Microsoft Security

Author of Paper Critical of Microsoft is Fired

chongo writes "Daniel E. Geer Jr., one of the primary authors of a report Reliance On MS A Danger To National Security, was fired from @stake Thursday morning. @stake said that 'The values and opinions of the report are not in line with @stake's views' and that Geer's participation was 'not sanctioned.' Microsoft, which has worked closely with @stake in the past, denied that it was involved in @stake's decision to fire Dan." There might not be anything fishy going on at all, but that's no reason to stop making perfectly good conspiracy theories.
  • by Anonymous Coward on Thursday September 25, 2003 @11:03PM (#7060555)

    Darl here, with another fine Fr1st P0st. After all -- SCO did everything first, and the rest of the responses to this story will owe their heritage to a foundation built on SCO's staff of talented programmers.

    You may be wondering why SCO salesmen are not answering your numerous calls while you try to order more SCO licenses. Well, we aren't answering the phones because we're too busy celebrating our newest business partner. Rather than explaining it myself, I'll let our formal press release do the talking. Take it away, Mr. Reuters...

    LINDON, Utah, Sept. 8/PRNewswire - FirstCall/ -- The SCO Group, Inc. (Nasdaq: SCOX [yahoo.com] - News [yahoo.com]), the owner and licensor of the core UNIX operating system source code, today announced its second Fortune 500 client for the SCO Linux IP license, the GNAA (Nasdaq: RHAT [yahoo.com] - News [yahoo.com]), developer of fine Slashdot trolls on irc.efnet.net #GNAA, also well-known for revolutionizing small business development with its "Step 2: ??????" profit model. The availability of the SCO Intellectual Property License for Linux affords Linux deployments to come into compliance with international law for the use of all 2.4 and future kernels. The run-time license permits the use of SCO's intellectual property, in binary form only, as contained in Linux distributions.

    By purchasing a SCO Intellectual Property License, customers avoid infringement of SCO's intellectual property rights in Linux 2.4 and Linux 2.5 kernels and assure Darl financial security for the purchase of his second home. Because the SCO license authorizes run-time use only, customers also comply with the General Public License, under which Linux is distributed. Source may still be distributed under the terms of the GPL, however source distributors are held accountable for all violation of SCO's IP. Indemnification is provided for customers of runtime clients only. Read that twice, dirty hippy. You're not in the clear yet.

    GNAA spokesperson penisbird said of the licensure, "coming into compliance affords us a new competitive advantage with the other Slashdot authors. By being in the right, we can thumb down our noses at not only the Windows users and the BSD-thieving Mac Users, but also the unwashed Linux hippies running stolen code on their parents' PCs." VP of anus enlargement goat-see added, "fr1st p0st? damn i miss. how do i next story?"

    Mr. Darl McBride concurred with GNAA's analysis, adding "We soon hope to convince additional clients such as Trollklore and Cabal of Logged In Trolls of the benefits of licensing SCO's valuable IP. Also, I <3 GNAA bunny. (@.@)" JesuitX clarified the nature of the SCO and GNAA alliance, adding "We're more than just a licensing client. We're also going to be helping to bring these other potential licensors into compliance. We can break them in little by little as paying sublicensors. The alternative is pretty horrible. Our lawyers can take a reticent client from virgin to hello.jpg [figure 2 [yahoo.com]] in under an hour, and believe me -- it is not pleasant."

    Commander Taco was unavailable for comment, however Cowboy Kneel was said to ask for a print of [figure 2] for his basement apartment. Simoniker remained British and unable to spell "color," while Timothy responded by posting the same story six times, and Hemos reposted a seventh time, the submission differing only from his application of that damned Einstein icon.

    If you have mod points and would like to support GNAA, please moderate this post up.


  • Re:Hey! (Score:3, Informative)

    by bigberk ( 547360 ) <bigberk@users.pc9.org> on Thursday September 25, 2003 @11:15PM (#7060659)
    They also boosted the memory limitation of Notepad so that it can open files larger than 60 kilobytes
    That limitation was due to the inherent maximum capacity of 'edit controls' (64 K) in the Win95 stream of operating systems. Windows NT 4.0, though as old as Windows 95, never had such Notepad limitations.
  • by Citizen_Kang ( 35179 ) on Thursday September 25, 2003 @11:21PM (#7060700)
    Just so everybody knows:

    This is the same @stake that was formed from the l0pht heavy industries (www.l0pht.com) of old. Says itsecurity.com's Computer Security Dictionary of l0pht:

    L0pht Heavy Industries
    "A Boston-based group of hackers interested in free information distribution, finding alternatives to the Internet and testing the security of various products. Their web site houses the archives of the Whacked Mac Archives, Black Crawling Systems, Dr. Who's Radiophone, the Cult of the Dead Cow, and others. Current membership includes Mudge, Space Rogue, Brian Oblivion, Kingpin, Weld Pond, Tan, Stefan von Neumann and Megan A. Haquer. They can be reached at info@l0pht.com and maintain a web site at http://www.l0pht.com."

    Hacker's Encyclopedia, by Logik Bomb (FOA), http://www.xmission.com/~ryder/hack.html, (1997- Revised Second Edition)

    I wonder if good old mudge still works there? It's amazing what a little money'll do, eh?
  • Re:Can they do that? (Score:2, Informative)

    by RedLeg ( 22564 ) on Thursday September 25, 2003 @11:27PM (#7060743) Journal
    You are, depending on the labor laws in the state in question, and more importantly, in YOUR state, being EXTREMELY naive.


    There is a concept known as "at-will employment", which basically states "that an employee is hired at-will and that employment can be terminated at the will of either party." Almost every state in the US recognizes this concept in one form or another.


    ObDisclaimer: IITGNAL (I Am, Thank Gawd, Not A Lawyer), this does not constitute legal advice, yada-yada-yada....
    ObLinkage: Google [google.com] is your friend.

  • by bourne ( 539955 ) on Thursday September 25, 2003 @11:28PM (#7060750)

    Lets hope Bruce still has his job by the end of the week.

    As the founder [counterpane.com] of Counterpane, he's probably got a bit more say in his company. Also, @Stake has expanded a lot with VC, I think Counterpane has grown more... carefully.

  • Re:Can they do that? (Score:3, Informative)

    by Sparks23 ( 412116 ) on Thursday September 25, 2003 @11:28PM (#7060752)
    Many businesses are 'work-at-will' businesses, meaning that either the employee or the employer can terminate the employment contract at any time.

    IANAL, but a quick search for 'work-at-will' via Google produced links by people who are, which explain a little about work-at-will and also how some litigation has made work-at-will a little less 'you can be fired whenever for whatever reason'. But in general, you have less protection as an at-will employee than you might otherwise, and most employment contracts are work-at-will. So they likely could indeed fire him, though he might have grounds to challenge his dismissal.

    One example:
    http://writ.news.findlaw.com/grossman/20010911.htm l [findlaw.com] :)
  • by eschasi ( 252157 ) on Thursday September 25, 2003 @11:33PM (#7060785)
    I've seen Geer off and on for quite a number of years. He's damned smart, and has damned little people and organizational sense. IMHO it's perfectly reasonable that he'd not consider that his statements in the forum would be taken as representing his employer, doubly so when he lists his affiliation repeatedly.

    When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes you represent your company. It's not like being a prof at MIT. Nobody would assume a prof officially represents the stance of a University. But companies are a different world. Bruce represents Counterpane when he does those sorts of publications, and Dan damned well should have known he'd be representing @Stake when he repeatedly listed the affiliation.

  • @stake == l0pht? (Score:5, Informative)

    by autopr0n ( 534291 ) on Thursday September 25, 2003 @11:42PM (#7060848) Homepage Journal
    Wasn't @stake the security company that grew out of the l0pht? Or am I on crack?
  • by the gnat ( 153162 ) on Friday September 26, 2003 @12:00AM (#7060962)
    Or the researchers for pharmaceuticals... where if you find that drug X doesn't help cure Y, then you shouldn't expect any grant money next year. Yeah, not fired, but certainly the same net result.

    That's not exactly fair. The pharmaceuticals would prefer to find out about these things from their own people, as quickly as possible. The entire FDA approval process is essentially designed to eliminate drugs from the pipeline before they reach the market. I've seen many pharmaceutical scientists speak about drug development, and they've all emphasized their efforts to rule out as many drugs as possible even before Phase I trials. It costs a shitload if they make it to Phase III before discovering that their drug is crap.

    Now, once a drug has actually been released, it's much worse for the company to find that it's ineffective. However, it's still much better for them if one of their own people finds out, because if they don't, someone else will sooner or later. They'll lose money in the short term, but they'll probably save far more in the long run, and they'll definitely look better. Hopefully they can even avoid the class action lawsuit entirely.

    As far as I'm aware, the problem (well, one of them) with drug companies is generally not that they push drugs they know to be ineffective, but rather that they push drugs that genuinely are effective on people that don't need them. A huge number of mood-altering pharmaceuticals fall into this category; I refer you to the South Park episode about Ritalin for details.

    Just a clarification - pharma researchers do not get grants; they have contracts. A corporation would not keep an expensive PhD biochemist on staff while discontinuing his research. Some academics do get pharmaceutical grants, but not many, and they almost always have other sources of funding which are completely unconnected.
  • by laird ( 2705 ) <lairdp@@@gmail...com> on Friday September 26, 2003 @12:06AM (#7060996) Journal
    "When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes your represent your company."

    The report states clearly on the first page that "Our conclusions have now been confirmed and amplified by the appearance of this important report by leading authorities in the field of cybersecurity: Dan Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, John S. Quarterman, Charles Pfleeger, and Bruce Schneier. CCIA and the report's authors have arrived at their conclusions independently. The views of the authors are their views and theirs alone."

    Note that there are no company affiliations in that list, or on the front cover of the report, and that they clearly say that they're speaking as individuals, not as company representatives. The authors do list their current titles and employers in their bios and on the "authors of the report" page, in order to establish their credibility (and that's a lot of credibility), but clearly don't speak for their employers.

    Given that the document expresses the mainstream of security industry thinking, I'm a little amazed that this is even "news" much less something to fire someone over. Does any security professional think that a software monoculture is a good idea, or that Microsoft actually has security as its top priority (as opposed to market share or profitability)?

    If we're to be serious about addressing vulnerabilities in our software infrastructure, we have to be willing to discuss these issues honestly, without self-censoring out of fear of stating the obvious when it's inconvenient.
  • Re:@stake == l0pht? (Score:2, Informative)

    by Anonymous Coward on Friday September 26, 2003 @12:27AM (#7061126)
    L0pht is dead. L0pht died the moment @stake was started. Most of the people involved in the L0pht were either fired or quit from @stake long, long ago. Those who are there now have their own agendas. Mudge got fired because he flipped out. I guess you could call that personal reasons.

    Dan Geer was the technical lynchpin of @stake. I think they just slit their own wrists to keep their clients or potential clients happy. Sounds typical for the security industry.
  • by HanzoSan ( 251665 ) * on Friday September 26, 2003 @12:35AM (#7061163) Homepage Journal
    Yeah but what about the moderation system? Don't you know that Linux users make up about 99% of all the mods?

  • Re:Hey! (Score:1, Informative)

    by Anonymous Coward on Friday September 26, 2003 @12:50AM (#7061261)
    Windows NT 3.1 was released in 1993 and had the fancy no-limit notepad.
  • by gothicpoet ( 694573 ) on Friday September 26, 2003 @01:18AM (#7061381) Homepage Journal
    Here's another good article on this subject: Washington Post [washingtonpost.com]

    According to the Washington Post, Lona Therrien, the @Stake spokesperson, "said the company had no conversations with Microsoft about Geer or the report."

    However (same article), Sean Sundwell of @Stake said that on Tuesday night, when notice of the report's pending release was circulated, "Microsoft was contacted by @Stake officials . . . expressing their disappointment in the report and saying that Dan Geer's opinion did not reflect the position of @Stake and its commitment to an ongoing relationship with Microsoft."

    So... which is it? Did they discuss the report directly with Microsoft or not??

  • by MickLinux ( 579158 ) on Friday September 26, 2003 @01:58AM (#7061516) Journal
    Look at the history of Virginia Commonwealth University. See that point where they were completely shut down? That's because they *were* firing their tenured professors, and in the end completely shutting down the university was all that the state could do to stop it. When they sent examiners to interview the professors about the situation, the president would not let them alone with the professors. Anyhow, the state discovered that they couldn't do anything except close the university and fire everyone.

    Jump over to James Madison University. It seems that the then president of the university was trying to force through academically impossible changes. [For example, teach upper-level calculus before basic calculus, "to give them a feel for it".] So one of the Physics professors came up with proof of tax fraud. At that point, the president fired the whole Physics department, because although he couldn't fire a tenured professor without cause, he could eliminate the need for the professor by abolishing Physics [impressive stupidity for a university with a medical program, but finding tax fraud was a real threat]. Eventually, the firing was rescinded, and the president retired, but the potential for tax fraud penalties was probably a slightly larger gun than tenure. Jump forward, same university, different president. The tenured professors' contract is the University Handbook; and the administration updated it, taking to itself all the rights of academic free speech, and making the contract unilaterally modifiable. My father caught this, and in the Faculty Senate pointed out that (1) this had no effect without Faculty Senate ratification, (2) they couldn't ratify it because unilaterally modifiable contracts are illegal, (3) they shouldn't ratify it, and (4) without ratification, they were working either on the old handbook (in which case the old handbook stood), or else without a contract, which implied no particular tenure protection, but also implied no protection for the university against lawsuit.

    In the end, he got those clauses struck. But tenure really doesn't protect academic free speech too well.

    In reality, tenure and academic free speech were initiated by the university administrations for their own convenience. It seems that, all the time people were coming up and saying "I'll donate X million dollars, if you'll teach this or that." And the problem was that if they taught this or that, 2 other donors would say "I'm not donating any more, because you're teaching nonsense." If they declined, however, then the person who wanted to affect the curriculum would begin a publicity campaign against the administration, and it was a real mess. So the academic free speech became a way that the administration could say "sorry, it's against contracts we've already signed. It's impossible."

  • Re:Can they do that? (Score:3, Informative)

    by Dr. Zowie ( 109983 ) * <slashdotNO@SPAMdeforest.org> on Friday September 26, 2003 @02:19AM (#7061584)
    Unless he can prove that he was discriminated against then he is pretty much out of luck.

    Uh... if he was fired, and nobody else was, then he was pretty clearly discriminated against. Why the heck doesn't anybody understand what "discrimination" is? (separation according to characteristics of each individual).

    Only some forms of discrimination are illegal. The law says words to the effect of "You may not discriminate on the basis of , , or ". That's it.

    You're perfectly allowed to discriminate on the basis of how smart people are, or how bad they smell, or whether they understand the language they are trying to use. Just not by race or religion, usually, and even then only in matters of real estate and employment.

  • Re:@stake == l0pht? (Score:4, Informative)

    by Skilf ( 522124 ) <amomm AT yahoo DOT com> on Friday September 26, 2003 @03:39AM (#7061814)
    Indeed, L0pht Heavy Industries was the hacker group who had merged with @stake a few years back.

    They became the "research and development" division of @stake apparently...

    here is the link to an archived press release talking about the merger:
    http://www.xent.com/FoRK-archive/jan00/0035.html [xent.com]

    From what happened to Dr. Geer we can see that the spirit of the L0pht is really gone now.
  • by Peter Eckersley ( 66542 ) on Friday September 26, 2003 @04:55AM (#7062004) Homepage
    I can't find a disclaimer anywhere in the report saying that he wasn't representing @Stake, and yet he used it to back up his authoritarian position, and intentional or not it appears that he was speaking on behalf of the company he worked for.

    From p.3 of the report:

    CCIA and the report's authors have arrived at their conclusions independently. Indeed, the views of the authors are their views and theirs alone.

    Unless they modified the report after it was first posted? The version I'm looking at says modified 24/09/2003, 7:03 EST

  • by insomaniac ( 469016 ) on Friday September 26, 2003 @06:38AM (#7062263)
    Uhm, not to nitpick, but we here in the Netherlands don't have many whores on street corners. We have more of them behind glass with red lights.
  • Re:Can they do that? (Score:3, Informative)

    by arkanes ( 521690 ) <arkanes@NoSPam.gmail.com> on Friday September 26, 2003 @07:22AM (#7062386) Homepage
    Simple logic dictates that capitalism, if unregulated (all those Free Market doofs out there), will erode democracy - or any other form of government, for that matter.

    In a capitalist economy, the only thing that matters is capital - the buying and selling of goods and/or services. Access to votes is just another service. So is access to voters, for that matter. And the information, as we see a lot these days - accurate information is a valuable commodity. Therefore, not everyone has access to it, which means that a company who controls access to information can manipulate markets. The ability to manipulate markets is just another commodity to be bought and sold on the open market.

  • by Mad Man ( 166674 ) on Friday September 26, 2003 @07:44AM (#7062455)
    was "Re: Can they do that? [slashdot.org]"

    Think about it this way - if I worked for Fox News and I wrote a scathing book about GWB on my own my own time then I shouldn't be surprised if I was fired the next day.


    Why use Fox News as a hypothetical example, when that did happen... to Bob Zelnick of ABC News, for writing a book about (then) Vice President Al Gore. [junkscience.com]

    FYI: Rupert Murdoch, who owns Fox News Channel, also owns Harper Collins, which publishes books by authors like Michael Moore [harpercollins.com].
  • by slashdot_commentator ( 444053 ) on Friday September 26, 2003 @08:16AM (#7062568) Journal

    @stake, eeye, and iss have all agreed w/ microsoft not to release details of even potential exploits until Microsoft has had 30 days to "evaluate" them, leaving admins and the public unnecessarily exposed to vulnerabilities. This is completely unacceptable, and contrary to the scientific peer-review process of real science.

    What an idiotic thing to say. Most legitimate security researchers give any company an agreed upon period of time before making public an exploitable security hole. Many times, this period is longer than a month. This allows a company time to create and distribute a patch against the hole. No legitimate researcher wants the internet to melt down or information compromised in the desire to rush to make a statement.

    In professional ("real") scientific circles, there might not be a built-in delay before disseminating information, but you certainly jeopardize your career if you state anything in your publication that might be quickly interpreted as incorrect. (Just ask Pons & Fleischmann.) Many scientists will delay publication of information to be dead certain of their facts, and there can be a year of delay before a scientific journal will publish the information. (This is part of the peer review process.)

    Microsoft may engage in egregious policies concerning disclosure of security vulnerabilities (but none that I'm immediately aware of), but requesting a researcher to delay public announcement before evaluating and producing a security patch is not one of them.

  • Re:Rough Translation (Score:3, Informative)

    by shrdlu ( 42466 ) on Friday September 26, 2003 @08:50AM (#7062744)
    I'm posting my own translation, to clear up a couple of things.

    > > It's a sad state of affairs, but not surprising. It's been a long time since the "CIFS is caca" paper...

    > CIFS=Common Internet File System. This is a reference to the security flaws highlighted by Hobbit (from memory it was defcon 5, back in 1997) in the microsoft SMB (windows networking) products.

    You're correct on which defcon, but I'd like to remind you that mudge and *hobbit* stood up there together. I was saddened to see how quickly mudge compromised his principles for cash. I have nothing but respect for *hobbit*, who has retained his.

    > > and I lost respect for the l0pht back when *hobbit* was edged out. Mudge became "Dr. Mudge" (as if), and they all started running after the limelight. Sad, really. The Hacker News Network is long gone, and mudge is Pieter. It sucks for Dan, but it's just more of the same for the rest of us.

    > L0pht Heavy Industries (creators of the L0phtcrack suite and Pwdump that allowed brute force cracking of Windows NT users/passwords) went through a period of internal discontent. I cannot provide any details on this.

    It was more than just a bit of internal discontent. I'd say it was a basic separation into two camps; the old school hackers, and the group that felt it would be good to take advantage of the notoriety, and cash in. The original Back Orifice product was written by cult of the dead cow, and only ran on windows 95/98. It was a (soon to be) member of the l0pht that rewrote it to work on win NT. L0phtcrack was not the only thing interesting that came out of that group. Wish I'd made a mirror of the old site. There was plenty of MS bashing.

    > > It takes a lot of nerve for Chris Wysopal to issue his little statement. Weld Pond would never have said something like that. Man, it's been a long path from BO2K to appeasing Microsoft. What a long, strange trip it's been. Sigh.

    > I have to admit this part has me stumped. I assume he means that Chris Wysopal of @stake would answer differently to Weld Pond of Lopht. Since they are one and the same person I assume he means to highlight the change over time in Chris's opinions/loyalties... not really surprising in the context of articles like this (para. headed Who's Who).

    Yeah, I was perfectly aware that Weld Pond == Chris Wysopal. The comment was expressing my sadness at just how much he's changed. Thanks for the link to the Register, I'd forgotten that article. That grouping never came off, BTW, but there's still the pay early version of CERT that doesn't much make me happy.

    > It has indeed been a long and strange trip... no end in sight yet.
  • by spacerog ( 692065 ) <spacerog AT spacerogue DOT net> on Friday September 26, 2003 @12:55PM (#7064793) Homepage Journal
    I'm not surprised they didn't tell you anything. They didn't tell me anything either. A big part of the secret was not to upset anyone else. Immediately from the start I had been separated from the rest of the original L0pht folks. My guess is to make it easier to let me go later on. If they had kept us together and tried to fire one of us it would not have gone so smoothly. The old divide and conquer strategy. Consider your time at @stake a valuable lesson. Never again will you allow yourself to be brainwashed when they tell you that their company is different, that they will succeed where others have failed, that they will change the world. Remember it's _ALL_ about the dollar. Anything else just gets in the way. - SR
  • Re:@stake == l0pht? (Score:3, Informative)

    by EllF ( 205050 ) on Friday September 26, 2003 @01:51PM (#7065289) Homepage
    Mudge was not fired. Mudge did not flip out. Mudge cut his hair, started wearing suits, and now goes by his given name instead of by his handle.
  • by Frobnicator ( 565869 ) on Friday September 26, 2003 @04:19PM (#7066781) Journal
    The link now goes to their 404 error page ... What kind of pull does @stake have with C|Net news to make that happen?
    Perhaps it is because they moved the link? http://news.com.com/2100-1009-5082649.html [com.com] is the link that works right now. Or just enter "@stake" on the search bar of their error 404 page.

    If you are going to start a conspiracy theory, at least make one that stands up to a little bit of reason. Or not so easily discoverable by the public.

    frob
