http://napps.nwfusion.com/weblogs/security/003879.html

By Ellen Messmer, Network World Fusion, 12/22/03

Remember Dan Geer (Dr. Dan Geer to you), who was fired from security firm @stake in late September for sounding off against Microsoft as a "national security threat" in the report "CyberSecurity: The Cost of Monopoly"? (If not, check out the 9/29/03 Security Notes column.) Well, Geer is back in action as the chief scientist for Verdasys, a security start-up that makes a product called Digital Guardian. And he vows to continue to be as outspoken as he has been in the past, come hell or high water.

Geer's previous employer, @stake, has declined to discuss the particulars of how Geer suddenly departed his post as chief technical officer the very week the Microsoft-bashing report he authored appeared under the sponsorship of the Computer and Communications Industry Association (CCIA). Whether you agree with the conclusions of that report or not, it can certainly be counted as one of the better-argued essays on the dangers of software monoculture and the possibility of security becoming the means for vendor product lock-in. However, @stake, which counts Microsoft as a client, apparently didn't find it amusing. Geer "went missing" from his job the week the report was published, with @stake only willing to say it was all a private personnel matter. Of course, nothing like this stays private for too long, and word got out from some of Geer's pals that he had been axed at @stake.

Geer, who started his new job as Verdasys' chief scientist last week, had this to say about the Microsoft-as-monoculture episode: "I was fired for saying the emperor is naked." Geer, the main author of the report, which had six other contributors, acknowledges he didn't exactly brief @stake on what he was going to say about Microsoft.
He went straight to CCIA, which has long sought to have Microsoft brought to heel under anti-trust laws, to back it as a major trade organization with a megaphone to reach the press. He added that it's ironic that "three weeks after I'm shot for saying the emperor has no clothes, the National Science Foundation awards Mike Reiter a multi-million NSF grant to study software monoculture." (Mike Reiter is professor of electrical and computer engineering at Carnegie-Mellon and associate director of its CyLab to advance cybersecurity. "We are looking at computers the way a physician would look at genetically related patients, each susceptible to the same disorder," Reiter is quoted as saying in NSF's November 25 press release about the grant he and his colleagues were awarded. They are trying to find a way to keep computers that are basically the same from being infected by the same thing, like the Code Red and Blaster worms. Sounds like a search for safe sex for computers, and we wish them well in their quixotic quest.)

Geer is still somewhat bitter about his experience with @stake, where he says his job was "to make @stake look bigger than it actually is. And I was successful at it." But now it's time to move on. Besides assisting Waltham, Mass.-based Verdasys in developing its data-integrity products, Geer's official job description now says he'll have a role in "customer and market evangelism." So expect the outspoken and erudite Geer -- who cut his teeth at MIT's Project Athena, where Kerberos and the X Window System were developed -- to be seen at conferences and at customer locations pulling for Verdasys.

"The future is at the data layer," Geer says with his Verdasys hat on. Putting limits on file use -- what Verdasys has "nailed," says Geer -- is "the right place to be right now." As a scientist, one idea Geer hopes to pursue is studying file use on a statistical basis for lifetimes and transit patterns, perhaps to be able to detect anomalies.
Geer earlier was on the Verdasys board of advisors, which also includes Bob Blakley, chief scientist for security and privacy at IBM Tivoli Software, and Dennis Devlin, vice president and chief security officer at Thomson Corp. The privately funded company was started earlier this year by its CEO, Seth Birnbaum.

But just because Geer has a day job (though he'll still also be an "independent risk management consultant for Geer Risk Services"), don't expect him to suddenly go soft. He says he frets just as much about the problems of open-source code as he does about Microsoft's more proprietary software. "The most interesting question right now is the sanctity of the open-source code pool and attempts to subvert it," he says, by those who may want to insert Trojan horses or do other damage by breaking into Web sites. He says there needs to be a lot more work on that subject.

Whatever happens, don't expect this loose cannon of the Internet to go quietly into that dark night.
This archive was generated by hypermail 2b30 : Tue Dec 30 2003 - 10:08:02 PST