Forgot your password?
typodupeerror
Microsoft Security

Author of Paper Critical of Microsoft is Fired 739

Posted by CowboyNeal
from the suspicious-coincidences dept.
chongo writes "Daniel E. Geer Jr., one of the primary authors of a report Reliance On MS A Danger To National Security, was fired from @stake Thursday morning. @stake said that 'The values an opinions of the report are not in line with @stake's views' and that Geer's participation was 'not sanctioned.' Microsoft, who has worked closely with @stake in the past, denied that it was involved in @stake's decision to fire Dan." There might not be anything fishy going on at all, but that's no reason to stop making perfectly good conspiracy theories.
This discussion has been archived. No new comments can be posted.

Author of Paper Critical of Microsoft is Fired

Comments Filter:
  • Hey! (Score:5, Funny)

    by B3ryllium (571199) on Thursday September 25, 2003 @11:04PM (#7060564) Homepage
    Can I have his job? I can write well, and I can be non-critical of Microsoft software.

    For instance, they have made great strides in improving Calculator and Notepad in recent versions of Windows.
    • One day, I'm sure IE will get around to displaying them correctly.

      Yes, but... other than roads, sanitation, better medicine and the streets bein' safe at night, what have the Romans ever done for us?
  • Can they do that? (Score:4, Insightful)

    by connsmythe96 (576445) <slashdot@@@adamkemp...com> on Thursday September 25, 2003 @11:07PM (#7060580) Homepage
    Did he do this on his own, or as an @stake employee? I find it rather disturbing that a company can fire you for something you do of your own accord. What's next, are companies who like to suck up to MS gonna fire you for developing a linux program?

    Am I just being naiive, or does this bother other people too?
    • by jesterzog (189797) on Thursday September 25, 2003 @11:16PM (#7060674) Homepage Journal

      Did he do this on his own, or as an @stake employee?

      The report itself [ccianet.org] stated quite clearly in several places that Dr Geer was the Chief Technical Officer of @Stake.

      I can't find a disclaimer anywhere in the report saying that he wasn't representing @Stake, and yet he used it to back up his authoritarian position, and intentional or not it appear that he was speaking on behalf of the company he worked for.

      Perhaps more details will emerge about what actually went on, but it does seem quite irresponsible to make it appear that you're speaking on behalf of a company if you're not... if that's what happened.

      • by eschasi (252157) on Thursday September 25, 2003 @11:33PM (#7060785)
        I've seen Geer off and on for quite a number of years. He's damned smart, and has damned little people and organizational sense. IMHO it's perfectly reasonable that he'd not consider that his statements in the forum would be taken as representing his employer, doubly so when he lists his affiliation repeatedly.

        When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes your represent your company. It's not like being a prof at MIT. Noby would assume a prof officially represents the stance of a University. But companies are a differnt world. Bruce represents Counterpane when he does those sorts of publications, and Dan damned well should have known he'd be representing @Stake when he repeatedly listed the affiliation..

        • by laird (2705) <lairdp@nOSPAm.gmail.com> on Friday September 26, 2003 @12:06AM (#7060996) Journal
          "When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes your represent your company."

          The report states clearly on the first page that "Our conclusions have now been confirmed and amplified by the appearance of this important report by leading authorities in the field of cybersecurity: Dan Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, John S. Quarterman, Charles Pfleeger, and Bruce Schneier. CCIA and the report's authors have arrived at their conclusions independently. The views of the authors are their views and theirs alone."

          Note that there are no company affiliations in that list, or on the front cover of the report, and that they clearly say that they're speaking as individuals, not as company representatives. The authors do list their current titles and employers in their bio's and on the "authors of the report" page, in order to establish their credibility (and that's a lot of credibility), but clearly don't speak for their employers.

          Given that the document expresses the mainstream of security industry thinking, I'm a little amazed that this is even "news" much less something to fire someone over. Does any security professional think that a software monoculture is a good idea, or that Microsoft actually has security as its top priority (as opposed to market share or profitability)?

          If we're to be serious about addressing vulnerabilities in our software infrastructure, we have to be willing to discuss these issues honestly, without self-censoring out of fear of stating the obvious when it's inconvenient.

          • I had a look at the report, and so interpret the situation a bit differently than most here. In my view, it reads more like an amicus brief (statement by a friend of the court) than a technical doc. Look at it, they rant and rave about the "M$ monopoly" throughout.

            There are plenty of technical/security aspects of the dominance of M$ platforms, but this report doesn't address them effectively. This can be expected since it looks much more to me like a hack job funded by competitors:

            Ed Black, the CEO and pre

          • by jotaeleemeese (303437) on Friday September 26, 2003 @04:11AM (#7061884) Homepage Journal
            If you talk as an individual in a matter in which your employer may have a stake (think a financial analyst working for a bank) you better make sure your employer does not have a problem with what you are going to say, no matter how many disclaimers you put around your words.

            The reason is very simple: a given company needs to keep a reputation, in the case of a security company they need to appear to be open and impartial when assesing different products. By having an employee that clearly has reached his own conclussions and made them public the employer is left in the difficult position to explain how they may be choosing MS stuff or recommending it given that one prominent employee has lambasted those products in a public forum.

            Sorry, but I have no pity for this person in spite of broadly agreeing with his conclussions.
            • The irony is that this company's research division originally consisted of people that came in by a merger. L0pht Heavy Industries an old hacker group from Boston merged with @stake.

              L0pht has allways belived in full disclosure of security vulnerabilities; like they stated in this interwiev. [pbs.org].

              There was also a /. story [slashdot.org]. about L0pht, "hypocrisy of hackers" and (possible)connections to FBI and NIPC a year ago.

              So it turns out that the hacker philosophy went out the backdoor and the corporate standards fro

      • by kfg (145172) on Friday September 26, 2003 @12:07AM (#7061008)
        See Playboy vs. Terri Welles.

        Statements of fact do not imply endorsement.

        Terri Welles was, in fact, a Playmate. Playboy cannot restrict her from saying so, even by attempting to apply trademark law against Ms. Welle's use of the trademarked word "Playboy" in for commercial gain.

        The fact that being able to claim to have been a Playboy Playmate gives her a certain professional standing in her field (tits) and she is free to use that standing for her own benefit even over the objections of Playboy.

        Dr. Geer is (ok, was) the Chief Technical Officer of @Stake. This is a position of authority in a particular field and stating that one has that authority gives one's opinion in that field certain standing. It is a factual statement and does not imply endorsement by his employer. It only imlies that one has recognized special skills.

        If people misconstrue that that is a problem of their understanding, just as it is if people believe that Ms. Welles' personal site is an official Playboy site because she lists her employment by Playboy.

        That doesn't make her an infringer. It makes them morons.

        If the guy down the street who works for a Ford dealership tells me that he thinks Fords suck I too would have to be a moron to believe that was the official position of his employer.

        Whether or not that might be legal grounds for firing said employee is another issue. I'd have to review the relevant law in his jurisdiction and make an examination of his contract to have an opinion on that.

        I'd think his employer was an asshole for doing it though, if he was otherwise performing his duites satisfactorally. That's just my opinion of course, which is colored by knowing many people who worked for companies they don't like. I've even worked for a few myself. Hell, I even owned one of those companies.

        But I didn't fire myself.

        KFG
      • by IBitOBear (410965) on Friday September 26, 2003 @12:19AM (#7061085) Homepage Journal
        First off, "they" wrote it. Each of the contributors listed their position and company with equal emphasis. No representations were made about the "official" positions of the respecitve and multiple companies listed.

        Yes, we seem to be living in a world with increasing need to disclaim. In fact, we live in a legal claim/disclaim toxic environment.

        If you were to global search-and-replace the company names with the names of universities; and likewise exchange the professional titles with academic ones; this paper would be perfectly kosher.

        So now, apparently you can't publish a shcollarly work unless you *don't* have a "real job." How nice.

        Remember: The great/golden age of the Arrab Empires collapsed because of one act. They closed their libraries. After that scolarship fell into disrepute. Then learning. Then knowledge. Then "not being an idiot" was against the social norm, and *poof* they lost the initiative.

        Let's not repeat that debacle in our age, shall we?

        Persons should enjoy the right to freely publish their thoughts and understandings of any issue with greater social ramafications.

        Silence == Death... As a slogan it is applicable to far more than the AIDS crisis.
      • I can't find a disclaimer anywhere in the report saying that he wasn't representing @Stake, and yet he used it to back up his authoritarian position, and intentional or not it appear that he was speaking on behalf of the company he worked for.

        From p.3 of the report:

        CCIA and the report's authors have arrived at their conclusions independently. Indeed, the views of the authors are their views and theirs alone.

        Unless they modified the report after it was first posted? The version I'm looking at says mod

    • @stake was acting in their own interest. For them, Microsoft is a potential customer and keeping good relations is what they had in mind.
    • Re:Can they do that? (Score:3, Informative)

      by Sparks23 (412116)
      Many businesses are 'work-at-will' businesses, meaning both that the employee or the employer can terminate the employment contract at any time.

      IANAL, but a quick search for 'work-at-will' via Google produced links by people who are, which explain a little about work-at-will and also how some litigation has made work-at-will a little less 'you can be fired whenever for whatever reason'. But in general, you have less protection as an at-will employee than you might otherwise, and most employment contracts
    • by turg (19864) *

      Did he do this on his own, or as an @stake employee?

      In the paper [ccianet.org]'s (pdf) list of authors, he is listed as "Daniel Geer, Sc.D -- Chief Technical Officer, @Stake"

      Also perhaps of interest is the fact that he is listed first of the paper's seven authors

      I find it rather disturbing that a company can fire you for something you do of your own accord. What's next, are companies who like to suck up to MS gonna fire you for developing a linux program?

      If your company has a financial stake in the success o

      • Re:Can they do that? (Score:3, Interesting)

        by laird (2705)
        @stake's primary responsibility should be to secure their client's systems; prodding the players in the marketplace to produce more secure systems is their job. If I were a client of @stake I'd be very concerned that they placed a higher value on not offending a vendor than in providing security to their clients.
    • Re:Can they do that? (Score:5, Interesting)

      by xjimhb (234034) on Thursday September 25, 2003 @11:34PM (#7060793) Homepage
      Way back when I worked for IBM, there were very stringent rules about publishing anything even vaguely computer-related, and I doubt it is any better nowadays. Stuff had to be run through the Publications department, which sent it all over the company for approval/disapproval.

      At one time I was working on my Master's degree, and the Professor to whom I submitted a term paper on "LISP on MicroComputers" suggested I submit it to a journal. BUT this was just before the PC came out, so I was using examples like PDP and TRS-80. When the paper got to the division that was preparing to release the PC, they vetoed it instantly.

      Some people were so paranoid back then that they would "clear" a term paper through Publications before they dared to give it to the Professor!

      So the answer is, "Yes, they can do that."

    • Re:Can they do that? (Score:4, Interesting)

      by Mooncaller (669824) on Friday September 26, 2003 @12:38AM (#7061183)
      are companies who like to suck up to MS gonna fire you for developing a linux program?

      Actualy yes they are. Where I use to work, just being known to know too much about Linux would put a person on the layoff list. And when the company is laying off 40% of its workforce, little things like that are easy to hide. I would go into more detail on how this company is sucking bills fat FUD, but I am starting to get upset. Basical, in any MS controled company, knowing UNIX is a severe liability, regardless of how well one knows MS stuff. Unless of course, ones knowledge is absolutly instrumental in positioning the company infrastructure, in preparation for MSs penetration.

    • by Zhe Mappel (607548) on Friday September 26, 2003 @01:31AM (#7061432)
      I find it rather disturbing that a company can fire you for something you do of your own accord. What's next, are companies who like to suck up to MS gonna fire you for developing a linux program?

      Am I just being naiive, or does this bother other people too?

      Oh, it had better bother other people. Tomorrow, it might be them.

      Whistle-blowing is never a popular job, but it's even riskier during bad economic times. Most of the backlash against this employee is due to the spineless quivering, in management, about losing vital business. Once again, we see why monopolies are unhealthy for society.

      What are you gonna do, though, if you're canned? The employment-at-will doctrine has essentially always allowed bosses to hire and dump whomever they wish for any reason; dear old kooky Walt Disney used to go nuts with this easily abused freedom, and the 1990s left a trail of shattered lives and communities behind the rapacious "downsizing" of workers. Except where protected by civil rights or state employment law (and good luck bringing a case!), this is where you stand as an employee in America - at the mercy of the Man's whims. Learn to kiss ass; learn to run your own business; learn to work for decent people; these are among the few options for workers, and guess which one is most popular.

      But this is also a hysterical time politically. Under the New McCarthyism the pasture of sacred cows has been enlarged: now not only our Glorious Leader is supposed to be beyond reproach, but so are certain corporate entities. And by burrowing like a common bacterial spirochete into the guts of American national security, Microsoft has begun to undergo the transformation - symbolically - from mere lawless and sloppy monopolist to vital U.S. institution. Yesterday, MS merely brought you BSODs, viral weakness and data loss. Today, it defends America against her enemies with its arsenal of...er...BSODs, viral weakness and data loss.

      If this transformation continues, it will be more and more costly to criticize Microsoft as it mutates into an adjunct of the security state. HomeSec is already MS's taxpayer-subsidized tech support service, busily issuing warnings about the latest viruses and worms. This relationship should be promptly terminated by the next administration when the adults get to run things again.

  • by paroneayea (642895) on Thursday September 25, 2003 @11:07PM (#7060584) Homepage

    I bet it was... the Time Terrorists*!

    *Time Terrorists also responisble for the destruction of the Titanic, the Hindenburg, and the creation of SCO.
    • ...of the work of his fellow bandits [imdb.com].

      Seriously though, that movie is full of great quotes...who remembers the Supreme Being saying "I am the supreme being, I am not entirely dim"? And Evil talking about God:

      Evil: God is not interested in technology... He knows nothing of the potential of the micro-chip or the silicon revolution. He's obsessed with making the grass grow and getting rainbows right... Look at what he spends his time on. 43 species of parrot! Nipples for men!

      /me goes out to buy on DVD...

  • by eu_neke (415715) <c2104479@@@stude ... astle...edu...au> on Thursday September 25, 2003 @11:07PM (#7060587) Homepage
    Looks like there was more "@stake" than he expected =p

    (waits for groans)
  • Yeah... (Score:3, Funny)

    by fsterman (519061) on Thursday September 25, 2003 @11:07PM (#7060594) Homepage
    "Linux would be just as insecure, we swear!"- @stake.
  • by Otter (3800) on Thursday September 25, 2003 @11:08PM (#7060599) Journal
    @stake said that 'The values an opinions of the report are not in line with @stake's views' and that Geer's participation was 'not sanctioned.' Microsoft, who has worked closely with @stake in the past, denied that it was involved in @stake's decision to fire Dan.

    OK, if you need to mention a company's gimmicky, non-alphabetical name once, so be it. But all those @s are giving me a headache in a brain region I haven't had to use since we had that run of :CueCat stories.

    The scary thing is that you could use 4tst4k3 repeatedly and I wouldn't blink at it. 47s74k3 would require some effort...

    • by ChazeFroy (51595) on Thursday September 25, 2003 @11:12PM (#7060631) Homepage
      He put his company and title in the paper. If he did not clear that with his company before publishing this paper, @stake has every reason to fire him.

      Not only can it be viewed as damaging to a big client (Microsoft, in this case), but it can also be viewed as competing with your own company since both @stake and the paper deal with security. I'm sure he signed a non-compete agreement with @stake when he was hired.
      • by Otter (3800) on Thursday September 25, 2003 @11:40PM (#7060834) Journal
        I posted that last comment, got on my bike and started home and got stuck at a red light across the street from the freaking @stake office!

        And then I come home to this. Which part of what I wrote sounded like "Post some complete non-sequitur and write @stake three more times!"?

  • by mcrbids (148650) on Thursday September 25, 2003 @11:10PM (#7060613) Journal
    And, in other news, in an SEC filing, Microsoft has disclosed a cash "gift" to a company called @stake.

    Said Microsoft spokesman: "It's a voluntary contribution, with much at stake. ".
  • by rritterson (588983) * on Thursday September 25, 2003 @11:11PM (#7060617)
    While the firing was unecessary and I don't agreee with it in the slightest. (How can your participation be 'unauthorized'?), it's the editorial tagline that really irks me.

    You, slashdot editor, member of the press, are actually encouraging and suggesting that false and misleading information be interpolated from a small number of facts. Sure, a healthy skepticism and more investigation is required to determine why he was fired but i think an editorial remark with a message consisting of:

    "This isn't really big news, but if we pretend like all sorts of mysterious things are happening that we don't know about, it will be."

    Those sorts of things happen on their own more than enough as is; encouraging it is just unecessary.

    • by Cecil (37810) on Thursday September 25, 2003 @11:49PM (#7060891) Homepage
      What the hell?

      First of all: False and misleading information? Unless you have some magical insider information on what exactly happened, who are you to claim that it's false and misleading? To dismiss it as false without having any facts is no better than accepting it as true without having any of the facts. Different sides of the same coin.

      And second, it looks like a pretty tongue-in-cheek comment. You said it yourself:

      Those sorts of things happen on their own more than enough as is; encouraging it is just unecessary.

      Do you really believe that the editors don't also know this? Contrary to popular opinion they do actually read the site, sometimes. It's pretty clear to me that it's a jab at all the 'perfectly good conspiracy theories' that abound whenever a Microsoft story rolls around. Would you really call them 'perfectly good conspiracy theories' if you weren't against them? Sounds like a pretty sarcastic phrase to me.

      But hey, don't let little old me get in the way of Slashdot's readers bashing Slashdot...
  • by Infonaut (96956) <infonaut@gmail.com> on Thursday September 25, 2003 @11:12PM (#7060629) Homepage Journal
    @the Stake fired him because they didn't want to piss off Microsoft. From their point of view it was better to sacrifice an obviously capable and smart employee at the altar of commerce than potentially endanger their working relationship with Microsoft.

    I guess that's where the phrase, "power corrupts" comes from, eh?

    • And would you? Think about it. They have an awesome working relationship with Microsoft. They get to do exactly what they love to do (finding exploits) in code that is supposedly riddled with problems and get paid tons of money to do it. In addition, they help the world by helping MS identify and fix these bugs.

      If they lost that relationship, that could cause the shareholders to bail out because the company would have to recoup that revenue from elsewhere.

      @Stake is full of tons of smart people. I'm su
      • by Infonaut (96956) <infonaut@gmail.com> on Friday September 26, 2003 @12:18AM (#7061081) Homepage Journal
        They have an awesome working relationship with Microsoft. They get to do exactly what they love to do (finding exploits) in code that is supposedly riddled with problems and get paid tons of money to do it. In addition, they help the world by helping MS identify and fix these bugs.

        I can't argue with those points. You're absolutely right. It's just a shame to me that someone who knows a lot about something that affects the security of millions of Americans can't speak out about that threat without being fired by their employer.

        It's rare to see a group of people take a stand about something they feel is of more importance than just dollars and cents. These folks are essentially blowing the whistle on something a lot of people have known about for a long time but have been too frightened to say for fear of the wrath of Microsoft.

        While I absolutely agree with you that @Stake is just protecting their own interest, their action is proof of how far Microsoft has permeated the fabric of the IT business. Virtually every company in the industry has to be careful about criticizing (or even allowing an employee to criticize) Microsoft, for fear of retribution.

  • by catbutt (469582) on Thursday September 25, 2003 @11:13PM (#7060640)
    Well actually it was Computing Technology Industry Association, but they are funded by MS. The say "the report is flawed by "myopically looking to technology (i.e., 'bad' software OS) instead of addressing the underlying cause -- human behavior -- for cyber breaches." "

    So basically if humans just would stop being mean or stupid, there wouldn't be any problems.

    Isn't that sort of like blaming plane crashes on gravity? I mean, human nature is what it is. There will be virus writers, there will be people who don't always install the patches right away.

    What are they suggesting, that we try to change human nature? Genetically engineer better humans? How about they take human nature as a given (like gravity to an aeronautical engineer), and then fix the damn product?
  • by Karpe (1147) on Thursday September 25, 2003 @11:15PM (#7060655) Homepage
    I read that as "Author of Paper Clip of Microsoft is Fired". It sounded much more exciting.
  • by Dunedain (16942) on Thursday September 25, 2003 @11:16PM (#7060664) Homepage
    Thanks to Google's cache, this is Dr. Geer's bio from @stake. I had the opportunity to hear him speak once, and he sounded about as brilliant as the following description would make you think:

    Daniel E. Geer, Jr., Sc.D.

    Chief Technology Officer

    Daniel E. Geer, Jr., Sc.D. oversees the strategy and direction of @stake's approach to digital security. Over the last thirty years, Dr. Geer has led the application of technology in medical computing, distributed systems management, electronic commerce, and digital security. After fifteen years in the Harvard medical establishment, he variously served in senior leadership roles for MIT's groundbreaking Project Athena, Digital Equipment Corporation's External Research Program, Open Market, OpenVision Technologies (now Veritas), CertCo, and now @stake. His security consulting firm, Geer Zolot, was the first of its kind.

    An expert in modern security protocols and business metrics, Dr. Geer has been called upon to testify before Congress on multiple occasions. Dr. Geer speaks and publishes regularly on a range of issues in digital security; his November 1998 speech, "Risk Management is Where the Money Is," has been widely quoted, warranting both reprint as a special issue of the RISKS Digest and prompting editorial comment in Wired Magazine. His bibliography is deep and continuing, and with Avi Rubin and Marcus Ranum, he is co-author of The Web Security Sourcebook.

    He holds a Sc.D. in Biostatistics from Harvard University's School of Public Health as well as an S.B. in Electrical Engineering and Computer Science from MIT. His professional involvement includes a decade of leadership within USENIX, the advanced computing systems association, of which he is past president. He today serves as an advisor to the board of the Financial Services Information Sharing & Analysis Center (FS/ISAC) under the auspices of the US Dept. of the Treasury, as well as similar fiduciary and non-fiduciary roles for a select number of promising startups.
  • Wow, bonanza! (Score:5, Insightful)

    by mveloso (325617) on Thursday September 25, 2003 @11:16PM (#7060667)
    I'm sure the author can sue for unlawful termination. He might even get triple damages!

    Gotta love those @stake guys. Here's a relevant quote from their website:

    "@stake has assembled the best minds in digital security to help you understand and mitigate the security risks inherent in your business model, so that you can maximize the opportunity in front of you. We help you make the hard decisions about what matters most in your business, so that your security investment has the greatest impact. We work in the space where your business and technology meet, because we believe that this is where security is most powerful."

    Talk about blowing it out both ends. You can read their ethical [atstake.com] and guiding principles [atstake.com] as well.

    This is what l0pht has turned into?

  • by signe (64498) on Thursday September 25, 2003 @11:17PM (#7060680) Homepage
    If you sign an employment agreement, you'd better stick to it.

    In particular, you shouldn't publish a paper without running it by corporate communications first. You especially shouldn't publish a paper that might be critical of a partner or customer without doing this. You know why? Exactly. You get fired. For violating your employment agreement. If you don't agree with the things that you signed, you shouldn't have signed them. Hell, even if you have permission to publish the paper, you might want to think twice about publishing a paper which is critical of a rather large customer.

    When I worked at AOL, I tried to get some of the execs to realize that some of the employees could be a powerful force in the technical community to raise the image of the company. Just the ability to explain some of the things that weren't confidential, correct some of the misconceptions. It wouldn't be a magical transformation, but it would be an effort. And actually joining the community would be a big step. Peer review and PR oversight could both be used to help make sure that more incorrect information didn't go out, or that the wrong things didn't go out.

    Noone wanted to talk about it. My assumption is that noone I got to wanted to rock the boat, and noone responsible trusted the employees. It's too bad really. But even with something like that in place, this type of paper would never pass muster. Not through a peer review, and not through PR. You just don't criticize a large customer. Especially a customer with as much money as Microsoft.

    -Todd
    • by quacking duck (607555) on Thursday September 25, 2003 @11:32PM (#7060773)
      But even with something like that in place, this type of paper would never pass muster. Not through a peer review, and not through PR. You just don't criticize a large customer. Especially a customer with as much money as Microsoft.

      Perhaps this is why he didn't pass the paper through atStake's legal or communications department. He knew they'd never approve it, and they'd do everything to block them if they knew ahead of time that he and his associates were going to publish it. Better to get the message out in the open and risk being fired, than button up what you strongly believe is in the public's best interest.

      Do whistleblowers ask their organization's legal department for permission before calling the authorities?

  • This is why ... (Score:5, Insightful)

    by tessaiga (697968) on Thursday September 25, 2003 @11:18PM (#7060685)
    university professors are tenured. Speaking your mind on controversial topics can have hazardous consequences for your career.

    This really is something Greer should have seen coming. He published a highly critical, highly-publicized report bashing his consulting company's biggest client. Whether it is true or not is irrelevant; that the client was Microsoft is irrelevant -- replace "MS" with "Sun" or "Oracle" or any other company you like, and I bet his higher-ups still wouldn't be happy about it. You may not like who you work for, but it's not a good idea to bite the hand that feeds you.

    • by MickLinux (579158) on Friday September 26, 2003 @01:58AM (#7061516) Journal
      Look at the history of Virginia Commonwealth University. See that point where they were completely shut down? That's because they *were* firing their tenured professors, and in the end completely shutting down the university was all that the state could do to stop it. When they sent examiners to interview the professors about the situation, the president would not let them alone with the professors. Anyhow, the state discovered that they couldn't do anything except close the university and fire everyone.

      Jump over to James Madison University. It seems that the then president of the university was trying to force through academically impossible changes. [For example, teach upper-level calculus before basic calculus, "to give them a feel for it".] So one of the Physics professors came up with proof of tax fraud. At that point, the president fired the whole Physics department, because although he couldn't fire a tenured professor without cause, he could eliminate the need for the professor by abolishing Physics [impressive stupidity for a university with a medical program, but finding tax fraud was a real threat]. Eventually, the firing was rescinded, and the president retired, but the potential for tax fraud penalties was probably a slightly larger gun than tenure. Jump forward, same university, different president. The tenured professors' contract is the University Handbook; and the administration updated it, taking to itself all the rights of academic free speech, and making the contract unilaterally modifiable. My father caught this, and in the Faculty Senate pointed out that (1) this had no effect without Faculty Senate ratification, (2) they couldn't ratify it because unlaterally modifiable contracts are illegal,
      (3) they shouldn't ratify it, and (4) without ratification, they were working either on the old handbook (in which case the old handbook stood), or else without a contract, which implied no particular tenure protection, but also implied no protection for the univeristy against lawsuit.

      In the end, he got those clauses struck. But tenure really doesn't protect academic free speech too well.

      In reality, tenure and academic free speech were initiated by the university administrations for their own convenience. It seems that, all the time people were coming up and saying "I'll donate X million dollars, if you'll teach this or that." And the problem was that if they taught this or that, 2 other donors would say "I'm not donating any more, because you're teaching nonsense." If they declined, however, then the person who wanted to affect the curriculum would begin a publicity campaign against the administration, and it was a real mess. So the academic free speech became a way that the administration could say "sorry, it's against contracts we've already signed. It's impossible."

  • by slashdot_commentator (444053) on Thursday September 25, 2003 @11:20PM (#7060699) Journal

    Bruce Schneier, the chief technology officer for Counterpane Systems Inc., worked with Geer on the report. He said security experts contacted to help work on the report critical of Microsoft indicated their support but couldn't participate publicly. ``There is a huge chilling effect based on Microsoft's monopoly position,'' Schneier said. ``It's unfortunate that AtStake put its private agenda ahead of intellectual integrity.''

    Lets hope Bruce still has his job by the end of the week.

    • by bourne (539955) on Thursday September 25, 2003 @11:28PM (#7060750)

      Lets hope Bruce still has his job by the end of the week.

      As the founder [counterpane.com] of Counterpane, he's probably got a bit more say in his company. Also, @Stake has expanded a lot with VC, I think Counterpane has grown more... carefully.

      • @Stake has expanded a lot with VC

        I remember going to one of the MIT Fleas [mit.edu], back when l0pht became @stake, and they had a big van pulled up and were selling off their old junky equipment. Presumably they were buying more modern gear with all that VC. I bought a big brick of a hard drive from them. It had some nice mp3s on it (among other junk), and served me well until I sold it again at the flea, l0pht sticker and all.

        Anyway, hung on the side of the van was a big sign reading:

        L0PHT SELLS OUT

        Until

  • by Read Icculus (606527) on Thursday September 25, 2003 @11:21PM (#7060709)
    I was watching a US House of Reps "Worms and cyber security" subcommmitee on C-SPAN the other day. Testifying before the Congressmen were the following - Microsoft Corp senior security strategist Philip Reitinger, VeriSign VP Kenneth Silva, Lawrence Hale, director of the Federal Computer Incident Response Center, Christoper Wysopal consultant for @stake Inc, some other Russian security consultant, and a few other random folks.

    The chairman of the committee asked the Verisign PHB and the two consultants if there were any security benefits in running open-source software, and which was more secure, open or closed. I almost shat myself. Here was the perfect opportunity to hear some glowing reviews of open source. Instead the two consultants, who seemed decently knowledgeable, and long winded on all other issues merely said that there are flaws in all types of software, and they would "guess" that the frequency of security flaws were the same as for closed source. Although the guy from @stake did mention that the theory behind open source security was that "the more eyes, the better", he also countered it with noting that most users of open source wouldn't be able to fix the code when a vulnerability was found.

    That was it. No detailed explanation about anything. Just a brush off that was not quite as long as their testimony on why ipv6 wouldn't offer any extra security over ipv4. Luckily the Verisign bastard was there to add his two cents. To paraphrase him - "I would agree with their, (the consultants) testimony, but I would like to add that often the people who write open source software are not professionals". Then he took another shot mentioning "that often worms affect open-source software too". Often... I wonder what he considers "often". How can he even trot out the word "often" to describe the frequency of worms that affect open-source software when there are millions of Windows boxes that are constantly being hit by worms. He then added - "We must resist the temptation to demonize software vendors and other members of the network community. The finger pointing is often misplaced and in most cases does more harm than good." It was quite the interesting hearing, and gives me a bit of insight into what kind of info our Government is getting about open source.
  • by ljavelin (41345) on Thursday September 25, 2003 @11:22PM (#7060712)
    As many, many researchers know, this is why so much commercial research is flawed - there are too many strong influences out there that taint the data.

    This is the first overt firing that I've heard of in the IT industry, but I'm sure there have been thousands that we just never heard of.

    Just think of those poor researchers at the cigarette companies - you know, the ones where if you found that there was a link between cigarettes and cancer, well, you must be fired.

    Or the researchers for pharmacuticals... where if you find that drug X doesn't help cure Y, then you shouldn't expect any grant money next year. Yeah, not fired, but certainly the same net result.

    The fact is that research SHOULD be independent. I don't know or care if this guy's paper was right or wrong. But it should be the research community, not MBAs, who decide the quality of research. Period.

    I think that firing this guy due to his research is wrong. It looks like he was fired for financial relationship reasons, not because his study was consistently rejected by the research community. Should his employers be considered biased? As a potential customer, should I trust this company? If they are motivated more by their relationship with microsoft versus upholding the truth, I'll never recommend anyone to do business with them. And it looks like they are, and so I'll make sure they're scratched off the list.
    • by the gnat (153162)
      Or the researchers for pharmacuticals... where if you find that drug X doesn't help cure Y, then you shouldn't expect any grant money next year. Yeah, not fired, but certainly the same net result.

      That's not exactly fair. The pharmaceuticals would prefer to find out about these things from their own people, as quickly as possible. The entire FDA approval process is essentially designed to eliminate drugs from the pipeline before they reach the market. I've seen many pharmaceutical scientists speak about
    • by jpetts (208163) on Friday September 26, 2003 @12:31AM (#7061139)
      Or the researchers for pharmacuticals... where if you find that drug X doesn't help cure Y, then you shouldn't expect any grant money next year. Yeah, not fired, but certainly the same net result.

      Can't let this go. I'm afraid this is utter crap. I've been in the pharma industry for nearly two decades, and I can assure you it doesn't work this way in the slightest. There are many, many cases of promising potential drugs getting canned each year in just about all but the smallest pharma company. I have never seen or heard about anybody's career being harmed by serendipitous failure. Hell, the company I work for was doing work around PDE V inhibitors about 15 years ago, and we got really close to sildenafil (Viagra), but stopped work in the area. Nobody got canned or carpeted or anything. It just happens. This year already we've had two major compounds drop out of development. Sure, people get pissed off, but so what? That's the way pharma works.

      Pharma research just doesn't work in the way you describe. Sorry, but your comment is -1, Bullshit
  • by bourne (539955) on Thursday September 25, 2003 @11:23PM (#7060726)
    "[employees] agree to: Issue public statements, advisories, and the like only in an objective, fact-based and truthful manner while in the course of our job responsibilities." [atstake.com]

    Interesting. Does that mean that employees should only issue statements in the course of their job responsibilities? Or that job statements must be objective, fact-based and truthful but personal statements can be whatever they want? This latter interpretation seems to conflict with their action.

    I don't think Dan Geer will have trouble finding a new job. However, it is an interesting reflection of what @Stake has become. Look at their management team [atstake.com]. Looks awfully VC to me.

  • by slashdot_commentator (444053) on Thursday September 25, 2003 @11:30PM (#7060761) Journal

    Leave it to the Mercury News to report with more sordid details [siliconvalley.com].

    What caught my eye...

    The CCIA trade group also ran into trouble Thursday when it sought to send a paid announcement about its critical Microsoft report to 140,000 subscribers of popular trade magazines for chief security officers and chief information officers.

    The publisher for CIO and CSO magazines, CXO Media Inc., offers such announcements ``to target a specific market segment of our audience by designing a list of prospects for direct mail and e-mail purposes.''

    But in this case, the subject was too touchy.

    ``We find it is too sensitive of material to send out. I'm sorry to be the bearer of bad news, but I have to deny your request,'' according to an e-mail from the publisher obtained by The Associated Press.

    ``We need to try to provide some balance on these issues, and this seemed a little one-sided,'' CXO spokeswoman Karen Fogerty said.

    Sheesh! The mags won't even report this story if you pay them!

    ---

    Fight the Power!

  • @stake == l0pht? (Score:5, Informative)

    by autopr0n (534291) on Thursday September 25, 2003 @11:42PM (#7060848) Homepage Journal
    Wasn't @stake the security company that grew out of the l0pht? Or am I on crack?
  • by Ridgelift (228977) on Friday September 26, 2003 @12:00AM (#7060964)
    "Participation in and release of the report was not sanctioned by @Stake," the security and consulting company said. "The values and opinions of the report are not in line with @Stake's views."

    What?! What exactly wasn't true about what was said?

    Quote: Daniel Geer "As fast as the world's computing infrastructure is growing, vulnerability to attack is growing faster still"

    Quote: Daniel Geer "Microsoft's attempts to tightly integrate myriad applications with its operating system have significantly contributed to excessive complexity and vulnerability. This deterioration of security compounds when nearly all computers rely on a single operating system subject to the same vulnerabilities the world over"

    Quote: Ed Black "Microsoft's monopoly threatens consumers in a number of ways, it it's clear it is now also a threat to our security, our safety, and even our national security."

    Quote: Bruce Schneier "The problem is that of monoculture. As long as all computers are running the same OS, they're all vulnerable."

    If @stake is saying they don't agree with these statements, then their credibility as a security company is seriously in question. It's one thing to say they fired someone for violating professional protocol, it's quite another to terminate them because what they said was incorrect.

    Everything said by Geer, Black and Schneier is correct. What does @stake not agree with?
  • by SkewlD00d (314017) on Friday September 26, 2003 @12:06AM (#7061001)
    @stake, eeye, and iss have all agreed w/ microsoft not to release details of even potential exploits until the microsoft has had 30 days to "evaluate" them, leaving admins and the public unnecessarily exposed to vulnerabilities. This is completely unacceptable, and contrary to the scientific peer-review process of real science. If you know there's a problem, you speak out, suggest a fix, and hopefully the appropriate parties will be responsible enough to take action. Additionally, others have to be able to VERIFY and REPRODUCE findings, a critical part of *real* research. But microsoft's tactic is to force so-called security "research" companies (who are in it for money, not necessarily for altruistic research or making things more secure) into a lop-sided, biases "standards" NGO, the "Organization for Internet Safety" (OIS), which Microsoft is a member [oisafety.org]. (read this [securityfocus.com]). What they are proposing is censorship, hiding information until they can find a fix, so that only the hackers will know what's broken. Talk about the fox guarding the hen-house!!!

    Additionally, the director of research for @stake, Chris Wysopal, is effectively lobbying congress [atstake.com] to give teeth to the OIS, and more power to microsoft and their buddies.

    OIS = @stake, BindView, SCO, Foundstone, Guardent, ISS, Microsoft, NAI, Oracle, SGI, Symantec. sounds like the stone cutter's guild to me.

    Eeye seems to be left out for obvious reasons, they oppose this secretive "research." Read eeye's Marc Maiffret's (chief hacking officer) thoughts on things to a congressional subcommittee here [eeye.com].

    "windows corrupts, microsoft corrupts absolutely."
    • @stake, eeye, and iss have all agreed w/ microsoft not to release details of even potential exploits until the microsoft has had 30 days to "evaluate" them, leaving admins and the public unnecessarily exposed to vulnerabilities. This is completely unacceptable, and contrary to the scientific peer-review process of real science.

      What an idiotic thing to say. Most legitimate security researchers give any company an agreed upon period of time before making public an exploitable security hole. Many times,

  • by The Infamous TommyD (21616) on Friday September 26, 2003 @12:07AM (#7061006)
    For him to be canned over this report (which is excellent by the way), is awful. Other heavy hitters in infosec also collaborated on this report e.g. Schneier, Becky Bace, and Charles Pfleeger.

    It's not so much that @stake doesn't have the right to fire him, but rather that it's a pity that they can't stand up to the truth. Not that corporations are known for their honor anyway. I would not trust a @stake with my business at this point-what's next? MS buying them into using their clearly superior security products?!
  • Its sad that @Stake would be so scared of Microsoft to fire someone for telling the truth.

    I'm sure that some other company will be perfectly happy to snatch him right up, partly as a slap in the face to Microsoft and because he can obviously provide some valuable information about the security risks involved with Windows now and in the future.

    Maybe even the CCIA might snatch him up? Personally, I think they owe it to him.
  • by HBI (604924) <kparadine AT gmail DOT com> on Friday September 26, 2003 @12:13AM (#7061049) Homepage Journal
    @stake has demonstrated that nothing, absolutely nothing, will get in the way of satisfying their clients. While this is admirable from a capitalist viewpoint, how much do you trust any information that they disseminate?

    Thought so.

    Tarring yourself as a Microsoft shill might be good for the bottom line but I doubt @stake's long term viability was helped by this move. Particularly since the point that Mr. Geer was making is patently obvious to anyone with a clue.

    I'm sure going to tune out anything they say in the future.
  • by MickLinux (579158) on Friday September 26, 2003 @01:26AM (#7061411) Journal
    Simple point here: whether or not @stake is involved in a conspiracy, @stake clearly considers themselves to be a advertising/publicity agent of Microsoft.

    @Stake clearly does not consider themselves to be a news organization, or a news clearing house.

    That said, they should, in the future, be held to the standards of advertising agents, with all the benefits of such -- not news agents with their benefits.

    Therefore, if they want to come in to cover a software convention, by all means let them [but at full price: no media pass]. If they want to claim first Amendment right to speech, they can, within the bounds and with the protections set by our government for advertisers. Not within the bounds and with the protections set by our government for news media.

    I don't see a reason to apply conspiracy here; just treat them as what they consider themselves to be.
  • His job? (Score:3, Funny)

    by tconnors (91126) on Friday September 26, 2003 @02:00AM (#7061522) Homepage Journal
    So, it looks like his job was @stake?

    Sigh.
  • by miffo.swe (547642) <daniel,hedblom&gmail,com> on Friday September 26, 2003 @02:16AM (#7061567) Homepage Journal
    Daniel E. Geer Jr must have really hit a sensitive area of Microsoft. Its really sad to see them so unwilling to realize that the report isnt a hit on MS but more about monoculture in the internet. Monoculture is bad, ask any biologist and hell tell you why. Diversity is much better but it demands open standards and interopability, something Microsoft have been successfully avoiding since day one.
  • by alizard (107678) <alizard AT ecis DOT com> on Friday September 26, 2003 @02:37AM (#7061624) Homepage
    @Stake just blew off a big chunk of their credibility. Is there anybody around here who was thinking about hiring them who hasn't changed their minds yet?

    If they want MS as their sole client, that's one thing.

    Their publically firing a whistleblower for being part of a group writing a negative article about MS software tells me that @stake can never be trusted again in any statement they make about MS software, operating systems, or security procedures. So what's the upside for a non-MS client to hire them?

    Is anybody left at @stake from the old l0pht days?

  • by hackus (159037) on Friday September 26, 2003 @04:54AM (#7062001) Homepage
    I hate to be a rant...but I can't help myself. :-)

    Ethics is going down the tubes. An example, I think was the investment community in the U.S.

    If you watch the media, you have this over all impression, well, Enron was just a fluke, they had poor accounting.

    But if you read the papers, this fluke, is being practiced by 100's of companies, all screwing over their investors like cheap whores on a Dutch street corner.

    I hate to point this out, but these Ivy league trained people were taught and are taught that this is just ducky. How can it not be with so many companies screwing you on a daily basis.

    It can't be a fluke when everyone is doing it.

    Fluke? I think not, but you decide.

    It has become ethical to do business unethically and it is proudly taught that way in our so called finest Universities.

    If anyone has any money in US retirement investment funds, when they retire 30-40 years from now, I will be really amazed.

    If you are an investor, and you are investing in US companies for retirement, you my friend are a sucker.

    Same thing is happening here. Microsoft is not an innovative company, it buys companies.

    They do not write good software and if you are stupid enough to buy Microsoft Press books written by PhD's who claim they even have a clue about good Software Engineering principles, you are just another duped "investor".

    I would like to point out that Microsoft is one of the largest employers of Computer Science PhD's in the country.

    As an example, one must ask this question after looking at these Software Engineering practices books that Microsoft Press publishes as oxymoronic.

    My reasoning is as follows:

    Exhibit A: Microsoft hires more PhD computer scientists than even IBM has to work on the secure initiative for 2000 and XP. Building and rebuilding the entire OS 2000, and then again with XP, from scratch, at a estimated cost of 2.8 billion dollars.

    Exhibit B: A 18 year old in Minnesota, a 16 year old in Malaysia, and a 21 year old in Russia. All with WAY too much time on their hands, with NO source code, find more security holes in 2000, XP than you can possibly say "Code 'in'-Complete" in that past 14 months.

    Exhibit C: A University student, in Finland builds a new operating system kernel called Linux, and in just 8 years it is being worked on by almost no PhD's and many testors and code contributors are in their early 20's or teens, and is far more capable than windows, 1.8 billion dollars later.

    Is Linux just another Enron? Fluke?

    My point is that the way we are being taught code in this country is not the way code should be written. Even if you have a PhD, its business as usual dogma, just like our MBA friends.

    Is it a fluke that the best code being written is not through institutionalized learning in this country?

    What do these exhibits tell us about our country in general, with regards to ethics?

    It doesn't take a rocket scientist to figure out what is going on here.

    Fluke?

    I think not, but you decide.

    -Hack
  • by Uninvited Guest (237316) on Friday September 26, 2003 @08:22AM (#7062603)
    Microsoft hired @stake to improve security in Windows. In order to improve security (or most anything), you have to recognize what is wrong with that security. @stake just fired someone for publishing independent research related to what @stake paid this person to do: be critical of Microsoft Windows security. This firing leads me to believe that @stake wants it's employees to be critical --but not too critical-- of Windows. And while @stake can surely find people to fill this mediocre requirement, they probably won't find the "best" people. Indeed, there might be a quiet exodus of talent from @stake after this, and @stake might have trouble naming a replacement CTO that has the same level of competence in Windows security. Perhaps, an Anonymous Coward from @stake will update us on the chilling effects, if any, inside the company.
  • by spacerog (692065) <spacerogNO@SPAMspacerogue.net> on Friday September 26, 2003 @08:33AM (#7062644) Homepage Journal

    Sure wish I had seen this earlier instead of 300+ replies later. Oh well, I guess thats what happens when you stick your head inside a Hobbit hole for three years and don't come out.

    I feel I must reitterate L0phT =! @stake. Please do not confuse what I consider to be the good work of the L0pht with the corporate nonense that is @stake.

    As for Dan and everyone else that works there they should have seen the writing on the wall three years ago when they fired my poor ass. Remember me, Space Rogue? HNN? All Gone. Why? I can only speculate but I think they felt that a critical mouthpiece would not be a good thing. Sound familiar? Hard to get someone to sign a big contract if you might call them names the next day.

    Dan is a remarkable person. His mind works like no other person I have ever met. Don't feel sorry for him. Trust me, he is in a better place now.

    Microsoft has continued its embrace, extend and I assume, extinguish policy with regards to information security. How? By hiring several of the people who were critical of the organization. Yes, that means previous @stake, Guardent, Foundstone, etc employees. That also means hackers, all who now work for the Giant in Redmond. Keep your enemies close. What better way to silence your critics than to hire them. Then you can keep them silent until they no longer pose a threat and dispose of them quietly at a later time when no one is looking.

    Oh well, life goes on, the Internet is as insecure as ever, companies are still able to hide thier vulnerability, risks are not taken seriously and hackers still roam free. Nothing has changed, and nothing will until such time that people stop trusting everything that is spoon feed by anyone looking to make a buck. Yeah, I'm cynical. Sue me.

    - SR

  • by twisty (179219) on Friday September 26, 2003 @08:50AM (#7062745) Homepage Journal
    I was the IT Specialist of The divisional headquarters of The Salvation Army in Cincinnati - the 'go to' guy for half of Ohio and Norther Kentucky. I was one of the 30,000+ people sending letters to the DoJ regarding Microsoft's anticompetitive pratices. (I shared account of how they tried charging us twice for Office licenses.)

    Three months later, I had a four day vacation and when I came back, the locks on my office were changed and my personal contents were cleaned out. They gave me a "farewell interview" to express that their sole reason for firing me was "dissatisfactory performance," which is all their employment policy required. My ten year career with them was over, they would not give me opportunity to defend myself, and they wouldn't give me severance or unemployment.

    (The Salvation Army, as a church, is not required by Ohio law to pay into unemployment. Compounded with losing my pension settlement for three months, I spent those months at zero income.)

    I found out over a year later that Microsoft was behind it... It wasn't a local decision at all, but was enforced by Paul Kelly, IT Director of New York's Territorial HQ, along with policy banning Linux in our ten state territory! Paul normally has no direct dealings with me on the divisional level, but a contact in New York revealed how pivotal Paul considered me in that contraversy.

    I haven't pulled together the witnesses and evidence to prove this in court, but the commonly held opinion is that Paul got the call from Microsoft which says "get rid of the problem, or we'll audit your business licenses."

    So it seems The Salvation Army, a church, is also a wholy owned and operated subsidiary of Bill Gate's Evil Empire(tm).

    Joel 'Twisty' Nye, MCSA, Linux+
  • by mormop (415983) on Friday September 26, 2003 @09:04AM (#7062833)
    All this does is shoots down @stake's credibility.

    Anyone with half brain will realise that running an entire network on a single OS is asking for it. This is why buildings don't tend to have the same key for every lock and the burglar alarm and keep skeleton keys well guarded. If this were the case, someone drops the key in the car park and whoever finds it has free reign and oh boy, the joy of the discovering that it opens every desk, filing cabinet and safe as well.

    The headline was that a singular reliance on Windows is a bad thing and I can't see that this argument is flawed. For @stake to sack someone for daring to state the obvious is laughable and makes them look stupid in the same way that Microsoft always looked stupid when they'd claim that there were no reliability issues in Windows despite the fact that even the non-techiest people in an office could tell you what BSOD stands for.

    If anyone at MS is thinking that this is a good thing then they should consider that many people watching have already, based on their previous record of dubious behaviour, put this down to their intervention. Whether it's true of not is irrelevant, it just seems most likely.

...when fits of creativity run strong, more than one programmer or writer has been known to abandon the desktop for the more spacious floor. - Fred Brooks, Jr.

Working...