Former @stake CTO speaks out on dismissal

Dan Geer, the former chief technology officer at @stake, lost his job last week as a result of his participation in an...

Dan Geer, the former chief technology officer at @stake, lost his job last week as a result of his participation in an independent study of the security implications of Microsoft's monopoly hold on the software industry.

Can you tell me in your own words what happened on 25 September? I'm still cautioned by my attorney not to be too precise about anything. But I learned I was fired from a press release.

When I did eventually speak to the chief executive officer, it was cold and short, and he had nothing to say but, "your services are no longer required." And there was and has been nothing else beyond that.

One thing that your former employer has said is that you should have known that Microsoft was a client of the company and that, although it didn't necessarily disagree with everything in the report, your participation in the study showed lack of respect for a major client. Is that unreasonable? If you knew my history, you would know that I am a commentator at the limit of my professional skill and integrity on lots of things a lot of the time.

It's not as if there's a procedure to check everything with marketing. The reason I was recruited into this company in the first place was precisely for my ability to look over the horizon, to see the big picture and to umpire the game, if you will.

I once had someone explain to me that the way you could tell the difference between a young umpire, an experienced umpire and an old umpire was that the young umpire would say, "I call them as I see them." And the middle-aged umpire would say, "It's not a ball or a strike until I say it's a ball or a strike." And the old hand would say, "I make it a ball, or I make it a strike." If you don't mind me being a little immodest, I like to think that I'm approaching the latter. I comment on everything that I'm capable of commenting on as frankly as I am able to do so. It's what I am. So from my point of view, this report was business as usual and unremarkable. The only thing that made it remarkable was the reaction of the CEO [of @stake].

Why did you choose to align the study with an organisation - the Computer & Communications Industry Association (CCIA) - that's clearly partisan when you could have approached any number of organisations or media outlets that have a reputation for being even-handed? I had a satellite to put into orbit, and they had a launch vehicle. I went to an organisation that I was relatively certain would ensure that the report couldn't be ignored. I think that was an unqualified success, and made more of an unqualified success by adding the publicity engine of dissing me in the process. It was almost a gift.

A lot of people tend to agree with the general premise of the report, which is that monolithic IT environments aren't as secure as heterogeneous environments. But do you think you did yourself and the report a disservice by aligning with the Washington-based CCIA and giving it the appearance of partisanship? I was recruited because I have a name, a reputation and a following, and @stake didn't. What makes this particularly surprising is that @stake got more out of my reputation than I did of its.

A lot of people say that while they agree with the fundamental premise of the report, some point out that heterogeneous IT environments may pose just as many security problems from poor configurations. There is that point, frankly. One could overcorrect. But if I had to choose between which one we could have today versus which one we could have in the future, there is no question in my mind.

As far as configuration difficulty, the reason one has configuration difficulty is because most large systems have too many knobs to adjust. When you have too many knobs to adjust, you don't adjust them.

The reason default settings [aren't] changed is because there are too many of them. If my car looked like the front end of a 747, I'd be afraid to drive down the street. That's half the problem. But people are correct, if everybody had a different version of something and the front end looked like a 747, I don't know what we would do. Speaking as an engineer, simplicity is a goal of good design, it is never the starting point.

What are your plans now, with respect to your former employer as well as future employment? I'm being inundated by people who want to do my planning for me. But there seems to be no shortage of things one can do with the rest of one's life.

Dan Verton writes for Computerworld

Read more on IT risk management