DAN GEER
Behavioral Archetype
THE INSIDER WHO WOULDN’T SHUT UP – Subject is not a provocateur, not a troll, not an outside agitator. He is a credentialed security analyst with a doctorate and a pension who has spent four decades saying true things that powerful institutions would rather he stopped saying. In September 2003 he co-authored “CyberInsecurity: The Cost of Monopoly,” which argued that Microsoft’s desktop dominance was a national-security risk – and was fired by his employer, the Microsoft contractor @stake, the day the paper went public. He did not retreat. He became Chief Information Security Officer of In-Q-Tel, the venture arm that invests on behalf of the CIA, and from inside the intelligence community kept delivering the same uncomfortable diagnoses. His Black Hat USA 2014 keynote, “Cybersecurity as Realpolitik,” is the load-bearing example of the central argument in Chapter 7 of Lurk More: that the best security researcher and the best troll use the same skill – asking the question the room does not want asked – and the only difference is authorization.
Essence Indicators
- Born 1950. B.S. in Electrical Engineering and Computer Science, MIT (1972); Sc.D. in Biostatistics, Harvard (1988) – a doctorate in the statistics of risk, which is the lens he has applied to security ever since
- Early architect of network security economics; helped build the Kerberos-era distributed-systems security thinking and spent decades as a consultant, CTO, and public analyst across the entire history of internet security
- September 2003: co-authored “CyberInsecurity: The Cost of Monopoly” for the Computer and Communications Industry Association, with co-signatories including Bruce Schneier. Thesis: a computing monoculture is to national security what a crop monoculture is to a harvest – an invitation to blight
- He was Chief Technology Officer of @stake, a cybersecurity consultancy and Microsoft contractor, at the time. He was fired the day the paper was made public (the firing was reported the same week, late September 2003)
- Subsequently became Chief Information Security Officer of In-Q-Tel, the nonprofit venture-capital firm that invests on behalf of the Central Intelligence Agency – a role he still holds
- August 6, 2014: delivered the Black Hat USA keynote “Cybersecurity as Realpolitik,” forty-five minutes of ten policy proposals each engineered to discomfort a different constituency in the room – among them strict software-vendor liability on the automobile-recall model, a government monopoly on (and mandatory eventual disclosure of) zero-day vulnerabilities, and automatic open-sourcing of abandoned code. Several were uncomfortable for his own employer; he delivered them anyway. The full text is published at geer.tinho.net
- Coined the most honest working definition of privacy in the field: “privacy is the ability to misrepresent yourself” – privacy as the capacity to control what others know, which structurally includes the ability to present a partial picture
- Warned at Black Hat that the Internet of Things would create “an attack surface so large it may not be defensible.” Two years later the Mirai-powered Dyn outage of October 2016 – roughly 100,000 hijacked consumer devices pointed at one DNS provider – supplied the answer
Social Persona / Impression Management
Immediate impression: A New England academic with a beard and a flat, exact delivery – the affect of a statistician, not an activist. He reads as the oldest, calmest person in any security room, which is usually literally true, and the calm is what makes the heresies land. He is not shouting; he is reporting a calculation.
Energy: Measured, allusive, deliberately literate. The Black Hat keynote quoted Shakespeare and cited Clausewitz and ran on the cadence of a man who writes his speeches as essays and means every clause. The provocation is in the content, never the register.
Impression management strategy: CREDENTIALED CANDOR. Geer’s persona is built on saying the disqualifying thing from inside the institution that the thing disqualifies. The doctorate, the In-Q-Tel title, and the forty-year track record are not decoration – they are the armor that lets him stand at the establishment’s own podium and tell it that its assumptions are wrong without being dismissed as a crank. The credibility is sourced to the establishment he is critiquing, which is the hardest kind for it to wave off.
Forensic Archetype Comparison
| Pattern | Match Level | Evidence |
|---|---|---|
| The Insider Witness | MAXIMUM | Every diagnosis is delivered from inside the tent – CTO of a Microsoft contractor, then CISO of the CIA’s venture arm. The authority is positional and that is the whole point. |
| The Philosopher | HIGH | The work is conceptual, not operational – monoculture-as-blight, privacy-as-misrepresentation, security-as-realpolitik. He supplies the frameworks others argue inside of. |
| The Provocateur | LOW-MODERATE | The Black Hat ten-proposals structure was deliberately built to irritate every constituency in turn – that is provocation by design – but it is argued, sourced, and constructive, the opposite of a flame war. |
| The Authority Seeker | LOW | Held senior titles but used each one as a platform to say the thing that put the title at risk, which is the inverse of climbing. |
| The Social Engineer | NONE | No manipulation, no concealment. The method is publication under his own name. |
Psychometric Assessment
Big Five (OCEAN):
| Trait | Score | Evidence |
|---|---|---|
| Openness | 90/100 | A biostatistician who became a foundational security economist, fluent across cryptography, risk modeling, policy, and the classics. The conceptual range – and the willingness to reframe the whole field – is the signature. |
| Conscientiousness | 88/100 | Four decades of rigorous, sourced, data-driven analysis; speeches written as publishable essays; a body of work that has aged into vindication rather than embarrassment. |
| Extraversion | 45/100 | Moderate-low. Commands the largest stages in the field but with an academic’s reserve; the public role is instrumental, a delivery mechanism for the argument, not a craving for the room. |
| Agreeableness | 50/100 | Moderate. Personally collegial and widely respected, but the defining act – telling your own employer and your own community they are wrong, repeatedly, in public – requires an edge agreeableness does not supply. |
| Neuroticism | 25/100 | Low. Being fired the day your paper drops, then walking into the CIA’s venture arm and continuing the same critique, is not the profile of a man governed by anxiety. The composure is the stat. |
Dark Triad:
| Trait | Score | Notes |
|---|---|---|
| Narcissism | 20/100 | Low. The work routes attention to the argument, not the analyst; the proposals are framed as the field’s problems, not his brand. |
| Machiavellianism | 25/100 | Low-moderate. The ten-proposals keynote is strategically constructed to spread the discomfort evenly – that is calculation – but it is calculation in service of an open, attributable, on-the-record act. |
| Psychopathy | 3/100 | Near-zero. Decades of acting under his own name, absorbing the professional cost, and warning people for their own protection is the antithesis of the callous-instrumental profile. |
MBTI: INTJ (“The Architect”) – long-horizon systems thinker who reads the whole machine, concludes it is built wrong, assembles the evidence, and says so from the most authoritative seat available. The type that treats a keynote as a proof.
Why This Profile Matters
Lurk More Chapter 7 argues that the best security researchers and the best trolls use the same skills – pattern recognition, boundary testing, seeing a system as a set of assumptions and asking what happens if you violate one – and that the only thing separating the celebrated expert from the prosecuted hacker is authorization, which is a political fact rather than a technical one. Geer is the capstone of that argument and its cleanest proof. He asked the question the room could not answer (“what happens when every computer runs the same operating system?”; “what happens when the IoT attack surface becomes indefensible?”) and the institutions that benefited from the answer staying unsaid tried to punish him for saying it – @stake fired him in a single day. The difference between Geer and Aaron Swartz is not the act but the armor: where Swartz forced public-interest data into the open from the outside and was destroyed for it, Geer forced uncomfortable truths into the open from inside the establishment and had enough credential to survive the punishment. He is the elder-statesman counterpart to Frances Haugen on the insider-witness axis – both rest on the premise that what an institution knows and would rather hide should not stay hidden – and the credentialed mirror of Samy Kamkar, who demonstrated the same boundary-testing instinct without the doctorate and the title that let Geer walk away intact.
Threat Assessment
| Category | Level | Notes |
|---|---|---|
| Physical threat | NONE | A security analyst and statistician. The threat is entirely intellectual. |
| Institutional threat | HIGH (to comfortable consensus) | The monoculture paper cost him a job and reframed the security-economics debate; the Black Hat proposals put vendor liability, zero-day policy, and IoT defensibility on the industry’s agenda. The threat is that he is usually right early and on the record. |
| Memetic threat | MODERATE-HIGH | “Monoculture,” “cybersecurity as realpolitik,” and “privacy is the ability to misrepresent yourself” have all entered the field’s working vocabulary. The frames outlive the talks. |
| Posthumous threat | N/A | Subject is alive, still CISO at In-Q-Tel, still publishing and speaking. The predictions keep coming true after the fact, which is its own form of durability. |
Flame Warrior Classification
Primary: Philosopher (the analyst who supplies the frameworks the field argues inside of)
Secondary: Insider Witness / Target (fired in a day for the monoculture paper; vindicated over the two decades since)
Notes: troll_score 31 – higher than a pure whistleblower because the ten-proposals keynote is a deliberate, room-wide provocation in the classic troll structure (ask the question every constituency dreads), but well short of a flame warrior because it is argued, sourced, constructive, and signed.
ATK 8 – the impact is real and durable (a job lost, a debate reframed, a vocabulary adopted, predictions repeatedly confirmed), and unlike most insiders the weapon is his own analysis rather than borrowed documents.
DEF 7 – the doctorate, the four-decade record, and the In-Q-Tel title are genuine armor; @stake could fire him, but the CIA’s venture arm hired him and the field never stopped listening.
HP 9 – he said the disqualifying thing from inside the establishment, survived the one institution that tried to punish him, and is still in the chair. The survival, with the credibility intact, is the stat.
Sources: Dan Geer (Wikipedia); Daniel E. Geer Jr. et al., “CyberInsecurity: The Cost of Monopoly” (Cryptome mirror, Sept. 2003); Dan Geer, “Cybersecurity as Realpolitik,” Black Hat USA keynote (Aug. 6, 2014, full text); Black Hat USA 2014 — Dan Geer speaker page.