The chief technology officer of @stake, an IT security company with close ties to Microsoft, was reportedly sacked by his company just after he released a report critical of the Redmond, Washington-based software vendor.
Daniel Geer, also one of the founders of the company, is principal author of the paper “Cyberinsecurity: The Cost of Monopoly,” which was first made public at the Computers & Communications Industry Association’s 30th annual Washington Caucus on Wednesday.
The report asserted that Microsoft’s monopoly of most of the world’s computer operating systems creates a monoculture that leaves IT infrastructures critically vulnerable to attack. Therefore, it warned, antitrust is a security issue as well as an economic one.
“Microsoft’s attempts to tightly integrate myriad applications with its operating system have significantly contributed to excessive complexity and vulnerability,” Geer said. “The deterioration of security compounds when nearly all computers rely on a single operating system subject to the same vulnerabilities the world over.”
He added, “Ironically, Microsoft’s efforts to deny interoperability of Windows with legitimate non-Microsoft applications have created an environment in which Microsoft programs interoperate efficiently only with Internet viruses.”
Nothing Much from @stake
On Thursday, the day after the paper’s release, @stake issued a brief statement noting that, as of last Tuesday, Geer no longer is associated with the company.
“Although Dr. Geer announced that his CCIA-sponsored report was an independent research study, participation in and release of the report was not sanctioned by @stake, [and] the values and opinions of the report are not in line with @stake’s views,” the company said. “Any use of his title or current affiliation with @stake should be corrected.”
Will Rodger, director of public policy at the CCIA, told the E-Commerce Times that although he does not know what happened beyond what news publishers have reported, @stake’s action “bears all the hallmarks of revenge and makes us all wonder.”
Shooting the Messenger?
As Rodger put it: “Here is the founder of one of the most prominent security companies in the field, [who] is one of the most prominent security specialists in the field, issuing a report that has been the consensus for some time that the main threat [to IT infrastructures] is monoculture.
“Nothing Geer said was particularly radical,” Rodger added. “But what is news is that for the first time a group of really renowned researchers have gotten together to write a paper about dangers of monoculture [that tells] policy makers that they have got to do something about it.”
Crock of Garbage
Jim Hurley, vice president of security and privacy at Aberdeen Group, told the E-Commerce Times that the theory behind Geer’s paper puts forth a biological model that says a monoculture is more susceptible to infectious disease and mutations that can threaten the species as a whole.
However, Hurley said he does not accept this analogy.
“This model is a crock of garbage for the simpletons in the world who don’t want to deal with underlying technological problems….” he said. “It will only serve to cause further confusion.”
Watch the Access Policies
Instead, Hurley said, discretionary access control policies — which determine how security policy and security itself are implemented in everything from operating systems to routers and switches — are at the root of the design flaws that make systems vulnerable to attack. According to him, the fundamental security design in all of these products led to problems in maintaining security.
However, Hurley did note that although he knows only what is contained in published reports of Geer’s firing, one can infer that @stake is telling people it can be bought — which does not cast the company in a good light.
“Based on reports to date without substantive comments from @stake about Geer leaving, it doesn’t sound right,” Hurley said.