Information Security News mailing list archives

Security Expert Geer Sounds Off on Dismissal


From: InfoSec News <isn () c4i org>
Date: Wed, 1 Oct 2003 03:44:30 -0500 (CDT)

http://www.eweek.com/article2/0,4149,1304909,00.asp

By Dennis Fisher 
September 29, 2003

When @stake Inc. on Thursday announced that it had fired its CTO Dan 
Geer, no one was more surprised than Geer himself. 

A security researcher and scientist with more than 30 years of
experience, including work on some groundbreaking projects, Geer was
let go just a day after the publication of a paper he co-authored that
was sharply critical of Microsoft Corp. - one of @stake's customers.  
The paper covered the effects that Microsoft's monopolistic position
has on the security of the Internet.

The paper argues that the dominance of Windows in the marketplace has 
created a monoculture in which all systems are more vulnerable to 
widespread attacks and viruses. Part of the answer to the problem, 
Geer and his collaborators wrote, is for enterprises to diversify 
their infrastructures with products from other vendors. 

Software diversity in the name of security is by no means a new idea, 
but Geer and the other authors are all very visible in the high-tech 
industry, especially within the security community, and their opinions 
carry a certain weight. However, Geer said Monday that the opinions in 
the paper were no more controversial or edgy than many of the things 
he's said in speeches, interviews and other papers during his time 
with @stake. 

"People say that if he was surprised [by being fired], he's an idiot. 
Well, I was surprised in this sense: I do this kind of thing all the 
time," Geer said in an interview from his home. "My job was to be out 
in front far enough that a company the size of @stake could be at the 
front of an industry like this." 

Microsoft, based in Redmond, Wash., has used @stake's services for 
several years. Officials at @stake, in Cambridge, Mass., flatly deny 
any connection between this fact and Geer's firing and say that no one 
from Microsoft influenced their decision whatsoever. 

But Geer isn't convinced. The company said Geer's last day as an 
employee was Tuesday, but the announcement wasn't made until Thursday, 
the day after the paper was published. Geer went on a conference call 
with reporters Wednesday morning and identified himself as an @stake 
employee and added that the opinions in the paper were his own and not 
the company's. 

"The Venn diagram of facts doesn't intersect. The intersection of all 
of those statements is the null set," Geer said. 

The paper generated a fair amount of controversy, with Microsoft 
officials defending the company's security practices and corporate 
policies and @stake employees making the media rounds to distance the 
company from Geer's statements. 

Whether Microsoft had a hand in his demise "will be forever impossible 
to ascertain," Geer said. "One might say communication wasn't 
necessary. There's a school of thought that says that a phone call 
wasn't needed. The more powerful you are, the less likely you are to 
have to pick up the phone. At most, you could call it plausible 
deniability." 

As an example of the kind of behind-the-scenes influence that large 
vendors have, Geer cited his efforts to find an academic security 
expert or two to sign on to the paper on software diversity. After 
contacting nine people and striking out each time, he gave up. 

"All of them said it was too hot for their position," Geer said. "They 
enjoy the free speech benefits of tenure but not necessarily those of 
funding." 

One of the researchers that Geer spoke with said he decided not to 
join the project for other reasons, but was nonetheless appalled by 
Geer's firing. Avi Rubin, associate professor of computer science at 
Johns Hopkins University in Baltimore, Md., and technical director of 
the university's Information Security Institute, is currently serving 
as an expert witness in a lawsuit against Microsoft and looked over 
drafts of the paper during its development, but ultimately felt that 
adding his name to the paper wasn't the best idea at the time. Still, 
he said he was upset by the implications of Geer losing his job. 

"I think there should be a huge outcry over his firing. It is that 
kind of intimidation against scientists speaking their minds that can 
be extremely dangerous to our society," Rubin said. 

Microsoft spokesmen denied that the company had any involvement in 
Geer's firing. 

As for future projects, Geer said he's been inundated with offers and 
ideas. After all, he essentially created the security consulting 
industry more than a decade ago with his firm Geer-Zolot Associates 
and also oversaw the development of the Massachusetts Institute of 
Technology's Project Athena. 

"The mail is still coming in fast and furious. No one's showed up with 
a boatload of money and said, 'Take it.' But the question now is, 
what's the wise thing to do," he said.


