Information Security News mailing list archives

Re: Technology Firm With Ties to Microsoft Fires Executive Over Criticism


From: InfoSec News <isn () c4i org>
Date: Wed, 1 Oct 2003 03:42:26 -0500 (CDT)

Forwarded from: "Bill Scherr IV, GSEC, GCIA" <bschnzl () cotse net>

People...

   I think we are missing the point here!  As security researchers we
would be remiss in ignoring the big picture, part of which Dan's
report is trying to relay.  It is not that Mr. Geer is unemployed.  
It is not that a monolithic network allows mal-users to traipse thru
the digital landscape using the same exploits over and over again.  
It is that @stake has just blown any modicum of objectivity, spraying
doubt on all its reports.

   In the interests of disclosure, the biggest splash I ever made on
the security scene was a mention in an @stake report.  Not that
splashing is good mind you!

   The big picture here is that objective reports require
independence.  Anyone who reviews a thing to issue an opinion on that
thing, can not have repercussions brought upon him by folks involved
in creating that thing.  Likewise, if the product is good, and the
reporter calls it good, no reward can be realized by that reporter,
other than his normal fee.  How else can we trust his word?  How else
can we trust that researcher not to hide a bad product behind his good
reputation?

   The report issued an opinion on a technical issue, relating to a
business practice.  The business practice is tweaking code, APIs and
error messages, etc. to "lock" current customers into the Microsoft
suite.  That is how M$ became the "sole source supplier" for Uncle
Sam's desktops.  The technical issue was the monolithic network
mentioned above.  Whether @stake acted on their own, or were levered
into that action, is immaterial.  @stake should have stuck by Mr.
Geer, even to the extent of holding any resignation until the heat
died down.

   The issue that Microsoft may or may not have levered @stake into
firing Mr. Geer should not come as a surprise to any with experience in
the business.  That is in keeping with how they operate.  One needs
only look at scandisk and how they wrenched it from Norton.  (DOS v5 I
believe, pre-Symantec).  I think many of you could come up with better
examples of questionable leverage.

   IF M$ did apply leverage, Mr. Wysopal (see:  
http://www.itoc.usma.edu/workshop/2002/documents/Wysopal_Bio.htm)
should have waved evidence of such an action for all the world to see.  
It may have been taken as another affront to the boys from Redmond,
but it would have saved his firm's reputation.  Mr. Wysopal's silence
is deafening.  As a USMA grad I once knew told me: "One Aw Shit wipes
out a thousand Atta Boys."

   IF @stake acted without pressure from the upper left of CONUS, they
are cutting off their nose to spite their collective face.  Folks of
Dan Geer's stature and experience don't just grow on trees.  (See:  
http://www.counterpane.com/board-geer.html and/or
http://www.cio.com/archive/010103/22.html).  At least it shows a lack
of business acumen.  Timing means something.  Even if this was an
action previously in the works, the timing suggests that Mr. Geer was
axed for stepping on Microsoft's toes.

   That suggests repercussion.  A company that issues reports relied
upon by others needs to avoid the very suggestion of repercussion
and/or reward, almost at all costs.  Any Audits, reviews,
vulnerability assessments, or other reports are now called into
question by the action of shooting the messenger.  Any current or new
employees will see that action and ask themselves who will stand
behind them when they report the true state of a product.  Talk about
Fear, Uncertainty, and Doubt!

   Will independence reduce the amount of money deposited by the whole
of security firms?  I wish I could say NO with certainty.  The fact is
that products reviewed by softer firms appear more secure than those
with strict adherence to currently accepted practices.  This allows
for corner cutting, and the appearance of higher productivity.  This
gives an unfair advantage to those reviewed by softer firms, and calls
into question the entire industry.  Ultimately, that was the subject
of Dan Geer's last @stake report.  (see:  
http://www.atstake.com/research/reports/acrobat/ieee_quant.pdf).  
Quantification of security issues is extremely difficult.  I haven’t
even brushed excessive leverage.  Excessive leverage is also known as
corruption.

   In the long run, security firms and researchers should guard their
independence at least as closely as Certified Public Accountants.  We
issue reports, ostensibly for action.  That implies trust.  Trust
requires objectivity.  Objectivity requires independence.  Where are
we without independence?

B.

PS>  What if Dan and Chris are in cahoots to pump up the report and 
@stake?   Ohh - conspiracy theorist's headache!!!!



On 30 Sep 2003, this text appeared purporting to belong to InfoSec

Date sent:              Tue, 30 Sep 2003 05:18:54 -0500 (CDT)
From:                   InfoSec News <isn () c4i org>
To:                     isn () attrition org
Subject:                Re: [ISN] Technology Firm With Ties to Microsoft Fires Executive Over Criticism
Send reply to:          InfoSec News <isn () c4i org>

Forwarded from: Jason Coombs <jasonc () science org>
Cc: paul () robichaux net, Dan_Verton () computerworld com,
   rforno () infowarrior org, full-disclosure () lists netsys com

InfoSec News wrote:
Forwarded from: Paul Robichaux <paul () robichaux net>
1. Geer claimed to be speaking for @stake. He wasn't.

I do hope that all of you actually read the report before forming
any opinions about it, the people who wrote it, or the manner in
which those people portrayed themselves as authors of it. It is
simply impossible to interpret Geer's role in authoring this report
as anything close to "speaking for @Stake" -- it was clearly the
"speaking" part that got him canned, and one need not be paranoid in
order to see Microsoft's direct or indirect influence in the growing
"punishment for speech" phenomenon within the United States.  
@Stake's own political bias in advancing the so-called "responsible
disclosure" process is a crucial element of criminalizing speech...
We can't put speakers in prison unless we can prove that they
violated the rules with their speech, so @Stake is busy trying to
define the rules.

The whole business makes me feel sick. What we really need is
freedom, and the ability to defend ourselves adequately from anyone
who might choose to exercise theirs in a way that doesn't conform to
other people's arbitrary definition of "responsible". There was a
time in the past when there was little doubt that we had freedom.

Freedom must be one of the costs of monopoly.

CyberInsecurity: The Cost of Monopoly
How the Dominance of Microsoft's Products Poses a Risk to Security
http://www.ccianet.org/papers/cyberinsecurity.pdf

Sincerely,

Jason Coombs
jasonc () science org


Bill Scherr IV, GSEC, GCIA
EWA / Information & Infrastructure Technologies
National Guard Regional Technology Center / Norwich Campus
Northfield, VT  05663
802-485-1962



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

