Anti-monopoly report sparks major feud

A report which debated the security ramifications of monolithic IT infrastructures has become a pawn in the unending political battle between pro- and anti-Microsoft factions, and has cost one of the co-authors his job.

The report, "CyberInsecurity: The Cost of Monopoly. How the Dominance of Microsoft's Products Poses a Risk to Security" released last week by seven self-proclaimed independent researchers from the IT security industry, harshly criticised Microsoft's monopoly hold on the software industry. It claimed that hold is a fundamental cause of security problems that now confront the entire global internet community. 

The day after the report's release, co-author Dan Geer was fired from his job as chief technology officer at @stake, a security company which derives a hefty percentage of its income from Microsoft.

Moreover, sources claimed the firing was made retroactive to 23 September, so that @stake could further distance itself from Geer and the report. 

An @stake official, who spoke on condition of anonymity, confirmed that Geer was fired and said that as a corporate officer he should have known that Microsoft was a client of the company. "It's not a matter of the content of the report; it's a matter of ethics and respect for clients," the official said. 

Geer couldn't be reached for comment. 

Chris Wysopal, @stake's director of research, said the company had no argument with the report's basic premise that technological diversity poses less of a security risk than monolithic architectures. "But the way the report is positioned and a lot of its conclusions are things we don't agree with. The report is a bit one-sided," he said. 

The firing didn't go down well with other authors of the report. 

"It's very sad that @stake fired him for this," said Bruce Schneier, a report co-author and founder of security consultancy Counterpane Internet Security. "We as security researchers regularly speak, write and do reports that express our professional opinions. We assume that companies hire us for our integrity and honesty." 

The authors of the report may have actually undermined their independence by teaming with the Computer & Communications Industry Association. 

The CCIA is a Washington-based industry group whose members include direct Microsoft competitors such as Sun Microsystems and Oracle, and it has supported the US and European investigations into what the group has called "Microsoft's competitive abuses". The CCIA not only published and publicised the report on behalf of the researchers, it has also provided a written introduction to the document. 

When asked during a teleconference on Wednesday about who or what organisations funded the study, Geer, whose firing had not yet been announced, said it was a "personal initiative" by the seven authors that was not funded by the CCIA or any third party. 

Edward Black, president and chief executive officer of the CCIA, said his organisation had no role in developing the content of the report.

"These guys did this on their own, and they contacted us because our expertise is in the policy area, and we had the infrastructure to publicise the report in Washington," he said. 

"We didn't write the report for CCIA," said Perry Metzger, an independent security consultant and a report co-author. 

"All of us are computer security people, not politicians," he said, responding to questions about the appearance of partisanship stemming from the group's relationship with the CCIA. "People should try to make up their own minds about whether or not we're right." 

However, users might have a hard time deciphering exactly who the honest broker is in this case. Washington-based Americans for Technology Leadership (ATL) was quick to call the report a "shameless" campaign by the CCIA to "line the pockets of a handful of large companies". 

But ATL's position may have been undermined by the fact that Microsoft is one of the 10 founding members of the organisation, which is focused on limiting government regulation of technology. 

"Enterprises need to realise that if they haven't heard of an organisation that produces a study, it is probably funded by a vendor or other partisan entity," said Gartner analyst John Pescatore. 

But in this case, users have found themselves caught in the crossfire with no concrete recommendations from either side. Rather than offering solutions to the problems, the report simply blames a lack of government policy and senior executives at user companies who insist on purchasing only Microsoft software because of its ease of use and compatibility. 

Dan Verton writes for Computerworld