Geer Comments On Firing From @Stake
dwbryson writes "Last week Dan Geer, co-author of the CCIA Microsoft security report, was fired from @stake for expressing 'values and opinions [of the report] not in line with @stake's views.' Now Geer has been talking to eWeek and comments on his dismissal."
We still have the Bill of Rights in the USA, however it is being weakened daily.
While it's true MS is a tad "forceful" diversification isn't the real solution to the problem.
.NET makes every XML transaction cost less [or whatever]....
Having sys-admins who do their jobs instead of whining about patching will fix *many* windows related problems.
I think it's a matter of using the right tools for the job. Secretaries shouldn't have to learn userland *nix just to type up a TPS cover sheet for their weekly memos.
Likewise some network admin shouldn't be forced to use WinXP just because the latest
That being said you can run GNU/Linux and get rooted just as easily as you could with Windows if you don't patch your system.
Tom
Someday, I'll have a real sig.
Microsoft deserves its reputation if it fires people just for speaking out. This man did not deserve to be fired just for saying what everyone knows: that Microsoft is monopolistic.
RTFA
Microsoft didn't fire him, but they may have been involved.
And his paper didn't say that Microsoft is monopolistic, it said that lack of diversity is a bad thing, be it all MS or all Linux or whatever.
This one is going to pass just like every other Microsoft injustice.
I'm ashamed of our academics, as cited in the article. He apparently went to get 9 to sign onto that paper and all declined because of funding issues.
What's the point of tenured academics if they are going to be afraid of losing corporate grants and therefore are squelched?
Yet another reason I hate academia, besides that one class...
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
If a figurehead/spokesperson for my company talked like that, I'd kick him out too. Nobody who's not a geek understands what that means.
All errors in this comment are mine. Corrections are considered a derivative work, and punishable under copyright law.
This shows once more that Microsoft has become too dominant. If even the security companies can no longer speak freely without endangering their existence (and that's why they fired Dan Geer) then what kind of free speech do you really have? Only the kind you can buy...
Irrespective of whether Microsoft had anything to do with the firing, a company such as @stake should stand by its employee and its own credibility...
Why should companies trust future research from @stake? Should existing employees be watching their backs? Bad smell all around!
unfair dismissal
While I don't really like the idea of someone getting let go for speaking their mind, what's unfair about it? His company clearly has ties to MS, and he jeopardized those ties with his statements. If it were his own company, he could have felt free to say anything about anyone he wanted to, and dealt with the aftermath of his comments on his own. But it was someone else's company... someone who was (yuck) concerned about their business relationship with Microsoft.
While the First Amendment gives every American the freedom to express their beliefs/thoughts and guarantees no retribution from the government, it gives us no protection from employers.
Here's a proof. Go to your boss. Call that boss every foul word you can think of, and then say you were exercising your freedom of speech. Better yet, do it over an intercom at work, broadening your audience. You will probably be fired, but not wind up in court.
When you work for someone else, you have to play by their rules. Sometimes those rules allow for changes to be made by going through said company's proper channels, sometimes there is no room for discussion at all. Any way you look at it, they are the ones who have bestowed the job.... not the other way around.
I think the problem this guy ran into was the size of his audience. Maybe when he spoke at conferences about security and Windows (oxymoron that it is), his user base was a select group, and small by comparison. But in print, your audience can be unlimited, and so can the damages of your statement.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
What researcher doesn't have this problem? They can either tell their financial backers what they want to hear or lose funding.
It's the same way in the pharmaceutical industry isn't it?
Even if everyone was the perfect patch-applying sysadmin, one vulnerability found in the majority of boxes could lead to millions of rooted boxes.
Especially if that vulnerability was initially discovered by a "black hat."
There's an old adage that says "If you take the king's shilling you become the king's man". @Stake has just loudly announced that they are little more than another Gartner. Why should anyone take any pronouncements they make seriously? Especially since we know they are adverse to offending MS. Someone last week put it best: "l0pht is getting s0pht."
Anyway, @Stake did not "bestow" the job on Geer. He was a founding member and it became politically incorrect for him to do something he had always been doing. He is correct in that we have a very large problem. When tenured academics scuttle about in fear of MS, we definitely have a problem.
You seem to be implying that the boss is doing a favour to the workers by giving them a job, rather than the way it really is. The workers' labour is worth more to the company than the company's wages are to the workers. As long as I've a hand on each arm and a head on my shoulders, I won't go short. A boss hasn't that luxury .....
It is still unfair dismissal. As long as his name was on the report, then the report is his words, not his employer's, and if someone can't understand, well, that's their problem. You cannot be dismissed from a job simply for disliking your boss, otherwise there would be many more on the dole than working.
In my last job, I made no secret what I thought of my boss. My co-workers {as, one by one, they left the company; some had nervous breakdowns, some got other jobs, some were desperate enough that they would forego six weeks' giro by leaving a job voluntarily; one went into what he described as a less stressful job - teaching!} felt the same way. In this job, I'm fortunate to have a boss I get on with really well. Even if I didn't, that would not be grounds for dismissal.
Also, there is a commonly-overlooked defence to libel, and that is that it was true.
Je fume. Tu fumes. Nous fûmes!
The supervisors blamed the workers for being stupid and lazy. The supervisors of course hadn't done any real work in a couple of years. When I actually went to the line I saw processes that may have been good enough a few years ago, but were not now.
The problem was that the company needed more people to run the line, the line needed to run most of the time 24 hours a day seven days a week, and product needed to be shipped on a more exacting schedule. The two biggest problems were that certain steps which required some precision would have had to be made more fault tolerant so that people with less training could do them, and other steps had to be made more reliable because there wasn't time to go back and fix things after the line shut down.
Which is where I think MS is now. The update process is not suited to the current use patterns or the people using them. Take the current auto-update for home users. There are many home users that are on dial-up with a single phone line in their house. They log on for like 20 minutes a day to check email and load a web site or two. These people might not want to tie up the line for the hour it takes to do an update. They are precisely the people that would open an infected email, which would then have plenty of time to spam the victims address book.
Production updates are the same thing, especially at small companies with several computers, broadband, and a single low-paid IT worker. Is this worker going to stay after work on the day of the update to fix all the computers? If the company is running a website locally, is the boss going to let that site go down for the hour it takes to update, or is the boss going to want to wait until the IT worker can come in late one weekend to do it? Is that worker going to be competent to deal with any other patching that might be needed after the update?
Again, it is easy to complain the workers are lazy and stupid. It is much harder to take responsibility as a supervisor or manager and realize that it is your responsibility to create a structure in which certain things will happen. Most supervisors and managers are just as lazy as the workers, and so don't take this responsibility.
Of course, the issue is widespread. IIRC, the original article said the problem was MS was so dominant such attacks were possible. All I am saying is they need to get off their lazy asses, use some of the billions, and develop processes that allow the stupid and lazy production line programmer to create secure code. They obviously can do this, as they have created plenty of processes that allow the untrained programmer to create useful code.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
The article mentions the security consulting firm Geer started in the 90's. Geer knows how to start and run a company. By now, there are bound to be folks losing faith in their own tenure at @Stake. Perhaps this firing will be the birth of a new security firm, founded by Geer, former @Stake employees, and experts that declined to sign on to the security paper. With enough credibility, the new company might lure some of Microsoft's business away from @Stake.
Sometimes I worry that I'll develop Alzheimer's disease, but no one will notice.
I must disagree...
@Stake is supposed to be a security research and consulting firm. How is any research out of this company ever to have even one ounce of credibility again? I realize Mr. Geer's paper was not published as an "official" company report, but they were angry based on the fact that his paper might "appear" to be At Stake's opinion.
So if At Stake is so concerned about ruffling Microsoft's feathers that a report they DIDN'T EVEN WRITE causes the firing of a senior, uber-experienced employee with a vast repository of knowledge to draw on, how do we know their reports aren't already being slanted to avoid offending "partner" Microsoft?
His firing is tantamount to killing the messenger for a message they didn't like. Sorry, but as an employee I resent the idea that if I do something on my own time and dime that offends somebody inside some business partner's corporate structure, I could lose my job. In this economy, that is a pretty chilling statement, President Bush's asinine assertions that "Everything is okay!" aside...
Who did what now?
Non sequitur. Going from Word2k to WordXP is at least as violent a change as it would be to go to OpenOffice, with the exception that OO interops better with Word2K.
"That being said you can run GNU/Linux and get rooted just as easily as you could with Windows if you don't patch your system."
Getting "rooted" (i.e., having your system compromised by a real live human) isn't so much the problem. It's the worldwide worm of unbelievable scale, speed, and impact that poses a real problem. The ability to automate evil is a special and unique characteristic of Microsoft systems. There has been only one GNU/Linux worm, and it wasn't even a blip on the CodeRed/MSBlaster radar.
The problem is Microsoft.
who are those slashdot people? they swept over like Mongol-Tartars.
First of all, Geer just became a martyr of sorts. As he is practically the creator and one of the more important celebrities in the security field, he's not wanting for job offers or opportunities. He'll probably just make his own.
Whether or not Microsoft had anything to do with his firing, directly or not, is somewhat irrelevant. Sure it adds more fuel to the "we hate Microsoft" fire but outside of that it proves nothing except that @Stake is driven by their sponsors and not by the ideal of exposing the truth. This makes @Stake a security company that isn't secure in its convictions. Security you cannot trust.
Geer, on the other hand, has proven himself to be unshakeable from the pursuit of the truth. He is unshaken by political and financial forces and the industry will see that, like it or not, his opinions can be trusted.
Generally, this is a good thing for him and the business of security. The more high-profile these matters become, the more public opinion will influence commerce in these matters.
It is hard for the American heart to forgive even perceived violation of the free speech ethic. We believe we can say whatever we want whenever we want so long as it is the truth. The public perceives the "breech" of the free speech ethic as a bad thing. "Oh look honey, this bad company fired this man because he was doing what he was hired to do and they didn't like the truth." That's the message most people will receive in this case I believe.
They probably fired him because they knew they couldn't get him to retract anything he said.
I read some of the above, and I say:
Whether @stake and Microsoft had the right to act as they did is beside the point. The point is that this sort of thing is really, really bad for society because of the chilling effects. If it's risky to criticize the big boys, guess what, they get less criticism than they should have on account of their actions. They seem to be acting better than they really are - the mechanisms in a democracy that should prevent this sort of thing don't work, because people are afraid to speak up.
I don't know if this legally is a free speech issue, but it is in practice.
xkcd is not in the sudoers file. This incident will be reported.
Yes. The private company was free to hire him, without having to clear anything with the government.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
I think you're being a little over-picky here. The legal purpose of a corporation is to limit liability to its owners. This then assumes that its owners are non-management funders. The point of investing is to gain a return. Therefore the lowest common denominator of incorporation is that they exist to make money. The default rules governing directors of corporations make it clear that it is unethical for the directors to cause the company to do anything not in the best interests of the shareholders. The only common interest the diverse shareholders in any sizable company have is in maximizing the return on their shares.
Of course, in practice, these rules are bent, non-profit corporations exist, ethical considerations are considered essential to maximizing return, etc. But, I believe the poster is correct in stating that the LCD of corporations is making money. No other ethic can be universally applied.
Milo
well..
His job was to be right and say the truth, not to be a talking head that takes money and says what somebody else wants.
At least supposedly, so it gives a real fucklike view of @stake now. Why would you consult them when they don't tell you what they really think is the right decision but the decision that suits them for various reasons including commitment to some other big $$$ firm? Why wouldn't you go and just read the marketing material by that other firm straight and just skip using them as a middleman without anything at stake on the issue?
Fuck, if I go to a doctor I'd like to hear the TRUTH about my illness or possible risk factor, not what the doctor's employer thinks I should hear.
world was created 5 seconds before this post as it is.
For many companies it -is- their credibility that brings money to their company. When the credibility of a company goes into question, the cash flow slows (or even stops on some occasions) and effectively does put their wallets on the line.
Umm, if memory serves, the l0pht was, well, absorbed into @stake. That is, what was the l0pht became part of @stake, but @stake isn't just "the legitimate front for the [cr|h]ackers formerly known as the l0pht".
Remember their tagline? MS: "That vulnerability is completely theoretical." The l0pht: "Making the theoretical practical since (some year)." I'd be willing to bet that not all the people within @stake are very happy about this decision, just like there's probably a few VeriSign employees that aren't totally happy with SiteFinder.
I wonder when one of 'em will actually stand up and say it.
You weren't paying attention last week. Yes, the report was critical of Microsoft's shoddy security record. But the main concern is that any software monoculture is dangerous. Geer's #1 recommendation is to use a mix of (non-Windows) systems, which Microsoft obviously can't approve (short of being broken up by antitrust).
This may be true -- I haven't read it.
But you think that on the basis of a slashdot discussion you have enough information to take on someone who did read it? The paper is online, it is not exactly hard to find.
There is absolutely zero reason for a paper intended to summarize problems with a company's products to contain "original ideas".
The title of the report claims to be addressing national security issues. The report itself only considers a single software vendor. The report is passing itself off in a false light.
As you point out the report does nothing but attack one vendor, that does not appear to me to be a constructive consideration of cybersecurity.
When you get inside the first thing you find is a lengthy description of Moore's Law, Metcalfe's Law, pretty much everything apart from Sod's Law. And at the end of it you find absolutely nothing to tell you why the enumeration of these laws has anything to do with cybersecurity in general or Microsoft code in particular.
That sets the pattern for the rest of the report. It reads like a sophomore's term paper that contains reference after reference to irrelevant material that only appears to have been thrown in for the purpose of demonstrating that the author has done the background reading.
Look, man. Come back to reality. He's working in the private sector. What the heck do you think *happens* in the private sector? Microsoft comes up with people funded to make Linux look bad all the time. Big companies do this all the time.
And if any of my employees went off and participated in a similar hit job against a major customer I would fire them as well.
You keep saying that the report is OK because it is business. Well in business you don't have academic tenure. A CTO is paid to be a PR representative for the company. You expect your CTO at least to stay on message.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
It seems to be happening that matters which begin as purely technical/scientific become marketing and sales issues. Witness what happened to the Darpanet when it went public and became the Internet we know today. At the time I was studying CS in college and I recall academics and government types were wringing their hands over the inevitable "dumbing down" of the technology in favor of commercial applications and services to the public. Read that as marketing and sales. And we can see where that got us; mom and pop on broadband but with "personal" technology never meant to leave the secure isolation of the living room.
Although viruses got their start on the floppy disk vector (recall boot sector viri?) they have come into their own through the vector of the Internet. That machine could not have been better built to propagate malware even if one had set out to do so, but the only reason it can actually do so to the degree it has is because of the brain-dead operating systems (and rookie sysadmins) at the remote ends of the pipes. And the monoculture of both is at the heart of the problem. I use MacOSX on broadband, but do you seriously think I have to worry about any of this? No I do not.
Enter security. Now an entire industry has emerged to counterpoint the monoculture, an industry devoted to what would simply have been the day-to-day work of any competent sysadmin just 10 years ago, except that today there are few competent sysadmins. Rather there are hordes of desktop drones massaging M$-based networks across the planet, only incidentally linked each to the other by an Internet of which they have no particular understanding nor much interest (a direct reflection of M$'s own utter indifference.) It has all become a dense, dry, sprawling monotypic tinder of light twigs and leaves awaiting the match. The security industry is built around that monoculture of neglect and ignorance, would have no purpose without it, and yet is directed at undoing what the monoculture has done to, and via, the Internet. And since M$ is just a marketing and sales juggernaut with its roots deep in the fertile manure of personal computing, should anyone be surprised that here again the network technology and science are falling under the tracks of the M$ Panzer divisions? I should hope not. M$ did not become a monopoly by being easily distracted with technical details.
I can see no solution but one. Government will not act because politicos are hip to marketing. Regulators will not act because they are afraid of the politicos and like their cushy jobs. And people will continue to select technology out of innocent ignorance. M$ spends freely, buys strategic friends, revises history, and builds outward seemingly oblivious to the coming train wreck because they know for a fact they will just walk away with profits intact; they are after all about personal computers, and not much more. What is the Internet to M$ except a problem? They distribute their software on CDs and only security patches over the Internet to defend their CD-based software from Internet attack. I should think they would be twice-pleased if the Internet and everything associated with it, including OSS, simply vanished in a general conflagration.
The one solution? I propose we take a clue from Nature and let it burn. We don't need these weeds growing here anymore, burn them out and their seeds as well. The network will survive because the network is not the problem, while the strictly "personal" computers will burn to the ground at the ends of the pipes. Then perhaps something more robust will spring up where they were. It might even be that M$ has the very thing waiting in the wings, ready to roll out, "Windows ProSecure" or some silliness. Fine with me. But if they don't then they are fools and their undoing will be of their own devising.
=^..^= all your rodent are belong to us