science PhD's in the country.

    As an example, one must ask this question after looking at these Software Engineering practices books that Microsoft Press publishes as oxymoronic.

    My reasoning is as follows:

    Exhibit A: Microsoft hires more PhD computer scientists than even IBM has to work on the secure initiative for 2000 and XP. Building and rebuilding the entire OS 2000, and then again with XP, from scratch, at an estimated cost of 2.8 billion dollars.

    Exhibit B: An 18 year old in Minnesota, a 16 year old in Malaysia, and a 21 year old in Russia. All with WAY too much time on their hands, with NO source code, find more security holes in 2000, XP than you can possibly say "Code 'in'-Complete" in the past 14 months.

    Exhibit C: A University student in Finland builds a new operating system kernel called Linux, and in just 8 years it is being worked on by almost no PhD's and many testers and code contributors are in their early 20's or teens, and is far more capable than Windows, 1.8 billion dollars later.

    Is Linux just another Enron? Fluke?

    My point is that the way we are being taught code in this country is not the way code should be written. Even if you have a PhD, it's business as usual dogma, just like our MBA friends.

    Is it a fluke that the best code being written is not through institutionalized learning in this country?

    What do these exhibits tell us about our country in general, with regards to ethics?

    It doesn't take a rocket scientist to figure out what is going on here.

    Fluke?

    I think not, but you decide.

    -Hack

    --
    Got Geometrodynamics? Awe, too hard to figure out? Too bad.
    1. Re:Ethics and Business sans Technology by insomaniac · · Score: 2, Informative

      Uhm, not to nitpick, but we here in the Netherlands don't have many whores on street corners. We have more of them behind glass with red lights.

      --
      The way to corrupt a youth is to teach him to hold in higher value them who think alike than those who think differently
  71. This looks like a disclaimer to me by Peter+Eckersley · · Score: 2, Informative
    I can't find a disclaimer anywhere in the report saying that he wasn't representing @Stake, and yet he used it to back up his authoritarian position, and intentional or not it appears that he was speaking on behalf of the company he worked for.

    From p.3 of the report:

    CCIA and the report's authors have arrived at their conclusions independently. Indeed, the views of the authors are their views and theirs alone.

    Unless they modified the report after it was first posted? The version I'm looking at says modified 24/09/2003, 7:03 EST

  72. They Already Did That by Mad+Man · · Score: 2, Informative
    was "Re: Can they do that?"

    Think about it this way - if I worked for Fox News and I wrote a scathing book about GWB on my own time then I shouldn't be surprised if I was fired the next day.

    Why use Fox News as a hypothetical example, when that did happen... to Bob Zelnick of ABC News, for writing a book about (then) Vice President Al Gore.

    FYI: Rupert Murdoch, who owns Fox News Channel, also owns Harper Collins, which publishes books by authors like Michael Moore.
  73. Demonstrating one's cluelessness by slashdot_commentator · · Score: 2, Informative

    @stake, eEye, and ISS have all agreed w/ Microsoft not to release details of even potential exploits until Microsoft has had 30 days to "evaluate" them, leaving admins and the public unnecessarily exposed to vulnerabilities. This is completely unacceptable, and contrary to the scientific peer-review process of real science.

    What an idiotic thing to say. Most legitimate security researchers give any company an agreed upon period of time before making public an exploitable security hole. Many times, this period is longer than a month. This allows a company time to create and distribute a patch against the hole. No legitimate researcher wants the internet to melt down or information compromised in the desire to rush to make a statement.

    In professional ("real") scientific circles, there might not be a built-in delay before disseminating information, but you certainly jeopardize your career if you state anything in your publication that might be quickly interpreted as incorrect. (Just ask Pons & Fleischmann.) Many scientists will delay publication of information to be dead certain of their facts, and there can be a year of delay before a scientific journal will publish the information. (This is part of the peer review process.)

    Microsoft may engage in egregious policies concerning disclosure of security vulnerabilities (but none that I'm immediately aware of), but requesting a researcher to delay public announcement before evaluating and producing a security patch is not one of them.

    --
    There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
  74. I was with you until you said by HidingMyName · · Score: 2, Insightful
    The paper was written by six different authors, all of whom are very well respected in the security community. I think that covers your concerns about "peer review."
    In peer reviewed forums the forum appoints people to read and review the papers, they don't just take the author's word for it. Even smart people get stuff wrong, which is why external review is needed.
  75. Chilling effects at @stake after this firing? by Uninvited+Guest · · Score: 2, Interesting

    Microsoft hired @stake to improve security in Windows. In order to improve security (or most anything), you have to recognize what is wrong with that security. @stake just fired someone for publishing independent research related to what @stake paid this person to do: be critical of Microsoft Windows security. This firing leads me to believe that @stake wants its employees to be critical --but not too critical-- of Windows. And while @stake can surely find people to fill this mediocre requirement, they probably won't find the "best" people. Indeed, there might be a quiet exodus of talent from @stake after this, and @stake might have trouble naming a replacement CTO that has the same level of competence in Windows security. Perhaps an Anonymous Coward from @stake will update us on the chilling effects, if any, inside the company.

    --
    Sometimes I worry that I'll develop Alzheimer's disease, but no one will notice.
  76. He's the Chief by borroff · · Score: 2, Insightful

    He's not just some shlub in a lab. The guy's the CTO, and as such, he is assumed to set the technical tone for the company (that's why he's the chief). If the board believes his personal vision is not in line with the company's goals (i.e., taking Microsoft's money and getting rich), then they would be failing in their duties if they did not replace him.

  77. Wish I had seen this earlier by spacerog · · Score: 5, Interesting


    Sure wish I had seen this earlier instead of 300+ replies later. Oh well, I guess that's what happens when you stick your head inside a Hobbit hole for three years and don't come out.

    I feel I must reiterate L0phT != @stake. Please do not confuse what I consider to be the good work of the L0pht with the corporate nonsense that is @stake.

    As for Dan and everyone else that works there they should have seen the writing on the wall three years ago when they fired my poor ass. Remember me, Space Rogue? HNN? All Gone. Why? I can only speculate but I think they felt that a critical mouthpiece would not be a good thing. Sound familiar? Hard to get someone to sign a big contract if you might call them names the next day.

    Dan is a remarkable person. His mind works like no other person I have ever met. Don't feel sorry for him. Trust me, he is in a better place now.

    Microsoft has continued its embrace, extend and I assume, extinguish policy with regards to information security. How? By hiring several of the people who were critical of the organization. Yes, that means previous @stake, Guardent, Foundstone, etc employees. That also means hackers, all who now work for the Giant in Redmond. Keep your enemies close. What better way to silence your critics than to hire them. Then you can keep them silent until they no longer pose a threat and dispose of them quietly at a later time when no one is looking.

    Oh well, life goes on, the Internet is as insecure as ever, companies are still able to hide their vulnerability, risks are not taken seriously and hackers still roam free. Nothing has changed, and nothing will until such time that people stop trusting everything that is spoon fed by anyone looking to make a buck. Yeah, I'm cynical. Sue me.

    - SR

    1. Re:Wish I had seen this earlier by spacerog · · Score: 2, Informative

      I'm not surprised they didn't tell you anything. They didn't tell me anything either. A big part of the secret was not to upset anyone else. Immediately from the start I had been separated from the rest of the original L0pht folks. My guess is to make it easier to let me go later on. If they had kept us together and tried to fire one of us it would not have gone so smoothly. The old divide and conquer strategy. Consider your time at @stake a valuable lesson. Never again will you allow yourself to be brainwashed when they tell you that their company is different, that they will succeed where others have failed, that they will change the world. Remember it's _ALL_ about the dollar. Anything else just gets in the way. - SR

  78. I got fired testifying the Antitrust by twisty · · Score: 5, Interesting

    I was the IT Specialist of the divisional headquarters of The Salvation Army in Cincinnati - the 'go to' guy for half of Ohio and Northern Kentucky. I was one of the 30,000+ people sending letters to the DoJ regarding Microsoft's anticompetitive practices. (I shared an account of how they tried charging us twice for Office licenses.)

    Three months later, I had a four day vacation and when I came back, the locks on my office were changed and my personal contents were cleaned out. They gave me a "farewell interview" to express that their sole reason for firing me was "dissatisfactory performance," which is all their employment policy required. My ten year career with them was over, they would not give me opportunity to defend myself, and they wouldn't give me severance or unemployment.

    (The Salvation Army, as a church, is not required by Ohio law to pay into unemployment. Compounded with losing my pension settlement for three months, I spent those months at zero income.)

    I found out over a year later that Microsoft was behind it... It wasn't a local decision at all, but was enforced by Paul Kelly, IT Director of New York's Territorial HQ, along with a policy banning Linux in our ten state territory! Paul normally has no direct dealings with me on the divisional level, but a contact in New York revealed how pivotal Paul considered me in that controversy.

    I haven't pulled together the witnesses and evidence to prove this in court, but the commonly held opinion is that Paul got the call from Microsoft which says "get rid of the problem, or we'll audit your business licenses."

    So it seems The Salvation Army, a church, is also a wholly owned and operated subsidiary of Bill Gates' Evil Empire(tm).

    Joel 'Twisty' Nye, MCSA, Linux+

  79. Take gun, point at foot, pull trigger by mormop · · Score: 2, Insightful

    All this does is shoot down @stake's credibility.

    Anyone with half a brain will realise that running an entire network on a single OS is asking for it. This is why buildings don't tend to have the same key for every lock and the burglar alarm, and keep skeleton keys well guarded. If this were the case, someone drops the key in the car park and whoever finds it has free rein and oh boy, the joy of discovering that it opens every desk, filing cabinet and safe as well.

    The headline was that a singular reliance on Windows is a bad thing and I can't see that this argument is flawed. For @stake to sack someone for daring to state the obvious is laughable and makes them look stupid in the same way that Microsoft always looked stupid when they'd claim that there were no reliability issues in Windows despite the fact that even the non-techiest people in an office could tell you what BSOD stands for.

    If anyone at MS is thinking that this is a good thing then they should consider that many people watching have already, based on their previous record of dubious behaviour, put this down to their intervention. Whether it's true or not is irrelevant, it just seems most likely.

    --
    Hmmmmmm..... Deep fried and look like Squirrel.
  80. Re:Is slashdot really any better? by lordmage · · Score: 2, Interesting

    I am always very careful whenever I post anywhere. Anything that comes close to my job or interests that my job affects. If you have not learned that management of your company may find your notes somewhere.

    Years ago, I posted something similar in an abject statement during my job, that I was supposed to address. Without going into specifics, we got threatened to be sued because of FACTUAL statements. I did not get fired but was forced to post a retraction.

    If what you say is true, and part of your job to say such things.. and you still get smacked.. it's time to move to something different.

    Problem? There are very few jobs out there that are so isolated that you can avoid such issues.

    --
    I can program myself out of a Hello World Contest!!
  81. Move along...no constitutional issue here by clary · · Score: 2, Insightful
    So, you honestly accept that as a litmus test for determining whether or not you have the freedom granted by the first amendment?
    Geer obviously has his first amendment freedom of speech. He freely published the paper, didn't he? He is not in jail, is he?

    Please do not confuse Americans' right under the Constitution to speak freely with an obligation on the part of private parties (like Geer's employer) not to react negatively to our speech. You might be able to convince me that @stake's action was unreasonable, obnoxious, unethical, or even stupid, but never that it has anything to do with Geer's constitutional rights.

    Every time some public figure says something that someone disapproves of, we see the First Amendment get trotted out. Stop it!

    --

    "Rub her feet." -- L.L.

  82. Re:This is sooooo lame by EllF · · Score: 2, Interesting
    Dan is *not* a clown. I had the pleasure of working with him at one point; the man holds a PhD from MIT, was heavily involved with the USENIX group back in the late 90s, and was easily one of the most intelligent men I've ever met. Hell, Dan was up there in front of the Senate with the l0pht guys back in '97, when they explained why computer security was so vitally important, at a time when there was little recognition of the fact.

    It saddens me to see @stake doing this. Back when I worked for them, they were just starting up; the office was abuzz with energy and belief in what we were doing. There was talk from the l0pht guys about "making a dent in the universe", in changing the way things got done. There was a wall of pizza boxes near them -- these guys were dedicated and amazing.

    Around late 2000, early 2001, though, the culture at the company changed. Although it's always been a place I'd have been happy to have gone back to, now I wonder about it. I remember when Mudge cut off his signature long hair and started going by his given name (Chris Wysopal). The office colors went from grey, red, and black, with a logo "Making the Impossible Possible" to teal and orange, with "Securing the Internet Economy". Where once we were given black shirts with "Hacker" written on them, now we had shirts I would never wear.

    Corporate color and hair styling I can forgive -- @stake wanted to be a respectable company, and the hacker image might have stood in the way of that. But to think that they'd fire their chief technology officer because he pointed out something that we *all* once believed back when we were working there sucks. Nearly every one of us ran Linux; we were not a company that was beholden to Microsoft. Sigh.

    --
    We who were living are now dying
    With a little patience
  83. Re:@stake actions double plus ungood! by Frobnicator · · Score: 2, Informative
    The link now goes to their 404 error page ... What kind of pull does @stake have with C|Net news to make that happen?
    Perhaps it is because they moved the link? http://news.com.com/2100-1009-5082649.html is the link that works right now. Or just enter "@stake" on the search bar of their error 404 page.

    If you are going to start a conspiracy theory, at least make one that stands up to a little bit of reason. Or not so easily discoverable by the public.

    frob

    --
    //TODO: Think of witty sig statement