Forwarded from: "Bill Scherr IV, GSEC, GCIA" <bschnzl@private>

People... I think we are missing the point here! As security researchers we would be remiss in ignoring the big picture, part of which Dan's report is trying to relay. It is not that Mr. Geer is unemployed. It is not that a monolithic network allows mal-users to traipse through the digital landscape using the same exploits over and over again. It is that @stake has just blown any modicum of objectivity, spraying doubt on all its reports. In the interests of disclosure, the biggest splash I ever made on the security scene was a mention in an @stake report. Not that splashing is good, mind you!

The big picture here is that objective reports require independence. Anyone who reviews a thing to issue an opinion on that thing cannot have repercussions brought upon him by folks involved in creating that thing. Likewise, if the product is good, and the reporter calls it good, no reward can be realized by that reporter other than his normal fee. How else can we trust his word? How else can we trust that researcher not to hide a bad product behind his good reputation?

The report issued an opinion on a technical issue relating to a business practice. The business practice is tweaking code, APIs, error messages, etc. to "lock" current customers into the Microsoft suite. That is how M$ became the "sole source supplier" for Uncle Sam's desktops. The technical issue was the monolithic network mentioned above.

Whether @stake acted on their own, or were levered into that action, is immaterial. @stake should have stuck by Mr. Geer, even to the extent of holding any resignation until the heat died down. The issue that Microsoft may or may not have levered @stake into firing Mr. Geer should not come as a surprise to any with experience in the business. That is in keeping with how they operate. One needs only look at scandisk and how they wrenched it from Norton. (DOS v5 I believe, pre-Symantec.)
I think many of you could come up with better examples of questionable leverage. IF M$ did apply leverage, Mr. Wysopal (see: http://www.itoc.usma.edu/workshop/2002/documents/Wysopal_Bio.htm) should have waved evidence of such an action for all the world to see. It may have been taken as another affront to the boys from Redmond, but it would have saved his firm's reputation. Mr. Wysopal's silence is deafening. As a USMA grad I once knew told me: "One Aw Shit wipes out a thousand Atta Boys."

IF @stake acted without pressure from the upper left of CONUS, they are cutting off their nose to spite their collective face. Folks of Dan Geer's stature and experience don't just grow on trees. (See: http://www.counterpane.com/board-geer.html and/or http://www.cio.com/archive/010103/22.html.) At least it shows a lack of business acumen.

Timing means something. Even if this was an action previously in the works, the timing suggests that Mr. Geer was axed for stepping on Microsoft's toes. That suggests repercussion. A company that issues reports relied upon by others needs to avoid the very suggestion of repercussion and/or reward, almost at all costs. Any audits, reviews, vulnerability assessments, or other reports are now called into question by the action of shooting the messenger. Any current or new employees will see that action and ask themselves who will stand behind them when they report the true state of a product. Talk about Fear, Uncertainty, and Doubt!

Will independence reduce the amount of money deposited by the whole of security firms? I wish I could say NO with certainty. The fact is that products reviewed by softer firms appear more secure than those with strict adherence to currently accepted practices. This allows for corner cutting, and the appearance of higher productivity. This gives an unfair advantage to those reviewed by softer firms, and calls into question the entire industry. Ultimately, that was the subject of Dan Geer's last @stake report.
(See: http://www.atstake.com/research/reports/acrobat/ieee_quant.pdf.) Quantification of security issues is extremely difficult.

I haven't even brushed excessive leverage. Excessive leverage is also known as corruption. In the long run, security firms and researchers should guard their independence at least as closely as Certified Public Accountants. We issue reports, ostensibly for action. That implies trust. Trust requires objectivity. Objectivity requires independence. Where are we without independence?

B.

PS> What if Dan and Chris are in cahoots to pump up the report and @stake? Ohh - conspiracy theorist's headache!!!!

On 30 Sep 2003, this text appeared purporting to belong to InfoSec:

Date sent:      Tue, 30 Sep 2003 05:18:54 -0500 (CDT)
From:           InfoSec News <isn@private>
To:             isn@private
Subject:        Re: [ISN] Technology Firm With Ties to Microsoft Fires Executive Over Criticism
Send reply to:  InfoSec News <isn@private>

> Forwarded from: Jason Coombs <jasonc@private>
> Cc: paul@private, Dan_Verton@private, rforno@private, full-disclosure@private
>
> InfoSec News wrote:
> > Forwarded from: Paul Robichaux <paul@private>
> > 1. Geer claimed to be speaking for @stake. He wasn't.
>
> I do hope that all of you actually read the report before forming any opinions about it, the people who wrote it, or the manner in which those people portrayed themselves as authors of it. It is simply impossible to interpret Geer's role in authoring this report as anything close to "speaking for @Stake" -- it was clearly the "speaking" part that got him canned, and one need not be paranoid in order to see Microsoft's direct or indirect influence in the growing "punishment for speech" phenomenon within the United States. @Stake's own political bias in advancing the so-called "responsible disclosure" process is a crucial element of criminalizing speech...
> We can't put speakers in prison unless we can prove that they violated the rules with their speech, so @Stake is busy trying to define the rules.
>
> The whole business makes me feel sick. What we really need is freedom, and the ability to defend ourselves adequately from anyone who might choose to exercise theirs in a way that doesn't conform to other people's arbitrary definition of "responsible". There was a time in the past when there was little doubt that we had freedom.
>
> Freedom must be one of the costs of monopoly.
>
> CyberInsecurity: The Cost of Monopoly
> How the Dominance of Microsoft's Products Poses a Risk to Security
> http://www.ccianet.org/papers/cyberinsecurity.pdf
>
> Sincerely,
>
> Jason Coombs
> jasonc@private

Bill Scherr IV, GSEC, GCIA
EWA / Information & Infrastructure Technologies
National Guard Regional Technology Center / Norwich Campus
Northfield, VT 05663
802-485-1962