Forgot your password?
typodupeerror
News

MS Chief Security Officer to work for White House 355

Posted by chrisd
from the h4x0rs-r3j01c3-m4dl3y dept.
NerveGas writes "An Interesting People message reports that Howard Schmidt, Microsoft's Chief Security Advisor, will be leaving MS to work as a security adviser for the White House. With the track record that Microsoft has in the area of computer security, this strikes me as a very bad move." CD: you'd think people would examine the job someone did at thier previous job before offering them a new one. Isn't this is like putting Capt. Hazelwood in charge of an oil tanker?
This discussion has been archived. No new comments can be posted.

MS Chief Security Officer to work for White House

Comments Filter:
  • by shlong (121504) on Monday December 03, 2001 @03:39AM (#2646462) Homepage
    you'd think people would examine the job someone did at thier previous job before offering them a new one.

    What you mean like the job GW did in Texas? This guy should fit right in.

    • "CD: You'd think people would examine what someone did at his previous job before offering him a new one." [Corrections to grammar and spelling added.]

      It's all part of the same kind of thinking. Bomb Afghanistan to save it. (I'm talking about the first bombing by the U.S. government [1983], not the second and third.)

      Hire someone from a company known for its inability to make secure software, and put him in charge of what his company always did poorly.

      But, of course, maybe he is not really leaving Microsoft, but just working with a government that doesn't believe in privacy to assure that Microsoft software will always be compromised by the government.

      Look on the bright side. With Microsoft in the White House, no one who truly wants software security will be running Microsoft products.

      --
      Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence? [hevanet.com]
      • by b0r1s (170449) on Monday December 03, 2001 @04:58AM (#2646704) Homepage

        Hire someone from a company known for its inability to make secure software, and put him in charge of what his company always did poorly.


        Who would you prefer?

        1. Someone from openssh, which just released a new version to correct a remote exploit? [oreillynet.com]
        2. A linux hacker who cant figure out how to handle syn cookies? [oreillynet.com]
        3. Someone from lotus, who cant protect their documents [oreillynet.com]
        4. A webalizer coder who cant remember to filter out cross site scripting? [oreillynet.com]
        5. Maybe an IBM coder? [oreillynet.com]
        6. Cisco is flawless, right? nope [oreillynet.com]
        7. Redhat must be perfect, they make linux! oh wait [oreillynet.com]
        8. SGI/IRIX is flawless, they never have security proble... oh, nevermind [oreillynet.com]
        9. How about a linux kernel hacker, they sure must be perfect! They'd never allow a root exploit into a stable kernel! [oreillynet.com]


        Getting the point yet? Everyone has holes. Everyone releases patches. It just happens that microsoft designs their code for ease of use, and because of that there happen to be a lot of unqualified microsoft admins. This isnt a MS problem. This is a side effect of their popularity.
        • by Anonymous Coward on Monday December 03, 2001 @05:49AM (#2646778)
          I think you're missing the point. Microsoft consistently releases buggy software and they publicly admit that yes, the UI experience comes before security. Sorry, but that's not for me. In addition, you've forgotten to list OpenBSD. Four years without remote hole in default install.

        • 1. unauthorized user can autheticate.
          2. denial-of-service attack
          3. unauthorized user can read files
          4. Inject HTML tags into the generated reports.
          5. gain root access.
          6. denial-of-service attack
          7. execute arbitrary code when accessing RPM from untrustworthy source.
          8. denial-of-service attack
          9. gain root access

          Every one of 1 through 9 above are stories about people who made mistakes.

          The security problems in Microsoft products, are, in my opinion, not mistakes. They are the result of policies: 1) Only money matters. If you can make more money by being sloppy, then do it. 2) Release software with lots of known shortcomings so that people will want to pay for upgrades later. 3) Relate to your employees by pushing them.

          Items 2, 3, 4, 6, and 8, more than half of those you mentioned, do not allow destruction to the system itself. One or more Microsoft security bugs that allow destruction to the system are announced on the average of every month, if I recall correctly.

          I am not anti-Microsoft. I am more pro-Microsoft than Bill Gates. Microsoft is a company that has $30,000,000,000 dollars in the bank, instead of being used to clear up the problems in their products.

          Today I spent about an hour of my Sunday helping a woman in Brazil clear her computer of the Badtrans worm. Billions of dollars are being wasted by very serious Microsoft bugs. The company is not worrying enough about the quality of its products, in my opinion.

          I installed a security bug fix supplied by Microsoft to Internet Explorer on someone's computer last week, and the security bug fix put all the network settings back to least security. This has been going on for years. Microsoft knows this happens. It is a result of policy, not mistake. Why they do that, I don't know. Maybe it has been dictated by the U.S. government that Microsoft will make their systems insecure.

          We have a problem on Slashdot that many people who read Slashdot don't work with Microsoft products enough to know how bad things really are.
          • by Greyfox (87712) on Monday December 03, 2001 @09:05AM (#2647148) Homepage Journal
            Microsoft has always put user friendliness first. User friendliness and security are usually directly at odds with each other. For instance, if I go over to /boot and try to rm bzImage, Linux won't let me do that (Unless I'm running as root, but we all know you should never run as root, right?) That's not very user friendly. It's my computer after all. Why shouldn't I be allowed to delete any file on the system? Well, we all know why.

            Microsoft's product line evolved from a single user application. Programmers on their product line are still in the mentality that if you're sitting at the console, their programs have sole access to the full resources of the computer. How many Windows application installs demand that you close down all other programs and reboot the system when you're done? How many of them actually need you to do that? How many times has some Windows program opened a modal dialog (Which in the historical past prevents the program from being minimized until you acknowledge the dialog) or worse, a system dialog? When was the last time you saw one on Linux? Completely different programmer mentality.

            Sure Microsoft's been kludgeing user support into Windows for a while now, but they don't enforce its use. It'd take too long for them to explain to every user out there why they should have to log out and log in as the administrator in order to install that new game or those scanner drivers. Most Windows users are perpetually stuck in the running as root mode, despite years of sysadmin experience that dictates that you should never run as root. And Microsoft will never force them to create a user and use it because that would make them a little less user friendly and a little more like UNIX and that's not the direction they've taken.

            BTW: Most Linux dists don't force you to create and use a user ID either, and it's a very common thing to see newbies running as root. They usually stop after the first or second time they manage to trash their entire damn filesystem. And you can never just tell them "Don't run as root -- 30 years of UNIX sysadmin experience can't be wrong!" They seem to have to learn by hard experience.

            • Good points. They're improving things though. I installed Win2K and was sure to create different accounts for everybody. I also made each person a non-power user, so that any exploit can do (theoretically) limited damage. (Though I'm probably deluding myself.)



              To my pleasant surprise, some applications will recognize that you need to be an Admin to install. They'll post a dialog box that essentially does a "su". Enter the admin password, install, and be done. Not bad.



              To my disgust, most applications don't, and most applications (grumbleQUICKENgrrrRIOgrmblPALMgrrr) decide they need unfettered write access all over the place. It takes some hunting and pecking, granting write access to the four or five files (usually log files) that it wants to write to.



              If MS would change their default setup such that users did not have "power" or "admin" privileges, watch how fast software would change to actually install correctly.

            • Microsoft has always put user friendliness first. User friendliness and security are usually directly at odds with each other. For instance, if I go over to /boot and try to rm bzImage, Linux won't let me do that (Unless I'm running as root, but we all know you should never run as root, right?)

              Is this "user friendlyness" or "end user administration". Plenty of the features of Windows are less than "friendly".

              That's not very user friendly. It's my computer after all. Why shouldn't I be allowed to delete any file on the system?

              Is it ment to be your "friend" or your "slave". (The latter of the if you tell it to jump off a cliff it'll go and find one variety.)

          • In my post above, I was making the point that Microsoft is much worse than people realize. Here is a link to a Microsoft Knowledgebase article that eloquently makes that point: User Accounts That You Create During Setup Are Administrator Account Types (Q293834) [microsoft.com]

            This is not Windows 95 the article is discussing. It is Windows XP. Here is a cut-and-paste quote from that article:

            "After you install Windows XP, you have the option to create user accounts. If you create user accounts, by default, they will have an account type of Administrator with no password."

            Even someone who knows how bad Microsoft can be would likely not guess that Windows XP would be designed to be completely and utterly not secure by default. So, we will see a lot of stories about compromised Windows XP systems like this: Some poor guy was testing XP and set up an account to begin using it, and was rooted while he was still looking around.

            --
            Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence? [hevanet.com]
        • by Floris (21037) <kraak&cistron,nl> on Monday December 03, 2001 @06:06AM (#2646808) Homepage Journal

          Nice argument, but let's not forget microsoft themselves have been compromised multiple times over the course of the last few months:

          1) Remember that incident where someone inside microsoft got hit by a macro virus that allowed remote (apparently russian) script kiddies to access their internal network?

          2) How code red hit www.microsoft.com and hotmail?

          3) Same thing happened with nimda.

          3) there were more but this was off the top of my head.

          Of course, bad programming practices happen everywhere but this could be accounted to a) running unpatched boxes and b) microsoft employees opening infected attachments. Both of which were his direct responsibility to prevent.
        • by erroneus (253617) on Monday December 03, 2001 @08:08AM (#2646995) Homepage
          First, I'd like to comment that I'm posting this using AT&T Broadband... They didn't pay me to say this, but I expected to be net-less for a week, so I'm happy.

          Second, MS's infmaous security record doesn't stem from "mishaps." It stems from their insistance on a very flawed set of models. "Drivers at Ring-0" and all that. Among the more popular flaws is in their VBA/VBS integration. Bad enough that These languages have access to the whole machine indescriminantly, but docments from untrusted sources now have access to your whole machine? How many times has this happened? It's not something that requires a patch, it requires a rewrite or complete removal as a feature.

          Javascripting? Why are so many MSIE flaws handled best by disabling client-side scripting? Think about it -- same problem.

          How about their insistance on installing "everything, even if you don't need it?" How many "Nimda" hosts are out there on machines where the owner didn't even know IIS was there? My brother said it best when he said that it was the equivalant of shipping a loaded pistol. It's not dangerous if you know how to use it and if you knew it was loaded, but then again anyone with a finger thinks they can handle a gun... ring true enough?

          It's not that the company's popularity makes a common problem seem worse, it's the company's problem of prioritizing "cool stuff" over "secure stuff."
        • * SGI/IRIX is flawless, they never have security proble... oh, nevermind [oreillynet.com]

          Are you insane, a troll, or do you simply know nothing about Unix? IRIX is by far the most insecure Unix out there (that's still being maintained, anyway, I guess 4.2 BSD might be less secure). It's not meant for network servers, it's meant for graphics workstations and rendering machines.
      • by bribecka (176328) on Monday December 03, 2001 @11:02AM (#2647613) Homepage
        Hire someone from a company known for its inability to make secure software, and put him in charge of what his company always did poorly.

        Or, even better, people could check what in the hell they are talking about! But then again, this is Slashdot, no fact checking [go2vanguard.com] required:

        Mr. Schmidt currently is the Corporate Security Officer for Microsoft Corporation, Redmond, WA. In that capacity he directs the activity of those responsible for security of Microsoft?s Information, personnel and facilities Worldwide.

        Prior to coming to Microsoft, he was a Supervisory Special Agent, Director of the Air Force Office of Special Investigations, Computer Forensic Lab and Computer Crime and Information Warfare. (HQ AFOSI/CCI). Under his direction he established the first dedicated computer forensic lab in the government. The AF specialized in conducting investigations into intrusions in government/military systems by unauthorized persons in counter intelligence and criminal investigations.

        Before AFOSI he was with the FBI at the National Drug Intelligence Center (NDIC) where he headed the Computer Exploitation Team as a Computer Forensic Specialist. As one of the early pioneers in the field of computer forensics and computer evidence collection, he continues to provide training support to an international audience dealing with the new challenges around computer evidence collection and processing.

        He was a City police officer from 1983-1994 with the city of Chandler Police Dept. Arizona. While there he was detailed to the FBI academy teaching classes in the use of computers in criminal investigations for approximately 2 years.

        Mr. Schmidt served with the US Air Force in various roles from 1967-1983 both active duty and in the civil service. He has served in the military reserves since 1989 and currently serves as a Credentialed Special Agent, US Army Reserves, Criminal Investigation Division (CID). He has testified as an expert witness in federal and military courts in the areas of computer crime, computer forensics and Internet activity.

        He holds a Bachelors Degree in Business Administration, (BSBA) and a Master of Arts in Organizational Management (MAOM). He also has a Technician class Ham Radio License, and a Single Engine Land pilots license.

        Mr. Schmidt currently is the International president of the Information Systems Security Association (ISSA) and the recently formed IT-ISAC. He is a former executive board member of the International Organization of Computer Evidence (IOCE), served as the co-chairman of the Federal Computer Investigations Committee (FCIC). He is a member of the American Academy of Forensic Scientist (AAFS). He is an advisory board member for the Technical Research Institute of the National White Collar Crime Center. (NWCCC) and he is a distinguished special lecturer at the University of New Haven, CT teaching a graduate certificate course in Forensic Computing. He served as an augmented member to the President's Committee of Advisors on Science and Technology (PCAST) in the formation of an Institute for Information Infrastructure Protection (I3P) He is a regular international speaker in the fields of computer forensics and information assurance.

        Mr. Schmidt was one of 29 industry leaders called to the White House to meet with President Clinton on cyber security and has testified before a joint committee on Computer Security and has been instrumental in the creation of public/private partnerships and information sharing iniatives.
        • >> Hire someone from a company known for its inability to make secure software, and put him in charge of what his company
          >> always did poorly.
          >
          > Or, even better, people could check what in the hell they are talking about! But then again, this is Slashdot, no fact checking
          > [go2vanguard.com] required:

          [posts resume]

          Yet for many seasoned sysadmins concerned for security, having Microsoft on your resume is what a character in ``Dilbert" once called an indelible stain on your resume: it is going to work against you, rather than for you. And you better be able to do some persuasive talking to explain why under your tenure MS failed implement its own software in a secure manner.

          Geoff
        • So, this guy is in charge of securing MS corporate systems, based on their own insecure OS.

          My thoughts were:
          A) poor bastard.
          B) man, he must be GOOD. MS rarely gets hit as bad as the public, so he must be doing SOMETHING right....

          :/
        • Ok, I get it, so he's a ex-cop not a technologist or computer security expert. Perfect, thats JUST what the government needs. Another so-called "computer security/crime expert" with a 100% police office/federal agent mentality which equals = we need to prosecute more of those "hackers" to make the world a safe place. Because, as we all know, thats worked so well for the world so far and the federal government doesn't have any where near enough of those types.


          I think what you have pointed out about Mr. Schmidt should worry people more, not less, regarding his credentials to provide any expertise on the issue of "cyber" security. Reactionists, such as cops, feds and other "prosecute em!" types are of no use to the computer security discipline. And, until proven otherwise, I see no reason not to assume that Mr. Schmidt is one of those types. Afterall, his entire background is on the reactionary side of the model. He has done nothing to contribute to the discipline of information security and assuramce. In short, he is a cop, at best, not a computer security expert by any means.


          Instead of working on solutions to prevent intrusions and to manage risk, the White House appears to building up yet another totally ineffective effort at punishing wrong doers.


          What the White House needs is real computer security experts at the helm, not another ex-cop. Not to bash Mr. Schmidt, but he just doesn't seem like a real addition to their team. I'm sure the Federal Government has plenty of law enforcement and ex-law enforcement types to guide their decision making, but not enough real experts on the infosec problem.

  • by Chuck Chunder (21021) on Monday December 03, 2001 @03:42AM (#2646473) Homepage Journal
    than one of the people involved in allowing the very exploits you want to exploit to exist in the first place?

    ;)
  • Huh? (Score:3, Troll)

    by Anonymous DWord (466154) on Monday December 03, 2001 @03:42AM (#2646474) Homepage
    Was he responsible for all the holes in Microsoft code over the years? No? But you're going to hold him to that because... Or was that just another random MS flame? How do you figure you know anything about what this guy can or cannot do?
    • Re:Huh? (Score:2, Insightful)

      by Hektor_Troy (262592)
      It's like this:
      Would you rather trust:

      1) The Chief Financial Officer in a company that constantly just breaks even
      2) The Chief Financial Officer in a company that constantly rakes in cash as if they had a money tree AND the Philosopher's Stone.

      or

      1) The head of the local mobster offering you proctection
      2) The local police chief
    • responsibility (Score:5, Insightful)

      by vscjoe (537452) on Monday December 03, 2001 @04:10AM (#2646571)
      Was he responsible for all the holes in Microsoft code over the years?

      As security advisor at Microsoft, his job presumably was to define policies that keep those holes from getting into the software and/or to keep Microsoft's sites secure. Microsoft's products are full of holes and their services have suffered major security compromises, so he can't have been very effective.

      Since his new role will be similar in nature, it seems reasonable to suspect that he will be equally ineffective at defining national policies to protect our national security infrastructure.

      • Re:responsibility (Score:5, Interesting)

        by Anonymous Coward on Monday December 03, 2001 @04:19AM (#2646600)
        I don't think there's any way to know how effective he is as an individual without reading his resume, interviewing him, and talking to a number of his associates. This is something which the government has most likely done, whereas most Slashdot readers simply read the word "Microsoft" and conclude that the man is incompetent, evil, or both.

        In a company that large, there will be both fuck-ups and genuinely good workers. I know some extremely talented people working at Microsoft. I also know some losers there. I don't know which side of things this guy is on, but you have to figure that only a few companies have people with enough experience with huge, varied networks to take on this role for the federal government. And Microsoft it very likely to be one of them.
        • Re:responsibility (Score:3, Insightful)

          by Paul Komarek (794)
          While most of what you say sounds reasonable, one thing really caught my eye: "only a few companies have people with enough experience with huge, varied networks". The problem with Microsoft is that they only have experience with huge, homogenous networks; they were blindsided by the internet; they thought remote admin was a bad idea until recently; their network hacks (netbios, for instance) stink on large networks.

          I think Microsoft is very *unlikely* to have much useful exerperience with "huge, varied networks". What really gets me is that they seem to *like it this way*.

          -Paul Komarek
        • Re:responsibility (Score:3, Insightful)

          by mshomphe (106567)
          But, this is part of a general 'revolving door' phenomenon between business and government: work in one area of the private sector, retire, join the government, work on legislation for that area. This is problematic because it leads to the legislation being skewed towards that business (and away from the consumer), and makes the government appear more insular.

          One has to wonder what effect this person's tenure with Microsoft will have on his job performance; much in the same way that we had to wonder about Dick Cheney's Haliburton/Enron/oil industry ties when he was coming up with the administration's energy policy. It's a valid concern and one that should be raised.
        • If we were talking about some mid-level manager or expert on computer security, I would agree with your statement: there are competent people at Microsoft and you can't blame them for problems throughout Microsoft's product line.

          But Schmidt is just "some guy at Microsoft", he is "Microsoft's Chief Security Advisor". As the Chief Security Advisor, he can't say "I'm really quite good, but I just can't get security at this company under control". Getting the company under control is part of the job. In large, hierarchical organization, the buck stops there, and it is justifiable to equate a top-level position with top-level responsibility. If people feel they can't be judged by the record of their part of the organization, they can always step aside.

          As for expertise, Microsoft doesn't strike me as a company that has a lot of expertise with "huge, varied networks". In fact, their likely lack of extensive in-house expertise with the kinds of computing systems found in the US government is another factor that raises doubts about this choice.

  • by abh (22332) <ahockley@gmail.com> on Monday December 03, 2001 @03:48AM (#2646490) Homepage

    I know how we all love to flame Microsoft, but if the guy was the head of MS Security, odds are he was an executive who never wrote a line of code.


    He's guaranteed not to have anything to do with holes in MS products.


    A better thing to look at would be how often was Microsoft's network hacked.

    • A better thing to look at would be how often was Microsoft's network hacked.

      Oh, you mean like here [nwsource.com] and here [infoworld.com] and here [theregister.co.uk] and here [zdnet.co.uk] and here [zdnet.co.uk] and here [zdnet.co.uk] and ...

    • Don't you remember six months to a year or so ago when Microsoft discovered that a hacker group had had access to their network for over three months and had downloaded just about the entire network from them during that time? Whether or not he's responsible for the security holes, he still isn't right for the job. Microsoft got 0wn3d on his watch, and they got 0wn3d for an extraordinarily long amount of time in comparison to most network intrusions.
  • by nuintari (47926) on Monday December 03, 2001 @03:48AM (#2646492) Homepage
    No one would think a kligon would make a good ship's counseler, and I don't think that an android would make a very good captain.
  • by Rosco P. Coltrane (209368) on Monday December 03, 2001 @03:48AM (#2646493)
    I submit that Schmidt is in fact very very well placed to know about most if not all vulnerabilities and (possibly) backdoors in Micro$oft products. I bet the guy will be working actively on methods to snoop on Windows users, extract their data and intall trojans in their systems (Magic Lantern anyone ?).

    Here's a guy who was working for the largest software monopoly in history and now works as security honcho for the most powerful government in history, with people like Ashcroft in it. Makes my nose bleed just thinking about it. The more I see what's happening in Micro$oft's giant sphere of influence, the more I'm glad to be a Linux user, that's for damn sure.

    • Among other things, the EULA at passport.com/Consumer/PrivacyPolicy.asp?lc=1033.NE T says: Passport will disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to... Act under exigent circumstances to protect the personal safety of users of Microsoft, the .NET Passport Web Site, or the public.

      How interestingly broad, given that in light of recent terrorist activities any "exigent circumstances" could be said to be met as a matter of course. And there is no doubt that all the information that's bound to be stored on .Net servers could be sifted and profiled in many fascinating ways by the intelligence community.

      Kinda makes you wonder how it all fits together, given the walk Microsoft got on the anti-trust case.
  • by Chuck Chunder (21021) on Monday December 03, 2001 @03:50AM (#2646501) Homepage Journal
    CD: you'd think people would examine the job someone did at thier previous job before offering them a new one.
    <cheap shot> Yeah, you might [google.com].</cheap shot>
  • What type of work? (Score:2, Interesting)

    by pjbass (144318)
    So it's easy to flame this guy because of working for the Evil Empire and have been related to things like Code Red and Nimda. But what is his real function going to be? Sure, the article mentions he will be on the cyber-security team for Pentagon global network security, but that is a really broad statement. Is he going to be in charge of firewalls, access lists, high-level network security checks, or making sure that each government employee's Outlook doesn't flood the Pentagon's network (sorry, had to insert a flame...)? I think it would be interesting to find what his specific function is, then allow the flames to burn.
  • more info on Schmidt (Score:3, Informative)

    by Pinball Wizard (161942) on Monday December 03, 2001 @03:57AM (#2646533) Homepage Journal
    Here is some info on Schmidt [microsoft.com] at microsoft.com. Looks like he has an admin-level job rather than a software engineering job. So I wouldn't blame him for how poorly coded Microsoft products are. He's involved with best practices on setting things up securely, not watching over programers making sure there's no buffer overruns in the code. Although administration and programming must overlap when it comes to real security there's only so much you can do if you're not deeply involved with the code.
    • Although administration and programming must overlap when it comes to real security there's only so much you can do if you're not deeply involved with the code.

      I disagree here. Strict policy to include security MUST come from upper management. Otherwise, people down the line will dismiss it as less important and end up taking short cuts. If management allows the time for the design and development of security policies, they will have a better chance of being implemented.

      Software engineers (or anyone for that matter) won't do anything extra that hasn't been earmarked by their bosses.

      Of course, you could argue that adding security is basic common sense - however, given that most programs look identical from the outside with and without security, if you were in a hurry what would you implement? It's a sad state of affairs, but in these days of relatively high turnover and when speed is important, sometimes the 'little' (seemingly) unimportant things get neglected.

      Bottom line is, it's not a few dozen individual software engineers that make this call, it's the CTO or other upper level manager that does - by corporate policy.
  • by SerpentMage (13390)
    I think the guy was not in charge of MS security in terms of software development, but IT infrastructure. And in that case it was a really good find. This guy managed fort Microsoft and MS knew how to keep its internal network in pretty good shape... Even with all of the gadgets and VPN's that they have.
  • Given how badly the government did on its last security evaluation they are hiring the company with about the worse security track record ever to help them? Isn't this like the blind leading the blind? Well I guess this gives a good indication as to what kind of "penalty" MS will get from the trial since it looks like they have managed to buy off the current administration.

    This just seems like one of the most phenomenolly stupid ideas the government could make with respect to computers though given the current adminstration I am sure they could figure out some way to outdo themselves. Though I really don't want to see what they do to outdo themselves.

    Hmm I heard Mars is nice this time of year ;)
  • pretty unfortunate (Score:3, Interesting)

    by vscjoe (537452) on Monday December 03, 2001 @04:03AM (#2646551)
    Well, maybe he quit Microsoft in disgust and is trying to do the right thing: push for open source, peer-reviewed, secure systems. But, more likely, he has been imbued with Microsoft corporate policy, still has a financial and personal interest in the company, and has never known another way of doing things besides the Microsoft way.

    If the latter is the case, there is a good chance that this guy will follow the easy and obvious (to laymen) path and push Windows. After all, NT was created by someone with decades of experience and it is 'C4' certified (or whatever). It has zillions of security features, even more so than VMS, so how could it not be secure? And it is used by some of the most security conscious companies in the world. And what's good for Microsoft is good for America anyway. At least those will be the arguments that will likely be heard around the White House when issues about what software infrastructure the armed services and US government should use.

    This will be followed by calls for keeping source code for criticial infrastructure under wraps, "like Microsoft is already doing", because "we don't want to give the terrorists the blueprints to our advanced technology". He'll probably preach the Microsoft mantra that open source is dangerous, unsafe, and un-American. And he'll likely conflate "security" RIAA style (fair use hijacking) with national security and point to how badly the RIAA and MPAA has been "hurt" by "security problems" resulting from "open source hackers" and how Microsoft, in contrast, keeps content "secure" and protects copyright holder's rights.

    Altogether, this appointment is likely going to hurt open source efforts, as well as national information security.

    • C2 Certification (Score:3, Interesting)

      by CaptainZapp (182233)
      NT was created by someone with decades of experience and it is 'C4' certified

      To the best of my knowledge, NT got a C2 certification umpteen years ago. But (and I'm not making this up), It only achieved C2 when the disk drive was removed and the machine was not attached to any network

      I don't think Microsoft attempted to brag about orange book certification since then.

  • This guy is clueless (Score:5, Informative)

    by Animats (122034) on Monday December 03, 2001 @04:04AM (#2646558) Homepage
    Here's a 1998 interview [washingtonpost.com] with the guy. He's not a technical guy. He used to be a computer crime investigator with the USAF. There's a fair amount of stuff by him on the web, mostly the usual Microsoft line of "it's all your fault, not ours".

    Notice in the 1998 interview that he denies that viruses in mail attachments are a problem.

  • Easy on him guys... (Score:5, Informative)

    by Mustang Matt (133426) on Monday December 03, 2001 @04:05AM (#2646561)
    He was a security ADVISOR...

    He could have given Microsoft all the advice in the world and if they were too lazy to implement the appropriate security measures it's not his fault.

    Maybe the position at the government was his oppourtunity to get to a better place that would actually listen to him.
  • Not really. (Score:5, Funny)

    by ChrisBennett (18205) on Monday December 03, 2001 @04:13AM (#2646577)
    Isn't this is like putting Capt. Hazelwood in charge of an oil tanker?

    Actually, no. Captain Hazelwood was drunk at the wheel before the accident. Apparently he was a fine captain when sober. Microsoft has bad security whether or not you consider them to be drunk.

    • Re:Not really. (Score:5, Informative)

      by Anonymous Coward on Monday December 03, 2001 @09:22AM (#2647196)
      There is plenty of blame to go around for the Exxon Valdez oil spill.

      Capt. Hazelwood was not at the wheel, or even on the bridge, when the Exxon Valdez struck the reef outside Port Valdez. Contrary to popular opinion ship Captains are not required to be "at the wheel" all the time. The ship was in what the USCG had declared was "outside pilotage" waters and a licensed USCG Merchant Marine Officer (the 3rd Mate) and a compliment of documented seamen were on watch - and at the wheel. Some seamen testified to telling the Officer on watch that the red buoy marking the limit of Bligh Reef was on their starboard side. For whatever reasons, he chose to ignore them.

      Capt. Hazelwood had to go down to his office to prepare the flurry of reports that Exxon's yuppie management required every one of their Captains to prepare and send in after loading and as soon as the pilot departs the ship. Prior to leaving the bridge he instructed the Officer on Watch to return to the sea lanes (marked clearly on a radar system on the bridge) after clearing the ice. For whatever reason, this officer declined to follow those instructions.

      The USCG officers who claimed he had alcohol on his breath were in an environment of heavy concentration of evaporating chemicals that was so bad that the Chief Mate (whose watch the 3rd mate was taking because the Ch. Mate had been working 36 hours straight loading the ship) testified that he had considered going back and getting a Scott Air Pack to get up the stairway to the bridge. (Compare to trying to detect alcohol on the breath of a friend while putting your nose next to the fill pipe of your car while fueling at at your corner service station.) (Hazelwood was never convicted nor was his USCG license revoked, btw.)

      The USCG radar observers in Port Valdez did not make any attempt to follow the ship after the pilot disembarked at the west end of the Valdez Narrows despite warning the ship of pack ice and authorizing the ship to divert from the navigation channel to avoid the ice.

      The Exxon Valdez hit Bligh Reef because the ship was undermanned (it was 900 feet long and carried a crew compliment of less than 25 people!), the crew was overworked and exhausted (and many say inexperienced), and Exxon management in Houston was micro-managing the ship with petty requirements, plus the USCG in Port Valdez did not do their jobs.

      One of the after effects of this incident was that the USCG returned to the policy of requiring ships to carry an extra officer to help with navigation and loading due to the heavy burden. A policy abandoned by Exxon and the other oil companies several years prior to the accident. A further after effect was a requirement that tankers entering sensitive waters be double-hulled.

      Another after effect is that the radar observers in Port Valdez now monitor the ships until they depart Cape Hinchinbrook and enter the open Pacific.

      A final after effect is that Port Valdez now allows tanker Captains to return to the Port and tie up in dangerous weather. Prior to the Valdez incident they refused re-entry and required loaded tankers to either stay inside Prince William Sound and motor back and forth in the traffic lanes or depart and suffer damage (and loss of life).

      The oil spill would have never caused as much pollution as it did if British Petroleum hadn't allowed the management of the Valdez terminal to decommission the recovery equipment they had promised the State of Alaska they'd keep on hand for the life of the project. They have recommissioned the oil spill equipment since the incident.
  • ::sigh:: (Score:2, Flamebait)

    by DarkZero (516460)
    So they'll steal the civil liberties of all of their citizens, and even more from immigrants, in the name of security... but do they bother to do a background check on their new computer security advisor? Of course not. That's just... predictable. I wanted to say sad, surprising, or shocking, but really, it's just predictable.

    Oh, and for those that claim that this guy isn't responsible for the holes in Microsoft software, and that thus this guy is actually pretty good at his job of protecting MS's network: You're half right. He DOESN'T have anything to do with the Microsoft software security holes. However, he was the one in charge of protecting Microsoft's network during the incident six months to a year ago when a hacker group hacked into Microsoft's network, completely 0wning the whole thing, and Microsoft didn't find out about it until the group had already been making regular visits to the network for three months, downloading the majority of the network (possibly the entire thing, I don't think anyone's really sure) during that time. And while some may wave that off as "one intrusion in X amount of time", remember that these guys got in and then kept making REGULAR VISITS to the Microsoft network without anyone noticing for three months. So while only one group managed to do it, it sounds like they managed to keep doing it on an almost daily basis. That makes for a pretty bad security record, and it would've been a huge fucking disaster if this had been done during the upcoming era of widespread .NET and Passport services, or only a "somewhat large fucking disaster" during the current era of consumer and business consumer information being regularly logged through XP's activation madness.

    I guess this proves that from now on, the government will be too busy looking at our computers to even take a passing glance at the situation of their own.

    • Well, considering that under new federal regulations the grunt security screeners have to be US Citizens, but the national guardsmen who walk around airports with fully loaded, full auto M-16's don't have to be. . .
      Anyways, enough with government fuckups. BTW, you mentioned the peeps that were hacking into the ms servers for 3 months before being detected - keep in mind that this is the people who were caught and that we heard about, and since it is not in MS's best interests to say they had been ass fucked by hackers . . .
  • by Xeger (20906) <{slashdot} {at} {tracker.xeger.net}> on Monday December 03, 2001 @04:20AM (#2646604) Homepage
    I haven't done any digging yet, but it is my assumption that as head of security he will be in charge of physical security policy at Microsoft installations: who has access to which rooms, and at what times of day. How many cameras to put in the bathroom stalls. How many parabolic surveilance microphones to hide in the trees. How many pits full of punji stakes, vipers and bear traps to place around the Redmond campus.

    In other words, Big Brother stuff. Spook stuff.

    That is what a chief security officer does in the traditional corporate environment. He will have an underling (or several) who handle electronic security for him. If he knows what's good for him he'll realize that he shouldn't try and play a game he knows nothing about, and he'll let his underlings have free reign.

    Not that it will do any good, of course. As long as Microsoft uses its own software, it will always be vulnerable to the same exploits with which it burdens the rest of the world.
    • No, check any of the links posted about this guy, he's an alleged "cybersecurity" expert. He was responsible for the security of Microsoft's own networks when they were thoroughly hacked. I doubt that he had any input to the design decisions that make MS OS's so insecure, but he's put his name on plenty of public statements claiming that there's no problem. In itself, that proves either he's utterly clueless or he'll say anything for a paycheck. Either way, he'll fit right in at the White House. 8-(
  • by Suppafly (179830) <slashdot@sup p a f ly.net> on Monday December 03, 2001 @04:27AM (#2646619)
    CD: you'd think people would examine the job someone did at thier previous job before offering them a new one. Isn't this is like putting Capt. Hazelwood in charge of an oil tanker?


    First off, being the white house I'm sure they throughly examined everything about him.. I had a friend apply for a fairly low position with the DoD and they interviewed his friends and family as well as giving him a lie detector test.


    Secondly, this is hardly compareable to the Exxon Valdez thing..


    Third who are you to say he did a bad job at MS?
    Other then just taking at cheap shot as MS, you have no info about his job performance or even what he specifically did while working at "The Great Evil"


    Maybe its just me, or maybe theres a reason you dont see chrisd listed in the hof anywhere..

  • hahahahahhahahahahaha!!!
    Seriously though, this is rather ominous.
    Take MS's awesome track record and keep it in mind, this isn't going to be a MS flame on their fucked security though. He was an advisor, which meant people didn't necessairly listen to him.

    Now, we all know that the new guy will be completely impartial? Right?
    Bullshit, not only does the DOJ let MS go damn near scott free, but now the white house appoints a former employee to tell them how to work security.
    Great, name him "Director of Computer Honesty" too, rename the DOJ to "The Ministry of Peace" to keep with the theme (or was it truth, it's been a while since I read the book).

    You know, this might not be that bad - if sysadmins can't patch their servers because the government doesn't allow publication of exploits, it will make hackers / skript kiddies jobs easier. It will escalate to a point where there will be so much bullshit, that sysadmins will all just post their shit anyways, consequences be damned - or just host exploits in Rwanda, Iraq, or some other nation.

    This is not to say that his experience will be a total fuckup - he does have a few interesting ideas, and I think that he realizes that what is under his control can never be broken into, which is nice (a realist, instead of some bitch from marketing).
    His administration will be a mix of good and bad things, though his support of ammending the freedom of information act certainly makes my worried.
  • I suppose we can hope for the best. We know this guy wasn't responsible for the code itself, but rather M$'s IT infrastructure. And Microsoft's has been pretty good at not being hacked, (or at least having their websites defaced) Although one intrusion did take place (and it was major)

    Aside from that, though, what bothers me is the security ideology espoused by Microsoft (and as others mentioned, this guy), the whole 'security-through-obscurity' thing. These people seem to think that building software is like building a house, it can't really be secure, just tight enough so that you don't have to worry, but we know that isn't the case. I mean, Microsoft is a successful company, but they're security is just crap. And when they're called on it they blame others. This is not the kind of attitude that we need to manage a secure government system. I mean we can't just send the FBI in to confiscate the computers of 'suspected' hackers if they're funded by another country.

    Bleh, this government sucks. 9/11 has just made them more paranoid and retarded.
  • /. will no longer be regarded as an major anti-MS. Now they will also call us anti-Government!

    Wait a minute...
  • I heard he's going to be in charge of the MS Supreme Court 2002 installation. And there are also rumors of a switch to MS Advanced Senate. Unfortunately, the upgrade to MS President Express has been postponed because it kept dying.
  • I was once a Quality Assurance tester for a dot-com with a really shitty product. My job was to find bugs in the aforementioned pile of shit. And find them I did. I had no control over whether or not these bugs were fixed; my job was merely to make sure the developers were aware of them.

    Likewise, it is not a security advisor's job to fix security issues. It is his job to advise people on ways of preventing security problems. Just like a QA tester, he has no control over whether people actually heed his advice.

  • that we won't have to go on tours to see the whitehouse anymore?

    tourist> yay ... the backdoor's open
    tourist> common guys lets go

    security officer> um sir please don't tell too many people about this ... it is a secure facility

    tourist> er ... ok
    *walks inside*
  • While this may seem a strange move, it is a case of Security Through Obscurity ;)
  • by sluggie (85265)
    yes, it's the typical /. behaviour when it comes comes down to jobs/functions/code/etc from/by/at microsoft.
    This kind of bashing is definitely not ok. You know NOTHING about this guy, I'm sure he is VERY high qualified and he is not to blame for the philosophy of a company.
    Hey chrisd, do you have any idea which education you must have to become a Chief Security Advisor at Microsoft? Do you?

    Demonizing Microsoft, that is what the script kiddies, crackers, etc do. It should not be commited by a sane, open minded community.

    For example I know a guy who teaches ppl how to pass the mcse certificates. I once asked him why he is doing this microsoft stuff. He told me that he no fan of Microsoft itself as a company, but it's good money, a nice job.
    In his free time he is a sun/java developer and truly fan of linux.

    Maybe we shouldn't categorize people because of their jobs. And believe me, Mr. Schmidt knows more OS than win98...

    Saying "w1nd0wz sux0rZ, h4X0r1ng m$ r00lez" is just embarassing...
    • Guilt by association. Most likely you are not spending hours upon hours patching that shitty OS, its shitty Web Server and then watch another HUGE hole that 'script kiddies' can easily exploit crop up the next day requiring you to spend more spend more hours upon hours. I can give you examples of OSes that do not have this problem. Here's [openbsd.org] one.
  • by fyonn (115426) <dave@fyonn.net> on Monday December 03, 2001 @06:47AM (#2646871) Homepage
    that he's not so much leaving microsoft as merely changing departments. it's all the same company isn't it?

    dave
  • ... but he was their security officer, not a product designer. What difference does it make that he worked for MS? Other than that consequentially he worked for a huge, high-profile MS shop that everyone wants to crack and not many have managed.

    The job'll be easier, I'd imagine, since the White House is a smaller and less ambitious (but equally high profile) MS shop and while he now isn't down the hall from the developers (which is not all it's cracked up to be) he is down the hall from the NSA.

    I mean really. If you've got to secure an important *MS* shop, who do you think would be better?
    • You think this guy is a clever troll, but it he is not.

      Men are good.

      Socrates is a man.

      Therefore, Socrates is good.

      This kind of logic has stood up for 2400 years

      We hired an old NSA guy to be the security guy at my University. Things have become demonstrably worse in the past six months. Why? He is a Microsoft weenie. Who ever heard of a security maven who repeatedly gets infected by 3-year-old viruses in his mail because he insists on running Outlook -- unpatched.
  • Use ya head! (Score:2, Interesting)

    Your president and government realise how dependent their economy is on M$ products. Of course, they can't just ask Microsoft what the terrorist-exploitable holes in the code are, because the company is big enough to hang on to their corp. secrets from even the US government.

    So they employ the guy and put him in a safehouse where they can have a long chat, Dubwya gets a clearer picture of what he's up against.
  • by jd (1658)
    I'd say this was closer to putting bin Laden in charge of American Home Security.
  • GWB: what's this computer security stuff?
    Ashcroft: that's computer survellience.
    GWB: well this Texan don't know the difference so why doncha tell me.
    Ashkroft: we need to spy on people to make sure they're not terrorists or having abortions or being queer.
    GWB: so this guy from MS can help us with that
    Ashkroft: yeah he can get MS to put whatever backdoors in so we can spy on whomever we want.
    GWB: backdoors? sounds kinda queer.
    Ashkroft: those nerds are all kinda queer anyway - so here's the deal. we hire this guy and then tell him what to tell Gates to do.
    GWB: why should Gates do what we say - that nerds's got more money than a whorehouse with an oilwell?
    Ashkroft: cause Gates has money but we wants access and prestige like everyone else
    GWB: ok I'll go with it - how we commin with rounding up the ragheads
    Ashkroft: fine, project TexAryan is right on target - all non Christians are being targetted as we speak.
    GWB: well shit howdy, get me a drink then.
  • Maybe if he was chief of the Microsoft PAC, he gets the credit for preventing the breakup of Microsoft. That was a very effective job of security, and so he's therefore highly qualified.

    Depends on what you expect from "security," I guess.

  • It won't be long before they enable scripting in every existing government service. It would be pretty cool to use the scripting "features" to order a drivers license with Micky Mouse's picture! :)

    -
  • If they'd put him in charge of the IRS network security, maybe we could avoid paying any more taxes
  • The point of hiring him away from Microsoft was to make the nation's computers more secure as a whole. He'll sit in a small office somewhere and harass interns while Microsoft goes to the junior colleges to find a more capable replacement.
  • Misleading header. (Score:3, Insightful)

    by Remote (140616) on Monday December 03, 2001 @12:54PM (#2648326) Homepage

    MS tools may not be the best, but once that's what the White House has got, then choosing this guy to advise on security seems to me to be a sound decision, no question about that. But I don't think this move has much to do with White House security at all.

    Now, call me paranoid if you wish, but when I read this piece of news I can't help but ask myself what is this individual really up to within the government structure. He's supposed to know MS security like very few people in the world. Wouldn't he be of great help for the Bureau in their desire to do funny stuff with everyone's machine? Or something along those lines? Reading the article we see that he's not going to do things like helping beef up thw WH website security, he will be working with a taskforce that has many ramifications, chaired by Richard Clarke.

    From the article:

    Clarke was named last month to head a new White House Office of Cyberspace Security that is to focus on developing a plan for protecting the nation's critical infrastructure.

    That could mean a lot of things.

  • by jjohn (2991)

    I actually shrieked out loud in terror when I read this headline. Good lord, I feel like I'm trapped in a bad Dilbert cartoon.

  • by harlows_monkeys (106428) on Monday December 03, 2001 @02:20PM (#2648946) Homepage
    Uhm...free software has as many security problems as Windows. The difference is that Windows has 95% of the users, and so is a much bigger target.
  • by Sax Maniac (88550)
    Isn't this is like putting Capt. Hazelwood in charge of an oil tanker?

    No, it would be like making Capt. Hazelwood the Secretary of Transportation [dot.gov].

    (Uh, he was in charge of an oil tanker.)

  • This is funny because it reminds me of an essay I just read by Andrew Ferguson which is completely, entirely apropos to this story. I quote from his book [amazon.com]:
    "My interest in [Bob] McNamara is intensified because he exemplifies a peculiar Washington phenomenon. In Washington people fail up. The city is exempt from the laws of professional gravity. No other city is so accommodating to failure, so friendly to the people who fail. Large awards await the bunglers and the bobblers, the has-beens and wannabees-who-never-could. Our present mayor, to cite an obvious example, destroyed the city's finances, smoked crack on TV, went to prison--and then got reelected ... Here's The Iron-Contra bungler, awarded a popular radio show for his work destroying the Reagan administration. Over there is the manager of the 1992 Bush campaign, mulling offers from candidates to work his magic again in 1996. And over here is the chief strategist for Jimmy Carter during the Iranian hostage crisis--why, he's the secretary of state!

    "McNamara is the spiritual father of them all. He is the architect of a career breathtaking in the scope of its screwups, a clockwork progression of failure and reward, error and advancement. Imagine a friend who comes to visit. The first night he cooks you dinner and sets fire to the kitchen. The next morning he accidentally electrocutes the cat. He blows his nose in the curtains and never flushes the toilet. He borrows your car and drives through the garage door, then spreads a rare infection to your kids. By the third day you make the decision: You ask him to move in with you.

    "This is the pattern of McNamara's career. At Ford Motors, in the late 1950s, he designed the sclerotic top-down management system that almost sank the American automobile industry; for good measure, he oversaw the production of the Edsel [edsel.com]. Accordingly, JFK handed him the Pentagon. There McNamara got the idea for the Vietnam war--the Edsel of American foreign policy. So awed was the Washington establishment tthat it placed him at the head of the World Bank, in hopes that he might do for the international economy what he had done for the American military. And he did! Within ten years, he had doubled the amount of money loaned, and lost, to third world kleptocracies like Brazil and the Central African Empire. He was Midas in reverse. Wherever he draped his hand, industries wilted, economies collapsed, corpses piled up."

    Looks like Howard Schmidt is the Bob McNamara of our day!
  • At first, I thought, "eh". But then I remembered this post [slashdot.org].

    -Puk
  • by phr1 (211689) on Tuesday December 04, 2001 @02:01AM (#2652725)
    I think /.'s criticism misses the point of what a corporate security officer does. This guy's job had nothing to do with bugs in Windows. Security officiers are generally not programmers or techies. They don't know anything about elliptic curve encryption or SYN cookies.

    Most large companies have security officers. They usually come from a law enforcement or military background. When you see the title "security officer", think Lieutenant Worf, not Wesley Crusher. The security officer is usually in charge of physical plant security, of running background checks on incoming employees, making sure the guards at the parking lot entrance check the right ID's, etc. Their involvement with computers may reach as far as directing that the company firewall filter out incoming .exe email attachments, and that everyone's PC runs a daily virus scan.

    As far as I know, Microsoft didn't have serious problems of that nature, and that guy did perfectly well at his job. The pinhead marketroids who put all the vulnerabilities into Outlook were in a completely different jurisdiction, so to speak. So I don't have a problem with his going to work for the white house.

Optimism is the content of small men in high places. -- F. Scott Fitzgerald, "The Crack Up"

Working...