No More Than the Obvious

The epiphany that cost Dan Geer his job

. What's this?

By

September 30, 2003CSO — Last Monday, the security consultancy @Stake learned that its CTO, Dan Geer, had authored a white paper, Cyberinsecurity: The Cost of Monopoly, which codifies what everyone already thinksthat Microsofts outsized market share and business practices represent a "clear and present danger" to security.

Last Tuesday, Geer was fired, and Geer-supporters throughout the security community assailed @Stake for its failure to place principles above profit-motive. Microsoft, it turns out, is one of @Stakes biggest clients.

Six days later, this reporter finally got someone from @Stake to answer the disparaging question: Did the company really fire Geer out of fear of reprisal from Microsoft?

Their answer: Of course.

"It was no more than the obvious," says spokeswoman Lona Therrien. "There was an obvious concern that this was a risk to our business because of the client's trust. If we did not react, what would that say to our clients? This is not an academic forum, it's a business forum. It was a bad business decision [on Geer's part], not an academic one."

Speaking of the obvious, lets take a quick read through the report that cost Geer his job. The argument is as follows: Microsoft is a monopoly, and the company reinforces that monopoly through aggressive integration. Integration creates highly complex systems and complexity diminishes security. Microsoft's vulnerable platform, coupled with its monopoly control, can lead to cascading and/or catastrophic failure, which compromises security. Even national security.

Geer calls the problematic system a technological "monoculture," a term borrowed from agricultural vernacular. The less diversity there is in a system, he says, the more likely something will cause its total failure. Think of Ireland's potato blight, or the cotton-growing states economic ruin by the boll weevil.

"Nature has shown us that biodiversity has immense survivability value," says Geer. I don't see why the analogy doesn't hold."

Neither do some other security experts. Six of them, no slouches included, added their own thoughts and signatures to the paper, and the Computer and Communications Industry Association (CCIA), a lobbying group made up of Microsoft competitors, supplied an introduction and help with distribution.

In fact, the pro-diversity thesis of Geers writing is not even controversial. These days, it's hard to find any security expert who doesn't think that platform diversity is a no-brainer, accepted security strategy.

Even at @Stake, Geers ideas are held in high regard. Chris Wysopal, the companys research director, said after the incident that diversity is a defense-in-depth strategy. Diversity is part of what we do and a lack of diversity negatively impacts security."

What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?
RESOURCE CENTER