I do not work closely on computer security. As I've noted in my review of the book Stealing the Network: How to Own the Box, computer security is not an area of computer science that I find fascinating, since in many cases security problems could be avoided by applying knowledge we had twenty years ago. Having said this, I do try to stay educated on computer security so that I understand basic security principles and pitfalls. In addition to reading books and articles, I've followed the history of the folks at the Cult of the Dead Cow (CdC) and L0pht (see my note Subversive Software Developers).
Unlike the script kiddies, the folks at CdC and L0pht have written some elegant software which has shown insight into networking. L0pht became part of a computer security company called @Stake. Given the somewhat radical history of the folks at L0pht, I was very surprised to read that @Stake had fired their chief technology officer, Daniel Geer, for authoring a report critical of Microsoft (this Associated Press article details Daniel Geer's firing). Before joining @Stake, Geer was a manager at CertCo, an apparently defunct network and transaction security firm.
I'm not exactly up on hacker circles, but as far as I know the L0pht people were also some of the people who authored Back Orifice. While they certainly understood the Microsoft operating systems, it is hard to imagine that the Cult of the Dead Cow and L0pht people were big Microsoft fans. So what happened? How did they go from Back Orifice to being "Owned" by Microsoft to the extent that they fired Geer?
"Mudge", who was a VP of R&D at @Stake, apparently said at a US Senate hearing (full text can be found here):
What we are learning now is that knee-jerk reactions and short-term planning still rule the corporate mindset.
The cry of people to remove offensive information from the Internet shows a lack of understanding in the mechanics of how the Internet operates. The Internet guarantees that information moves from where it is -- to where it is not. As such, you cannot stop information after the fact. If a piece of information is released the price of copying and redistributing it is nothing. Once it has been released it has essentially been irrevocably published. You cannot go back and stop it from being published at this point.
You cannot make it illegal to publish information or block the information that is being presented on the 'as you call them' hacker sites. You cannot even tell if this information is a tool of healing or a tool of destruction. In this case I will argue that more often than not the information is good.
Steal their thunder! Do research into finding the security problems and shortcomings of these networks. Publish the results! If you wait for other people to find the problems then they get to slant how the information is presented, and ultimately used... not you. You are, at that point, relegated to cleaning up the mess that they have created. Would it not be a better situation to have released the information on your own and been able to slant its uses towards beneficent goals?
To close, allow me to point to our actions instead of my words. The organization that I have been involved with since 1992 - the L0pht, now the R&D component of a newer company called @Stake, has been sharing our discoveries and methodologies since our inception. We have come out with descriptions of problems, how we found them, how people can test for them, and how to solve them. We decided that if information can be presented without encouraging people to misuse it then people use it for laudable purposes.
The @Stake web site is definitely a corporate style web site. There is nothing wrong with this, per se. However, the corporate look of the @Stake web site is mirrored by the corporate background of the people who are running @Stake (who are computer industry executive types, rather than computer security experts).
The firing of Daniel Geer is discussed in this Slashdot article. The number of Cult of the Dead Cow/L0pht people who still work at @Stake seems to be a matter of question, at least on Slashdot. Mudge (quoted above) is one of the most famous L0pht people. Mudge's given name is Peiter Mudge Zatko. He was an Executive VP of Research and Development and Chief Scientist at @Stake. In a note Mudge kindly sent me, clearing up some factual errors in an earlier version of this web page, he notes that "I have not had active business association with @stake for quite some time now and officially left around a year ago" (Mudge's note is dated Dec. 13, 2003).
Apparently Chris Wysopal (known as "Weld Pond"), who was recently given the position of Vice President at @Stake, is one of the L0pht people who still remains.
I am the sole source of income for my family. There are compromises that I sometimes have to make so that there is a steady stream of money to pay our bills. There is another level, however, when people compromise so that they have more money than they actually need to pay for housing, food, etc... Compromise on this level is selling out.
Anyone who uses computers must have noticed that e-mail viruses are a huge computer security problem. These viruses simply could not exist on a system like UNIX or Linux. Microsoft and their world view have been a huge source of security problems (see my note Why are there still e-mail viruses?). @Stake's firing of Daniel Geer, apparently for publicly stating what so many in the computer industry believe, suggests that they are compromised by their association with Microsoft. This may spell the demise of @Stake as an unbiased source of computer security information and consulting.
The story of friends, lovers and siblings who are driven apart when they found a company together is an old one. From the little I know of the @Stake saga, it has this feel. There can be terrible pressures when it comes to keeping a company going. And when a company succeeds, greed can surface like the lust for gold in The Treasure of the Sierra Madre. What can I say? Life is hard.
September 17, 2004
The company @Stake has been purchased by Symantec, a publisher of anti-virus software (among other things). What exactly Symantec purchased is not clear. The creativity that produced software like Back Orifice seemed to have been long gone from @Stake, replaced by "the suits". One thing seems certain: if @Stake was not dead, it is now. RIP. I hope that the L0pht folk made some money on all this.
Security Expert Geer Sounds Off on Dismissal by Dennis Fisher, eWeek, September 29, 2003
Slashdot discussion of Symantec's acquisition of @stake, September 17, 2004
Ian Kaplan, September, 2003
Revised: September 2004