Re: [ISN] Technology Firm With Ties to Microsoft Fires Executive Over Criticism

From: InfoSec News (isn@private)
Date: Wed Oct 01 2003 - 01:42:26 PDT


    Forwarded from: "Bill Scherr IV, GSEC, GCIA" <bschnzl@private>
    
    People...
    
       I think we are missing the point here!  As security researchers we
    would be remiss in ignoring the big picture, part of which Dan's
    report is trying to relay.  It is not that Mr. Geer is unemployed.  
    It is not that a monolithic network allows mal-users to traipse thru
    the digital landscape using the same exploits over and over again.  
    It is that @stake has just blown any modicum of objectivity, spraying
    doubt on all its reports.
    
       In the interests of disclosure, the biggest splash I ever made on
    the security scene was a mention in an @stake report.  Not that
    splashing is good mind you!
    
       The big picture here is that objective reports require
    independence.  Anyone who reviews a thing to issue an opinion on that
    thing, can not have repercussions brought upon him by folks involved
    in creating that thing.  Likewise, if the product is good, and the
    reporter calls it good, no reward can be realized by that reporter,
    other than his normal fee.  How else can we trust his word?  How else
    can we trust that researcher not to hide a bad product behind his good
    reputation?
    
       The report issued an opinion on a technical issue, relating to a
    business practice.  The business practice is tweaking code, APIs and
    error messages, etc. to "lock" current customers into the Microsoft
    suite.  That is how M$ became the "sole source supplier" for Uncle
    Sam's desktops.  The technical issue was the monolithic network
    mentioned above.  Whether @stake acted on their own, or were levered
    into that action, is immaterial.  @stake should have stuck by Mr.
    Geer, even to the extent of holding any resignation until the heat
    died down.
    
       The issue that Microsoft may or may not have levered @stake into
    firing Mr. Geer should not come as a surprise to any with experience in
    the business.  That is in keeping with how they operate.  One needs
    only look at scandisk and how they wrenched it from Norton.  (DOS v5 I
    believe, pre-Symantec).  I think many of you could come up with better
    examples of questionable leverage.
    
       IF M$ did apply leverage, Mr. Wysopal (see:  
    http://www.itoc.usma.edu/workshop/2002/documents/Wysopal_Bio.htm)  
    should have waved evidence of such an action for all the world to see.  
    It may have been taken as another affront to the boys from Redmond,
    but it would have saved his firm's reputation.  Mr. Wysopal's silence
    is deafening.  As a USMA grad I once knew told me: "One Aw Shit wipes
    out a thousand Atta Boys."
    
       IF @stake acted without pressure from the upper left of CONUS, they
    are cutting off their nose to spite their collective face.  Folks of
    Dan Geer's stature and experience don't just grow on trees.  (See:  
    http://www.counterpane.com/board-geer.html and/or
    http://www.cio.com/archive/010103/22.html).  At least it shows a lack
    of business acumen.  Timing means something.  Even if this was an
    action previously in the works, the timing suggests that Mr. Geer was
    axed for stepping on Microsoft's toes.
    
       That suggests repercussion.  A company that issues reports relied
    upon by others needs to avoid the very suggestion of repercussion
    and/or reward, almost at all costs.  Any Audits, reviews,
    vulnerability assessments, or other reports are now called into
    question by the action of shooting the messenger.  Any current or new
    employees will see that action and ask themselves who will stand
    behind them when they report the true state of a product.  Talk about
    Fear, Uncertainty, and Doubt!
    
       Will independence reduce the amount of money deposited by the whole
    of security firms?  I wish I could say NO with certainty.  The fact is
    that products reviewed by softer firms appear more secure than those
    with strict adherence to currently accepted practices.  This allows
    for corner cutting, and the appearance of higher productivity.  This
    gives an unfair advantage to those reviewed by softer firms, and calls
    into question the entire industry.  Ultimately, that was the subject
    of Dan Geer's last @stake report.  (see:  
    http://www.atstake.com/research/reports/acrobat/ieee_quant.pdf).  
    Quantification of security issues is extremely difficult.  I haven’t
    even brushed excessive leverage.  Excessive leverage is also known as
    corruption.
    
       In the long run, security firms and researchers should guard their
    independence at least as closely as Certified Public Accountants.  We
    issue reports, ostensibly for action.  That implies trust.  Trust
    requires objectivity.  Objectivity requires independence.  Where are
    we without independence?
    
    B.
    
    PS>  What if Dan and Chris are in cahoots to pump up the report and 
    @stake?   Ohh - conspiracy theorist's headache!!!!
    
    
    
    On 30 Sep 2003, this text appeared purporting to belong to InfoSec
    
    Date sent:      Tue, 30 Sep 2003 05:18:54 -0500 (CDT)
    From:           InfoSec News <isn@private>
    To:             isn@private
    Subject:        Re: [ISN] Technology Firm With Ties to Microsoft Fires Executive Over Criticism
    Send reply to:  InfoSec News <isn@private>
    
    > Forwarded from: Jason Coombs <jasonc@private>
    > Cc: paul@private;, Dan_Verton@private;,
    >    rforno@private;, full-disclosure@private
    > 
    > InfoSec News wrote:
    > > Forwarded from: Paul Robichaux <paul@private>
    > > 1. Geer claimed to be speaking for @stake. He wasn't.
    > 
    > I do hope that all of you actually read the report before forming
    > any opinions about it, the people who wrote it, or the manner in
    > which those people portrayed themselves as authors of it. It is
    > simply impossible to interpret Geer's role in authoring this report
    > as anything close to "speaking for @Stake" -- it was clearly the
    > "speaking" part that got him canned, and one need not be paranoid in
    > order to see Microsoft's direct or indirect influence in the growing
    > "punishment for speech" phenomenon within the United States.  
    > @Stake's own political bias in advancing the so-called "responsible
    > disclosure" process is a crucial element of criminalizing speech...
    > We can't put speakers in prison unless we can prove that they
    > violated the rules with their speech, so @Stake is busy trying to
    > define the rules.
    > 
    > The whole business makes me feel sick. What we really need is
    > freedom, and the ability to defend ourselves adequately from anyone
    > who might choose to exercise theirs in a way that doesn't conform to
    > other people's arbitrary definition of "responsible". There was a
    > time in the past when there was little doubt that we had freedom.
    > 
    > Freedom must be one of the costs of monopoly.
    > 
    > CyberInsecurity: The Cost of Monopoly
    > How the Dominance of Microsoft's Products Poses a Risk to Security
    > http://www.ccianet.org/papers/cyberinsecurity.pdf
    > 
    > Sincerely,
    > 
    > Jason Coombs
    > jasonc@private
    
    
    Bill Scherr IV, GSEC, GCIA
    EWA / Information & Infrastructure Technologies
    National Guard Regional Technology Center / Norwich Campus
    Northfield, VT  05663
    802-485-1962
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Oct 01 2003 - 04:00:06 PDT