Firing Spurs Unease

Security experts voice concern over Geer's ouster.

As the fallout from the firing of a security researcher over his authorship of a controversial paper continued last week, other researchers and security experts said the incident could cast a pall over their work, making it difficult to speak their minds on important topics.

A security researcher and scientist with more than 30 years of experience that includes work on some groundbreaking projects, Dan Geer was let go by @Stake Inc. a day after the publication of a paper he co-authored that was sharply critical of Microsoft Corp.—one of @Stake's customers—and the effects that its dominant position has on Internet security.

The paper argues that the dominance of Windows in the marketplace has created a monoculture in which all systems are more vulnerable to widespread attacks and viruses. Part of the answer to the problem, Geer and his collaborators wrote, is for enterprises to diversify their infrastructures with products from other vendors.

Software diversity in the name of security is by no means a new idea, but Geer and the other authors are all very visible in the high-tech industry, especially within the security community, and their opinions carry a certain weight. However, Geer said the opinions in the paper were no more controversial or edgy than many of the things he's said in speeches, interviews and other papers during his time with @Stake.

"People say that if he was surprised [by being fired], he's an idiot. Well, I was surprised in this sense: I do this kind of thing all the time," Geer said. "My job was to be out in front far enough that a company the size of @Stake could be at the front of an industry like this."

Microsoft, based in Redmond, Wash., has used @Stake's services for several years. Officials at @Stake, in Cambridge, Mass., deny Microsoft influenced their decision to fire Geer. Microsoft officials also denied that the company had any involvement in Geer's firing.

But Geer and many of his colleagues aren't convinced.

"The best influence is subtle," said Bruce Schneier, chief technology officer and founder of Counterpane Internet Security Inc., in Cupertino, Calif., and one of Geer's co-authors. "What it means is they didn't have to call. We're all researchers, and we don't speak for our companies."

The company said Geer's last day as an employee was Sept. 23, but the announcement wasn't made until Sept. 25, the day after the paper was published. Geer went on a conference call with reporters Sept. 24, identified himself as an @Stake employee and added that the opinions in the paper were his own and not the company's.

"The fact is, I never had any other problems like this. It actually works the other way, where they would hear something I'd said and come to me and say, 'Nice work.' It will sound immodest, but my reputation was more valuable to them than theirs was to me," Geer said.

The paper generated a fair amount of controversy, with Microsoft officials defending the company's security practices and corporate policies and @Stake employees making the media rounds to distance the company from Geer's statements.

Whether Microsoft had a hand in his demise "will be forever impossible to ascertain," Geer said. "One might say communication wasn't necessary."

As an example of the kind of behind-the-scenes influence that large vendors have, Geer cited his efforts to find an academic security expert or two to sign on to the paper on software diversity. After contacting nine people and striking out each time, he gave up. "All of them said it was too hot for their position," Geer said.

One of the researchers Geer spoke with said he decided not to join the project for other reasons but was nonetheless appalled by Geer's firing. Avi Rubin, associate professor of computer science at Johns Hopkins University, in Baltimore, and technical director of the university's Information Security Institute, is currently serving as an expert witness in a lawsuit against Microsoft and looked over drafts of the paper, but he declined to add his name to the paper. Still, Rubin was upset by the implications of Geer losing his job.

"I think there should be a huge outcry over his firing. It is that kind of intimidation against scientists speaking their minds that can be extremely dangerous to our society," Rubin said.