Security Expert Geer Sounds Off on Dismissal

Former @stake CTO Dan Geer was fired last week only one day after the release of a paper critical of Microsoft. The pink slip raised an outcry in professional security circles. In an interview, Geer presents his side of the events.

When @stake Inc. on Thursday announced that it had fired its CTO Dan Geer, no one was more surprised than Geer himself.

A security researcher and scientist with more than 30 years of experience, including work on some groundbreaking projects, Geer was let go just a day after the publication of a paper he co-authored that was sharply critical of Microsoft Corp., one of @stake's customers. The paper covered the effects that Microsoft's monopolistic position has on the security of the Internet.

The paper argues that the dominance of Windows in the marketplace has created a monoculture in which all systems are more vulnerable to widespread attacks and viruses. Part of the answer to the problem, Geer and his collaborators wrote, is for enterprises to diversify their infrastructures with products from other vendors.



Software diversity in the name of security is by no means a new idea, but Geer and the other authors are all very visible in the high-tech industry, especially within the security community, and their opinions carry a certain weight. However, Geer said Monday that the opinions in the paper were no more controversial or edgy than many of the things he's said in speeches, interviews and other papers during his time with @stake.

"People say that if he was surprised [by being fired], he's an idiot. Well, I was surprised in this sense: I do this kind of thing all the time," Geer said in an interview from his home. "My job was to be out in front far enough that a company the size of @stake could be at the front of an industry like this."

Microsoft, based in Redmond, Wash., has used @stake's services for several years. Officials at @stake, in Cambridge, Mass., flatly deny any connection between this fact and Geer's firing and say that no one from Microsoft influenced their decision whatsoever.

But Geer isn't convinced. The company said Geer's last day as an employee was Tuesday, but the announcement wasn't made until Thursday, the day after the paper was published. Geer went on a conference call with reporters Wednesday morning and identified himself as an @stake employee and added that the opinions in the paper were his own and not the company's.

"The Venn diagram of facts doesn't intersect. The intersection of all of those statements is the null set," Geer said.

The paper generated a fair amount of controversy, with Microsoft officials defending the company's security practices and corporate policies and @stake employees making the media rounds to distance the company from Geer's statements.

Whether Microsoft had a hand in his demise "will be forever impossible to ascertain," Geer said. "One might say communication wasn't necessary. There's a school of thought that says that a phone call wasn't needed. The more powerful you are, the less likely you are to have to pick up the phone. At most, you could call it plausible deniability."

As an example of the kind of behind-the-scenes influence that large vendors have, Geer cited his efforts to find an academic security expert or two to sign on to the paper on software diversity. After contacting nine people and striking out each time, he gave up.

"All of them said it was too hot for their position," Geer said. "They enjoy the free speech benefits of tenure but not necessarily those of funding."

One of the researchers that Geer spoke with said he decided not to join the project for other reasons, but was nonetheless appalled by Geer's firing. Avi Rubin, associate professor of computer science at Johns Hopkins University in Baltimore, Md., and technical director of the university's Information Security Institute, is currently serving as an expert witness in a lawsuit against Microsoft and looked over drafts of the paper during its development, but ultimately felt that adding his name to the paper wasn't the best idea at the time. Still, he said he was upset by the implications of Geer losing his job.

"I think there should be a huge outcry over his firing. It is that kind of intimidation against scientists speaking their minds that can be extremely dangerous to our society," Rubin said.

Microsoft spokesmen denied that the company had any involvement in Geer's firing.

As for future projects, Geer said he's been inundated with offers and ideas. After all, he essentially created the security consulting industry more than a decade ago with his firm Geer-Zolot Associates and also oversaw the development of the Massachusetts Institute of Technology's Project Athena.

"The mail is still coming in fast and furious. No one's showed up with a boatload of money and said, 'Take it.' But the question now is, what's the wise thing to do," he said.
