Dan Geer, the principal author of a recent report on the security risks of Microsoft Corp.'s monopoly, has lost his job as chief technology officer of security consultancy @stake Inc. because of his involvement with the report.
Geer, a well-known and respected security expert, wrote the paper along with several other famous security figures, including Bruce Schneier, CTO and founder of Counterpane Internet Security Inc., and Rebecca Bace, CEO of Infidel Inc. The report criticizes the dominance of Windows in the marketplace and cites it as one of the main causes of the security problems on the Internet. While rapping Microsoft for the vulnerabilities in its products, the paper in fact lays much of the blame for the situation at the feet of customers who continue to buy Windows without investigating other options.
The paper was released by the Computer and Communications Industry Association, although the authors said the CCIA did not pay them or fund the writing of the paper in any other way. Some of Geer's collaborators were appalled by his firing.
“There was a lot of pressure here. It might not have been overt, but it was there,” said Schneier, who also sits on @stake's advisory board. “We're all researchers. We don't speak for our companies. One of the weird things is that he got fired for saying things that security researchers have been saying for 10 years. We said the same thing when the Morris worm hit. It's not that it's Microsoft that's bad, it's that there's one company that's so dominant. It's really sad that there's that much pressure.”
Officials at Microsoft, which has worked closely with @stake in the past, said the report did not reflect the company's commitment to security and protecting customers.
“I certainly agreed with the first sentence of it, that software will never be perfect,” said Sean Sundwell, a spokesman for Microsoft, based in Redmond, Wash. “Anything that affects our customers is our problem. Our biggest problem with the report is the idea of the monoculture. It points out the problems and fails to point out the advantages. It sends a message that by somehow diversifying their environments, customers are suddenly more secure.”
The authors of the report, including Geer, discussed the paper in a conference call with reporters Wednesday, during which Geer identified himself as working for @stake. However, he said that the paper represented his own opinions and not those of @stake. Most of the other authors made similar disclaimers.
However, @stake officials said they did not know about the paper or its contents until it was published, and they said Geer's last day at the company was Tuesday. They also denied that there was any pressure from Microsoft to fire Geer.
“Absolutely not,” said Lona Therrien, a spokeswoman for @stake.
Geer's information and picture have already been deleted from the company's Web site. Before joining @stake, Geer had his own security consulting firm, worked for a time at Digital Equipment Corp. and was also in charge of all of the technical development on MIT's famed Project Athena, where he was instrumental in the development of both the X Window System and the Kerberos authentication protocol.
Chris Wysopal, director of research and development for @stake, said the company mainly took issue with the way the points in the paper were presented.
“There are definitely points in the paper that are very widely held security tenets, like diversity is a part of defense in depth,” Wysopal said. “But we just don't agree with the way the paper framed it. The problems in TCP/IP affect all of the computers on the Internet, but we didn't rip out TCP/IP.”