[ISN] Security Expert Geer Sounds Off on Dismissal

From: InfoSec News (isn@private)
Date: Wed Oct 01 2003 - 01:44:30 PDT


    http://www.eweek.com/article2/0,4149,1304909,00.asp
    
    By Dennis Fisher 
    September 29, 2003
    
    When @stake Inc. on Thursday announced that it had fired its CTO Dan 
    Geer, no one was more surprised than Geer himself. 
    
    A security researcher and scientist with more than 30 years of
    experience, including work on some groundbreaking projects, Geer was
    let go just a day after the publication of a paper he co-authored that
    was sharply critical of Microsoft Corp. - one of @stake's customers.  
    The paper covered the effects that Microsoft's monopolistic position
    has on the security of the Internet.
    
    The paper argues that the dominance of Windows in the marketplace has 
    created a monoculture in which all systems are more vulnerable to 
    widespread attacks and viruses. Part of the answer to the problem, 
    Geer and his collaborators wrote, is for enterprises to diversify 
    their infrastructures with products from other vendors. 
    
    Software diversity in the name of security is by no means a new idea, 
    but Geer and the other authors are all very visible in the high-tech 
    industry, especially within the security community, and their opinions 
    carry a certain weight. However, Geer said Monday that the opinions in 
    the paper were no more controversial or edgy than many of the things 
    he's said in speeches, interviews and other papers during his time 
    with @stake. 
    
    "People say that if he was surprised [by being fired], he's an idiot. 
    Well, I was surprised in this sense: I do this kind of thing all the 
    time," Geer said in an interview from his home. "My job was to be out 
    in front far enough that a company the size of @stake could be at the 
    front of an industry like this." 
    
    Microsoft, based in Redmond, Wash., has used @stake's services for 
    several years. Officials at @stake, in Cambridge, Mass., flatly deny 
    any connection between this fact and Geer's firing and say that no one 
    from Microsoft influenced their decision whatsoever. 
    
    But Geer isn't convinced. The company said Geer's last day as an 
    employee was Tuesday, but the announcement wasn't made until Thursday, 
    the day after the paper was published. Geer went on a conference call 
    with reporters Wednesday morning and identified himself as an @stake 
    employee and added that the opinions in the paper were his own and not 
    the company's. 
    
    "The Venn diagram of facts doesn't intersect. The intersection of all 
    of those statements is the null set," Geer said. 
    
    The paper generated a fair amount of controversy, with Microsoft 
    officials defending the company's security practices and corporate 
    policies and @stake employees making the media rounds to distance the 
    company from Geer's statements. 
    
    Whether Microsoft had a hand in his demise "will be forever impossible 
    to ascertain," Geer said. "One might say communication wasn't 
    necessary. There's a school of thought that says that a phone call 
    wasn't needed. The more powerful you are, the less likely you are to 
    have to pick up the phone. At most, you could call it plausible 
    deniability." 
    
    As an example of the kind of behind-the-scenes influence that large 
    vendors have, Geer cited his efforts to find an academic security 
    expert or two to sign on to the paper on software diversity. After 
    contacting nine people and striking out each time, he gave up. 
    
    "All of them said it was too hot for their position," Geer said. "They 
    enjoy the free speech benefits of tenure but not necessarily those of 
    funding." 
    
    One of the researchers that Geer spoke with said he decided not to 
    join the project for other reasons, but was nonetheless appalled by 
    Geer's firing. Avi Rubin, associate professor of computer science at 
    Johns Hopkins University in Baltimore, Md., and technical director of 
    the university's Information Security Institute, is currently serving 
    as an expert witness in a lawsuit against Microsoft and looked over 
    drafts of the paper during its development, but ultimately felt that 
    adding his name to the paper wasn't the best idea at the time. Still, 
    he said he was upset by the implications of Geer losing his job. 
    
    "I think there should be a huge outcry over his firing. It is that 
    kind of intimidation against scientists speaking their minds that can 
    be extremely dangerous to our society," Rubin said. 
    
    Microsoft spokesmen denied that the company had any involvement in 
    Geer's firing. 
    
    As for future projects, Geer said he's been inundated with offers and 
    ideas. After all, he essentially created the security consulting 
    industry more than a decade ago with his firm Geer-Zolot Associates 
    and also oversaw the development of the Massachusetts Institute of 
    Technology's Project Athena. 
    
    "The mail is still coming in fast and furious. No one's showed up with 
    a boatload of money and said, 'Take it.' But the question now is, 
    what's the wise thing to do," he said.
    
    
    