Is It Dan Geer's Fault Microsoft Products Have So Many Security Holes?

Of course not. If it were easier to trick people into buying security, there'd be more of it. But if you actually have to put some intellectual elbow grease into it, then the world's largest software manufacturer would rather depend on “security through obscurity”.

Apparently it's so easy to get people fired when they point out dangers that there's not much incentive to work on fixing those dangers. In fact, a phone call was probably not even necessary. And of course truth in firing is not required like truth in advertising, as eWeek's Dennis Fisher noted:

Microsoft, based in Redmond, Wash., has used @stake's services for several years. Officials at @stake, in Cambridge, Mass., flatly deny any connection between this fact and Geer's firing and say that no one from Microsoft influenced their decision whatsoever.

But Geer isn't convinced. The company said Geer's last day as an employee was Tuesday, but the announcement wasn't made until Thursday, the day after the paper was published. Geer went on a conference call with reporters Wednesday morning and identified himself as an @stake employee and added that the opinions in the paper were his own and not the company's.

"The Venn diagram of facts doesn't intersect. The intersection of all of those statements is the null set," Geer said.

It may not be a social positive to say this, but I admire someone who can speak in terms of Venn diagrams at such a moment. Of course, he probably didn't even apply for unemployment compensation, unlike so many Silicon Valley refugees. And he surely knows that there aren't a lot of American corporations interested in retaining someone who compares Microsoft to a drug dealer:

"Heroin addicts shouldn't buy heroin. But neither should their dealers sell it," he said. "We wrote this paper for people who are willing to think. Policy changes have to involve people who know something, not just people who have power."

My claim is that the danger of a monoculture is not limited to the problems involved in a single line of defense against software attacks. Given the current situation, the software industry itself is vulnerable from many directions because so much of it depends on one actor, and that actor is not honest.

True, corporations do not manifest on the moral plane of existence, which is why we used to limit their existence on the temporal plane. If we were as smart as our forebears, we would do so again. In a quarter-century of working in the software industry, I never saw a company that didn't ossify and become bureaucratic and unwieldy. (Even the one that held its path the longest, Digital Equipment, lost significant ground, and lost it rapidly, when the founder retired.) On the other hand, I saw many companies that started with a vision, realized some or all of the vision, and deteriorated into little more than engines for enriching a new batch of officers every few years—Hewlett-Packard comes to mind. So it's not at all clear to me why we need eternal corporations.

Still, in the here and now there's a difference between cut-throat competition and blatant dishonesty, and it sure looks to this observer like the current situation crosses that line. Rather than addressing the points made in the paper, and improving the software, Microsoft prefers a Nixonian cover-up. Perhaps they're really more concerned that people might realize the best defense against attacks on their Windows system is not to have one.
