Computerworld

Anti-Microsoft security report mired in politics

  • Dan Verton (Computerworld)
  • 29 September, 2003 12:10

A report that might have been a valuable contribution to the study of the security ramifications of monolithic IT infrastructures has instead become a pawn in the unending political battle between pro- and anti-Microsoft factions. And it has cost one of the co-authors his job.

The controversy stems from a report released last week by seven self-proclaimed independent researchers from the IT security industry that harshly criticised Microsoft's monopoly hold on the software industry. That hold is a fundamental cause of security problems that now confront the entire global Internet community, the report contends.

The day after the report's release, co-author Dan Geer was fired from his job as chief technology officer at @stake Inc., a security company that derives a hefty percentage of its income from Microsoft. Moreover, the firing was made retroactive to September 23 so that @stake could further distance itself from Geer and the report, sources close to the situation said.

An @stake official, who spoke on condition of anonymity, confirmed that Geer was fired and said that as a corporate officer he should have known that Microsoft was a client of the company.

"It's not a matter of the content of the report; it's a matter of ethics and respect for clients," the official said.

Geer couldn't be reached for comment.

@stake's director of research, Chris Wysopal, said the company had no argument with the report's basic premise that technological diversity poses less of a security risk than monolithic architectures.

"But the way the report is positioned and a lot of its conclusions are things we don't agree with," he said.

"The report is a bit one-sided."

In any case, the firing didn't go down well with other authors of the report.

"It's very sad that @stake fired him for this," said Bruce Schneier, a report co-author and founder of security consultancy Counterpane Internet Security. "We as security researchers regularly speak, write and do reports that express our professional opinions. We assume that companies hire us for our integrity and honesty."

The authors of the report, "CyberInsecurity: The Cost of Monopoly. How the Dominance of Microsoft's Products Poses a Risk to Security", may have actually undermined their independence by teaming with the Computer & Communications Industry Association.

The CCIA is a Washington-based industry group whose members include direct Microsoft competitors such as Sun Microsystems and Oracle, and it has supported the US and European investigations into what the group has called "Microsoft's competitive abuses".

The CCIA not only published and publicised the report on behalf of the researchers, but it has also provided a written introduction to the document.

When asked last week who or what organisations funded the study, Geer, whose firing had not yet been announced at the time, said it was a "personal initiative" by the seven authors that wasn't funded by the CCIA or any third party.

CCIA president and CEO Edward Black said his organisation had no role in developing the content of the report. "These guys did this on their own, and they contacted us because our expertise is in the policy area, and we had the infrastructure to publicise the report in Washington," he said.

"We didn't write the report for CCIA," said Perry Metzger, an independent security consultant and a report co-author.

"All of us are computer security people, not politicians," he said, responding to questions about the appearance of partisanship stemming from the group's relationship with the CCIA. "People should try to make up their own minds about whether or not we're right."

Complex Connections

However, users might have a hard time deciphering exactly who the honest broker is in this case. Washington-based Americans for Technology Leadership (ATL) was quick to issue a statement lashing out at the report, calling it a "shameless" campaign by the CCIA to "line the pockets of a handful of large companies."

But ATL's position may have been undermined by the fact that Microsoft is one of the 10 founding members of the organisation, which is focused on limiting government regulation of technology.

"Enterprises need to realise that if they haven't heard of an organisation that produces a study, it is probably funded by a vendor or other partisan entity," Gartner analyst John Pescatore said.

But in this case, users have found themselves caught in the crossfire with no concrete recommendations from either side. In fact, rather than offering solutions to the problems, the report simply lays blame on a lack of government policy and on senior executives at user companies who insist on purchasing only Microsoft software because of its ease of use and compatibility.

Holiday Retirement CIO Steve McDowell cautioned that some of the blame was being misplaced.

"I would agree that Microsoft's dominance creates a single target for all the hackers and other criminally minded people to concentrate on," he said. "But I don't think the blame is anyone's but the people perpetrating these crimes."

And requiring large companies to deploy multiple operating systems throughout their enterprises was simply a recipe for higher costs and more complexity, he said.

(Jaikumar Vijayan contributed to this report.)