Geer Comments On Firing From @Stake
dwbryson writes "Last week Dan Geer, co-author of the CCIA Microsoft security report, was fired from @stake for expressing 'values and opinions [of the report] not in line with @stake's views.' Now Geer has been talking to eWeek and comments on his dismissal."
We still have the Bill of Rights in the USA, however it is being weakened daily.
"The Venn diagram of facts doesn't intersect. The intersection of all of those statements is the null set," Geer said.
Ahhh, one of our own... :)
While it's true MS is a tad "forceful", diversification isn't the real solution to the problem.
.NET makes every XML transaction cost less [or whatever]....
Having sys-admins who do their jobs instead of whining about patching will fix *many* windows related problems.
I think it's a matter of using the right tools for the job. Secretaries shouldn't have to learn userland *nix just to type up a TPS cover sheet for their weekly memos.
Likewise some network admin shouldn't be forced to use WinXP just because the latest
That being said you can run GNU/Linux and get rooted just as easily as you could with Windows if you don't patch your system.
Tom
Someday, I'll have a real sig.
I guess Geer should read "The Surprising Benefits of Being Unemployed" from earlier. Perhaps it will help?
Microsoft deserves its reputation if it fires people just for speaking out. This man did not deserve to be fired just for saying what everyone knows: that Microsoft is monopolistic.
RTFA
Microsoft didn't fire him, but they may have been involved.
And his paper didn't say that Microsoft is monopolistic, it said that lack of diversity is a bad thing, be it all MS or all Linux or whatever.
This one is going to pass just like every other Microsoft injustice.
I'm ashamed of our academics, as cited in the article. He apparently went to get 9 to sign onto that paper and all declined because of funding issues.
What's the point of tenured academics if they are going to be afraid of losing corporate grants and therefore are squelched?
Yet another reason I hate academia, besides that one class...
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
"In the land of the freeeee and home of the brave......."
If a figurehead/spokesperson for my company talked like that, I'd kick him out too. Nobody who's not a geek understands what that means.
All errors in this comment are mine. Corrections are considered a derivative work, and punishable under copyright law.
Read the article a bit more closely and you find that he blames Microsoft despite saying they didn't do anything to get him fired.
"The more powerful you are, the less likely you are to have to pick up the phone," he said. In other words, MS didn't do a thing, but it's still their fault.
Hey, it could have been the government, they dislike people criticising the security on the systems they use. Or the Illuminati, don't want to upset them you know, and Bill Gates is quite high up in that organisation...
What kind of wooly crap is this? I mean, if I criticise my biggest customer, or my company's profit base, I think I can expect my manager to have 'words' with me at least. This is just another MS-is-bad-and-I-don't-care-if-that's-true-or-not story.
This shows once more that Microsoft has become too dominant. If even the security companies can no longer speak freely without endangering their existence (and that's why they fired Dan Gear) then what kind of free speech do you really have? Only the kind you can buy...
Irrespective of whether Microsoft had anything to do with the firing, a company such as @stake should stand by its employee and its own credibility...
Why should companies trust future research from @stake? Should existing employees be watching their backs? Bad smell all around!
He calls it "plausible deniability".
Microsoft didn't need to pick up the phone; Greer's boss knew what they wanted anyway.
unfair dismissal
While I don't really like the idea of someone getting let go for speaking their mind, what's unfair about it? His company clearly has ties to MS, and he jeopardized those ties with his statements. If it were his own company, he could have felt free to say anything about anyone he wanted to, and dealt with the aftermath of his comments on his own. But it was someone else's company... someone who was (yuck) concerned about their business relationship with Microsoft.
While the first amendment gives every American the freedom to express their beliefs/thoughts and guarantee no retribution from the government, it gives us no protection from employers.
Here's a proof. Go to your boss. Call that boss every foul word you can think of, and then say you were exercising your freedom of speech. Better yet, do it over an intercom at work, broadening your audience. You will probably be fired, but not wind up in court.
When you work for someone else, you have to play by their rules. Sometimes those rules allow for changes to be made by going through said company's proper channels, sometimes there is no room for discussion at all. Any way you look at it, they are the ones who have bestowed the job.... not the other way around.
I think the problem this guy ran into was the size of his audience. Maybe when he spoke at conferences about security and Windows (oxymoron that it is), his user base was a select group, and small by comparison. But in print, your audience can be unlimited, and so can the damages of your statement.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
What researcher doesn't have this problem? They can either tell their financial backers what they want to hear or lose funding.
It's the same way in the pharmaceutical industry isn't it?
I agree that any company today would have fired Geer after he endangered its revenues. However, I also think that is a problem in itself. I would have liked to see @stake defend Geer, but unfortunately that's not the nature of the beast. People are becoming expendable.
Even if everyone was the perfect patch-applying sysadmin, one vulnerability found in the majority of boxes could lead to millions of rooted boxes.
Especially if that vulnerability was initially discovered by a "black hat."
There's an old adage that says "If you take the king's shilling you become the king's man". @Stake has just loudly announced that they are little more than another Gartner. Why should anyone take any pronouncements they make seriously? Especially since we know they are averse to offending MS. Someone last week put it best: "l0pht is getting s0pht."
Anyway, @Stake did not "bestow" the job on Geer. He was a founding member and it became politically incorrect for him to do something he had always been doing. He is correct in that we have a very large problem. When tenured academics scuttle about in fear of MS, we definitely have a problem.
Bloody peasant!
Karma: Bad. Calmer, good.
What kind of wooly crap is this? I mean, if I criticise my biggest customer, or my company's profit base, I think I can expect my manager to have 'words' with me at least. This is just another MS-is-bad-and-I-don't-care-if-that's-true-or-not story.
If you claim to be security consultants who know security, rather than PR consultants who use words like "security" to help advertising, then you do very poorly for yourself by so obviously and publicly squelching any appearance of having said something potentially negative about the security of one of your largest customers.
The point is that Microsoft's huge power in the industry appears to be making it impossible for real security firms to exist. As such, we should all be leery of any such firm's claims, and wonder if in fact they are really PR firms who use words like "security".
-Rob
Which is why we trust performance specs released by Intel, and studies funded by Microsoft, right?
His job is to spot the trends coming in the future - And his employer gags him for doing his job - I stand by my remarks in the previous thread on this topic - @Stake will have a very hard time attracting a decent replacement candidate, and their research will now always be suspect...
Becoming?
People have long been the most expendable part of any enterprise.
Karma: Bad. Calmer, good.
I like it that the CTO is expendable, and not just the 'little people' for a change.
@Stake probably didn't defend him because it knew what he was saying was a biased, and incorrect interpretation. After all, if security is improved by using a variety of products, he'd have said that TCP/IP is the bad boy of internet security (as *all* internet attacks use it), or SMTP, or HTTP, etc. No, instead he singles out MS. At no point did he bother to point out the benefits of a widespread 'standard' either.
I wouldn't mind if Linux was 99% of all systems used today, I think we'd have pretty much the same issues to deal with though - and Geer would be sniping at Linux's security flaws in favour of OpenBSD!
Yeah. It would be better if companies had to pay researchers up front. Then they could sue only if they could prove the researcher was BSing, negligent, or biased. That would put researchers in a better position to be objective.
Man gets fired for making 'false' claims that a company exploits its monopoly of the market, because his bosses dare not offend that company. Hmm.
"I Know You Are But What Am I?"
These people should get funding from companies who actually want objective analysis/research, ie companies who want good advice on which product to buy, investors, etc. not by companies that have a stake in the outcome of the research.
@stake used to be "l0pht heavy industries", a nifty little group of hackers toying around. (www.l0pht.com) Now they're all business. Lame. "What happened l0pht? You used to be cool."
You seem to be implying that the boss is doing a favour to the workers by giving them a job, rather than the way it really is. The workers' labour is worth more to the company than the company's wages are to the workers. As long as I've a hand on each arm and a head on my shoulders, I won't go short. A boss hasn't that luxury .....
It is still unfair dismissal. As long as his name was on the report, then the report is his words, not his employer's, and if someone can't understand, well, that's their problem. You cannot be dismissed from a job simply for disliking your boss, otherwise there would be many more on the dole than working.
In my last job, I made no secret what I thought of my boss. My co-workers {as, one by one, they left the company; some had nervous breakdowns, some got other jobs, some were desperate enough that they would forego six weeks' giro by leaving a job voluntarily; one went into what he described as a less stressful job - teaching!} felt the same way. In this job, I'm fortunate to have a boss I get on with really well. Even if I didn't, that would not be grounds for dismissal.
Also, there is a commonly-overlooked defence to libel, and that is that it was true.
Je fume. Tu fumes. Nous fûmes!
I am surprised that Dan has decided to publicly say anything. This would seem to indicate his reluctance to pursue the matter in court. Or maybe he just hasn't spoken to a lawyer yet. Or is this the opening salvo?
Before the obvious references are made let me just say (again) that what @stake has become is in no way related to what L0pht was. I think there is only one of us left (Weld), everyone else has seen the writing on the wall and moved on. I just hope Dan is able to put this behind him soon and move on as well.
- SRspacerog AT spacerogue DOT net
It's a basic rule of employment, accept the money, play by the rules.
If one of my employees did or said something that was obviously against the interests of my business, I would reprimand and possibly fire him. If they discussed this in public, I would blacklist him as a "big mouth".
What Greer says is something I also believe, but unfortunately being right does not pay the bills. He has probably made himself unemployable by any conventional organisation, and will have to find a way to leverage his notoriety into another kind of power: lobbyist, perhaps.
Ceci n'est pas une signature
@Stake probably didn't defend him because it knew what he was saying was a biased, and incorrect interpretation. After all, if security is improved by using a variety of products, he'd have said that TCP/IP is the bad boy of internet security (as *all* internet attacks use it), or SMTP, or HTTP, etc. No, instead he singles out MS. At no point did he bother to point out the benefits of a widespread 'standard' either.
Did you even read the paper? TCP, SMTP, and HTTP are open protocols with many different implementations. Generally public protocols don't have major design flaws. It's the implementations that introduce buffer overflows and other exploits. If you have multiple implementations, these exploits tend to get spread around.
I wouldn't mind if Linux was 99% of all systems used today, I think we'd have pretty much the same issues to deal with though - and Geer would be sniping at Linux's security flaws in favour of OpenBSD!
Yes, any monoculture is vulnerable to infections, and 99% Linux would be as well. Its only possible advantage over Windows in that case would be the modularity of some of its services, and a more open codebase for security audits. But who wants 99% of anything? I'd much prefer the "Big 3" that most mature industries settle on. The fact that we're still 90% Ford Model T means we've got at least a decade or two to go.
Patching is a reactive thing. Look at SQL Slammer: it was able to infect over 90% of hosts in under 10 minutes.
This time we were lucky: A) the patch had been available beforehand (although it was nearly impossible to apply), B) it was for a service that usually shouldn't be Internet facing, C) it was for a service that has "minor" use on the Internet.
What about next time? When someone finds an exploit in a common web server? ssh daemon? smtp daemon? or name server? All things that are much less likely to be firewalled; the exploit can be coded into a virulent worm before the "white hats" know about it, before a patch is announced. And, if like Slammer it can reach >90% of the hosts in under 10 minutes, are you going to have time to even notice, isolate and identify the problem and put a solution in place before it infects your machines? Do you constantly monitor the internet 24 hours a day, 7 days a week?
As a sysadmin there is only so much you can do. Sure, being a good sysadmin can prevent many of these attacks, but it can't prevent them all. Diversity is the only real defense against worms, and it's something that Microsoft do very very poorly. Under Linux you can get cheap diversity and very little administration overhead by running redundant servers under two different hardware architectures (Intel + PowerPC for instance). Once the kernel has booted, the administration of the two machines is virtually identical, but they might as well be from different planets as far as a worm is concerned.
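The Slammer numbers and the diversity argument in the comment above follow from the standard random-scanning worm model. The following is an added illustration, written for this page and not code from the article, from @stake or from the commenter: it computes how many hosts a single exploit can reach and how long it takes to saturate them, first against a monoculture and then against the same hosts split over two architectures that each need their own exploit. The scan rate, host count and address-space size are assumptions chosen to resemble a Slammer-class worm, not measured values.

```python
"""Random-scanning worm spread: monoculture versus a split population.

Constructed illustration (not from the article or any comment above).
Model: each infected host sends `scan_rate` probes per second to addresses
chosen uniformly from `address_space`; a probe that lands on a vulnerable,
not-yet-infected host infects it at once. That gives the logistic equation
dI/dt = scan_rate * I * (V - I) / address_space, with V vulnerable hosts.
"""
import math


def time_to_fraction(vulnerable, scan_rate, address_space, initial=1, fraction=0.9):
    """Seconds until `fraction` of the V vulnerable hosts are infected (closed form).

    Saturation time scales as 1/V: halve the population an exploit applies to
    and the worm needs roughly twice as long to reach the same share of it.
    """
    if not 0.0 < fraction < 1.0:
        raise ValueError("fraction must be strictly between 0 and 1")
    if vulnerable <= initial:
        raise ValueError("need more vulnerable hosts than initial infections")
    growth = scan_rate * vulnerable / address_space          # per-second rate
    odds = (fraction / (1.0 - fraction)) * (vulnerable / initial - 1.0)
    return math.log(odds) / growth


def simulate(vulnerable, scan_rate, address_space, initial=1, dt=1.0, horizon=3600.0):
    """Forward-Euler integration of the same model; returns infected count per step.

    The count can never exceed `vulnerable`: an exploit only reaches the hosts
    running the implementation it targets, however fast it scans.
    """
    infected = float(initial)
    history = [infected]
    for _ in range(int(horizon / dt)):
        new = scan_rate * infected * dt * (vulnerable - infected) / address_space
        infected = min(float(vulnerable), infected + new)
        history.append(infected)
    return history


def first_step_reaching(history, threshold, dt=1.0):
    """Time in seconds of the first sample at or above `threshold`, or None."""
    for i, value in enumerate(history):
        if value >= threshold:
            return i * dt
    return None


def exploit_reach(total_hosts, platform_shares, scan_rate, address_space):
    """Reach and speed of one exploit per platform.

    `platform_shares` maps a platform name to its share of `total_hosts`; the
    diversity argument is that each platform needs its own exploit, so a
    single worm is capped at that platform's share.
    """
    result = {}
    for name, share in platform_shares.items():
        vulnerable = int(total_hosts * share)
        result[name] = {
            "vulnerable": vulnerable,
            "seconds_to_90pct": time_to_fraction(vulnerable, scan_rate, address_space),
        }
    return result


# Assumed Slammer-like parameters (constructed for this example, not measured).
SCAN_RATE = 4000           # probes per second per infected host
ADDRESS_SPACE = 2 ** 32    # IPv4
TOTAL_HOSTS = 75_000       # hosts exposing the vulnerable service

if __name__ == "__main__":
    mono = exploit_reach(TOTAL_HOSTS, {"single platform": 1.0}, SCAN_RATE, ADDRESS_SPACE)
    split = exploit_reach(TOTAL_HOSTS, {"x86": 0.5, "ppc": 0.5}, SCAN_RATE, ADDRESS_SPACE)
    for label, reach in (("monoculture", mono), ("two architectures", split)):
        for name, r in reach.items():
            print(f"{label:18s} {name:16s} reach={r['vulnerable']:6d} "
                  f"t90={r['seconds_to_90pct']:6.1f}s")
```

With the assumed parameters the monoculture case saturates 90% of its hosts in a little over three minutes; split across two architectures, each exploit reaches only half the hosts and needs about twice as long to get there, which is the window the commenter is arguing a sysadmin needs. The Euler simulation lags the closed form by a few seconds, as expected for a one-second step.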
As an example of the kind of behind-the-scenes influence that large vendors have, Geer cited his efforts to find an academic security expert or two to sign on to the paper on software diversity. After contacting nine people and striking out each time, he gave up.
"All of them said it was too hot for their position," Geer said. "They enjoy the free speech benefits of tenure but not necessarily those of funding."
His experience is interesting; it shows just how there are limits, even in academia, to how far people are willing to go in their pursuit of the truth.
Microsoft might not have an irresponsible security record due to business practices, but the hypothesis put forward by Geer and the others should be examined carefully and openly, both for where it might have errors and for where their hypothesis fits the facts. That's the way all scientific progress is made.
And he's right, too, about a phone call not being necessary. Conditioning, and seeing what happens to people that take a stand in opposition to some powerful force, is enough to convince most people that self-censorship, if not the better part of valor, is certainly the better expedient for maintaining your comfort.
"Provided by the management for your protection."
The supervisors blamed the workers for being stupid and lazy. The supervisors of course hadn't done any real work in a couple of years. When I actually went to the line I saw processes that may have been good enough a few years ago, but were not now.
The problem was that the company needed more people to run the line, the line needed to run most of the time 24 hours a day seven days a week, and product needed to be shipped on a more exacting schedule. The two biggest problems were that certain steps which required some precision would have had to be made more fault tolerant so that people with less training could do them, and other steps had to be made more reliable because there wasn't time to go back and fix things after the line shut down.
Which is where I think MS is now. The update process is not suited to the current use patterns or the people using them. Take the current auto-update for home users. There are many home users that are on dial-up with a single phone line in their house. They log on for like 20 minutes a day to check email and load a web site or two. These people might not want to tie up the line for the hour it takes to do an update. They are precisely the people that would open an infected email, which would then have plenty of time to spam the victims address book.
Production updates are the same thing, especially at small companies with several computers, broadband, and a single low-paid IT worker. Is this worker going to stay after work on the day of the update to fix all the computers? If the company is running a website locally, is the boss going to let that site go down for the hour it takes to update, or is the boss going to want to wait until the IT worker can come in late one weekend to do it? Is that worker going to be competent to deal with any other patching that might be needed after the update?
Again, it is easy to complain the workers are lazy and stupid. It is much harder to take responsibility as a supervisor or manager and realize that it is your responsibility to create a structure in which certain things will happen. Most supervisors and managers are just as lazy as the workers, and so don't take this responsibility.
Of course, the issue is widespread. IIRC, the original article said the problem was MS was so dominant such attacks were possible. All I am saying is they need to get off their lazy asses, use some of the billions, and develop processes that allows the stupid and lazy production line programmer to create secure code. They obviously can do this, as they have created plenty of processes that allows the untrained programmer to create useful code.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
The article mentions the security consulting firm Geer started in the 90's. Geer knows how to start and run a company. By now, there are bound to be folks losing faith in their own tenure at @Stake. Perhaps this firing will be the birth of a new security firm, founded by Geer, former @Stake employees, and experts that declined to sign on to the security paper. With enough credibility, the new company might lure some of Microsoft's business away from @Stake.
Sometimes I worry that I'll develop Alzheimer's disease, but no one will notice.
I must disagree...
@Stake is supposed to be a security research and consulting firm. How is any research out of this company ever to have even one ounce of credibility again? I realize Mr. Geer's paper was not published as an "official" company report, but they were angry based on the fact that his paper might "appear" to be At Stake's opinion.
So if At Stake is so concerned about ruffling Microsoft's feathers that a report they DIDN'T EVEN WRITE causes the firing of a senior, uber-experienced employee with a vast repository of knowledge to draw on, how do we know their reports aren't already being slanted to avoid offending "partner" Microsoft?
His firing is tantamount to killing the messenger for a message they didn't like. Sorry, but as an employee I resent the idea that if I do something on my own time and dime that offends somebody inside some business partner's corporate structure, I could lose my job. In this economy, that is a pretty chilling statement, President Bush's asinine assertions that "Everything is okay!" aside...
Who did what now?
Non sequitur. Going from Word2k to WordXP is at least as violent a change as it would be to go to OpenOffice, with the exception that OO interops better with Word2K.
That being said you can run GNU/Linux and get rooted just as easily as you could with Windows if you don't patch your system.
Getting "rooted" (ie - having your system compromised by a real live human) isn't so much the problem. It's the worldwide worm of unbelievable scale, speed, and impact that poses a real problem. The ability to automate evil is a special and unique characteristic of Microsoft systems. There has been only one GNU/Linux worm, and it wasn't even a blip on the CodeRed/MSBlaster radar.
The problem is Microsoft.
who are those slashdot people? they swept over like Mongol-Tartars.
I think it's a matter of using the right tools for the job. Secretaries shouldn't have to learn userland *nix just to type up a TPS cover sheet for their weekly memos.
But secretaries should have to learn userland WinXP? Using OpenOffice under (say) KDE to do memos is as easy as running XP.
That being said you can run GNU/Linux and get rooted just as easily as you could with Windows if you don't patch your system.
No you can't! Did you read the paper? With GNU/Linux I can set up the box with just those services I need. Microsoft won't let me do that with XP. There are too many bundled services with Windows that I can't (or is difficult to) remove or replace with something else.
Personally, I don't think Windows is ready for the internet yet.
First of all, Geer just became a martyr of sorts. As he is practically the creator and one of the more important celebrities in the security field, he's not wanting for job offers or opportunities. He'll probably just make his own.
Whether or not Microsoft had anything to do with his firing, directly or not, is somewhat irrelevant. Sure it adds more fuel to the "we hate Microsoft" fire but outside of that it proves nothing except that @Stake is driven by their sponsors and not by the ideal of exposing the truth. This makes @Stake a security company that isn't secure in its convictions. Security you cannot trust.
Geer, on the other hand, has proven himself to be unshakeable from the pursuit of the truth. He is unshaken by political and financial forces and the industry will see that, like it or not, his opinions can be trusted.
Generally, this is a good thing for him and the business of security. The more high-profile these matters become, the more public opinion will influence commerce in these matters.
It is hard for the American heart to forgive even perceived violation of the free speech ethic. We believe we can say whatever we want whenever we want so long as it is the truth. The public perceives the "breech" of the free speech ethic as a bad thing. "Oh look honey, this bad company fired this man because he was doing what he was hired to do and they didn't like the truth." That's the message most people will receive in this case I believe.
They probably fired him because they knew they couldn't get him to retract anything he said.
I don't see use of common communication protocols as a significant monoculture problem. I think the popular standardization on Wintel is, however. And I agree that Geer's group would be protesting about the standardization on Linux if Intel GNU/Linux was on 90% of all computers running today - that's the entire point, it's the standardization on a single platform that's the problem, not Microsoft itself.
You are not alone. This is not normal. None of this is normal.
"Secretaries shouldn't have to learn userland *nix just to type up a TPS cover sheet for their weekly memos."
You haven't installed OpenOffice.org in a while, have you? If you had, you would have seen the rotating ad that explicitly informs you that OO.o is ideal for all your TPS reports -- whether on Windows or Linux.
This has nothing to do with libel, or slander for that matter. It has everything to do with the idea that an employer does not have to retain anyone on its payroll for any reason whatsoever. If I have a company, you cannot force me to keep someone under my employ that I don't want to (other than the OSHA, EEOC type laws here in the US). That's absurd!
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.
Where does that say anything about being able to keep your job when you exercise your right to say what you want? He didn't go to jail, so freedom of speech was upheld.
You seem to be implying that the boss is doing a favour to the workers by giving them a job, rather than the way it really is. The workers' labour is worth more to the company than the company's wages are to the workers.
That's extremely arrogant. While I take pride in myself and my work, and would not compromise myself, my morals, ethics, or my beliefs for an employer, I am fully aware that any of those can get me terminated from this company at any time. My company has a dress code, and I abide by it. My company has policies about timekeeping, and I abide by them. If I don't like them, then I don't have to work here.
I liken it to the Jewish man who had his son join the Boy Scouts of America (a Christian organization), then sued them for saying a Christian prayer before every meeting (he lost). There is no law saying that any private organization has to allow freedom of any kind in their arena. If a company says you have to wear blue suits (old IBM) then either you do, or you leave.
It's simple really. Their money, their rules.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
Considering that the avowed objective of any corporation is to make money, and no other purpose, they are by definition non-ethical.
Considering that you're making an assumption about all corporations, you are by definition not using logic. Please provide evidence first that 'corporations' (excluding the individuals that make them up) have *any* sort of aim. Then please provide evidence that every corporation in existence (including all employees) has no aim or goal other than 'making money' and has no legal or moral compunction when it comes to said sole aim. I won't hold my breath. Of course the 'virtual entity' isn't ethical, because it's virtual. However, the decisions aren't made by the 'virtual entity', they're made by people, who may or may not be ethical.
A corporation has no conscience, no morals, and should not be considered equal or superior to a human being, and be given equal rights.
Are you saying that people should give up their rights when they are employed by 'a corporation', but not when they are self-employed? How can you justify this? If Geer worked for me, and my biggest customer was IBM, and he wrote a paper that was highly critical of IBM, I'd fire him. Why shouldn't a corporation be allowed to do that too? He made a choice in putting his name to that report. I respected the choice he made, until I found out that he didn't expect any fallout from it. Initially I thought he was risking his job to speak his mind on purpose. Now it seems he had no clue there could be repercussions from his action, even though 9 other people had the prudence to know it.
I know everyone likes to jump on the 'corporations are evil' personification bandwagon, but people make up the corporations, they make the decisions, and in this case, it was a prudent business decision. It's not like they fired him cause he put up an 'I hate Microsoft' blog or something.
http://xkcd.com/386/
>It's so funny when people get carried away by the
>expertise they possess in a particular area, and think they
>can apply it to another - especially when they speak
>on behalf of their employer.
RTFAs.
1) Geer is both well known and well respected inside this field, he was speaking inside of his area of expertise.
2) He wasn't speaking "on behalf of [his] employer." The paper specifically states that the individuals who signed it represented themselves and not their companies.
3) From what he has said he has a long list of job offers already.
Integrate Keynote and LaTeX
Gheez!!! Why is everyone else, who has no involvement with this company, saying what they're supposed to do, and how they're supposed to act? This is America, and that company broke exactly zero laws. While most of us will disagree with their reasoning behind it, that company is not "supposed" to do anything.
While this hurts their reputation with the informed general public, nothing wrong, according to US law, happened.
When you do something on your own time and dime, and you're a leading expert at a company in the same field as your comments were made, you may have just damaged the company's relationship with another. While that's fine and dandy, the company loses money. Maybe they should. Maybe their relationship is a distasteful one anyway. But the bottom line is, when someone causes a company that kind of stress, they generally get let go.
You don't own your job, your company does. All you own is your career.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
That being said you can run GNU/Linux and get rooted just as easily as you could with Windows if you don't patch your system.
Except that by default, Windows leaves a lot more ways open, and makes it just the slightest bit harder to close them (read: damn near impossible).
Once again, repeat after me: people can't root a box they can't send traffic to. With Linux, that's possible. With Windows, it's a lot more work, if not impossible (depends on how far you trust XP's firewall).
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
That being said you can run GNU/Linux and get rooted just as easily as you could with Windows if you don't patch your system.
if you don't have root you can't get rooted
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
You should understand what the word means before you accuse someone of plagiarism.
Mea navis aericumbens anguillis abundat
I read some of the above, and I say:
Whether @stake and Microsoft had the right to act as they did is beside the point. The point is that this sort of thing is really really bad for society because of the chilling effects. If it's risky to criticize the big boys, guess what, they get less criticism than they should have on account of their actions. They seem to be acting better than they really are - the mechanisms in a democracy that should prevent this sort of thing don't work, because people are afraid to speak up.
I don't know if this legally is a free speech issue, but it is in practice.
xkcd is not in the sudoers file. This incident will be reported.
True, but that's up to the company, and they'll have to live with their decision.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
Well stated. To which I'd add:
4) In the paper, Geer identifies himself as the Chief Technical Officer of @Stake. Kindly explain how being the CTO of a computer security company fails to qualify one to speak about computer security.
On the most immediate level, yes, the government's *not* taking action against @stake affirms the Bill of Rights (and yes, the Bill of Rights is best applied to *all* groups within our society, including both individuals and corporations and even clubs if you like.)
However, let me push this to an extreme: suppose Microsoft employed everyone in the US: by saying who had a job and who didn't, they could say who died without trial. At that point, wouldn't they be the de facto government? Thus, the Bill of Rights, as a philosophical statement of politically and economically effective action, is denied by @stake's actions (and by Microsoft).
Which probably meets most people's sensibilities pretty well -- nothing against Bill Gates, but they wouldn't want to live in a country ruled by Microsoft without a Bill of Rights (though some do have something against Bill Gates, too). So no, the Bill of Rights doesn't apply. But really, if things were the best possible, it would.
I feel bad for him partly because he got fired for a stupid reason... But mostly because people in this thread keep spelling his last name wrong!
There are only 10 kinds of people in this world... those who understand binary and those who don't
No-one in the computing field will accept what they say in relation to non-MS products without more data to back it up.
I think you're being a little over-picky here. The legal purpose of a corporation is to limit liability to its owners. This then assumes that its owners are non-management funders. The point of investing is to gain a return. Therefore the lowest common denominator of incorporation is that they exist to make money. The default rules governing directors of corporations make it clear that it is unethical for the directors to cause the company to do anything not in the best interests of the shareholders. The only common interest the diverse shareholders in any sizable company have is in maximizing the return on their shares.
Of course, in practice, these rules are bent, non-profit corporations exist, ethical considerations are considered essential to maximizing return, etc. But, I believe the poster is correct in stating that the LCD of corporations is making money. No other ethic can be universally applied.
Milo
Q.
Insert Signature Here
Having sys-admins who do their jobs instead of whining about patching will fix *many* windows related problems.
I'd sure like to know how you intend to implement your proposed "solution".
I wonder if Computer World will drop their rankings in the "Top 100 Places to Work in IT"
Computer World PDF?
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
If you cash in your business for gold, you're going to lose the gold, and then have nothing. If, on the other hand, you trade in your gold for a business, then you're going to get even more gold.
Substitute reputation for business, and you have the security business in a nutshell. @Stake just traded in their business for gold. Geer just traded in his gold for business.
Sooner or later, it's going to be apparent: EVERYONE gets what they deserve.
Bravo, Geer. If you never get another job, I predict you'll still look back on this and say it was one of the best days of your life.
Now THAT is a serious charge, and should never be made without evidence. Can you point to specific examples of plagiarism? If so, then your *answer* should be modded through the roof. But aside from that, you've just made a false accusation, and should never be listened to again.
WTF are you talking about? Yes, I am accusing him of plagiarism. Did you read the (.pdf) document?
He passes off this "analysis" as his own. But really he's pulling stuff right out of the anti-trust complaint, which has been around for many years.
See, if I were Microsoft... (thinking about that for a moment... ahh) I would be out there trying to hire the guy to head up my security division and give him a free hand.
Kill a few birds with one stone - defuse everyone who said they had something to do with his firing, make some friends in the security industry, and have someone in charge of security who will definitely push for what he thinks is right...
- ------- There are ten kinds of people in the world. Those who understand binary, and those who... Huh?
Here's an idea that I don't think has been explored much... maybe the big problem was that he said the opinions were his own and not @stake's.
If I worked for Adobe, and then decided to release a Photoshop clone in my spare time, and claimed that it was my own program, not Adobe's, I think that there would be some problems.
In his job as a security expert, I'm sure that he used @stake's resources and expertise in coming up with the paper. So technically he might not have the right to say that the paper is his own and has no affiliation with the company.
Perhaps if he had brought the paper to his employers and gotten their approval, they could have released it as part of a security report and sold it. Basically he took something that he made for his company and gave it away.
I read the paper. It really was nothing new, nothing groundbreaking. It read just like so many stories before.
Stating the obvious is not plagiarism. Plagiarism means copying someone else's words. Got evidence for that?
My Karma: ran over your Dogma
StrawberryFrog
Not true. Passing an idea off as one's own is plagiarism. They need more citations. Now, I see, the (.pdf) is an executive summary. Maybe the real paper has better citing.
Aye, and if the whole world had been using whatever happened to be the most common form of *nix instead of Windows, there wouldn't be a single soul tempted to write a worm targeting whatever exploits that OS may have, right?
People replying to my sig annoy me. That's why I change it all the time.
@stake ethics
People couldn't type. We realized: Death would eventually take care of this.
He spoke up, maybe made a mistake in using his company's name related to his name as co-author.
However, the company then firing him as a result would, for me anyway, be a sure sign that I would not want to work at that company.
So, IMHO, maybe for him it is a blessing in disguise.
Regards,
Fredrick
Let's get it weekdayed.
While it will probably help slow the spread of worms, "diversity" is not a total guarantee.
I was looking at my Apache logs the other day, and for kicks was looking at a series of attacks from someone who still has Code Red (or Nimda, or one of those other stupid microsloth worms.) The worm itself launched over a dozen independent attacks, testing for many different vulnerabilities in the various versions of IIS.
If version X.Y of any application has a hole, it has a hole that could probably be exploited regardless of the platform beneath it. Buffer overruns don't go away magically simply by porting the code to PowerPC. Anyone able to exploit it on an Intel Linux server could probably muster up the code required to also exploit it on a PowerPC running OS X as well. A multi-pronged attack would be able to strike multiple platforms. Since we're talking broadband speeds for most of the problems these days, fat binary worms would go almost as unnoticed as the svelte single-platform worms.
This is, of course, the worst-case scenario. Most defacement hackers aren't going to go to the trouble of generating i386, PPC and SPARC fat-binary worms. But the biggest point of Geer & Co's* report was that a monoculture leads to national security issues. A well-funded, determined, malicious attacker (I hesitate to invoke the "T" word) intent on delivering an internationally crippling blow to the 'net might take the extra time to add exploits for many various platforms and OSes. The weaknesses inherent in a monoculture extend not just to OSes, but to applications as well.
[ * Tongue firmly planted in cheek here. ]
John
Aye, and if the whole world had been using whatever happened to be the most common form of *nix instead of Windows, there wouldn't be a single soul tempted to write a worm targeting whatever exploits that OS may have, right?
Sure there would. But the fact of the matter is that *nix is more secure than Windows. There is also the issue with M$ware that you don't really know how the thing works - you don't have the code. So how can you really be sure you are secure?
Aye, the code's the thing, wherein we'll catch the conscience of the king (Gates).
"There's no set architecture in Linux. All roads lead to madness" -Microsoft
From 1998:
Microsoft: A U.S. Security Threat
An all-encompassing operating system bares itself to hostile exploitation of paralyzing security flaws. The presence of a fatal defect is unavoidable, as the complexity of Microsoft systems expands to bizarre proportions with each new release. It's the search for such a fault that occupies the minds of some of the brightest computer experts. Finding a crack through which one could induce mayhem with only a few keystrokes would be worth a great deal of money, especially when supporting an act of terrorism.
The point is, this is nothing new. And here's a simple example of somebody drawing the Code Complexity parallel to increased insecurity.
Man gets fired for making 'false' claims that a company exploits its monopoly of the market, because his bosses dare not offend that company. Hmm.
I didn't read anyone from @stake saying his claims were false, merely that they did not reflect the official company stance. He got fired not for speaking truth, or even presenting his opinion; he got fired for possibly negatively impacting his company's bottom line.
http://xkcd.com/386/
I suppose if you were hiring a security consultant, a prime concern would be how well he could blow smoke up your ass.
Corrected version:
I suppose if you were hiring a consultant, a prime concern would be how well he could blow smoke up your ass.
People rarely want consultants to say anything other than what they were hired to say.
I equate it to government/corporate funded surveys and studies: find what we're looking for or it's your ass.
Of course, in practice, these rules are bent, non-profit corporations exist, ethical considerations are considered essential to maximizing return, etc. But, I believe the poster is correct in stating that the LCD of corporations is making money. No other ethic can be universally applied.
No ethic can be universally applied. That was my point. If all corporations exist to make money, non-profit corporations would not exist. Yet they do. Therefore, not all corporations exist to make money; not all corporations exist for any single common reason.
That was the point I was making. Also, the OP was guilty of personification, which is not applicable to the 'legal entity' which is a corporation.
Had the OP stated that 'many corporations exist to make money' I would not have quibbled with that particular point, although I still reject the personification aspects of the OP. I realize it may seem like a tiny distinction, but it is not. It's the difference between 'some white people are racist' and 'all white people are racist'.
He SPECIFICALLY stated he was NOT representing his employer. How much clearer could he make that? Knowing where he works and who he was representing in the paper was VERY clear and spelled out.
If he said "Production Line Worker, General Motors", would that mean he was representing GM? What if he stated he was catholic, would that mean he was representing the Pope?
Do you think that if had no specific reference to CTO of @Stake that the outcome here would be any different and he'd still be working there? What would you suggest he should have done? Do you think your idea would have prevented him from being fired?
IMHO, he was fired because MS is their biggest client and as a consultant, he said something negative about them (on his own time). In the financial industry this process is heavily regulated by the SEC and can be labeled as deceptive and is illegal. Not illegal in the non-financial world, but definitely a questionable practice.
Bad boys rape our young girls but Violet gives willingly.
So what you're really saying is: If Geer worked for me, and my biggest customer was IBM, and he told the truth, I'd fire him.
Nice.
I realize how someone of limited intelligence might come to that conclusion, however that was not at all what I was 'really saying'. Any employee of mine should feel free to speak only truth. I'd fire someone I caught lying. However, publishing a paper bashing your biggest source of revenue is NOT SMART. It wasn't the veracity of his comments that got him fired, it was at whom they were aimed. Should an employee of mine cause my customers to stop giving me revenue, with what would you propose I pay the rest of my employees? Righteous anger? Become self-employed if you don't wish to consider the consequences of your actions, or else you risk becoming unemployed.
was naming Microsoft specifically. That entire paper could have been written without stating the name of our favorite monopoly. People would infer it.
This then assumes that its owners are non-management funders.
Wrong. A great number of privately held corporations are actively managed by one or more shareholders. Indeed, it is also the case that with public corporations that persons holding large numbers of shares would be likely candidates for the Board. But even so, every shareholder is a "manager" in the sense that they have input into the overall direction of the corporation.
Not that this invalidates your overall argument. It's obvious that if the main goal were not to generate a financial return on investment that a corporation is a lesser vehicle than a not-for-profit structure. So the choice to use a corporate structure would imply that profit was a goal of the enterprise. I suppose you could ask whether the goal of making a profit was ethical, but that's a whole separate question. And I think most reasonable people would say that if a company performed its operations in an ethical manner, then the profits were ethical. And vice versa.
I do not have a signature
What I was responding to was this:
My point is that Geer was qualified to speak on security issues, not that he was speaking on behalf of his employer.
In his report, Geer blows the whistle on the dangers of a Microsoft monoculture. As we know all too well, whistleblowers are often rewarded for their efforts with firing, blacklisting, etc.
Here's a snippet from an article discussing the space shuttle disasters, which displays a few parallels with the current situation:
It is often said that whistleblowers are like miners' canaries, warning of impending tragedies that others cannot sense. Experience also shows that, particularly in "can-do" workplaces like NASA's, whistleblower complaints reflect otherwise hidden or unrecognized agency pathologies. For example, in the early 1990s, senior officials at NASA's Office of the Inspector General (OIG) -- the guardians of an agency's correctness -- were themselves the targets of accusations that they were asking their employees to lie about illegalities they witnessed in the inspector general's office. The NASA OIG also was accused of "signing off" on a $1.7 billion contract so that a contractor would have reduced oversight at the Jet Propulsion Laboratory. These and other revelations were brought to light by whistle-blowers, often at considerable risk to their professions.
Which do you think is more prevalent in terms of internet-visible hosts? *nix systems running Apache or Microsoft systems running MSSQL?
Please compare the impact of SQL slammer with the Apache worm and get back to me if you really want to continue this discussion.
Who are those Slashdot people? They swept over like Mongol-Tartars.
Dude, I miss HNN. Just thought I'd let you know that I used to read it all the time, and submitted fairly often, too. I appreciated your efforts. Also, not that you would remember me, but I want to thank you for being polite to me.
I talked to you at BlackHat one year (can't remember which one). I was one of the wanna-bes hovering around at the opening mixer while you were eating with Jericho and some of the other people from attrition.org. You were really nice to me, despite my annoying fanboy behavior.
The same is true of Hobbit. He talked to me for about an hour Friday night of DC6, and I thought that was the high point of that con. So many of the people with major reputations are rude (e.g. Route)... It is really cool that you guys don't act that way.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
@Stake is a security consultant. It couldn't care less about its reputation with the general public, "informed" or otherwise; what matters is the expectations of your clients, who keep their own people on a pretty tight leash.
But funders that are actively involved in the management of the company do not necessarily have limited liability. The function of investor and manager are legally segregated. This is, in fact, a common problem for investors (like VCs) that are guaranteed a seat on the board of directors: who do they represent? Themselves or all shareholders? To avoid liability for their decisions as directors, they have to disregard their individual interest as a shareholder in favor of the interests of all shareholders. The same goes for management.
So, the assumption of the theory of the corporation is that investors and managers are separate entities and, although in practice these rules are not always strictly followed, they are separate decision-making entities.
Milo
It was pretty painful, but not like you'd think.
"For those who don't know, Geer wrote an article talking about the risks of monoculture that situations like we have with Microsoft expose."
Let's look at the article's title:
Does anyone see the word Monoculture in there? No, just monopoly. It's up there next to "Dominance", "Cost", and "Insecurity".
Somewhere along the line, this paper jumped from technical analysis to political polemic, and Geer got the political response. Don't get me wrong: The vast majority of the conclusions reached in this article have way more than a grain of truth in them. But the degree to which Schneier backpedalled on the tone was pretty noticeable, and stood in stark contrast to the near-rage of the paper itself.
Would Geer have kept his job if the paper was more objectively written? I don't know. But I sure note what I see reported on doesn't match what I read in that paper, and I have to wonder why.
Yours Truly,
Dan Kaminsky, CISSP
DoxPara Research
http://www.doxpara.com
Go to your boss. Call that boss every foul word you can think of, and then say you were exercising your freedom of speech. Better yet, do it over an intercom at work, broadening your audience. You will probably be fired, but not wind up in court.
How about doing it while you are both on vacation? Does he have a right to fire you? He still has? Then it's not capitalism, it's fucking barbarian feudalism. You call yourself a free country? Free country my ass! You freed the blacks, didn't you? Much good it did to you - now there is no distinction between whites and blacks, but only because you all have slave mentality now.
I am not trolling. Seriously, how can anyone sane consider that normal???
Future Wiki -- If you don't think about the future, you cannot have one.
You weren't paying attention last week. Yes, the report was critical of Microsoft's shoddy security record. But the main concern is that any software monoculture is dangerous. Geer's #1 recommendation is to use a mix of (non-Windows) systems, which Microsoft obviously can't approve (short of being broken up by antitrust).
The report was a badly written crock
This may be true -- I haven't read it.
I could not find a single original thought. You can find more interesting arguments in an average slashdot post.
Frankly, this comment sounds like someone *else* with an axe to grind. There is absolutely zero reason for a paper intended to summarize problems with a company's products to contain "original ideas". If I am a researcher that simply ties a vast set of information and ideas that other people have come up with but together form a useful set of data, I've done my job.
Academics do not routinely brief the press over the papers they are releasing.
And it's probably a less-than-good idea for those in academia, but he was working in the private sector. Building name recognition is a good idea. Lots of historically important scientists have become famous not so much for coming up with ideas themselves, but because they were the ones to popularize them -- they were good at promoting themselves.
Geer was clearly grinding an axe.
I'm impressed that you can so comfortably make such a call -- but even if this is the case, I fail to see why someone writing a paper that expresses their own opinions should then lose their job for it. He wasn't doing this at work, and he wasn't claiming that his employer's views were his. I damn well think that I should be able to write critically about a company in my free time even if my employer has a business relationship with that company without fear of being fired.
It is quite another to participate in a press call organized by the customer's competitors with the sole purpose of damaging the competitor.
Look, man. Come back to reality. He's working in the private sector. What the heck do you think *happens* in the private sector? Microsoft comes up with people funded to make Linux look bad all the time. Big companies do this all the time.
The key was informed general public. Most people could care less about security consultants. The informed general public could be potential clients of this company. They're the ones who should be concerned with this company's reputation. Current clients also, but they obviously aren't that informed since they signed on with them anyway.
You're missing the point. If I were an employer and I had an employee that hurt a business relationship by using their status as a security expert (which they either got from my company or perpetuated through my company), I would fire them on the spot.
Similar to the Hollywood elite who use their status as a public figure to soapbox their own personal beliefs. They have an advantage by being public figures that you and I don't have... free access to the media. However, you can bet that if one of them got on TV and said "Everyone should download movies for free, rather than buy them from MGM" that they wouldn't work for MGM again.
I also don't believe that Microsoft had a hand in firing Geer. I seriously doubt that anybody from Redmond called anyone at @stake and said that Geer had to go... or that there was even any indirect pressure. But given the publicity that his paper received, I can certainly believe that the management of @stake looked at the paper and looked at their relationship with Microsoft and decided that one was more important to them than the other.
Who knows... maybe Geer did know that he had a high probability of being fired for publishing the paper. He's not going to be standing in the unemployment line. He'll have a new job very soon. But that line of reasoning is just as unfair to Geer as suggesting that there was some kind of unspoken conspiracy between Microsoft and @stake.
In the end, I think that an individual who holds a prominent position within a company and who also takes a philosophical position against one of that company's largest customers knows (or should know) that there may be unpleasant fallout from that stance. Whether or not Geer knew, it seems to me that he is handling the situation reasonably well by keeping the issue alive and above the noise level in the news.
And ultimately, that will probably serve him well and keep attention focused on the issues that he raised in his paper.
-h-
That's not a point. That's pedantic hair-splitting. The poster was clearly (to everyone but you) referring to for-profit corporate entities. And as far as the personification of "the legal entity which is a corporation" goes, the Supreme Court is about 117 years ahead of you. See Santa Clara County v. Southern Pacific Railroad Company.
"If you're thinking what I'm thinking, you're right." -
Horse. Bolted. Stable door.
They couldn't download their patches within the month before the worm started off? Pro-active, rather than re-active.
Get your own free personal location tracker
Let's assume that you're right about the quality of the paper. What *possible* impact does the quality of the paper have on whether he would be fired or not? I also didn't see him saying that "@Stake has discovered..." he says that "Geer has discovered...". If you think that the fact that he works in the security field precludes him from publishing his private opinions, something's wrong with you. Hell, if I worked at a security company that had a business relationship with Red Hat and I also happened to feel that Linux had flaws, I'd damn well feel that I should be able to write a document complaining about Linux's problems.
Exactly. If you kowtow to the demands of everyone who tells you they are helping you out by letting you work for them, you are making things worse, not better, for everyone else. If you conform to unreasonable expectations instead of protesting at them, you merely reinforce the company's idea that their expectations are reasonable. Then they start expecting even more unreasonable things. That's how your rights get eaten.
But it's a fundamental law that anything anybody does on their own time, at their own expense and away from company premises is their own business. Not their employer's. When knocking-off time comes around, workers are free of all obligations to their employers save turning up for work the next day. If my boss doesn't like dogs, there is nothing he can do to stop me from owning a dog, as long as I don't bring it into work with me. My workplace might have a no-smoking policy, but as long as I could last the day without a puff, I'm free to smoke all the fags I want the minute I'm off the premises. Even if I had lived out a fantasy and beaten my old boss up in an alleyway, as long as that incident took place away from company premises, it would never have been sufficient grounds in and of itself for dismissal.
I smoke. You smoke. We were!
The article (yeah, I know, sacrilege for RTFA) states that this guy's last day as an employee was Tuesday.
The report was published Wednesday.
An announcement went out on Thursday publicly stating this guy wasn't an employee.
So obviously his no longer being an employee was not some sort of reaction to his opinion paper.
However, he also states that on Wednesday he did telephone interviews and referred to himself as an @stake employee. Well, considering his last day was Tuesday, that certainly was not the case. So it's not unreasonable for the company to on Thursday issue a press release pointing out how he isn't an employee.
I have to question Dan Geer's credibility here, as well as his motivations. This report when it came out was quite clearly paid for and motivated by Microsoft competitors. Now we have a guy who quit his job on Tuesday claiming that he's being repressed so he can get free publicity. Sorry, not buying it.
No, the GOP is a division of big business, not the other way around.
Of course, the democratic party is a division of the American Trial Lawyers Association, so choose your poison.
Milo
That's not a point. That's pedantic hair-splitting. The poster was clearly (to everyone but you) referring to for-profit corporate entities. And as far as the personification of "the legal entity which is a corporation" goes, the Supreme Court is about 117 years ahead of you. See Santa Clara County v. Southern Pacific Railroad Company.
I suppose you'd call it 'pedantic hair-splitting' if he had said 'all women are blonde' and I said 'some women are blonde'. If the poster meant 'for profit corporate entities', then that's what should have been said. Words mean things, and 'all' means 'all'. The phrase 'all corporations' has NO business meaning 'only for-profit corporations'. Sorry, it's not hair-splitting, it's knowing the difference between 'some' and 'all'.
There's a difference between 'a group of people join together to form a legally recognized entity' and 'the entity itself possesses human traits and emotions'. Again, you may call it hair-splitting but to me it's a vast difference. Calling all corporations unethical (but not the people which make them up) is ridiculous. It would be ridiculous to say 'all people who make up corporations are unethical', yet remove the 'all people who make up' part and I'm supposed to accept it? Why? That makes no sense.
Corporations have all the same constitutional rights and responsibilities under the law as individuals. Of course, while it's easy for a corporation to benefit from the rights (e.g. freedom of speech) there is no one person to bear the responsibility (e.g. punishment for murder). This follows an 1886 Supreme Court ruling, so this isn't news. More info here.
After all, if security is improved by using a variety of products, he'd have said that TCP/IP is the bad boy of internet security (as *all* internet attacks use it), or SMTP, or HTTP, etc.
No, he's absolutely correct. Heterogeneous environments necessarily tend towards being more secure against complete collapse, since complete collapse entails failure of all components simultaneously -- and different components have different weaknesses.
TCP/IP *is* a risk, but the benefits of using a single protocol are overwhelming (plus, it's relatively small and simple, and doesn't have that much potential for holes at the design level). One of the attacks against TCP/IP at the design, rather than implementation, level was SYN flooding. When SYN flooding came out, there was a serious concern about its impact. Same goes with source spoofing -- another design-level issue that provided a whole generation of headaches WRT the r* services.
However, using the same *implementation* of TCP/IP, which is more analogous to what Geer was arguing, *has* had exactly the kind of security impact that you're claiming is not an issue. The BSD TCP/IP stack is almost everywhere today -- Linux is one of the very rare exceptions that (currently) uses a different codebase. Attacks against this TCP/IP implementation like teardrop and bonk have affected significant swaths of computers, and had a serious impact.
Relying on a single implementation of software to provide global services is exactly what Geer's pointing out is a bad idea. Word a bad idea? Absolutely. Before the Word monoculture, macro viruses simply were not an issue. Now, if a worm can propagate using Word, it can cause untold damages to individuals and companies around the globe in a short period of time. Same goes for Outlook viruses. You can't claim that this isn't the case -- it's *happened*.
I wouldn't mind if Linux was 99% of all systems used today, I think we'd have pretty much the same issues to deal with though - and Geer would be sniping at Linux's security flaws in favour of OpenBSD!
Absolutely. What's wrong with that? There's nothing hypocritical there. Linux is significantly more enjoyable than Windows for me, so I'd prefer a 99% Linux universe to the current situation. That world would be more prone to complete failure than a 30% Linux, 30% Windows, 30% BSD universe, however.
May we never see th
Huh?
It sure sounds like you are saying monoculture is not a bad thing!
Chant the mantra with me now: "Diversity enhances Survivability". Repeat until you reach inner peace.
All exploitable bugs start life as undetected exploitable bugs. Patching does not fix bugs which are not detected by the patcher. The Bad Guys (TM) are not motivated to disclose all exploitable bugs to the patcher. Therefore, there are going to be (at some point in time) exploits for bugs without patches.
In a high-bandwidth software monoculture (such as exists in many if not most large corporations) this is a recipe for disaster. Google for blaster and nachia/welchia if you don't believe me!
Software (particularly OS) diversity is the ONLY "real solution", as you put it, to this problem. The really hard-core high-availability guys are now implementing dual-OS redundant systems; a Win2K box that takes over from a Linux machine or a Tru64 box that can substitute itself for a Sun system.
Scott Adams says you should even encourage users to get whatever system they find most useful for their desktop, so that macs, linux, BSD, Windows, BEOS, etc. are all represented on the corporate network. It seems to me that would only work in low-turnover knowledge-worker type environments, though; otherwise the support burden would probably outweigh the productivity and survivability increases.
Obviously, you should patch. But that's a reactive rather than an active solution, and it's not a remedy for the fabled zero-day exploit anyway.
IME, when companies want a consultant to analyze something, it's generally to sign off on a point they want made. They're leveraging the consultant's reputation. This can either be for external use ("Look, customers! This product is good/competitor's product is bad/etc!") or for internal use ("Look, VP! My idea is good!")
May we never see th
This makes it worse, not better.
What this means, if true, is that you can NEVER trust anything from anybody in the commercial world that pertains to Microsoft.
Nothing. Nada. Zilch.
Treat anything as an infomercial without the warning.
Help fight continental drift.
You are very correct, I did misunderstand.
Bad boys rape our young girls but Violet gives willingly.
I'm sorry. I didn't realize I was communicating with one of those special people who are differently abled when it comes to making contextual inferences. I hope I didn't hurt your feelings.
"If you're thinking what I'm thinking, you're right." -
1/ Microsoft and @Stake credibility is damaged.
2/ Mucho publicity means, at the very least, more people will read Dan's paper.
3/ Dan Geer will find a fulfilling new gig. Presumably his new employer will have a stomach for his outspoken nature.
Hardly a catastrophe or injustice.
@stake was claiming his last day was Tuesday, but they never informed him or anyone else until Thursday. Making it seem they decided to fire him after the paper came out Wednesday and "covered their tracks" by saying they had already decided on firing him before the release of the paper. That's why Geer made the comment about the facts not matching up and creating a "null set".
I'm sorry. I didn't realize I was communicating with one of those special people who are differently abled when it comes to making contextual inferences. I hope I didn't hurt your feelings.
I guess wanting words to have meanings which don't change every 2 seconds *is* different, here on slashdot. However, no matter how you wish to slice it up, no matter how much you insult me, no matter how you twist what I said, 'all' and 'a subset of all' are not, and will never be, the same thing. Sorry. About hurting my feelings: only people that have some sort of worth to me can hurt my feelings, and you've no need to ever worry about that. Just to state it again, you shouldn't use the word 'all' if you aren't referring to...wait for it...all of something.
http://xkcd.com/386/
Did you even read the paper?
OP is quoting or paraphrasing an interview (at the bottom) from Chris Wysopal and seen on eWeek.
I find it very odd that Chris Wysopal is trying to completely blow off the context of the study and making the comparison with a flaw in TCP/IP. His statement is 100% a pure corporate puppet remark and pretty much sums up where @Stake's interests really are.
Bad boys rape our young girls but Violet gives willingly.
Of course, you'll go on to say that all of the things that drove the firing didn't have anything to do with it. You'll be a pussy and trot out some lines about team players or corporate vision and dissemble on the actual reasons.
Hey, if certain other companies knew the real reasons they might not choose to do business with you in the future, right? If you're a bend-over bitch for a company like Microsoft, there are companies who might want a more impartial vendor and/or researcher who may not use you if they know you're going to vet everything through a billg-filter.
When I was a kid, we only had one Darth.
Indirectly, by being such a formidable and fear-inspiring force (kind of like God was in the middle ages), Microsoft was perhaps the reason he lost his job, yet Microsoft didn't have to take any action directly (kind of like God in the middle ages).
L0pht were fantastic. They were always 'up there'. There was always some wicked code coming from them, new ideas, a PalmOS wardialer, whatever. They were doing what they were good at. @Stake are just corporate money whores. You can see them as a front for Microsoft. By that, I mean that Microsoft will use them to validate & push their own agenda. Apart from that, they're the security equivalent of McDonalds. SpaceRogue mentioned that Weld was the only person from L0pht left at @Stake. If all the rats leave the ship, do you think it's because 'something' is wrong with the ship? You have a group of friends/coders/hackers who fuck off when funding arrives?!! What does that tell you? As soon as @Stake became alive, I forgot about them. For me L0pht died right there and then. I doubt that I'm alone in that belief. In my mind @Stake == 1/L0pht || @Stake != L0pht. Pick your favorite.
> ...I see nothing wrong with presenting both ideas in the proper light...
And there, in one simple phrase, is the reason why Creationism does not belong in a school. Why is it that you present the idea of evolution, and the idea of creation, and don't cover the literal thousands of other "beginning of time" theories that exist all over the world? You don't want to teach any theory of creation other than your own personal version, and by not presenting your particular creation theory among a hundred other creation theories, you seek to give it a level of validity above any of those "other" theories. Isn't this what you accuse evolutionists of doing?
When you're willing to present any religious theory other than your own as a valid "theory", then you can readdress the issue. For now, you're just forcing your religion into the classroom as "scientific".
Virg
It seems to be happening that matters which begin as purely technical/scientific become marketing and sales issues. Witness what happened to the Darpanet when it went public and became the Internet we know today. At the time I was studying CS in college and I recall academics and government types were wringing their hands over the inevitable "dumbing down" of the technology in favor of commercial applications and services to the public. Read that as marketing and sales. And we can see where that got us; mom and pop on broadband but with "personal" technology never meant to leave the secure isolation of the living room.
Although viruses got their start on the floppy disk vector (recall boot sector viri?) they have come into their own through the vector of the Internet. That machine could not have been better built to propagate malware even if one had set out to do so, but the only reason it can actually do so to the degree it has is because of the brain dead operating systems (and rookie sysadmins) at the remote ends of the pipes. And the monoculture of both is at the heart of the problem. I use MacOSX on broadband, but do you seriously think I have to worry about any of this? No I do not.
Enter security. Now an entire industry has emerged to counterpoint the monoculture, an industry devoted to what would simply have been the day-to-day work of any competent sysadmin just 10 years ago, except that today there are few competent sysadmins. Rather there are hordes of desktop drones massaging M$-based networks across the planet, only incidentally linked each to the other by an Internet of which they have no particular understanding nor much interest (a direct reflection of M$'s own utter indifference.) It has all become a dense, dry, sprawling monotypic tinder of light twigs and leaves awaiting the match. The security industry is built around that monoculture of neglect and ignorance, would have no purpose without it, and yet is directed at undoing what the monoculture has done to, and via, the Internet. And since M$ is just a marketing and sales juggernaut with its roots deep in the fertile manure of personal computing, should anyone be surprised that here again the network technology and science are falling under the tracks of the M$ Panzer divisions? I should hope not. M$ did not become a monopoly by being easily distracted with technical details.
I can see no solution but one. Government will not act because politicos are hip to marketing. Regulators will not act because they are afraid of the politicos and like their cushy jobs. And people will continue to select technology out of innocent ignorance. M$ spends freely, buys strategic friends, revises history, and builds outward seemingly oblivious to the coming train wreck because they know for a fact they will just walk away with profits intact; they are after all about personal computers, and not much more. What is the Internet to M$ except a problem? They distribute their software on CDs and only security patches over the Internet to defend their CD-based software from Internet attack. I should think they would be twice-pleased if the Internet and everything associated with it, including OSS, simply vanished in a general conflagration.
The one solution? I propose we take a clue from Nature and let it burn. We don't need these weeds growing here anymore, burn them out and their seeds as well. The network will survive because the network is not the problem, while the strictly "personal" computers will burn to the ground at the ends of the pipes. Then perhaps something more robust will spring up where they were. It might even be that M$ has the very thing waiting in the wings, ready to roll out, "Windows ProSecure" or some silliness. Fine with me. But if they don't then they are fools and their undoing will be of their own devising.
=^..^= all your rodent are belong to us
> Since the theory of evolution states that everything evolved by pure chance without any intelligent design...
BZZZT. This is not what the theory of evolution says. Reread it and try again, being careful not to confuse the terms "intelligent design" with "environmental constants".
Virg
You're making the assumption that the paper is correct. The paper is a thinly veiled attempt to push an agenda of open standards, using security as an excuse. No one in their right mind relies on obscure software for security, but this is what the paper suggests. I don't believe the author believes this either, but was pushing a different agenda, and that is why he was rightly fired.
Vote for Pedro
What you are alluding to is called a "gag clause," and used to be a part of some HMO contracts. It was designed to prevent a physician from discussing treatment options that the HMO does not cover... typically expensive treatments like bone marrow transplants for certain cancers, etc.
Such clauses are almost universally despised by the public in general, and the medical community in particular. A number of states have passed laws making them explicitly illegal.
Most all doctors I've ever known would give you the straight scoop... I sure as hell would. Without full knowledge of risks and benefits, there can be no real choice... it's that "informed" part of "informed consent."
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
Of course, you'll go on to say that all of the things that drove the firing didn't have anything to do with it.
No, I wouldn't. I'd explain to my employee that vilifying our biggest revenue source has caused him to become fired. I don't bullshit.
Hey, if certain other companies knew the real reasons they might not choose to do business with you in the future, right?
Which do you think is more likely:
a large corporation would like my company if my employees were on record saying negative things about my customers
a large corporation would like my company if employees who published papers disparaging my customers were fired
If you're a bend-over bitch for a company like Microsoft, there are companies who might want a more impartial vendor and/or researcher who may not use you if they know you're going to vet everything through a billg-filter.
Yeah, right. I'm sure companies would much rather give money to companies that insult them. That's a good one! You're funny. I'm sure there are companies out there like that, but I guarantee you none of them have the resources of Microsoft.
Yes, I realize that the world would be a better place if anyone could insult anyone else with no repercussions. The world would also be a better place if ambrosia flowed like water and I never had to talk about my feelings to get laid, but that doesn't change the real world.
http://xkcd.com/386/
The only unfair dismissals are found under EEOC, OSHA, etc... guidelines. An employer can fire you because they don't like the color of your hair. Believe me, this is not guessing, it's something I know very well, as I've written code for human resources departments for the last 9 years.
Saying Android is a family of phones is akin to saying Linux is a family of PCs.
I realize how someone of limited intelligence might come to that conclusion, however that was not at all what I was 'really saying'. Any employee of mine should feel free to speak only truth. I'd fire someone I caught lying. However, publishing a paper bashing your biggest source of revenue is NOT SMART. It wasn't the veracity of his comments that got him fired, it was at whom they were aimed. Should an employee of mine cause my customers to stop giving me revenue, with what would you propose I pay the rest of my employees? Righteous anger? Become self-employed if you don't wish to consider the consequences of your actions, or else you risk becoming unemployed.
I think you are missing a very important point, here. @Stake's sole product is security advice. If they cannot publish any papers critical of Microsoft, what good is their security advice?
A company whose business is to provide factual consulting information should ensure that that information is accurate and in fact the best advice they can provide their customers. If they are artificially limited in the advice they can give, that opens the door for a situation in which they are providing bad advice to their customers, for a fee. Would you buy that?
And in this case by your own admission what Geer was saying was factually correct, and good advice to customers. He did not give this advice as a representative of @Stake, but you seem not to care about that hair so I will not split it here. If @Stake truly believes that going to a 100% Microsoft shop is the best advice for their customers (which would be the opposite of Geer's paper) despite all the scientific evidence to the contrary they are indeed lying to their customers and giving them bad advice for their money.
It is not smart for a consulting company to become biased in any way because their aim should be to provide the best solution for their customers, no matter what that solution is. It is also not smart for any company to ignore or suppress all criticism. Criticism is healthy and it is a way for companies to do better. Denying the truth is the way to ruin. Unfortunately for Microsoft, this is the way they are headed. They refuse to understand or believe the problems with their model and OS design, so they will never fix them. Instead they will continue to try to force people to buy their products and therefore not have to improve them since they don't have to compete with anyone.
> Now, let's propose an experiment. Find a small isolated island and drop off a few hundred dogs of all different breeds. Every day we'll drop off food to make sure they get fed. Question is.... how many breeds will exist on the island after a hundred years? What you will find is that differences in species tend to get bred out unless the breeding is controlled. The number of breeds of dogs on the island will converge not diverge. This is one example of observations not supporting evolution. And yet in many places, discussion of these same facts could lead to a teacher getting fired.
Here's the curious part: your experiment actually goes a long way toward proving natural selection as a force for evolution, despite your presenting it as a refutation. It seems logical that the dogs would breed out until they were all the same, but that's only because your experiment removes the very mechanism by which evolution is purported to occur. If you provide the dogs with plentiful food (and presumably put them on an island that is neither so cold that they'd die of exposure if they slept outside nor so hot they'd die of heatstroke or thirst), there's no reason for the dogs to adapt to the environment at all, so any member can breed with any other member and the puppies will have about the same chance of surviving. Now, what if we did what you said, but put the food in ten foot long tubes that were only eight inches in diameter, to replicate an environment where the only food is burrowing small animals? Now how would your dogs fare, especially the ones that didn't fit in the tubes? Soon, you'd have an island full of dachshund-looking dogs, possibly with a second breed of dogs on the surface well adapted to hunting dachshunds. So you see, this does not constitute disproof of the mechanism of natural selection, but in reality it goes to prove it by showing that if there are no environmental pressures for different breeds, they disappear.
> For example, the fruit fly experiments have shown that aberrations can occur to produce an extra set of wings. This seems to support evolution on the surface. However, if you look a little closer, you will find that there are no muscles behind those wings and that these mutations die off quickly when placed outside the controlled environment (laboratory). This results in a net gain of "0" on the evolutionary scale.
Again, you're misconsidering. The appearance of the second set of wings is not considered proof of evolution, it's proof of mutation. Second, the fact that two-wing mayflies die off while one-wing mayflies survive indicates that one-wing mayflies are better adapted to their environment, so they survive while their two-wing brothers die off. That is specifically the mechanism of natural selection, which goes toward proving the theory of evolving life, not against it. After all, if natural selection didn't work, why wouldn't both the one- and two-wing models survive together?
> What ever happened to the scientific method being used in scientific experiments? Why aren't we allowed to question of the Theory of Evolution? What makes it different from every other area of science?
Um, an awful lot of people have questioned the theory of evolution, but as you can see from the problems presented above, there are many situations where something has been presented as disproof in a very unscientific manner, as your dogs-on-island theory, in which you propose only one experimental situation and no controls (like putting the dogs on another island without outside food) or changes (like the food in pipes that I suggest) and then concluding from the very unscientific experiment that the theory is invalidated. We are allowed to question the theory of evolution, just not by using limited or biased experiments, since that's not following the scientific method.
> If observations don't support the theory, you don't throw out the observations, you throw out the theory. And yet this is what we have in the sci
From Merriam-Webster Online:
fact: a piece of information presented as having objective reality
theory(1): the analysis of a set of facts in their relation to one another
theory(2): an unproved assumption
Evolution is a theory by the first definition. That I agree with absolutely. However, you are using the second definition of the word theory to incite argument. Evolution is a theory which is supported by the evidence. Have we witnessed monkeys evolving into humans? No. Have we witnessed evolution within a species? Yes, it's called selective breeding and people have been practising it for 10,000 years. You are correct that we need a longer timeframe to witness cross-species evolution, and our recorded history is too short.
The evidence for evolution is a collection of facts, not the theory which they support.
HBH "Smart is sexy." -- D. Scully ("War of the Coprophages")
by your definition of plagiarism (if it's been done at all before, in any way, it's plagiarism) everything is plagiarism.
Actually, it's both more and less strict than that.
If you copy someone else's words, and properly attribute them, then it isn't plagiarism. (OK, that's a nit pick.)
But it's also plagiarism to take someone's new idea and claim it as your own new idea.
OTOH, what is being claimed sounds more like research, with faulty footnoting. (But have you ever noticed how hard it is to find that web page you read that had that idea you wanted to reference. It likely isn't there any more.)
What is really being pointed out (or the valid core which is what should be being pointed out) is how difficult it is to properly cite internet sources. If they aren't retained by Google, they quickly vanish...except some of them.
I can agree that most of what I've seen reported as what he said strikes me as "obvious". And monoculture is a much better term for the causative principle behind the problem than monopoly is. Monopoly has legal definitions that foul things up. Monoculture has biological definitions, and the analog of biological viruses acting in an analogous way in the analog of a biological monoculture YIELDS: computer viruses in a computer OS monoculture will act like biological viruses in a biological monoculture. It seems reasonable. You need to check that the mechanisms for action properly survived the translation, and once you find that they did, it's an eminently plausible conjecture, sustained by informal observation. A formal proof would require much experimentation, most of which is currently illegal.
I think we've pushed this "anyone can grow up to be president" thing too far.
Slashdot makes a lot of revenue from Microsoft advertising. If you were Taco, would you ban posters critical of Microsoft?
No. Nor is that comparable to what @stake did. Posters are not employees and Geer was not posting to an internet bulletin board. Ad revenue is not the same as 'largest customer of your product or service'. I would, as an employer, fire any employee who went on record insulting my biggest source of revenue. If I did not, I would expect my revenue to dry up, my business to go away, and *all* of my employees to be unemployed. Perhaps that wouldn't happen, and definitely it shouldn't, but as an employer I wouldn't take the chance. Fair? No. If you expect life to be fair, however, you've a disappointment coming.
http://xkcd.com/386/
Did he quote this? Do you know that he remembers ever having even read it?
I can easily accept that he reiterates common knowledge. Much of that common knowledge originates with him, and his associates. If he retrieves an analysis from his memory, why should he not think he did it himself? He's done many. Probably more than he's read.
And, for that matter, how original was that paper in 1998? I seem to recall the same basic idea, less well developed, circulating in the 1960s. And the idea is implicit in a science fiction story from the early 1950's (A nice little niche..Astounding..author? year?). You need to accept that independently acting computer programs are analogous to life, but once you do that, the conclusion is the point of the story. And the term "computer virus" explicitly acknowledges that analogy.
So just how much is new? Not bloody much. So what? People need to be reminded of things, or they forget them. This report was needed, because it expresses a truth that people keep forgetting. (We seem to have a difficulty remembering some kinds of things that we find nearly obvious when we think about them.)
I think we've pushed this "anyone can grow up to be president" thing too far.
With the termination of Geer, @Stake has shouted from the rooftops that they are NOT an unbiased source for information security.
When I write a security paper, I write it from the perspective of an independent auditor, which I am. Someone from the outside looking in. I don't CARE what someone's intention was when they created an insecure system. If I found it to be insecure, I let them have it.
I just lambasted a luddite CEO of a major corporation for not making information security HIS #1 priority. I told him that the insecurity of his network was his problem, a management problem, not an IT problem. I railed on him for two hours in a meeting last Monday... and he appreciated it. Was my report one-sided? You're damn right! I don't care what his intentions/perceptions are or were. What I told him was the pure, unadulterated and unvarnished truth. As painful as it was - it was true.
He's a good CEO and changes are being made. Now, if this same info were coming from an @Stake consultant: The information would now be suspect as being slanted in M$ favor, because 'they help pay our paychecks' and we can't speak out too strongly against them. @Stake now takes the side of Microsoft.
Were there any lies in what Geer wrote? No... Was it the painful truth, backed up by facts? Yes... Did the truth hurt? You bet. And it needed to be said.
I think that the political ramifications taken out on Geer have just signed the death warrant for @Stake.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
My girlfriend would argue otherwise.
"Sufferin' succotash."
His argument was that he was surprised from the standpoint that he had said what the paper said in public many times before, and the company never had a problem with that.
And he also noted that a company as big as Microsoft didn't necessarily have to pick up the phone to have an effect on his employment.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
While I'm not a fan of this action I think this is pretty much par for the course. Things to consider:
1) Dan Geer was the CTO. This means he is a director or officer and in business this means greater responsibility. This isn't the same as "@stake underling fired for bad mouthing Microsoft in IRC channel". He is a representative of the company and does speak/act on their behalf. He has the ability to sign documents on behalf of the company too.
2) @stake most likely didn't fire him, the Board of Directors did. BoDs are tough to deal with as they are usually more "investor" types. They see an action like this as a huge problem as MS probably accounts for a large percentage of their biz revenue. Again I don't think this is right, but from a cold emotionless biz standpoint this makes a lot of sense. Please your revenue masters or go out of business.
3) Microsoft probably didn't have any type of overt hand in this. It's likely the BoD was being proactive by firing him so MS didn't even have the opportunity to suggest firing him.
"The Venn diagram of facts doesn't intersect. The intersection of all of those statements is the null set," Geer said.
Wow, let's not try and sound like an even BIGGER idiot than we are already. Someone is sounding just a wee *tad* in love with themselves... but that's just how it's reading off on my end.
Whether Microsoft had a hand in his demise "will be forever impossible to ascertain," Geer said. "One might say communication wasn't necessary. There's a school of thought that says that a phone call wasn't needed. The more powerful you are, the less likely you are to have to pick up the phone. At most, you could call it plausible deniability."
Wow, he fits right in at Slashdot! I'll bet he is a huge poster here, just a guess. The article is a mirror of the conspiracy theories and half-baked ideas always thrown about over here.
Now, to address the last poster's comments-
Having sys-admins who do their jobs instead of whining about patching will fix *many* windows related problems
True dat. One thing the Slashdot crowd is particularly ignorant of is MS's free content management service, SUS (Software Update Service), which provides an admin with the ability to snap their network right into the already-existing Windows Update Service in Win2k/XP. And any savvy admin can easily config Windows Update at the desktop level with a logon script (Kixtart (which is free), SMS, or ScriptLogic are my preferred methods), thereby covering software updates for the ENTIRE enterprise. For free. Using things they already own.
Pretty nice, in my book.
Secretaries shouldn't have to learn userland *nix just to type up a TPS cover sheet for their weekly memos
Ya, it really sucks when ten people have to bitch cuz you fuxd up the coversheet for the TPS report ;)
Likewise some network admin shouldn't be forced to use WinXP just because the latest .NET makes every XML transaction cost less [or whatever]....
With all due respect, .NET is a MS creation. But there are open-source implementations which will plug into it, strangely enough. I'm not an expert by any means, but I believe .NET hooks right in to XML, which is why connectivity to disparate systems is so easy.
Now what gets me with this whole stupid 'OS diversity' argument is that, from a networking standpoint, it's somewhat dumb. I mean, if you have MS Active Directory handling the logins and NOS, Unix doing your DDNS, and your firewall done with Linux, an attack on ANY of those is going to adversely affect the network. The only REAL way to address that problem is to have redundant services on different OSes as a fail-over (which isn't 100% possible, especially in the case of the NOS); this is really expensive, for one thing, and since you will most likely need the expertise of more than one tech admin, prohibitively so for small to medium sized organizations.
So quite honestly, it's a bit of a strawman they are erecting every time they raise this issue.
Anyway, since I know honesty isn't respected here, ESPECIALLY when it isn't anti-MS, feel free to mod me down.
Manipulate the moderator system! Mod someone as "overrated" today.
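Two posts in this thread pull in opposite directions: the earlier one argues that a heterogeneous environment is less prone to complete collapse because an unpatched exploit usually hits one platform at a time, while the post above replies that when services on different platforms depend on each other, a breach of ANY one of them takes the network down. The toy probability model below, an added example and not code from any poster, puts numbers on both claims; the platform names, host shares and per-period exploit probabilities are constructed, not taken from the thread.

```python
"""Added example (not any poster's code): a toy model of monoculture vs
diversity.  Each platform independently has some chance, per period, of an
exploit existing for it with no patch available.  Two service models are
compared: one where the service survives as long as ANY platform survives
(the redundancy argument) and one where the service dies if ANY platform is
breached (the chained-dependency argument).
"""
import random
from itertools import product
from typing import Dict, Tuple

# Constructed inputs: share of hosts on each platform and the per-period
# probability that an unpatched exploit exists for that platform.
P_EXPLOIT = {"windows": 0.1, "linux": 0.1, "bsd": 0.1}
MONOCULTURE = {"windows": 1.0}
DIVERSE = {"windows": 0.34, "linux": 0.33, "bsd": 0.33}


def loss_distribution(shares: Dict[str, float], p: Dict[str, float]) -> Dict[float, float]:
    """Enumerate every hit/not-hit combination of platforms (assumed
    independent) and return the probability of each fraction of hosts lost."""
    names = list(shares)
    dist: Dict[float, float] = {}
    for hit in product((False, True), repeat=len(names)):
        prob, lost = 1.0, 0.0
        for name, is_hit in zip(names, hit):
            prob *= p[name] if is_hit else 1.0 - p[name]
            if is_hit:
                lost += shares[name]
        lost = round(lost, 6)  # keep float keys like 0.67 stable
        dist[lost] = dist.get(lost, 0.0) + prob
    return dist


def expected_loss(shares: Dict[str, float], p: Dict[str, float]) -> float:
    """Average fraction of hosts compromised per period."""
    return sum(shares[n] * p[n] for n in shares)


def tail_probability(dist: Dict[float, float], threshold: float) -> float:
    """Probability that at least `threshold` of all hosts are compromised."""
    return sum(prob for lost, prob in dist.items() if lost >= threshold)


def p_total_collapse(shares: Dict[str, float], p: Dict[str, float]) -> float:
    """Redundant model: complete collapse needs every platform hit at once."""
    prob = 1.0
    for name in shares:
        prob *= p[name]
    return prob


def p_any_breach(shares: Dict[str, float], p: Dict[str, float]) -> float:
    """Chained-dependency model: directory on one OS, DNS on another,
    firewall on a third; a breach of ANY of them takes the network down."""
    prob_none = 1.0
    for name in shares:
        prob_none *= 1.0 - p[name]
    return 1.0 - prob_none


def simulate(shares: Dict[str, float], p: Dict[str, float],
             trials: int = 20000, seed: int = 1) -> Tuple[float, float]:
    """Monte Carlo cross-check of the two closed forms above."""
    rng = random.Random(seed)
    collapses = breaches = 0
    for _ in range(trials):
        hits = [rng.random() < p[name] for name in shares]
        collapses += all(hits)
        breaches += any(hits)
    return collapses / trials, breaches / trials


def compare(p: Dict[str, float] = P_EXPLOIT) -> Dict[str, Dict[str, float]]:
    """Summary for both populations, returned as data so it can be checked."""
    out = {}
    for label, shares in (("monoculture", MONOCULTURE), ("diverse", DIVERSE)):
        dist = loss_distribution(shares, p)
        out[label] = {
            "expected_loss": expected_loss(shares, p),
            "p_half_or_more_lost": tail_probability(dist, 0.5),
            "p_total_collapse": p_total_collapse(shares, p),
            "p_any_breach": p_any_breach(shares, p),
        }
    return out


if __name__ == "__main__":
    for label, row in compare().items():
        print(label)
        for key, value in row.items():
            print(f"  {key:>20}: {value:.4f}")
    print("monte carlo (collapse, any breach):", simulate(DIVERSE, P_EXPLOIT))
```

With these inputs the average loss is identical (10% of hosts per period) in both layouts; only the tail changes, and the direction depends on whether the platforms back each other up (collapse probability drops from 0.1 to 0.001) or depend on each other (any-breach probability rises from 0.1 to 0.271).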
Hell, everyone acknowledges Windows has issues. MS is very upfront about that; they have very good technical resources, IMO. But the issue is that Windows isn't the ONLY OS with issues- THEY ALL HAVE THEM!!!
And again, this is nothing new- if you are in the biz, you know that if somebody can build it, somebody can unbuild it. Especially when they have unlimited time to figure out how to hax0r your network while you are focusing on getting constructive work done, for *only* 40-60 hours a week. Regardless of your OS, you will ultimately be vulnerable. The trick is just to stay ahead of the curve, and hopefully have a bit of luck- nothing sucks more than being the first person hacked by a new exploit, or catching a new virus.
This was a corporation whose main business was security. Geer published a report critical of the security of Microsoft products. Much of the stuff in it has been proven true by many studies. He wrote a paper scrutinising Microsoft's products' security. This happens to be part of his job, i.e. providing information about internet security. They fired him because the facts didn't favor the provider of some of their funding.
read my blog
musings on politics and technol
Nor would Job have been afflicted. Unless the God they worship is a bit more complex than the god you deride.
Ooh, relish the smugness. You brave, bold pioneer who threw off all preformed belief systems and exposed yourself to the world of observation and reasoning, you. Given today's orthodoxies, it's quite possible that the person to whom you're replying is actually more open than you to data which contradict his theories.
"Belief" is childish, but it becomes unbearable when it takes on the patina of science. One who believes in a scientific theory (such as Evolution) with the fervor of religion disgraces science.
This is rich!
@Stake is just the new name of l0pht Heavy Industries (remember l0phtcrack, anyone?). Only now they've gotten used to feeding at the corporate trough. They used to be a lean, mean, useful, security (through hacking) machine, albeit a bit on the grey side of the law. At least then you could count on what came out of them to be unfettered by corporate sponsorship!
I don't care if Microsoft phoned them up or not. Geer's report was simply common sense. So much so, that I'm surprised it got released as a "paper". Maybe I'll release a paper that proclaims "it is better to breathe fresh air than car exhaust". How can a position like Geer's paper be "expressing 'values and opinions [of the report] not in line with @stake's views'"?
@Stake has forgotten its independent, anti-establishment roots. They have lost all credibility, IMO. The link to Microsoft over the firing (whether MS actually picked up the phone or not) is as obvious as the point of the paper in question.
Maybe there ought to be a new company formed: Geer, Lamo and Assoc. I'd trust what they said when it comes to security over anything @Stake says now.
[/RANT]
"terrorism" and "pedophilia" are the root passwords to the Constitution
Not my definition, it's Webster's dictionary. I bet if you check Oxford, it's even more stringent.
;->
Look man, what started as a simple "What's the big deal over this paper, it's nothing new" turned into a flame war.
They do a paper that really, man, just reiterates several other studies (probably all citing each other in some incestuous manner). The paper throws in a few extra metrics, and cites a few examples, but really, there's nothing original at all, one iota, in this paper. You "flamers of my supposed troll" are so emotional you can't really see this. I really didn't mean this to be a troll.
Papers passed off like this, really man, ought to be original thought.
Then, funny thing is, I look further into it, and within 5 minutes I come pretty darn close to finding an article that is 5 years older with the same premise: the idea that Microsoft's dominance is a security threat because it is a monopoly, er, uh, ubiquitous, and its code is just too damn complex.
----
Let's get the f^%k over this and move on to the 21st century. I work in a shop that is becoming more and more Sun, IBM, and Oracle centric (can you name the software tools I develop with?). Microsoft is a laugh, and it's great sport to go to the meeting every 6 months from some MS Evangelist plant that wants to tell us how stupid we are for not using Exchange for everything, including brewing our coffee and picking our noses.
----
I have no original thoughts. Except maybe this one... Where the fuck do we go from here? Money talks, and bullshit walks; windoze is here to stay. I work for an IT department to provide excellence, too. We've never had any of these major virus problems because we're a Notes shop, of all things. We feel we've done well by steering clear of MS NT for everything within spitting distance of a DMZ.
Win NT, etc. isn't in realtime weapon systems, and it won't be for some time if ever. Once that happens, then let the floodgates of "WIN NT is a threat to freedom" articles rain free. Otherwise, this is hippy brooding over some rich nerd that's maybe not quite as smart as others, but knows how to make a mint. By the way, my wife's legs are longer than his wife's, and her ass is extremely perky. You don't have to be rich to have a hotter piece of ass at home than Bill Gates'...
Like, pardon me while I go and vomit?
Got time? Spend some of it coding or testing
Ak: Why are you building chapel?
Homer: Because you're all terrible sinners.
Q'Toktok: Since when?
Homer: Since I got here. Now either grab a stone or go to Hell.
-- "Missionary: Impossible"
I feel fantastic, and I'm still alive.
So what. All you do is increase the attacker's workload *linearly* but increase the users' workload much more [because now they have to learn two different systems].
Say I write a mod_ssl exploit [for really old apache distros] for Linux and an RPC sploit for windows that deliver the same payload [e.g. a DDoS program]. Where's this "everything is more secure" paradigm now?
Tom
Um? what?
The purpose of this paper was to say that diversity was good, not that Linux is better than Windows. So your comment doesn't make sense.
Also if you doubt people will plomb "linux" in their box [e.g. RH6 or something] just to check a box on a form somewhere, you're sadly mistaken.
My point was that idiots who can't set up NAT firewalls and patch systems in Windows won't fare much better in Linux, where daily patching [if you ever used Gentoo you know this] is pretty much par for the course.
Tom
Are ya done yet? We get the point. Some idiot doesn't like Tom St Denis. Now move on. There are a couple million other slashdot readers you could annoy.
What's worse is you're some lame-ass coward that takes potshots at people from behind a curtain. You're probably the type that will go around threatening people in person with your "macho big stuff" attitude, then never actually follow through with it.
So shut the fuck up already.