A report that examines the security ramifications of
monolithic IT infrastructures has become a pawn in the unending
political battle between pro- and anti-Microsoft factions, and has
cost one of its co-authors his job.
The report, "CyberInsecurity: The Cost of Monopoly. How the
Dominance of Microsoft's Products Poses a Risk to Security"
released last week by seven self-proclaimed independent researchers
from the IT security industry, harshly criticised Microsoft's
monopoly hold on the software industry. It claimed that hold is a
fundamental cause of security problems that now confront the entire
global internet community.
The day after the report's release, co-author Dan Geer was fired
from his job as chief technology officer at @stake, a security
company which derives a hefty percentage of its income from
Microsoft.
Moreover, sources claimed the firing was made retroactive to 23
September, so that @stake could further distance itself from Geer
and the report.
An @stake official, who spoke on condition of anonymity,
confirmed that Geer was fired and said that as a corporate officer
he should have known that Microsoft was a client of the company.
"It's not a matter of the content of the report; it's a matter of
ethics and respect for clients," the official said.
Geer couldn't be reached for comment.
Chris Wysopal, @stake's director of research, said the company
had no argument with the report's basic premise that technological
diversity poses less of a security risk than monolithic
architectures. "But the way the report is positioned and a lot of
its conclusions are things we don't agree with. The report is a bit
one-sided," he said.
The firing didn't go down well with other authors of the
report.
"It's very sad that @stake fired him for this," said Bruce
Schneier, a report co-author and founder of security consultancy
Counterpane Internet Security. "We as security researchers
regularly speak, write and do reports that express our professional
opinions. We assume that companies hire us for our integrity and
honesty."
The authors of the report may have actually undermined their
independence by teaming with the Computer & Communications
Industry Association.
The CCIA is a Washington-based industry group whose members
include direct Microsoft competitors such as Sun Microsystems and
Oracle, and it has supported the US and European investigations
into what the group has called "Microsoft's competitive abuses".
The CCIA not only published and publicised the report on behalf of
the researchers, it has also provided a written introduction to the
document.
When asked during a teleconference on Wednesday about who or
what organisations funded the study, Geer, whose firing had not yet
been announced, said it was a "personal initiative" by the seven
authors that was not funded by the CCIA or any third party.
Edward Black, president and chief executive officer of the CCIA,
said his organisation had no role in developing the content of the
report.
"These guys did this on their own, and they contacted us because
our expertise is in the policy area, and we had the infrastructure
to publicise the report in Washington," he said.
"We didn't write the report for CCIA," said Perry Metzger, an
independent security consultant and a report co-author.
"All of us are computer security people, not politicians," he
said, responding to questions about the appearance of partisanship
stemming from the group's relationship with the CCIA. "People
should try to make up their own minds about whether or not we're
right."
However, users might have a hard time deciphering exactly who
the honest broker is in this case. Washington-based Americans for
Technology Leadership (ATL) was quick to call the report a
"shameless" campaign by the CCIA to "line the pockets of a handful
of large companies".
But ATL's position may have been undermined by the fact that
Microsoft is one of the 10 founding members of the organisation,
which is focused on limiting government regulation of
technology.
"Enterprises need to realise that if they haven't heard of an
organisation that produces a study, it is probably funded by a
vendor or other partisan entity," said Gartner analyst John
Pescatore.
But in this case, users have found themselves caught in the
crossfire with no concrete recommendations from either side. Rather
than offering solutions to the problems, the report simply blames a
lack of government policy and senior executives at user companies
who insist on purchasing only Microsoft software because of its
ease of use and compatibility.
Dan Verton writes for Computerworld