Author of Paper Critical of Microsoft is Fired
chongo writes "Daniel E. Geer Jr., one of the primary authors of a report, Reliance On MS A Danger To National Security, was fired from @stake Thursday morning. @stake said that 'The values and opinions of the report are not in line with @stake's views' and that Geer's participation was 'not sanctioned.' Microsoft, who has worked closely with @stake in the past, denied that it was involved in @stake's decision to fire Dan." There might not be anything fishy going on at all, but that's no reason to stop making perfectly good conspiracy theories.
SCO acquires a new business partner - GNAA (Score:-1, Informative)
Darl here, with another fine Fr1st P0st. After all -- SCO did everything first, and the rest of the responses to this story will owe their heritage to a foundation built on SCO's staff of talented programmers.
You may be wondering why SCO salesmen are not answering your numerous calls while you try to order more SCO licenses. Well, we aren't answering the phones because we're too busy celebrating our newest business partner. Rather than explaining it myself, I'll let our formal press release do the talking. Take it away, Mr. Reuters...
LINDON, Utah, Sept. 8/PRNewswire - FirstCall/ -- The SCO Group, Inc. (Nasdaq: SCOX [yahoo.com] - News [yahoo.com]), the owner and licensor of the core UNIX operating system source code, today announced its second Fortune 500 client for the SCO Linux IP license, the GNAA (Nasdaq: RHAT [yahoo.com] - News [yahoo.com]), developer of fine Slashdot trolls on irc.efnet.net #GNAA, also well-known for revolutionizing small business development with its "Step 2: ??????" profit model. The availability of the SCO Intellectual Property License for Linux affords Linux deployments to come into compliance with international law for the use of all 2.4 and future kernels. The run-time license permits the use of SCO's intellectual property, in binary form only, as contained in Linux distributions.
By purchasing a SCO Intellectual Property License, customers avoid infringement of SCO's intellectual property rights in Linux 2.4 and Linux 2.5 kernels and assure Darl financial security for the purchase of his second home. Because the SCO license authorizes run-time use only, customers also comply with the General Public License, under which Linux is distributed. Source may still be distributed under the terms of the GPL, however source distributors are held accountable for all violation of SCO's IP. Indemnification is provided for customers of runtime clients only. Read that twice, dirty hippy. You're not in the clear yet.
GNAA spokesperson penisbird said of the licensure, "coming into compliance affords us a new competitive advantage with the other Slashdot authors. By being in the right, we can thumb down our noses at not only the Windows users and the BSD-thieving Mac Users, but also the unwashed Linux hippies running stolen code on their parents' PCs." VP of anus enlargement goat-see added, "fr1st p0st? damn i miss. how do i next story?"
Mr. Darl McBride concurred with GNAA's analysis, adding "We soon hope to convince additional clients such as Trollklore and Cabal of Logged In Trolls of the benefits of licensing SCO's valuable IP. Also, I <3 GNAA bunny. (@.@)" JesuitX clarified the nature of the SCO and GNAA alliance, adding "We're more than just a licensing client. We're also going to be helping to bring these other potential licensors into compliance. We can break them in little by little as paying sublicensors. The alternative is pretty horrible. Our lawyers can take a reticent client from virgin to hello.jpg [figure 2 [yahoo.com]] in under an hour, and believe me -- it is not pleasant."
Commander Taco was unavailable for comment, however Cowboy Kneel was said to ask for a print of [figure 2] for his basement apartment. Simoniker remained British and unable to spell "color," while Timothy responded by posting the same story six times, and Hemos reposted a seventh time, the submission differing only from his application of that damned Einstein icon.
If you have mod points and would like to support GNAA, please moderate this post up.
Whither l0pht Heavy Industries? (Score:2, Informative)
This is the same @stake that was formed from the l0pht heavy industries (www.l0pht.com) of old. Says itsecurity.com's Computer Security Dictionary of l0pht:
L0pht Heavy Industries
"A Boston-based group of hackers interested in free information distribution, finding alternatives to the Internet and testing the security of various products. Their web site houses the archives of the Whacked Mac Archives, Black Crawling Systems, Dr. Who's Radiophone, the Cult of the Dead Cow, and others. Current membership includes Mudge, Space Rogue, Brian Oblivion, Kingpin, Weld Pond, Tan, Stefan von Neumann and Megan A. Haquer. They can be reached at info@l0pht.com and maintain a web site at http://www.l0pht.com."
Hacker's Encyclopedia, by Logik Bomb (FOA), http://www.xmission.com/~ryder/hack.html, (1997- Revised Second Edition)
I wonder if good old mudge still works there? It's amazing what a little money'll do, eh?
Re:Can they do that? (Score:2, Informative)
There is a concept known as "at-will employment", which basically states
ObDisclaimer: IITGNAL (I Am, Thank Gawd, Not A Lawyer), this does not constitute legal advice, yada-yada-yada....
ObLinkage: Google [google.com] is your friend.
Re:More CTO openings at security consultancies...? (Score:5, Informative)
Let's hope Bruce still has his job by the end of the week.
As the founder [counterpane.com] of Counterpane, he's probably got a bit more say in his company. Also, @Stake has expanded a lot with VC, I think Counterpane has grown more... carefully.
Re:Can they do that? (Score:3, Informative)
IANAL, but a quick search for 'work-at-will' via Google produced links by people who are, which explain a little about work-at-will and also how some litigation has made work-at-will a little less 'you can be fired whenever for whatever reason'. But in general, you have less protection as an at-will employee than you might otherwise, and most employment contracts are work-at-will. So they likely could indeed fire him, though he might have grounds to challenge his dismissal.
One example:
http://writ.news.findlaw.com/grossman/20010911.ht
Re:He wrote it as if it was on @Stake's behalf (Score:5, Informative)
When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes you represent your company. It's not like being a prof at MIT. Nobody would assume a prof officially represents the stance of a university. But companies are a different world. Bruce represents Counterpane when he does those sorts of publications, and Dan damned well should have known he'd be representing @Stake when he repeatedly listed the affiliation.
Re:Researchers beware! (Score:3, Informative)
That's not exactly fair. The pharmaceuticals would prefer to find out about these things from their own people, as quickly as possible. The entire FDA approval process is essentially designed to eliminate drugs from the pipeline before they reach the market. I've seen many pharmaceutical scientists speak about drug development, and they've all emphasized their efforts to rule out as many drugs as possible even before Phase I trials. It costs a shitload if they make it to Phase III before discovering that their drug is crap.
Now, once a drug has actually been released, it's much worse for the company to find that it's ineffective. However, it's still much better for them if one of their own people finds out, because if they don't, someone else will sooner or later. They'll lose money in the short term, but they'll probably save far more in the long run, and they'll definitely look better. Hopefully they can even avoid the class action lawsuit entirely.
As far as I'm aware, the problem (well, one of them) with drug companies is generally not that they push drugs they know to be ineffective, but rather that they push drugs that genuinely are effective on people that don't need them. A huge number of mood-altering pharmaceuticals fall into this category; I refer you to the South Park episode about Ritalin for details.
Just a clarification - pharma researchers do not get grants; they have contracts. A corporation would not keep an expensive PhD biochemist on staff while discontinuing his research. Some academics do get pharmaceutical grants, but not many, and they almost always have other sources of funding which are completely unconnected.
Re:He wrote it as if it was on @Stake's behalf (Score:5, Informative)
The report states clearly on the first page that "Our conclusions have now been confirmed and amplified by the appearance of this important report by leading authorities in the field of cybersecurity: Dan Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, John S. Quarterman, Charles Pfleeger, and Bruce Schneier. CCIA and the report's authors have arrived at their conclusions independently. The views of the authors are their views and theirs alone."
Note that there are no company affiliations in that list, or on the front cover of the report, and that they clearly say that they're speaking as individuals, not as company representatives. The authors do list their current titles and employers in their bios and on the "authors of the report" page, in order to establish their credibility (and that's a lot of credibility), but clearly don't speak for their employers.
Given that the document expresses the mainstream of security industry thinking, I'm a little amazed that this is even "news" much less something to fire someone over. Does any security professional think that a software monoculture is a good idea, or that Microsoft actually has security as its top priority (as opposed to market share or profitability)?
If we're to be serious about addressing vulnerabilities in our software infrastructure, we have to be willing to discuss these issues honestly, without self-censoring out of fear of stating the obvious when it's inconvenient.
Re:@stake == l0pht? (Score:2, Informative)
Dan Geer was the technical lynchpin of @stake. I think they just slit their own wrists to keep their clients or potential clients happy. Sounds typical for the security industry.
Another good article -- Washington Post (Score:2, Informative)
According to the Washington Post, Lona Therrien, the @Stake spokesperson, "said the company had no conversations with Microsoft about Geer or the report."
However (same article), Sean Sundwell of @Stake said that on Tuesday night, when notice of the report's pending release was circulated, "Microsoft was contacted by @Stake officials . . . expressing their disappointment in the report and saying that Dan Geer's opinion did not reflect the position of @Stake and its commitment to an ongoing relationship with Microsoft."
So... which is it? Did they discuss the report directly with Microsoft or not??
Mmm hmmm. And it doesn't work all that great. (Score:4, Informative)
Jump over to James Madison University. It seems that the then president of the university was trying to force through academically impossible changes. [For example, teach upper-level calculus before basic calculus, "to give them a feel for it".] So one of the Physics professors came up with proof of tax fraud. At that point, the president fired the whole Physics department, because although he couldn't fire a tenured professor without cause, he could eliminate the need for the professor by abolishing Physics [impressive stupidity for a university with a medical program, but finding tax fraud was a real threat]. Eventually, the firing was rescinded, and the president retired, but the potential for tax fraud penalties was probably a slightly larger gun than tenure. Jump forward, same university, different president. The tenured professors' contract is the University Handbook; and the administration updated it, taking to itself all the rights of academic free speech, and making the contract unilaterally modifiable. My father caught this, and in the Faculty Senate pointed out that (1) this had no effect without Faculty Senate ratification, (2) they couldn't ratify it because unilaterally modifiable contracts are illegal, (3) they shouldn't ratify it, and (4) without ratification, they were working either on the old handbook (in which case the old handbook stood), or else without a contract, which implied no particular tenure protection, but also implied no protection for the university against lawsuit.
In the end, he got those clauses struck. But tenure really doesn't protect academic free speech too well.
In reality, tenure and academic free speech were initiated by the university administrations for their own convenience. It seems that, all the time people were coming up and saying "I'll donate X million dollars, if you'll teach this or that." And the problem was that if they taught this or that, 2 other donors would say "I'm not donating any more, because you're teaching nonsense." If they declined, however, then the person who wanted to affect the curriculum would begin a publicity campaign against the administration, and it was a real mess. So the academic free speech became a way that the administration could say "sorry, it's against contracts we've already signed. It's impossible."
Re:Can they do that? (Score:3, Informative)
Uh... if he was fired, and nobody else was, then he was pretty clearly discriminated against. Why the heck doesn't anybody understand what "discrimination" is? (separation according to characteristics of each individual).
Only some forms of discrimination are illegal. The law says words to the effect of "You may not discriminate on the basis of , , or ". That's it.
You're perfectly allowed to discriminate on the basis of how smart people are, or how bad they smell, or whether they understand the language they are trying to use. Just not by race or religion, usually, and even then only in matters of real estate and employment.
Re:@stake == l0pht? (Score:4, Informative)
They became the "research and development" division of @stake apparently...
here is the link to an archived press release talking about the merger:
http://www.xent.com/FoRK-archive/jan00/0035.html [xent.com]
From what happened to Dr. Geer we can see that the spirit of the L0pht is really gone now.
This looks like a disclaimer to me (Score:3, Informative)
From p.3 of the report:
Unless they modified the report after it was first posted? The version I'm looking at says modified 24/09/2003, 7:03 EST
Re:Can they do that? (Score:3, Informative)
In a capitalist economy, the only thing that matters is capital - the buying and selling of goods and/or services. Access to votes is just another service. So is access to voters, for that matter. And as we see a lot these days, accurate information is a valuable commodity. Therefore, not everyone has access to it, which means that a company who controls access to information can manipulate markets. The ability to manipulate markets is just another commodity to be bought and sold on the open market.
They Already Did That (Score:3, Informative)
Why use Fox News as a hypothetical example, when that did happen... to Bob Zelnick of ABC News, for writing a book about (then) Vice President Al Gore. [junkscience.com]
FYI: Rupert Murdoch, who owns Fox News Channel, also owns Harper Collins, which publishes books by authors like Michael Moore [harpercollins.com].
Demonstrating one's cluelessness (Score:3, Informative)
> @stake, eeye, and iss have all agreed w/ microsoft not to release details of even potential exploits until microsoft has had 30 days to "evaluate" them, leaving admins and the public unnecessarily exposed to vulnerabilities. This is completely unacceptable, and contrary to the scientific peer-review process of real science.
What an idiotic thing to say. Most legitimate security researchers give any company an agreed upon period of time before making public an exploitable security hole. Many times, this period is longer than a month. This allows a company time to create and distribute a patch against the hole. No legitimate researcher wants the internet to melt down or information compromised in the desire to rush to make a statement.
In professional ("real") scientific circles, there might not be a built-in delay before disseminating information, but you certainly jeopardize your career if you state anything in your publication that might be quickly interpreted as incorrect. (Just ask Pons & Fleischmann.) Many scientists will delay publication of information to be dead certain of their facts, and there can be a year of delay before a scientific journal will publish the information. (This is part of the peer review process.)
Microsoft may engage in egregious policies concerning disclosure of security vulnerabilities (but none that I'm immediately aware of), but requesting a researcher to delay public announcement before evaluating and producing a security patch is not one of them.
Re:Rough Translation (Score:3, Informative)
> > It's a sad state of affairs, but not surprising. It's been a long time since the "CIFS is caca" paper...
> CIFS=Common Internet File System. This is a reference to the security flaws highlighted by Hobbit (from memory it was defcon 5, back in 1997) in the microsoft SMB (windows networking) products.
You're correct on which defcon, but I'd like to remind you that mudge and *hobbit* stood up there together. I was saddened to see how quickly mudge compromised his principles for cash. I have nothing but respect for *hobbit*, who has retained his.
> > and I lost respect for the l0pht back when *hobbit* was edged out. Mudge became "Dr. Mudge" (as if), and they all started running after the limelight. Sad, really. The Hacker News Network is long gone, and mudge is Pieter. It sucks for Dan, but it's just more of the same for the rest of us.
> L0pht Heavy Industries (creators of the L0phtcrack suite and Pwdump that allowed brute force cracking of Windows NT users/passwords) went through a period of internal discontent. I cannot provide any details on this.
It was more than just a bit of internal discontent. I'd say it was a basic separation into two camps; the old school hackers, and the group that felt it would be good to take advantage of the notoriety, and cash in. The original Back Orifice product was written by cult of the dead cow, and only ran on windows 95/98. It was a (soon to be) member of the l0pht that rewrote it to work on win NT. L0phtcrack was not the only thing interesting that came out of that group. Wish I'd made a mirror of the old site. There was plenty of MS bashing.
> > It takes a lot of nerve for Chris Wysopal to issue his little statement. Weld Pond would never have said something like that. Man, it's been a long path from BO2K to appeasing Microsoft. What a long, strange trip it's been. Sigh.
> I have to admit this part has me stumped. I assume he means that Chris Wysopal of @stake would answer differently to Weld Pond of Lopht. Since they are one and the same person I assume he means to highlight the change over time in Chris's opinions/loyalties... not really surprising in the context of articles like this (para. headed Who's Who).
Yeah, I was perfectly aware that Weld Pond == Chris Wysopal. The comment was expressing my sadness at just how much he's changed. Thanks for the link to the Register, I'd forgotten that article. That grouping never came off, BTW, but there's still the pay early version of CERT that doesn't much make me happy.
> It has indeed been a long and strange trip... no end in sight yet.
Re:@stake actions double plus ungood! (Score:3, Informative)
If you are going to start a conspiracy theory, at least make one that stands up to a little bit of reason. Or not so easily discoverable by the public.
frob