September 26, 2003

Strong reactions to CCIA security report give it added credibility

- By Robin 'Roblimo' Miller -

Ed Black, head of the Computer & Communications Industry Association (CCIA) -- the group that released the infamous report titled CyberInsecurity: The Cost of Monopoly (pdf download) -- says, "If it wasn't the truth, they wouldn't react so strongly." And one of the strongest reactions was from @Stake, a computer security company that fired its CTO, Dan Geer, who was one of the report's authors.

Geer's name has already been removed from @Stake's Web site, and his email there has been disabled. We have tried to contact him, and will keep trying, but two mutual acquaintances have told us he is in no mood to talk to anyone right now.

The funny thing is that @Stake was originally formed in large part to capitalize on the talents of L0pht Heavy Industries, an "underground" group of Boston-area computer grey-hat hackers who were alternately feared and revered by mainstream computer consulting firms.

A BusinessWeek Online story from March 2000 about @Stake's formation started with these words:

Can you trust your company's network to someone you know only as Mudge, Space Rogue, Kingpin, or Brian Oblivion? Would you give security access to Weld Pond, John Tan, and Stefan von Neumann -- all icons in the murky world of cybercrime -- if they promised only to help you find and fix weak spots?

You might not think so. But that's the idea behind @Stake, a Cambridge (Mass.) computer-security startup that teams seven well-known hackers with respected business execs, including a former Compaq executive. The hackers are hoping to transform themselves from back-door artists into bona-fide entrepreneurs so they can offer their expertise to major companies at premium prices. At least, that's the plan. Whether anyone will actually let them in the front door is another matter.

Geer, with a stack of credentials longer than most hackers' arms, was obviously one of the "respected" people. But this is not the first time @Stake has chosen appearance and probity over competence in an employee. Not long after the company was formed, well-known hacker Phiber Optik (AKA Mark Abene) was offered a job by @Stake and had the offer withdrawn after @Stake discovered that (gasp!) Phiber Optik had engaged in illegal hacking activities in his youthful past.

Indeed, the @Stake Web site gives no evidence that any of the old L0pht crowd is still with the company. We're sure this has nothing to do with the fact that Microsoft is a major @Stake client, and that the L0pht people -- as revealed in this December 1999 Slashdot interview -- were never the world's greatest Microsoft boosters.

Bruce Schneier puzzled by reaction to CCIA report

In a midnight phone conversation about this matter, report co-author Bruce Schneier said he was in no danger of being fired by his employer, Counterpane, for having co-authored a report with such a strong anti-Microsoft bias.

Yes, Bruce founded Counterpane and is therefore hard to fire, but he also says, "They know I don't speak for them when I write Crypto-Gram or security reports." Bruce says his Counterpane coworkers understand that when he collaborates with others on a report of some sort, "we're researchers" and are not willing to subordinate honesty to business goals.

Bruce is a bit nonplussed by the many strong reactions to the CyberInsecurity report. "It doesn't say anything surprising," he notes. "I've said most of this before."

One of the strongest reactions to Bruce's CyberInsecurity report participation came from Ken Brown of the Alexis de Tocqueville Institution (AdTI), a notorious Microsoft apologist. In a post to the Open Source Initiative's license-discuss email list last night, Brown wrote, "Bruce 'Shyer' is on a -paid for by IBM- team."

Brown also had unkind words to say about CCIA's Ed Black and open source advocate and conference organizer Tony Stanco, who it seems are also IBM-paid anti-Microsoft agitators. Or perhaps Brown was simply jealous. In one license-discuss email he said, "...I see quite of bit of IBM money moving around Washington these (ie. Ed Black, Bruce Schneir et al.) Let them know that I have no problem AdTI would be happy to accept far less money than those guys are getting to support our research."

Bruce Schneier (yes, this is the correct spelling) denies that the CyberInsecurity report was funded at all. "If it was," he says, "I didn't get any."

Bruce notes that he was shocked at the number of respected security researchers who agreed with the report's conclusions but wouldn't sign on. "There was a surprising amount of pressure," he says.

According to Bruce, even tenured university professors you'd think would be immune to corporate pressure were worried about putting their names on a piece with such a strong anti-Microsoft bias.

Honesty in security reporting

When you hire a security consultant for your factory or warehouse, you expect that consultant to tell you if your security fence needs reinforcement, not to defend the fence manufacturer.

And if seven respected consultants tell you a particular make of fence is too weak for your purposes, and "industry associations" and "think tanks" supported heavily by that fence manufacturer lash out at the consultants and claim they are being paid off by rival manufacturers even though they aren't, it's the manufacturer of the weak fences that looks bad in the end.

A fence that is fine for home or ornamental use, and easier to install than others, may still not be up to some tasks. This doesn't mean it's a bad fence, just that it is being sold as something it isn't, and industrial customers need to know that they should pick another make.

This seems to be what's going on here. Microsoft has openly admitted that its products have security flaws, and Microsoft execs claim they are working hard to fix as many of them as they can.

Why, then, are we seeing so many efforts by Microsoft and its paid supporters to discredit a report that dares to say plainly that Microsoft's software has inherent security holes?

Why would a spokesperson for Microsoft-financed ACT accuse CCIA's Ed Black of "Marxism" in this statement?

Who does this serve?

Certainly not people, companies, and government agencies who need computers that are hacker-resistant and don't fall prey to a constant string of worms, viruses, and other security problems.

A big question here is whether even Microsoft is served by all the anger being unleashed against the company's security critics.

Ed Black calls these attacks "an over-reaction."

"Methinks they dost protest too much," he adds.

And so they do. Imagine if all the effort currently going into attacking Microsoft critics like Bruce 'Shyer' and Ed Black (who says, "I didn't know I was a Marxist until I read that ACT statement") went into building a more secure computer/network infrastructure instead, with Microsoft cooperating with other companies in the field to improve Internet and general computer security rather than defending itself against them.

Until the dominant company in the computer industry is willing to work closely with others to set high security standards instead of having its paid supporters accuse critics of "mercenary rhetoric" (or simply fire them for speaking out), we will not have the level of computer and Internet security we could and should have as either professional or personal users.

And that's sad.
