Dan Geer was fired from his job as chief technology officer at @stake Inc. on Sept. 25, one day after he and six other security researchers released a report that criticized Microsoft Corp.'s dominance of the software industry as a fundamental cause of IT security problems.
The report was published by the Computer & Communications Industry Association (CCIA), a Washington-based trade group that includes some of Microsoft's top rivals. @stake, a Cambridge, Mass.-based vendor of security software and consulting services, gets a significant portion of its revenue from Microsoft. Geer last week spoke to Computerworld about his firing and the controversy surrounding the report.
What happened on Sept. 25?

I'm still cautioned by my attorney not to be too precise about anything. But I learned I was fired from a press release. When I did eventually speak to the CEO [James Mobley of @stake], it was cold and short, and he had nothing to say but, "Your services are no longer required." And there was and has been nothing else beyond that.
@stake has said that you should have known Microsoft was a client and that, although other @stake officials didn't necessarily disagree with everything in the report, your participation showed lack of respect for a major customer. Is that unreasonable?

If you knew my history, you would know that I'm a commentator on lots of things a lot of the time. It's not as if there's a procedure to check everything with marketing. The reason I was recruited into [@stake] in the first place was precisely for my ability to look over the horizon, to see the big picture and to umpire the game, if you will.
I once had someone explain to me that the way you could tell the difference between a young umpire, an experienced umpire and an old umpire was that the young umpire would say, "I call them as I see them." And the middle-aged umpire would say, "It's not a ball or a strike until I say it's a ball or a strike." And the old hand would say, "I make it a ball, or I make it a strike."
If you don't mind me being a little immodest, I like to think that I'm approaching the latter. I comment on everything that I'm capable of commenting on as frankly as I am able to do so. It's what I am. So from my point of view, this report was business as usual and unremarkable. The only thing that made it remarkable was the reaction of the CEO.
Why did you choose to align the study with a clearly partisan group like the CCIA when you could have approached any number of organizations that have a reputation for being evenhanded?

I had a satellite to put into orbit, and they had a launch vehicle. I went to an organization that I was relatively certain would ensure that the report couldn't be ignored. I think that was an unqualified success, and [it] was made more of an unqualified success by adding the publicity engine of dissing me in the process. It was almost a gift.
[Photo: Dan Geer, former CTO at @stake Inc. Credit: Furnald/Gray]
A lot of people say they agree with the report's main premise that monolithic IT infrastructures inherently are less secure than multivendor ones. But some also say that multivendor environments may pose just as many security problems because of poor system configurations.

There is that point, frankly. But if I had to choose between which [approach] we could have in the future, there is no question in my mind. As far as configuration difficulty, the reason one has [that] is because most large systems have too many knobs to adjust. When you have too many knobs to adjust, you don't adjust them.

What are your plans now?

I'm being inundated by people who want to do my planning for me. But there seems to be no shortage of things one can do with the rest of one's life.