[ISN] Oh Dan Geer, where art thou?

R. A. Hettinga rah at shipwright.com
Tue Dec 30 12:47:57 EST 2003


--- begin forwarded text


Date: Tue, 30 Dec 2003 09:30:58 -0600 (CST)
From: InfoSec News <isn at c4i.org>
To: isn at attrition.org
Subject: [ISN] Oh Dan Geer, where art thou?
Sender: owner-isn at attrition.org
Reply-To: InfoSec News <isn at c4i.org>
Status:

http://napps.nwfusion.com/weblogs/security/003879.html

By Ellen Messmer
Network World Fusion
12/22/03

Remember Dan Geer -- Dr. Dan Geer to you -- who was fired from security firm
@stake in late September for sounding off against Microsoft as a
"national security threat" in the report "CyberSecurity: The Cost of
Monopoly"? (If not, check out the 9/29/03 Security Notes column).
Well, Geer is back in action as the chief scientist for Verdasys, a
security start-up that makes a product called Digital Guardian. And he
vows to continue to be as outspoken as he has been in the past, come
hell or high water.

Geer's previous employer, @stake, has declined to discuss the
particulars about how Geer suddenly departed his post as chief
technical officer the very week the Microsoft-bashing report he
authored appeared under the sponsorship of the Computer and
Communications Industry Association.

Whether you agree with the conclusions of that report or not, it can
certainly be counted as one of the better-argued essays on the dangers
of software monoculture and the possibility of security becoming the
means for vendor product lock-in. However, @stake, which counts
Microsoft as a client customer, apparently didn't find it amusing.
Geer "went missing" from his job the week the report was published,
with @stake only willing to say it was all a private personnel matter.

Of course, nothing like this stays private for too long, and word got
out from some of Geer's pals that he had been axed at @stake. Geer,
who started his new job as Verdasys' chief scientist last week, had
this to say about the Microsoft-as-monoculture episode: "I was fired
for saying the emperor is naked."

Geer, the main author of the report that had six other contributors,
acknowledges he didn't exactly brief @stake on what he was going to
say about Microsoft. He went straight to CCIA, which has long sought
to have Microsoft brought to heel under anti-trust laws, to back it as
a major trade organization with a megaphone to reach the press.

He added that it's ironic that "three weeks after I'm shot for saying
the emperor has no clothes, the National Science Foundation awards
Mike Reiter a multi-million NSF grant to study software monoculture."

(Mike Reiter is professor of electrical and computer engineering at
Carnegie-Mellon and associate director of its CyLab to advance
cybersecurity. "We are looking at computers the way a physician would
look at genetically related patients, each susceptible to the same
disorder," Reiter is quoted as saying in NSF's November 25 press
release about the grant he and his colleagues were awarded. They are
trying to find a way to keep computers that are basically the same
from being infected by the same thing, like Code Red and Blaster
worms. Sounds like a search for safe sex for computers, and we wish
them well in their quixotic quest.)

Geer is still somewhat bitter about his experience with @stake, where
he says his job was "to make @stake look bigger than it actually is.
And I was successful at it." But now it's time to move on.

Besides assisting Waltham, Mass.-based Verdasys in developing its
data-integrity products, Geer's official job description now says
he'll have a role in "customer and market evangelism." So expect the
outspoken and erudite Geer -- who cut his teeth at MIT's Project
Athena where Kerberos and X Windows System were developed -- to be seen
at conferences and at customer locations pulling for Verdasys.

"The future is at the data layer," Geer says with his Verdasys hat on.
Putting limits on file use -- what Verdasys has "nailed," says Geer
-- is "the right place to be right now."

As a scientist, one idea Geer hopes to pursue is studying file use on
a statistical basis for live times and transit patterns, perhaps to be
able to detect anomalies. Geer earlier was on the Verdasys board of
advisors, which also includes Bob Blakley, chief scientist for
security and privacy at IBM Tivoli Software and Dennis Devlin, vice
president and chief security officer at Thomson Corp. The privately
funded company was started earlier this year by its CEO Seth Birnbaum.

But just because Geer has a day job (though he'll still also be an
"independent risk management consultant for Geer Risk Services") don't
expect him to suddenly go soft. He says he frets just as much about
the problems of open-source code as he does about Microsoft's more
proprietary software.

"The most interesting question right now is the sanctity of the
open-source code pool and attempts to subvert it," he says, by those
that may want to insert Trojan horses or do other damage by breaking
into Web sites. He said there needs to be a lot more work on that
subject.

Whatever happens, don't expect this loose cannon of the Internet to go
quietly into that dark night.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo at attrition.org with 'unsubscribe isn'
in the BODY of the mail.

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
