Author of Paper Critical of Microsoft is Fired 739
chongo writes "Daniel E. Geer Jr., one of the primary authors of a
report
Reliance
On MS A Danger To National Security,
was fired from @stake Thursday morning.
@stake said that 'The values an opinions of the
report
are not in line with @stake's views' and that Geer's
participation was 'not sanctioned.'
Microsoft, who has worked closely with @stake
in the past, denied that it was involved in @stake's
decision to fire Dan." There might not be anything fishy going on at all, but that's no reason to stop making perfectly good conspiracy theories.
Hey! (Score:5, Funny)
For instance, they have made great strides in improving Calculator and Notepad in recent versions of Windows.
And Paint can finally save as PNG! (Score:3, Funny)
Yes, but... other than roads, sanitation, better medicine and the streets bein' safe at night, what have the Romans ever done for us?
Re:Hey! (Score:3, Informative)
Re:Hey! (Score:3, Funny)
Re:Hey! (Score:3, Funny)
Often they go into a panic, gripping their mouse for dear life.
Re:Hey! (Score:3, Funny)
and watch the all the mIrc users leave the room.
Re:Hey! (Score:3, Insightful)
postfix stop; postfix start
kthxbi
Can they do that? (Score:4, Insightful)
Am I just being naiive, or does this bother other people too?
He wrote it as if it was on @Stake's behalf (Score:5, Insightful)
The report itself [ccianet.org] stated quite clearly in several places that Dr Geer was the Chief Technical Officer of @Stake.
I can't find a disclaimer anywhere in the report saying that he wasn't representing @Stake, and yet he used it to back up his authoritarian position, and intentional or not it appear that he was speaking on behalf of the company he worked for.
Perhaps more details will emerge about what actually went on, but it does seem quite irresponsible to make it appear that you're speaking on behalf of a company if you're not... if that's what happened.
Re:He wrote it as if it was on @Stake's behalf (Score:5, Informative)
When you're CTO of a company and repeatedly use that title and the company name in a publication of that sort, the average reader assumes your represent your company. It's not like being a prof at MIT. Noby would assume a prof officially represents the stance of a University. But companies are a differnt world. Bruce represents Counterpane when he does those sorts of publications, and Dan damned well should have known he'd be representing @Stake when he repeatedly listed the affiliation..
Re:He wrote it as if it was on @Stake's behalf (Score:5, Informative)
The report states clearly on the first page that "Our conclusions have now been confirmed and amplified by the appearance of this important report by leading authorities in the field of cybersecurity: Dan Geer, Rebecca Bace, Peter Gutmann, Perry Metzger, John S. Quarterman, Charles Pfleeger, and Bruce Schneier. CCIA and the report's authors have arrived at their conclusions independently. The views of the authors are their views and theirs alone."
Note that there are no company affiliations in that list, or on the front cover of the report, and that they clearly say that they're speaking as individuals, not as company representatives. The authors do list their current titles and employers in their bio's and on the "authors of the report" page, in order to establish their credibility (and that's a lot of credibility), but clearly don't speak for their employers.
Given that the document expresses the mainstream of security industry thinking, I'm a little amazed that this is even "news" much less something to fire someone over. Does any security professional think that a software monoculture is a good idea, or that Microsoft actually has security as its top priority (as opposed to market share or profitability)?
If we're to be serious about addressing vulnerabilities in our software infrastructure, we have to be willing to discuss these issues honestly, without self-censoring out of fear of stating the obvious when it's inconvenient.
Re:He wrote it as if it was on @Stake's behalf (Score:3, Insightful)
I had a look at the report, and so interpret the situation a bit differently than most here. In my view, it reads more like an amicus brief (statement by a friend of the court) than a technical doc. Look at it, they rant and rave about the "M$ monopoly" throughout.
There are plenty of technical/security aspects of the dominance of M$ platforms, but this report doesn't address them effectively. This can be expected since it looks much more to me like a hack job funded by competitors:
Ed Black, the CEO and pre
There is a problem here. (Score:4, Insightful)
The reason is very simple: a given company needs to keep a reputation, in the case of a security company they need to appear to be open and impartial when assesing different products. By having an employee that clearly has reached his own conclussions and made them public the employer is left in the difficult position to explain how they may be choosing MS stuff or recommending it given that one prominent employee has lambasted those products in a public forum.
Sorry, but I have no pity for this person in spite of broadly agreeing with his conclussions.
Re:There is a problem here. (Score:3, Insightful)
L0pht has allways belived in full disclosure of security vulnerabilities; like they stated in this interwiev. [pbs.org].
There was also a /. story [slashdot.org]. about L0pht, "hypocrisy of hackers" and (possible)connections to FBI and NIPC a year ago.
So it turns out that the hacker philosophy went out the backdoor and the corporate standards fro
Move along...no constitutional isssue here (Score:3, Insightful)
Geer obviously has his first amendment freedom of speech. He freely published the paper, didn't he? He is not in jail, is he?
Please do not confuse Americans' right under the Constitution to speak freely with an obligation on the part of private parties (like Geer's employer) not to react negatively to our speech. You might be able to convince me that @stake's action was
Re:He wrote it as if it was on @Stake's behalf (Score:5, Insightful)
Statements of fact do not imply endorsement.
Terri Welles was, in fact, a Playmate. Playboy cannot restrict her from saying so, even by attempting to apply trademark law against Ms. Welle's use of the trademarked word "Playboy" in for commercial gain.
The fact that being able to claim to have been a Playboy Playmate gives her a certain professional standing in her field (tits) and she is free to use that standing for her own benefit even over the objections of Playboy.
Dr. Geer is (ok, was) the Chief Technical Officer of @Stake. This is a position of authority in a particular field and stating that one has that authority gives one's opinion in that field certain standing. It is a factual statement and does not imply endorsement by his employer. It only imlies that one has recognized special skills.
If people misconstrue that that is a problem of their understanding, just as it is if people believe that Ms. Welles' personal site is an official Playboy site because she lists her employment by Playboy.
That doesn't make her an infringer. It makes them morons.
If the guy down the street who works for a Ford dealership tells me that he thinks Fords suck I too would have to be a moron to believe that was the official position of his employer.
Whether or not that might be legal grounds for firing said employee is another issue. I'd have to review the relevant law in his jurisdiction and make an examination of his contract to have an opinion on that.
I'd think his employer was an asshole for doing it though, if he was otherwise performing his duites satisfactorally. That's just my opinion of course, which is colored by knowing many people who worked for companies they don't like. I've even worked for a few myself. Hell, I even owned one of those companies.
But I didn't fire myself.
KFG
Re:He wrote it as if it was on @Stake's behalf (Score:5, Interesting)
Therefore:
A)He was not actually fired for his public statement
B)At the time of the statement he clearly could not have been speaking for his employer, because he was unemployed and in much the same position as Ms. Welles
If @stake's position in this matter has certain legal implications, well, that's their problem I guess. They chose their actions and statements.
As for Dr. Geer's termination I covered that in my original post. I don't know the terms of his contract or their legality in his legal jurisdiction.
And neither do you.
Unless, of course, you're posting as an AC because you are an officer of @stake.
As for his collegues most of them probably share his opinion but keep private about it. Virtually every government is quite vocal about sharing the same opinion so it's not like it's a big secret or something.
It can be equally applied to nearly any other industry as well. A nearly universal reliance on Boeing for nearly all of our military aircraft would be a tragic mistake for national security.
I'd hazard a guess you could find a Boeing executive who would even be willing to state that for the record -- and not even get fired for it.
KFG
He wrote it as if it was on @Stake's behalf (NOT) (Score:4, Interesting)
Yes, we seem to be living in a world with increasing need to disclaim. In fact, we live in a legal claim/disclaim toxic environment.
If you were to global search-and-replace the company names with the names of universities; and likewise exchange the professional titles with academic ones; this paper would be perfectly kosher.
So now, apparently you can't publish a shcollarly work unless you *don't* have a "real job." How nice.
Remember: The great/golden age of the Arrab Empires collapsed because of one act. They closed their libraries. After that scolarship fell into disrepute. Then learning. Then knowledge. Then "not being an idiot" was against the social norm, and *poof* they lost the initiative.
Let's not repeat that debacle in our age, shall we?
Persons should enjoy the right to freely publish their thoughts and understandings of any issue with greater social ramafications.
Silence == Death... As a slogan it is applicable to far more than the AIDS crisis.
Re:He wrote it as if it was on @Stake's behalf (NO (Score:4, Funny)
Let's not repeat that debacle in our age, shall we?"
Too late.
KFG
This looks like a disclaimer to me (Score:3, Informative)
From p.3 of the report:
Unless they modified the report after it was first posted? The version I'm looking at says mod
Re:Can they do that? (Score:3, Insightful)
Re:Can they do that? (Score:3, Informative)
IANAL, but a quick search for 'work-at-will' via Google produced links by people who are, which explain a little about work-at-will and also how some litigation has made work-at-will a little less 'you can be fired whenever for whatever reason'. But in general, you have less protection as an at-will employee than you might otherwise, and most employment contracts
Re:Can they do that? (Score:3, Insightful)
In the paper [ccianet.org]'s (pdf) list of authors, he is listed as "Daniel Geer, Sc.D -- Chief Technical Officer, @Stake"
Also perhaps of interest is the fact that he is listed first of the paper's seven authors
If your company has a financial stake in the success o
Re:Can they do that? (Score:3, Interesting)
Re:Can they do that? (Score:5, Interesting)
At one time I was working on my Master's degree, and the Professor to whom I submitted a term paper on "LISP on MicroComputers" suggested I submit it to a journal. BUT this was just before the PC came out, so I was using examples like PDP and TRS-80. When the paper got to the division that was preparing to release the PC, they vetoed it instantly.
Some people were so paranoid back then that they would "clear" a term paper through Publications before they dared to give it to the Professor!
So the answer is, "Yes, they can do that."
Re:Can they do that? (Score:4, Interesting)
Actualy yes they are. Where I use to work, just being known to know too much about Linux would put a person on the layoff list. And when the company is laying off 40% of its workforce, little things like that are easy to hide. I would go into more detail on how this company is sucking bills fat FUD, but I am starting to get upset. Basical, in any MS controled company, knowing UNIX is a severe liability, regardless of how well one knows MS stuff. Unless of course, ones knowledge is absolutly instrumental in positioning the company infrastructure, in preparation for MSs penetration.
Why Microsoft now matters more than your job (Score:5, Insightful)
Whistle-blowing is never a popular job, but it's even riskier during bad economic times. Most of the backlash against this employee is due to the spineless quivering, in management, about losing vital business. Once again, we see why monopolies are unhealthy for society.
What are you gonna do, though, if you're canned? The employment-at-will doctrine has essentially always allowed bosses to hire and dump whomever they wish for any reason; dear old kooky Walt Disney used to go nuts with this easily abused freedom, and the 1990s left a trail of shattered lives and communities behind the rapacious "downsizing" of workers. Except where protected by civil rights or state employment law (and good luck bringing a case!), this is where you stand as an employee in America - at the mercy of the Man's whims. Learn to kiss ass; learn to run your own business; learn to work for decent people; these are among the few options for workers, and guess which one is most popular.
But this is also a hysterical time politically. Under the New McCarthyism the pasture of sacred cows has been enlarged: now not only our Glorious Leader is supposed to be beyond reproach, but so are certain corporate entities. And by burrowing like a common bacterial spirochete into the guts of American national security, Microsoft has begun to undergo the transformation - symbolically - from mere lawless and sloppy monopolist to vital U.S. institution. Yesterday, MS merely brought you BSODs, viral weakness and data loss. Today, it defends America against her enemies with its arsenal of...er...BSODs, viral weakness and data loss.
If this transformation continues, it will be more and more costly to criticize Microsoft as it mutates into an adjunct of the security state. HomeSec is already MS's taxpayer-subsidized tech support service, busily issuing warnings about the latest viruses and worms. This relationship should be promptly terminated by the next administration when the adults get to run things again.
Re:Can they do that? (Score:4, Insightful)
I also think that employers can fire employees if they please. Unless he can prove that he was discriminated against then he is pretty much out of luck.
I also don't think that Microsoft had to do anything. @stake just had to believe that Microsoft would never do business with them again.
Think about it this way - if I worked for Fox News and I wrote a scathing book about GWB on my own my own time then I shouldn't be surprised if I was fired the next day.
Re:Can they do that? (Score:3, Funny)
What, you mean the 'free press', the 'watchdog of the government'?
Re:Can they do that? (Score:3, Informative)
Uh... if he was fired, and nobody else was, then he was pretty clearly discriminated against. Why the heck doesn't anybody understand what "discrimination" is? (separation according to characteristics of each individual).
Only some forms of discrimination are illegal. The law says words to the effect of "You may not discriminate on the basis of , , or ". That's it.
You're perfectly allowed to discriminate on the ba
They Already Did That (Score:3, Informative)
Why use Fox News has a hypothetical example, when that did happen... to Bob Zelnick of ABC News, for writing a book about (then) Vice President Al Gore. [junkscience.com]
FYI: Rupert Murdoch, who owns Fox News Channel, also owns Harper Collins, which publishes books by authors like Michael Moore [harpercollins.com].
Re:Can they do that? (Score:3, Insightful)
We already are.
Flip comments aside, many people's employment contracts stipulate "no negative comments about the company, and don't say negative things about anyone while publicly under the corporate banner. Violation is grounds for termination." And typically the higher you go in the company, the more restrictive the clauses become. You should check yours. I had to sign such a contract the last time I received a promotion.
Mr. Geer sat on that dais with a
Re:Can they do that? (Score:3, Insightful)
I am not saying that we are not a corporate slave. I personally said that before. I was simply mad at the fact that so many people support the present state of affairs...
Remember, companies can not VIOLATE your right to free speech...But they also have the right to fire you. You simply have to be willing to trade your voluntary employment contract with them to
Re:Can they do that? (Score:3, Informative)
In a capitalist economy, the only thing that matters is capital - the buying and selling of goods and/or services. Access to votes is just another service. So is access to voters, for that matter. And the information, as we see alot these days - accurate information is a valuable commodity. Therefore, not everyone has access to it, which mean
Re:Can they do that? (Score:4, Insightful)
However, right at the top of the report the author list includes "Daniel Geer, Sc.D - Chief Technical Officer, @Stake". When I read the report, I was under the impression that the company was involved with it or had at least approved it prior to publication.
Even though I agreed with just about every point in the report, I could see that if the report does not reflect the (public) views of the company, then they would have a legitimate reason to fire him. The paper makes strongly worded criticisms of Microsoft, its monopoly status, its business practices, its lock-in tactics and its technical abilities, and a company with a lot of Microsoft-using clients would be nervous being too closely associated with it. If he put his name (along with the name of his company) on this particular paper without clearing it with them up front, that just wasn't very smart. (Or maybe it was smart; it could be a bid for fame and notoriety. I certainly didn't know who this guy was until yesterday.)
Re:Can they do that? (Score:3, Insightful)
Re:Can they do that? (Score:5, Insightful)
OTOH, MS software and national security is probably not a life-or-death issue. At least, I hope it's not.
So, when a U.S. Navy missile cruiser has to be towed back to port because it's computers running MS Windows have crashed it's not life and death? What about the Dept. of Homeland Security using Microsoft products for their servers and workstations? How about the network operations centers and shore bases of the Navy using Microsoft for the servers and workstations?
Come on, Microsoft is wide spread and pervasive throughout the U.S. government. The State Department couldn't issue visa's because Welchia, which could be prevented by patching or anti-virus software, infected their network. An offline nuclear reactor had safety systems fail that were running Windows. Just what OS do you suppose the Army and Marine Corps battle computers are running? What would happen in a war if our enemy penetrated those battle networks with a worm of some sort? How much more do you need to be convinced that depending on seriously flawed software in the government is not only dangerous to national security but also a "matter of life and death".
Re:Can they do that? (Score:3, Insightful)
Apparently, when lots of people die and lots of evidence shows it was because of the software.
Re:Can they do that? (Score:3, Insightful)
You mean "the average Slashdot poster who didn't RTFA assumes...".
Conspiracy theories? (Score:5, Funny)
I bet it was... the Time Terrorists*!
*Time Terrorists also responisble for the destruction of the Titanic, the Hindenburg, and the creation of SCO.Terry Gilliam would be proud... (Score:3, Funny)
Seriously though, that movie is full of great quotes...who remembers the Supreme Being saying "I am the supreme being, I am not entirely dim"? And Evil talking about God:
Evil: God is not interested in technology... He knows nothing of the potential of the micro-chip or the silicon revolution. He's obsessed with making the grass grow and getting rainbows right... Look at what he spends his time on. 43 species of parrot! Nipples for men!
Time for a stupid joke... (Score:5, Funny)
(waits for groans)
Yeah... (Score:3, Funny)
My head hurts... (Score:5, Funny)
OK, if you need to mention a company's gimmicky, non-alphabetical name once, so be it. But all those @s are giving me a headache in a brain region I haven't had to use since we had that run of :CueCat stories.
The scary thing is that you could use 4tst4k3 repeatedly and I wouldn't blink at it. 47s74k3 would require some effort...
Re:My head hurts... (Score:5, Insightful)
Not only can it be viewed as damaging to a big client (Microsoft, in this case), but it can also be viewed as competing with your own company since both @stake and the paper deal with security. I'm sure he signed a non-compete agreement with @stake when he was hired.
Re:My head hurts... (Score:5, Funny)
And then I come home to this. Which part of what I wrote sounded like "Post some complete non-sequitur and write @stake three more times!"?
The other half (Score:5, Funny)
Said Microsoft spokesman: "It's a voluntary contribution, with much at stake. ".
This is why slashdot... (Score:3, Interesting)
You, slashdot editor, member of the press, are actually encouraging and suggesting that false and misleading information be interpolated from a small number of facts. Sure, a healthy skepticism and more investigation is required to determine why he was fired but i think an editorial remark with a message consisting of:
"This isn't really big news, but if we pretend like all sorts of mysterious things are happening that we don't know about, it will be."
Those sorts of things happen on their own more than enough as is; encouraging it is just unecessary.
Re:This is why slashdot... (Score:5, Insightful)
First of all: False and misleading information? Unless you have some magical insider information on what exactly happened, who are you to claim that it's false and misleading? To dismiss it as false without having any facts is no better than accepting it as true without having any of the facts. Different sides of the same coin.
And second, it looks like a pretty tongue-in-cheek comment. You said it yourself:
Those sorts of things happen on their own more than enough as is; encouraging it is just unecessary.
Do you really believe that the editors don't also know this? Contrary to popular opinion they do actually read the site, sometimes. It's pretty clear to me that it's a jab at all the 'perfectly good conspiracy theories' that abound whenever a Microsoft story rolls around. Would you really call them 'perfectly good conspiracy theories' if you weren't against them? Sounds like a pretty sarcastic phrase to me.
But hey, don't let little old me get in the way of Slashdot's readers bashing Slashdot...
No conspiracy theory required (Score:5, Insightful)
I guess that's where the phrase, "power corrupts" comes from, eh?
Re:No conspiracy theory required (Score:3, Insightful)
If they lost that relationship, that could cause the shareholders to bail out because the company would have to recoup that revenue from elsewhere.
@Stake is full of tons of smart people. I'm su
MS influence permeates the industry (Score:4, Insightful)
I can't argue with those points. You're absolutely right. It's just a shame to me that someone who knows a lot about something that affects the security of millions of Americans can't speak out about that threat without being fired by their employer.
It's rare to see a group of people take a stand about something they feel is of more importance than just dollars and cents. These folks are essentially blowing the whistle on something a lot of people have known about for a long time but have been too frightened to say for fear of the wrath of Microsoft.
While I absolutely agree with you that @Stake is just protecting their own interest, their action is proof of how far Microsoft has permeated the fabric of the IT business. Virtually every company in the industry has to be careful about criticizing (or even allowing an employee to criticize) Microsoft, for fear of retribution.
Microsoft blames human nature (Score:5, Insightful)
So basically if humans just would stop being mean or stupid, there wouldn't be any problems.
Isn't that sort of like blaming plane crashes on gravity? I mean, human nature is what it is. There will be virus writers, there will be people who don't always install the patches right away.
What are they suggesting, that we try to change human nature? Genetically engineer better humans? How about they take human nature as a given (like gravity to an aeronautical engineer), and then fix the damn product?
Oh, "Critical"? (Score:5, Funny)
Geer was doing @stake a favor working there (Score:5, Interesting)
Daniel E. Geer, Jr., Sc.D.
Chief Technology Officer
Daniel E. Geer, Jr., Sc.D. oversees the strategy and direction of @stake's approach to digital security. Over the last thirty years, Dr. Geer has led the application of technology in medical computing, distributed systems management, electronic commerce, and digital security. After fifteen years in the Harvard medical establishment, he variously served in senior leadership roles for MIT's groundbreaking Project Athena, Digital Equipment Corporation's External Research Program, Open Market, OpenVision Technologies (now Veritas), CertCo, and now @stake. His security consulting firm, Geer Zolot, was the first of its kind.
An expert in modern security protocols and business metrics, Dr. Geer has been called upon to testify before Congress on multiple occasions. Dr. Geer speaks and publishes regularly on a range of issues in digital security; his November 1998 speech, "Risk Management is Where the Money Is," has been widely quoted, warranting both reprint as a special issue of the RISKS Digest and prompting editorial comment in Wired Magazine. His bibliography is deep and continuing, and with Avi Rubin and Marcus Ranum, he is co-author of The Web Security Sourcebook.
He holds a Sc.D. in Biostatistics from Harvard University's School of Public Health as well as an S.B. in Electrical Engineering and Computer Science from MIT. His professional involvement includes a decade of leadership within USENIX, the advanced computing systems association, of which he is past president. He today serves as an advisor to the board of the Financial Services Information Sharing & Analysis Center (FS/ISAC) under the auspices of the US Dept. of the Treasury, as well as similar fiduciary and non-fiduciary roles for a select number of promising startups.
Wow, bonanza! (Score:5, Insightful)
Gotta love those @stake guys. Here's a relevant quote from their website:
"@stake has assembled the best minds in digital security to help you understand and mitigate the security risks inherent in your business model, so that you can maximize the opportunity in front of you. We help you make the hard decisions about what matters most in your business, so that your security investment has the greatest impact. We work in the space where your business and technology meet, because we believe that this is where security is most powerful."
Talk about blowing it out both ends. You can read their ethical [atstake.com] and guiding principles [atstake.com] as well.
This is what l0pht has turned into?
This shouldn't be a surprise (Score:5, Insightful)
In particular, you shouldn't publish a paper without running it by corporate communications first. You especially shouldn't publish a paper that might be critical of a partner or customer without doing this. You know why? Exactly. You get fired. For violating your employment agreement. If you don't agree with the things that you signed, you shouldn't have signed them. Hell, even if you have permission to publish the paper, you might want to think twice about publishing a paper which is critical of a rather large customer.
When I worked at AOL, I tried to get some of the execs to realize that some of the employees could be a powerful force in the technical community to raise the image of the company. Just the ability to explain some of the things that weren't confidential, correct some of the misconceptions. It wouldn't be a magical transformation, but it would be an effort. And actually joining the community would be a big step. Peer review and PR oversight could both be used to help make sure that more incorrect information didn't go out, or that the wrong things didn't go out.
Noone wanted to talk about it. My assumption is that noone I got to wanted to rock the boat, and noone responsible trusted the employees. It's too bad really. But even with something like that in place, this type of paper would never pass muster. Not through a peer review, and not through PR. You just don't criticize a large customer. Especially a customer with as much money as Microsoft.
-Todd
Re:This shouldn't be a surprise (Score:5, Insightful)
Perhaps this is why he didn't pass the paper through atStake's legal or communications department. He knew they'd never approve it, and they'd do everything to block them if they knew ahead of time that he and his associates were going to publish it. Better to get the message out in the open and risk being fired, than button up what you strongly believe is in the public's best interest.
Do whistleblowers ask their organization's legal department for permission before calling the authorities?
This is why ... (Score:5, Insightful)
This really is something Greer should have seen coming. He published a highly critical, highly-publicized report bashing his consulting company's biggest client. Whether it is true or not is irrelevant; that the client was Microsoft is irrelevant -- replace "MS" with "Sun" or "Oracle" or any other company you like, and I bet his higher-ups still wouldn't be happy about it. You may not like who you work for, but it's not a good idea to bite the hand that feeds you.
Mmm hmmm. And it doesn't work all that great. (Score:4, Informative)
Jump over to James Madison University. It seems that the then president of the university was trying to force through academically impossible changes. [For example, teach upper-level calculus before basic calculus, "to give them a feel for it".] So one of the Physics professors came up with proof of tax fraud. At that point, the president fired the whole Physics department, because although he couldn't fire a tenured professor without cause, he could eliminate the need for the professor by abolishing Physics [impressive stupidity for a university with a medical program, but finding tax fraud was a real threat]. Eventually, the firing was rescinded, and the president retired, but the potential for tax fraud penalties was probably a slightly larger gun than tenure. Jump forward, same university, different president. The tenured professors' contract is the University Handbook; and the administration updated it, taking to itself all the rights of academic free speech, and making the contract unilaterally modifiable. My father caught this, and in the Faculty Senate pointed out that (1) this had no effect without Faculty Senate ratification, (2) they couldn't ratify it because unlaterally modifiable contracts are illegal,
(3) they shouldn't ratify it, and (4) without ratification, they were working either on the old handbook (in which case the old handbook stood), or else without a contract, which implied no particular tenure protection, but also implied no protection for the univeristy against lawsuit.
In the end, he got those clauses struck. But tenure really doesn't protect academic free speech too well.
In reality, tenure and academic free speech were initiated by the university administrations for their own convenience. It seems that, all the time people were coming up and saying "I'll donate X million dollars, if you'll teach this or that." And the problem was that if they taught this or that, 2 other donors would say "I'm not donating any more, because you're teaching nonsense." If they declined, however, then the person who wanted to affect the curriculum would begin a publicity campaign against the administration, and it was a real mess. So the academic free speech became a way that the administration could say "sorry, it's against contracts we've already signed. It's impossible."
More CTO openings at security consultancies...? (Score:5, Interesting)
Re:More CTO openings at security consultancies...? (Score:5, Informative)
Lets hope Bruce still has his job by the end of the week.
As the founder [counterpane.com] of Counterpane, he's probably got a bit more say in his company. Also, @Stake has expanded a lot with VC, I think Counterpane has grown more... carefully.
Re:More CTO openings at security consultancies...? (Score:3, Insightful)
I remember going to one of the MIT Fleas [mit.edu], back when l0pht became @stake, and they had a big van pulled up and were selling off their old junky equipment. Presumably they were buying more modern gear with all that VC. I bought a big brick of a hard drive from them. It had some nice mp3s on it (among other junk), and served me well until I sold it again at the flea, l0pht sticker and all.
Anyway, hung on the side of the van was a big sign reading:
Until
Saw @stake employee on tv... (Score:5, Interesting)
The chairman of the committee asked the Verisign PHB and the two consultants if there were any security benefits in running open-source software, and which was more secure, open or closed. I almost shat myself. Here was the perfect opportunity to hear some glowing reviews of open source. Instead the two consultants, who seemed decently knowledgeable, and long winded on all other issues merely said that there are flaws in all types of software, and they would "guess" that the frequency of security flaws were the same as for closed source. Although the guy from @stake did mention that the theory behind open source security was that "the more eyes, the better", he also countered it with noting that most users of open source wouldn't be able to fix the code when a vulnerability was found.
That was it. No detailed explanation about anything. Just a brush off that was not quite as long as their testimony on why ipv6 wouldn't offer any extra security over ipv4. Luckily the Verisign bastard was there to add his two cents. To paraphrase him - "I would agree with their, (the consultants) testimony, but I would like to add that often the people who write open source software are not professionals". Then he took another shot mentioning "that often worms affect open-source software too". Often... I wonder what he considers "often". How can he even trot out the word "often" to describe the frequency of worms that affect open-source software when there are millions of Windows boxes that are constantly being hit by worms. He then added - "We must resist the temptation to demonize software vendors and other members of the network community. The finger pointing is often misplaced and in most cases does more harm than good." It was quite the interesting hearing, and gives me a bit of insight into what kind of info our Government is getting about open source.
Researchers beware! (Score:5, Insightful)
This is the first overt firing that I've heard of in the IT industry, but I'm sure there have been thousands that we just never heard of.
Just think of those poor researchers at the cigarette companies - you know, the ones where if you found that there was a link between cigarettes and cancer, well, you must be fired.
Or the researchers for pharmacuticals... where if you find that drug X doesn't help cure Y, then you shouldn't expect any grant money next year. Yeah, not fired, but certainly the same net result.
The fact is that research SHOULD be independent. I don't know or care if this guy's paper was right or wrong. But it should be the research community, not MBAs, who decide the quality of research. Period.
I think that firing this guy due to his research is wrong. It looks like he was fired for financial relationship reasons, not because his study was consistently rejected by the research community. Should his employers be considered biased? As a potential customer, should I trust this company? If they are motivated more by their relationship with microsoft versus upholding the truth, I'll never recommend anyone to do business with them. And it looks like they are, and so I'll make sure they're scratched off the list.
Re:Researchers beware! (Score:3, Informative)
That's not exactly fair. The pharmaceuticals would prefer to find out about these things from their own people, as quickly as possible. The entire FDA approval process is essentially designed to eliminate drugs from the pipeline before they reach the market. I've seen many pharmaceutical scientists speak about
Re:Researchers beware! (Score:4, Insightful)
Can't let this go. I'm afraid this is utter crap. I've been in the pharma industry for nearly two decades, and I can assure you it doesn't work this way in the slightest. There are many, many cases of promising potential drugs getting canned each year in just about all but the smallest pharma company. I have never seen or heard about anybody's career being harmed by serendipitous failure. Hell, the company I work for was doing work around PDE V inhibitors about 15 years ago, and we got really close to sildenafil (Viagra), but stopped work in the area. Nobody got canned or carpeted or anything. It just happens. This year already we've had two major compounds drop out of development. Sure, people get pissed off, but so what? That's the way pharma works.
Pharma research just doesn't work in the way you describe. Sorry, but your comment is -1, Bullshit
@Stake code of ethics sez: (Score:5, Interesting)
Interesting. Does that mean that employees should only issue statements in the course of their job responsibilities? Or that job statements must be objective, fact-based and truthful but personal statements can be whatever they want? This latter interpretation seems to conflict with their action.
I don't think Dan Geer will have trouble finding a new job. However, it is an interesting reflection of what @Stake has become. Look at their management team [atstake.com]. Looks awfully VC to me.
Another unmentioned angle to the story.... (Score:5, Interesting)
Leave it to the Mercury News to report with more sordid details [siliconvalley.com].
What caught my eye...
The CCIA trade group also ran into trouble Thursday when it sought to send a paid announcement about its critical Microsoft report to 140,000 subscribers of popular trade magazines for chief security officers and chief information officers.
The publisher for CIO and CSO magazines, CXO Media Inc., offers such announcements ``to target a specific market segment of our audience by designing a list of prospects for direct mail and e-mail purposes.''
But in this case, the subject was too touchy.
``We find it is too sensitive of material to send out. I'm sorry to be the bearer of bad news, but I have to deny your request,'' according to an e-mail from the publisher obtained by The Associated Press.
``We need to try to provide some balance on these issues, and this seemed a little one-sided,'' CXO spokeswoman Karen Fogerty said.
Sheesh! The mags won't even report this story if you pay them!
---
Fight the Power!
@stake == l0pht? (Score:5, Informative)
Re:@stake == l0pht? (Score:4, Informative)
They became the "research and development" division of @stake apparently...
here is the link to an archived press release talking about the merger:
http://www.xent.com/FoRK-archive/jan00/0035.html [xent.com]
From what happened to Dr. Geer we can see that the spirit of the L0pht is really gone now.
Let the Truth be known (Score:5, Interesting)
What?! What exactly wasn't true about what was said?
Quote: Daniel Geer "As fast as the world's computing infrastructure is growing, vulnerability to attack is growing faster still"
Quote: Daniel Geer "Microsoft's attempts to tightly integrate myriad applications with its operating system have significantly contributed to excessive complexity and vulnerability. This deterioration of security compounds when nearly all computers rely on a single operating system subject to the same vulnerabilities the world over"
Quote: Ed Black "Microsoft's monopoly threatens consumers in a number of ways, it it's clear it is now also a threat to our security, our safety, and even our national security."
Quote: Bruce Schneier "The problem is that of monoculture. As long as all computers are running the same OS, they're all vulnerable."
If @stake is saying they don't agree with these statements, then their credibility as a security company is seriously in question. It's one thing to say they fired someone for violating professional protocol, it's quite another to terminate them because what they said was incorrect.
Everything said by Geer, Black and Schneier is correct. What does @stake not agree with?
@stake making power plays w/ microsoft == OIS (Score:5, Interesting)
Additionally, the director of research for @stake, Chris Wysopal, is effectively lobbying congress [atstake.com] to give teeth to the OIS, and more power to microsoft and their buddies.
OIS = @stake, BindView, SCO, Foundstone, Guardent, ISS, Microsoft, NAI, Oracle, SGI, Symantec. sounds like the stone cutter's guild to me.
Eeye seems to be left out for obvious reasons, they oppose this secretive "research." Read eeye's Marc Maiffret's (chief hacking officer) thoughts on things to a congressional subcommittee here [eeye.com].
"windows corrupts, microsoft corrupts absolutely."
Demonstrating one's cluelessness (Score:3, Informative)
@stake, eeye, and iss have all agreed w/ microsoft not to release details of even potential exploits until the microsoft has had 30 days to "evaluate" them, leaving admins and the public unnecessarily exposed to vulnerabilities. This is completely unacceptable, and contrary to the scientific peer-review process of real science.
What an idiotic thing to say. Most legitimate security researchers give any company an agreed upon period of time before making public an exploitable security hole. Many times,
Dan Geer is a respected researcher in infosec (Score:5, Insightful)
It's not so much that @stake doesn't have the right to fire him, but rather that it's a pity that they can't stand up to the truth. Not that corporations are known for their honor anyway. I would not trust a @stake with my business at this point-what's next? MS buying them into using their clearly superior security products?!
I'm sure this man has nothing to worry about (Score:3, Interesting)
I'm sure that some other company will be perfectly happy to snatch him right up, partly as a slap in the face to Microsoft and because he can obviously provide some valuable information about the security risks involved with Windows now and in the future.
Maybe even the CCIA might snatch him up? Personally, I think they owe it to him.
Comment removed (Score:5, Interesting)
Forget conspiracy theories.Remember what @stake is (Score:5, Insightful)
@Stake clearly does not consider themselves to be a news organization, or a news clearing house.
That said, they should, in the future, be held to the standards of advertising agents, with all the benefits of such -- not news agents with their benefits.
Therefore, if they want to come in to cover a software convention, by all means let them [but at full price: no media pass]. If they want to claim first Amendment right to speech, they can, within the bounds and with the protections set by our government for advertisers. Not within the bounds and with the protections set by our government for news media.
I don't see a reason to apply conspiracy here; just treat them as what they consider themselves to be.
His job? (Score:3, Funny)
Sigh.
Talk about putting a finger where it hurts. (Score:3, Insightful)
for the sake of one client (Score:5, Interesting)
If they want MS as their sole client, that's one thing.
Their publically firing a whistleblower for being part of a group writing a negative article about MS software tells me that @stake can never be trusted again in any statement they make about MS software, operating systems, or security procedures. So what's the upside for a non-MS client to hire them?
Is anybody left at @stake from the old l0pht days?
Ethics and Business sans Technology (Score:5, Insightful)
Ethics is going down the tubes. An example, I think was the investment community in the U.S.
If you watch the media, you have this over all impression, well, Enron was just a fluke, they had poor accounting.
But if you read the papers, this fluke, is being practiced by 100's of companies, all screwing over their investors like cheap whores on a Dutch street corner.
I hate to point this out, but these Ivy league trained people were taught and are taught that this is just ducky. How can it not be with so many companies screwing you on a daily basis.
It can't be a fluke when everyone is doing it.
Fluke? I think not, but you decide.
It has become ethical to do business unethically and it is proudly taught that way in our so called finest Universities.
If anyone has any money in US retirement investment funds, when they retire 30-40 years from now, I will be really amazed.
If you are an investor, and you are investing in US companies for retirement, you my friend are a sucker.
Same thing is happening here. Microsoft is not an innovative company, it buys companies.
They do not write good software and if you are stupid enough to buy Microsoft Press books written by PhD's who claim they even have a clue about good Software Engineering principles, you are just another duped "investor".
I would like to point out that Microsoft is one of the largest employers of Computer Science PhD's in the country.
As an example, one must ask this question after looking at these Software Engineering practices books that Microsoft Press publishes as oxymoronic.
My reasoning is as follows:
Exhibit A: Microsoft hires more PhD computer scientists than even IBM has to work on the secure initiative for 2000 and XP. Building and rebuilding the entire OS 2000, and then again with XP, from scratch, at a estimated cost of 2.8 billion dollars.
Exhibit B: A 18 year old in Minnesota, a 16 year old in Malaysia, and a 21 year old in Russia. All with WAY too much time on their hands, with NO source code, find more security holes in 2000, XP than you can possibly say "Code 'in'-Complete" in that past 14 months.
Exhibit C: A University student, in Finland builds a new operating system kernel called Linux, and in just 8 years it is being worked on by almost no PhD's and many testors and code contributors are in their early 20's or teens, and is far more capable than windows, 1.8 billion dollars later.
Is Linux just another Enron? Fluke?
My point is that the way we are being taught code in this country is not the way code should be written. Even if you have a PhD, its business as usual dogma, just like our MBA friends.
Is it a fluke that the best code being written is not through institutionalized learning in this country?
What do these exhibits tell us about our country in general, with regards to ethics?
It doesn't take a rocket scientist to figure out what is going on here.
Fluke?
I think not, but you decide.
-Hack
Chilling effects at @stake after this firing? (Score:3, Interesting)
Wish I had seen this earlier (Score:5, Interesting)
Sure wish I had seen this earlier instead of 300+ replies later. Oh well, I guess thats what happens when you stick your head inside a Hobbit hole for three years and don't come out.
I feel I must reitterate L0phT =! @stake. Please do not confuse what I consider to be the good work of the L0pht with the corporate nonense that is @stake.
As for Dan and everyone else that works there they should have seen the writing on the wall three years ago when they fired my poor ass. Remember me, Space Rogue? HNN? All Gone. Why? I can only speculate but I think they felt that a critical mouthpiece would not be a good thing. Sound familiar? Hard to get someone to sign a big contract if you might call them names the next day.
Dan is a remarkable person. His mind works like no other person I have ever met. Don't feel sorry for him. Trust me, he is in a better place now.
Microsoft has continued its embrace, extend and I assume, extinguish policy with regards to information security. How? By hiring several of the people who were critical of the organization. Yes, that means previous @stake, Guardent, Foundstone, etc employees. That also means hackers, all who now work for the Giant in Redmond. Keep your enemies close. What better way to silence your critics than to hire them. Then you can keep them silent until they no longer pose a threat and dispose of them quietly at a later time when no one is looking.
Oh well, life goes on, the Internet is as insecure as ever, companies are still able to hide thier vulnerability, risks are not taken seriously and hackers still roam free. Nothing has changed, and nothing will until such time that people stop trusting everything that is spoon feed by anyone looking to make a buck. Yeah, I'm cynical. Sue me.
- SR
I got fired testifying the Antitrust (Score:5, Interesting)
Three months later, I had a four day vacation and when I came back, the locks on my office were changed and my personal contents were cleaned out. They gave me a "farewell interview" to express that their sole reason for firing me was "dissatisfactory performance," which is all their employment policy required. My ten year career with them was over, they would not give me opportunity to defend myself, and they wouldn't give me severance or unemployment.
(The Salvation Army, as a church, is not required by Ohio law to pay into unemployment. Compounded with losing my pension settlement for three months, I spent those months at zero income.)
I found out over a year later that Microsoft was behind it... It wasn't a local decision at all, but was enforced by Paul Kelly, IT Director of New York's Territorial HQ, along with policy banning Linux in our ten state territory! Paul normally has no direct dealings with me on the divisional level, but a contact in New York revealed how pivotal Paul considered me in that contraversy.
I haven't pulled together the witnesses and evidence to prove this in court, but the commonly held opinion is that Paul got the call from Microsoft which says "get rid of the problem, or we'll audit your business licenses."
So it seems The Salvation Army, a church, is also a wholy owned and operated subsidiary of Bill Gate's Evil Empire(tm).
Joel 'Twisty' Nye, MCSA, Linux+
Take gun, point at foot, pull trigger (Score:3, Insightful)
Anyone with half brain will realise that running an entire network on a single OS is asking for it. This is why buildings don't tend to have the same key for every lock and the burglar alarm and keep skeleton keys well guarded. If this were the case, someone drops the key in the car park and whoever finds it has free reign and oh boy, the joy of the discovering that it opens every desk, filing cabinet and safe as well.
The headline was that a singular reliance on Windows is a bad thing and I can't see that this argument is flawed. For @stake to sack someone for daring to state the obvious is laughable and makes them look stupid in the same way that Microsoft always looked stupid when they'd claim that there were no reliability issues in Windows despite the fact that even the non-techiest people in an office could tell you what BSOD stands for.
If anyone at MS is thinking that this is a good thing then they should consider that many people watching have already, based on their previous record of dubious behaviour, put this down to their intervention. Whether it's true of not is irrelevant, it just seems most likely.
Re:Is slashdot really any better? (Score:5, Insightful)
Now, if you get fired for reading too much Slashdot on company time, we are absolutely not responsible.
Re:I'm sure he'll find a new job (Score:5, Interesting)
It's a sad state of affairs, but not surprising. It's been a long time since the "CIFS is caca" paper, and I lost respect for the l0pht back when *hobbit* was edged out. Mudge became "Dr. Mudge" (as if), and they all started running after the limelight. Sad, really. The Hacker News Network is long gone, and mudge is Pieter. It sucks for Dan, but it's just more of the same for the rest of us.
It takes a lot of nerve for Chris Wysopal to issue his little statement. Weld Pond would never have said something like that. Man, it's been a long path from BO2K to appeasing Microsoft. What a long, strange trip it's been. Sigh.
Rough Translation (Score:5, Interesting)
CIFS=Common Internet File System. This is a reference to the security flaws highlighted by Hobbit (from memory it was defcon 5, back in 1997) in the microsoft SMB (windows networking) products. A copy is still available from here [ussrback.com].
and I lost respect for the l0pht back when *hobbit* was edged out. Mudge became "Dr. Mudge" (as if), and they all started running after the limelight. Sad, really. The Hacker News Network is long gone, and mudge is Pieter. It sucks for Dan, but it's just more of the same for the rest of us.
L0pht Heavy Industries (creaters of the L0phtcrack suite Pwdump that allowed brute force cracking of windows NT user/passes) went though a period of internal discontent. I cannot provide any details on this. Basically the author seems to be trying to highlight the corporate yes-men culture that has permeated this sector and presumably led to this dismissal for speaking the obvious but unapproved "truth".
It takes a lot of nerve for Chris Wysopal to issue his little statement. Weld Pond would never have said something like that. Man, it's been a long path from BO2K to appeasing Microsoft. What a long, strange trip it's been. Sigh.
I have to admit this part has me stumped. I assume he means that Chris Wysopal of @stake would answer differently to Weld Pond of Lopht. Since they are one and the same person I assume he means to highlight the change over time in Chris's opinions/loyalties... not really surprising in the context of articles like this [theregister.co.uk] (para. headed Who's Who).
It has indeed been a long and strange trip... no end in sight yet.
Q.
Re:Rough Translation (Score:3, Informative)
> > It's a sad state of affairs, but not surprising. It's been a long time since the "CIFS is caca" paper...
> CIFS=Common Internet File System. This is a reference to the security flaws highlighted by Hobbit (from memory it was defcon 5, back in 1997) in the microsoft SMB (windows networking) products.
You're correct on which defcon, but I'd like to remind you that mudge and *hobbit* stood up there together. I was saddened to see how
Re:I'm sure he'll find a new job (Score:4, Insightful)
It's sad that a person who speaks truth gets fired if it is not in the best interest of their companies, but I guess that is why a truly outspoken person must be freelance, because otherwise they WILL be fired eventually for their honesty.
M$OS-less 15" Powerbook G4 [amazon.com]
Re:I'm sure he'll find a new job (Score:4, Funny)
People in Soviet Russia, however, appear to be afflicted with amusing juxtapositions of the aforementioned situation.
Re:I'm sure he'll find a new job (Score:3, Interesting)
I doubt Microsoft made them fire him. (Score:3, Insightful)
I imagine it was just some chickenshit middle management type over at @stake who wet himself when his little pet security project churned out a ton of anti-microsoft press.
Re:I'm sure he'll find a new job (Score:5, Funny)
Watch the disappearing PR (Score:3, Interesting)
@Stake on the other hand...
This is probably going to be a bit of a nightmare for them. The firing is starting to generate a lot of attention in the press. People who may or may not have heard of @Stake before this are now going to remember them as "the company that fired a guy for dissing the security of using all Microsoft."
I for one wouldn't want to hire a company whose line of business is other people's security but
Re:last message (Score:4, Insightful)
If this person was a writer/researcher/whatever for a company, and he made comments that were not only attributed to him, as an individual, but to the company he worked for- yes, they can get rid of him. And, if these comments made by him, under the guise of 'official' statements were contrary to the companies position, then yes, he *should* be fired.
If he wants to say these things on his own time, and not associate them with his company, then fine. Unless of course he has a contract that states he CANNOT do this. This is fairly common for people who are a 'spokesperson' for their company. Or, who are strongly identified with the company.
But, this person wanted to use their company's good name to push his own agenda- that is not a good thing. I work for a major university- I cannot publish papers filled with my opinions, and my own platform, and associate it with my university. In fact, anything that IS published, and associated with the university, needs to get peer-reviewed by at least 3 other people who are experts in the field. This is to ensure that individuals cannot use the university's good name as their own pulpit.
I was with you until you said (Score:3, Insightful)
Re:Would Anyone Like to Take @Stake's Side? (Score:3, Insightful)
Re:Aah! My paper! (Score:5, Funny)
(Mod -1 Horrible)