Slashdot Mirror
Author of Paper Critical of Microsoft is Fired
chongo writes "Daniel E. Geer Jr., one of the primary authors of a
report
Reliance
On MS A Danger To National Security,
was fired from @stake Thursday morning.
@stake said that 'The values an opinions of the
report
are not in line with @stake's views' and that Geer's
participation was 'not sanctioned.'
Microsoft, who has worked closely with @stake
in the past, denied that it was involved in @stake's
decision to fire Dan." There might not be anything fishy going on at all, but that's no reason to stop making perfectly good conspiracy theories.
Can I have his job? I can write well, and I can be non-critical of Microsoft software.
For instance, they have made great strides in improving Calculator and Notepad in recent versions of Windows.
I bet it was... the Time Terrorists*!
*Time Terrorists also responisble for the destruction of the Titanic, the Hindenburg, and the creation of SCO.http://mediagoblin.org/
Looks like there was more "@stake" than he expected =p
(waits for groans)
Thanks to Google's cache, this is Dr. Geer's bio from @stake. I had the opportunity to hear him speak once, and he sounded about as brilliant as the following description would make you think:
Daniel E. Geer, Jr., Sc.D.
Chief Technology Officer
Daniel E. Geer, Jr., Sc.D. oversees the strategy and direction of @stake's approach to digital security. Over the last thirty years, Dr. Geer has led the application of technology in medical computing, distributed systems management, electronic commerce, and digital security. After fifteen years in the Harvard medical establishment, he variously served in senior leadership roles for MIT's groundbreaking Project Athena, Digital Equipment Corporation's External Research Program, Open Market, OpenVision Technologies (now Veritas), CertCo, and now @stake. His security consulting firm, Geer Zolot, was the first of its kind.
An expert in modern security protocols and business metrics, Dr. Geer has been called upon to testify before Congress on multiple occasions. Dr. Geer speaks and publishes regularly on a range of issues in digital security; his November 1998 speech, "Risk Management is Where the Money Is," has been widely quoted, warranting both reprint as a special issue of the RISKS Digest and prompting editorial comment in Wired Magazine. His bibliography is deep and continuing, and with Avi Rubin and Marcus Ranum, he is co-author of The Web Security Sourcebook.
He holds a Sc.D. in Biostatistics from Harvard University's School of Public Health as well as an S.B. in Electrical Engineering and Computer Science from MIT. His professional involvement includes a decade of leadership within USENIX, the advanced computing systems association, of which he is past president. He today serves as an advisor to the board of the Financial Services Information Sharing & Analysis Center (FS/ISAC) under the auspices of the US Dept. of the Treasury, as well as similar fiduciary and non-fiduciary roles for a select number of promising startups.
-- Brian T. Sniffen
Gotta love those @stake guys. Here's a relevant quote from their website:
"@stake has assembled the best minds in digital security to help you understand and mitigate the security risks inherent in your business model, so that you can maximize the opportunity in front of you. We help you make the hard decisions about what matters most in your business, so that your security investment has the greatest impact. We work in the space where your business and technology meet, because we believe that this is where security is most powerful."
Talk about blowing it out both ends. You can read their ethical and guiding principles as well.
This is what l0pht has turned into?
If you sign an employment agreement, you'd better stick to it.
In particular, you shouldn't publish a paper without running it by corporate communications first. You especially shouldn't publish a paper that might be critical of a partner or customer without doing this. You know why? Exactly. You get fired. For violating your employment agreement. If you don't agree with the things that you signed, you shouldn't have signed them. Hell, even if you have permission to publish the paper, you might want to think twice about publishing a paper which is critical of a rather large customer.
When I worked at AOL, I tried to get some of the execs to realize that some of the employees could be a powerful force in the technical community to raise the image of the company. Just the ability to explain some of the things that weren't confidential, correct some of the misconceptions. It wouldn't be a magical transformation, but it would be an effort. And actually joining the community would be a big step. Peer review and PR oversight could both be used to help make sure that more incorrect information didn't go out, or that the wrong things didn't go out.
Noone wanted to talk about it. My assumption is that noone I got to wanted to rock the boat, and noone responsible trusted the employees. It's too bad really. But even with something like that in place, this type of paper would never pass muster. Not through a peer review, and not through PR. You just don't criticize a large customer. Especially a customer with as much money as Microsoft.
-Todd
"The details of my life are quite inconsequential..."
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
I was watching a US House of Reps "Worms and cyber security" subcommmitee on C-SPAN the other day. Testifying before the Congressmen were the following - Microsoft Corp senior security strategist Philip Reitinger, VeriSign VP Kenneth Silva, Lawrence Hale, director of the Federal Computer Incident Response Center, Christoper Wysopal consultant for @stake Inc, some other Russian security consultant, and a few other random folks.
The chairman of the committee asked the Verisign PHB and the two consultants if there were any security benefits in running open-source software, and which was more secure, open or closed. I almost shat myself. Here was the perfect opportunity to hear some glowing reviews of open source. Instead the two consultants, who seemed decently knowledgeable, and long winded on all other issues merely said that there are flaws in all types of software, and they would "guess" that the frequency of security flaws were the same as for closed source. Although the guy from @stake did mention that the theory behind open source security was that "the more eyes, the better", he also countered it with noting that most users of open source wouldn't be able to fix the code when a vulnerability was found.
That was it. No detailed explanation about anything. Just a brush off that was not quite as long as their testimony on why ipv6 wouldn't offer any extra security over ipv4. Luckily the Verisign bastard was there to add his two cents. To paraphrase him - "I would agree with their, (the consultants) testimony, but I would like to add that often the people who write open source software are not professionals". Then he took another shot mentioning "that often worms affect open-source software too". Often... I wonder what he considers "often". How can he even trot out the word "often" to describe the frequency of worms that affect open-source software when there are millions of Windows boxes that are constantly being hit by worms. He then added - "We must resist the temptation to demonize software vendors and other members of the network community. The finger pointing is often misplaced and in most cases does more harm than good." It was quite the interesting hearing, and gives me a bit of insight into what kind of info our Government is getting about open source.
Anti-social? My code is just platform-specific.
It's a sad state of affairs, but not surprising. It's been a long time since the "CIFS is caca" paper, and I lost respect for the l0pht back when *hobbit* was edged out. Mudge became "Dr. Mudge" (as if), and they all started running after the limelight. Sad, really. The Hacker News Network is long gone, and mudge is Pieter. It sucks for Dan, but it's just more of the same for the rest of us.
It takes a lot of nerve for Chris Wysopal to issue his little statement. Weld Pond would never have said something like that. Man, it's been a long path from BO2K to appeasing Microsoft. What a long, strange trip it's been. Sigh.
The difference between a Miracle and a Fact is exactly the difference between a mermaid and a seal. (Mark Twain)
Way back when I worked for IBM, there were very stringent rules about publishing anything even vaguely computer-related, and I doubt it is any better nowadays. Stuff had to be run through the Publications department, which sent it all over the company for approval/disapproval.
At one time I was working on my Master's degree, and the Professor to whom I submitted a term paper on "LISP on MicroComputers" suggested I submit it to a journal. BUT this was just before the PC came out, so I was using examples like PDP and TRS-80. When the paper got to the division that was preparing to release the PC, they vetoed it instantly.
Some people were so paranoid back then that they would "clear" a term paper through Publications before they dared to give it to the Professor!
So the answer is, "Yes, they can do that."
Teen Angel - a Ghost Story
"Participation in and release of the report was not sanctioned by @Stake," the security and consulting company said. "The values and opinions of the report are not in line with @Stake's views."
What?! What exactly wasn't true about what was said?
Quote: Daniel Geer "As fast as the world's computing infrastructure is growing, vulnerability to attack is growing faster still"
Quote: Daniel Geer "Microsoft's attempts to tightly integrate myriad applications with its operating system have significantly contributed to excessive complexity and vulnerability. This deterioration of security compounds when nearly all computers rely on a single operating system subject to the same vulnerabilities the world over"
Quote: Ed Black "Microsoft's monopoly threatens consumers in a number of ways, it it's clear it is now also a threat to our security, our safety, and even our national security."
Quote: Bruce Schneier "The problem is that of monoculture. As long as all computers are running the same OS, they're all vulnerable."
If @stake is saying they don't agree with these statements, then their credibility as a security company is seriously in question. It's one thing to say they fired someone for violating professional protocol, it's quite another to terminate them because what they said was incorrect.
Everything said by Geer, Black and Schneier is correct. What does @stake not agree with?
Ruby on Rails Screencast
"When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes your represent your company."
The report states clearly on the first page that "Our conclusions have now been confirmed and amplified by the appearance of this important report by leading authorities in the field of cybersecurity: Dan Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, John S. Quarterman, Charles Pfleeger, and Bruce Schneier. CCIA and the report's authors have arrived at their conclusions independently. The views of the authors are their views and theirs alone."
Note that there are no company affiliations in that list, or on the front cover of the report, and that they clearly say that they're speaking as individuals, not as company representatives. The authors do list their current titles and employers in their bio's and on the "authors of the report" page, in order to establish their credibility (and that's a lot of credibility), but clearly don't speak for their employers.
Given that the document expresses the mainstream of security industry thinking, I'm a little amazed that this is even "news" much less something to fire someone over. Does any security professional think that a software monoculture is a good idea, or that Microsoft actually has security as its top priority (as opposed to market share or profitability)?
If we're to be serious about addressing vulnerabilities in our software infrastructure, we have to be willing to discuss these issues honestly, without self-censoring out of fear of stating the obvious when it's inconvenient.
Enable 3D printed prosthetics!
For him to be canned over this report (which is excellent by the way), is awful. Other heavy hitters in infosec also collaborated on this report e.g. Schneier, Becky Bace, and Charles Pfleeger.
It's not so much that @stake doesn't have the right to fire him, but rather that it's a pity that they can't stand up to the truth. Not that corporations are known for their honor anyway. I would not trust a @stake with my business at this point-what's next? MS buying them into using their clearly superior security products?!
See Playboy vs. Terri Welles.
Statements of fact do not imply endorsement.
Terri Welles was, in fact, a Playmate. Playboy cannot restrict her from saying so, even by attempting to apply trademark law against Ms. Welle's use of the trademarked word "Playboy" in for commercial gain.
The fact that being able to claim to have been a Playboy Playmate gives her a certain professional standing in her field (tits) and she is free to use that standing for her own benefit even over the objections of Playboy.
Dr. Geer is (ok, was) the Chief Technical Officer of @Stake. This is a position of authority in a particular field and stating that one has that authority gives one's opinion in that field certain standing. It is a factual statement and does not imply endorsement by his employer. It only imlies that one has recognized special skills.
If people misconstrue that that is a problem of their understanding, just as it is if people believe that Ms. Welles' personal site is an official Playboy site because she lists her employment by Playboy.
That doesn't make her an infringer. It makes them morons.
If the guy down the street who works for a Ford dealership tells me that he thinks Fords suck I too would have to be a moron to believe that was the official position of his employer.
Whether or not that might be legal grounds for firing said employee is another issue. I'd have to review the relevant law in his jurisdiction and make an examination of his contract to have an opinion on that.
I'd think his employer was an asshole for doing it though, if he was otherwise performing his duites satisfactorally. That's just my opinion of course, which is colored by knowing many people who worked for companies they don't like. I've even worked for a few myself. Hell, I even owned one of those companies.
But I didn't fire myself.
KFG
OTOH, MS software and national security is probably not a life-or-death issue. At least, I hope it's not.
So, when a U.S. Navy missile cruiser has to be towed back to port because it's computers running MS Windows have crashed it's not life and death? What about the Dept. of Homeland Security using Microsoft products for their servers and workstations? How about the network operations centers and shore bases of the Navy using Microsoft for the servers and workstations?
Come on, Microsoft is wide spread and pervasive throughout the U.S. government. The State Department couldn't issue visa's because Welchia, which could be prevented by patching or anti-virus software, infected their network. An offline nuclear reactor had safety systems fail that were running Windows. Just what OS do you suppose the Army and Marine Corps battle computers are running? What would happen in a war if our enemy penetrated those battle networks with a worm of some sort? How much more do you need to be convinced that depending on seriously flawed software in the government is not only dangerous to national security but also a "matter of life and death".
In my universe I'm perfectly normal, it's not my fault you don't live in my universe.
Whistle-blowing is never a popular job, but it's even riskier during bad economic times. Most of the backlash against this employee is due to the spineless quivering, in management, about losing vital business. Once again, we see why monopolies are unhealthy for society.
What are you gonna do, though, if you're canned? The employment-at-will doctrine has essentially always allowed bosses to hire and dump whomever they wish for any reason; dear old kooky Walt Disney used to go nuts with this easily abused freedom, and the 1990s left a trail of shattered lives and communities behind the rapacious "downsizing" of workers. Except where protected by civil rights or state employment law (and good luck bringing a case!), this is where you stand as an employee in America - at the mercy of the Man's whims. Learn to kiss ass; learn to run your own business; learn to work for decent people; these are among the few options for workers, and guess which one is most popular.
But this is also a hysterical time politically. Under the New McCarthyism the pasture of sacred cows has been enlarged: now not only our Glorious Leader is supposed to be beyond reproach, but so are certain corporate entities. And by burrowing like a common bacterial spirochete into the guts of American national security, Microsoft has begun to undergo the transformation - symbolically - from mere lawless and sloppy monopolist to vital U.S. institution. Yesterday, MS merely brought you BSODs, viral weakness and data loss. Today, it defends America against her enemies with its arsenal of...er...BSODs, viral weakness and data loss.
If this transformation continues, it will be more and more costly to criticize Microsoft as it mutates into an adjunct of the security state. HomeSec is already MS's taxpayer-subsidized tech support service, busily issuing warnings about the latest viruses and worms. This relationship should be promptly terminated by the next administration when the adults get to run things again.
CIFS=Common Internet File System. This is a reference to the security flaws highlighted by Hobbit (from memory it was defcon 5, back in 1997) in the microsoft SMB (windows networking) products. A copy is still available from here.
and I lost respect for the l0pht back when *hobbit* was edged out. Mudge became "Dr. Mudge" (as if), and they all started running after the limelight. Sad, really. The Hacker News Network is long gone, and mudge is Pieter. It sucks for Dan, but it's just more of the same for the rest of us.
L0pht Heavy Industries (creaters of the L0phtcrack suite Pwdump that allowed brute force cracking of windows NT user/passes) went though a period of internal discontent. I cannot provide any details on this. Basically the author seems to be trying to highlight the corporate yes-men culture that has permeated this sector and presumably led to this dismissal for speaking the obvious but unapproved "truth".
It takes a lot of nerve for Chris Wysopal to issue his little statement. Weld Pond would never have said something like that. Man, it's been a long path from BO2K to appeasing Microsoft. What a long, strange trip it's been. Sigh.
I have to admit this part has me stumped. I assume he means that Chris Wysopal of @stake would answer differently to Weld Pond of Lopht. Since they are one and the same person I assume he means to highlight the change over time in Chris's opinions/loyalties... not really surprising in the context of articles like this (para. headed Who's Who).
It has indeed been a long and strange trip... no end in sight yet.
Q.
Insert Signature Here
...I guess he really didn't realize his job was @Stake...
(Mod -1 Horrible)
.
== WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
Sure wish I had seen this earlier instead of 300+ replies later. Oh well, I guess thats what happens when you stick your head inside a Hobbit hole for three years and don't come out.
I feel I must reitterate L0phT =! @stake. Please do not confuse what I consider to be the good work of the L0pht with the corporate nonense that is @stake.
As for Dan and everyone else that works there they should have seen the writing on the wall three years ago when they fired my poor ass. Remember me, Space Rogue? HNN? All Gone. Why? I can only speculate but I think they felt that a critical mouthpiece would not be a good thing. Sound familiar? Hard to get someone to sign a big contract if you might call them names the next day.
Dan is a remarkable person. His mind works like no other person I have ever met. Don't feel sorry for him. Trust me, he is in a better place now.
Microsoft has continued its embrace, extend and I assume, extinguish policy with regards to information security. How? By hiring several of the people who were critical of the organization. Yes, that means previous @stake, Guardent, Foundstone, etc employees. That also means hackers, all who now work for the Giant in Redmond. Keep your enemies close. What better way to silence your critics than to hire them. Then you can keep them silent until they no longer pose a threat and dispose of them quietly at a later time when no one is looking.
Oh well, life goes on, the Internet is as insecure as ever, companies are still able to hide thier vulnerability, risks are not taken seriously and hackers still roam free. Nothing has changed, and nothing will until such time that people stop trusting everything that is spoon feed by anyone looking to make a buck. Yeah, I'm cynical. Sue me.
- SR
I was the IT Specialist of The divisional headquarters of The Salvation Army in Cincinnati - the 'go to' guy for half of Ohio and Norther Kentucky. I was one of the 30,000+ people sending letters to the DoJ regarding Microsoft's anticompetitive pratices. (I shared account of how they tried charging us twice for Office licenses.)
Three months later, I had a four day vacation and when I came back, the locks on my office were changed and my personal contents were cleaned out. They gave me a "farewell interview" to express that their sole reason for firing me was "dissatisfactory performance," which is all their employment policy required. My ten year career with them was over, they would not give me opportunity to defend myself, and they wouldn't give me severance or unemployment.
(The Salvation Army, as a church, is not required by Ohio law to pay into unemployment. Compounded with losing my pension settlement for three months, I spent those months at zero income.)
I found out over a year later that Microsoft was behind it... It wasn't a local decision at all, but was enforced by Paul Kelly, IT Director of New York's Territorial HQ, along with policy banning Linux in our ten state territory! Paul normally has no direct dealings with me on the divisional level, but a contact in New York revealed how pivotal Paul considered me in that contraversy.
I haven't pulled together the witnesses and evidence to prove this in court, but the commonly held opinion is that Paul got the call from Microsoft which says "get rid of the problem, or we'll audit your business licenses."
So it seems The Salvation Army, a church, is also a wholy owned and operated subsidiary of Bill Gate's Evil Empire(tm).
Joel 'Twisty' Nye, MCSA, Linux+