MS Chief Security Officer to work for White House 355

NerveGas writes "An Interesting People message reports that Howard Schmidt, Microsoft's Chief Security Advisor, will be leaving MS to work as a security adviser for the White House. With the track record that Microsoft has in the area of computer security, this strikes me as a very bad move." CD: you'd think people would examine the job someone did at their previous job before offering them a new one. Isn't this like putting Capt. Hazelwood in charge of an oil tanker?
  • Re:Huh? (Score:2, Insightful)

    by Hektor_Troy ( 262592 ) on Monday December 03, 2001 @03:48AM (#2646494)
    It's like this:
    Would you rather trust:

    1) The Chief Financial Officer in a company that constantly just breaks even
    2) The Chief Financial Officer in a company that constantly rakes in cash as if they had a money tree AND the Philosopher's Stone.

    or

    1) The head of the local mobster offering you protection
    2) The local police chief
  • by SerpentMage ( 13390 ) on Monday December 03, 2001 @04:00AM (#2646539)
    I think the guy was not in charge of MS security in terms of software development, but IT infrastructure. And in that case it was a really good find. This guy managed for Microsoft and MS knew how to keep its internal network in pretty good shape... Even with all of the gadgets and VPNs that they have.
  • responsibility (Score:5, Insightful)

    by vscjoe ( 537452 ) on Monday December 03, 2001 @04:10AM (#2646571)
    Was he responsible for all the holes in Microsoft code over the years?

    As security advisor at Microsoft, his job presumably was to define policies that keep those holes from getting into the software and/or to keep Microsoft's sites secure. Microsoft's products are full of holes and their services have suffered major security compromises, so he can't have been very effective.

    Since his new role will be similar in nature, it seems reasonable to suspect that he will be equally ineffective at defining national policies to protect our national security infrastructure.

  • by Suppafly ( 179830 ) on Monday December 03, 2001 @04:27AM (#2646619)
    CD: you'd think people would examine the job someone did at their previous job before offering them a new one. Isn't this like putting Capt. Hazelwood in charge of an oil tanker?


    First off, being the White House I'm sure they thoroughly examined everything about him.. I had a friend apply for a fairly low position with the DoD and they interviewed his friends and family as well as giving him a lie detector test.

    Secondly, this is hardly comparable to the Exxon Valdez thing..

    Third, who are you to say he did a bad job at MS?
    Other than just taking a cheap shot at MS, you have no info about his job performance or even what he specifically did while working at "The Great Evil"

    Maybe it's just me, or maybe there's a reason you don't see chrisd listed in the hof anywhere..

  • Re:responsibility (Score:3, Insightful)

    by Paul Komarek ( 794 ) <komarek.paul@gmail.com> on Monday December 03, 2001 @04:48AM (#2646682) Homepage
    While most of what you say sounds reasonable, one thing really caught my eye: "only a few companies have people with enough experience with huge, varied networks". The problem with Microsoft is that they only have experience with huge, homogeneous networks; they were blindsided by the internet; they thought remote admin was a bad idea until recently; their network hacks (netbios, for instance) stink on large networks.

    I think Microsoft is very *unlikely* to have much useful experience with "huge, varied networks". What really gets me is that they seem to *like it this way*.

    -Paul Komarek
  • by Anonymous Coward on Monday December 03, 2001 @04:56AM (#2646698)
    security positions in governments and corporations alike are always political, never involving an ounce of technical clue. he'll fit right in.
  • Re:responsibility (Score:3, Insightful)

    by mshomphe ( 106567 ) on Monday December 03, 2001 @04:56AM (#2646700) Homepage Journal
    But, this is part of a general 'revolving door' phenomenon between business and government: work in one area of the private sector, retire, join the government, work on legislation for that area. This is problematic because it leads to the legislation being skewed towards that business (and away from the consumer), and makes the government appear more insular.

    One has to wonder what effect this person's tenure with Microsoft will have on his job performance; much in the same way that we had to wonder about Dick Cheney's Halliburton/Enron/oil industry ties when he was coming up with the administration's energy policy. It's a valid concern and one that should be raised.
  • by b0r1s ( 170449 ) on Monday December 03, 2001 @04:58AM (#2646704) Homepage

    Hire someone from a company known for its inability to make secure software, and put him in charge of what his company always did poorly.


    Who would you prefer?

    1. Someone from openssh, which just released a new version to correct a remote exploit? [oreillynet.com]
    2. A linux hacker who can't figure out how to handle syn cookies? [oreillynet.com]
    3. Someone from lotus, who can't protect their documents [oreillynet.com]
    4. A webalizer coder who can't remember to filter out cross site scripting? [oreillynet.com]
    5. Maybe an IBM coder? [oreillynet.com]
    6. Cisco is flawless, right? nope [oreillynet.com]
    7. Redhat must be perfect, they make linux! oh wait [oreillynet.com]
    8. SGI/IRIX is flawless, they never have security proble... oh, nevermind [oreillynet.com]
    9. How about a linux kernel hacker, they sure must be perfect! They'd never allow a root exploit into a stable kernel! [oreillynet.com]

    Getting the point yet? Everyone has holes. Everyone releases patches. It just happens that microsoft designs their code for ease of use, and because of that there happen to be a lot of unqualified microsoft admins. This isn't a MS problem. This is a side effect of their popularity.
  • by Anonymous Coward on Monday December 03, 2001 @05:49AM (#2646778)
    I think you're missing the point. Microsoft consistently releases buggy software and they publicly admit that yes, the UI experience comes before security. Sorry, but that's not for me. In addition, you've forgotten to list OpenBSD. Four years without a remote hole in the default install.
  • by sluggie ( 85265 ) on Monday December 03, 2001 @06:00AM (#2646790)
    yes, it's the typical /. behaviour when it comes down to jobs/functions/code/etc from/by/at microsoft.
    This kind of bashing is definitely not ok. You know NOTHING about this guy, I'm sure he is VERY highly qualified and he is not to blame for the philosophy of a company.
    Hey chrisd, do you have any idea which education you must have to become a Chief Security Advisor at Microsoft? Do you?

    Demonizing Microsoft, that is what the script kiddies, crackers, etc do. It should not be committed by a sane, open minded community.

    For example I know a guy who teaches ppl how to pass the mcse certificates. I once asked him why he is doing this microsoft stuff. He told me that he is no fan of Microsoft itself as a company, but it's good money, a nice job.
    In his free time he is a sun/java developer and truly a fan of linux.

    Maybe we shouldn't categorize people because of their jobs. And believe me, Mr. Schmidt knows more OS than win98...

    Saying "w1nd0wz sux0rZ, h4X0r1ng m$ r00lez" is just embarrassing...

  • 1. unauthorized user can authenticate.
    2. denial-of-service attack
    3. unauthorized user can read files
    4. Inject HTML tags into the generated reports.
    5. gain root access.
    6. denial-of-service attack
    7. execute arbitrary code when accessing RPM from untrustworthy source.
    8. denial-of-service attack
    9. gain root access

    Every one of 1 through 9 above are stories about people who made mistakes.

    The security problems in Microsoft products, are, in my opinion, not mistakes. They are the result of policies: 1) Only money matters. If you can make more money by being sloppy, then do it. 2) Release software with lots of known shortcomings so that people will want to pay for upgrades later. 3) Relate to your employees by pushing them.

    Items 2, 3, 4, 6, and 8, more than half of those you mentioned, do not allow destruction to the system itself. One or more Microsoft security bugs that allow destruction to the system are announced on the average of every month, if I recall correctly.

    I am not anti-Microsoft. I am more pro-Microsoft than Bill Gates. Microsoft is a company that has $30,000,000,000 dollars in the bank, instead of being used to clear up the problems in their products.

    Today I spent about an hour of my Sunday helping a woman in Brazil clear her computer of the Badtrans worm. Billions of dollars are being wasted by very serious Microsoft bugs. The company is not worrying enough about the quality of its products, in my opinion.

    I installed a security bug fix supplied by Microsoft to Internet Explorer on someone's computer last week, and the security bug fix put all the network settings back to least security. This has been going on for years. Microsoft knows this happens. It is a result of policy, not mistake. Why they do that, I don't know. Maybe it has been dictated by the U.S. government that Microsoft will make their systems insecure.

    We have a problem on Slashdot that many people who read Slashdot don't work with Microsoft products enough to know how bad things really are.
  • by Floris ( 21037 ) on Monday December 03, 2001 @06:06AM (#2646808) Homepage Journal

    Nice argument, but let's not forget microsoft themselves have been compromised multiple times over the course of the last few months:

    1) Remember that incident where someone inside microsoft got hit by a macro virus that allowed remote (apparently russian) script kiddies to access their internal network?

    2) How code red hit www.microsoft.com and hotmail?

    3) Same thing happened with nimda.

    4) there were more but this was off the top of my head.

    Of course, bad programming practices happen everywhere but this could be accounted to a) running unpatched boxes and b) microsoft employees opening infected attachments. Both of which were his direct responsibility to prevent.
  • by erroneus ( 253617 ) on Monday December 03, 2001 @08:08AM (#2646995) Homepage
    First, I'd like to comment that I'm posting this using AT&T Broadband... They didn't pay me to say this, but I expected to be net-less for a week, so I'm happy.

    Second, MS's infamous security record doesn't stem from "mishaps." It stems from their insistence on a very flawed set of models. "Drivers at Ring-0" and all that. Among the more popular flaws is in their VBA/VBS integration. Bad enough that these languages have access to the whole machine indiscriminately, but documents from untrusted sources now have access to your whole machine? How many times has this happened? It's not something that requires a patch, it requires a rewrite or complete removal as a feature.

    Javascripting? Why are so many MSIE flaws handled best by disabling client-side scripting? Think about it -- same problem.

    How about their insistence on installing "everything, even if you don't need it?" How many "Nimda" hosts are out there on machines where the owner didn't even know IIS was there? My brother said it best when he said that it was the equivalent of shipping a loaded pistol. It's not dangerous if you know how to use it and if you knew it was loaded, but then again anyone with a finger thinks they can handle a gun... ring true enough?

    It's not that the company's popularity makes a common problem seem worse, it's the company's problem of prioritizing "cool stuff" over "secure stuff."
  • by dave-fu ( 86011 ) on Monday December 03, 2001 @12:42PM (#2648240) Homepage Journal
    Here's a starting point for you to consider: "The Orange Book C2 specification is for standalone, nondistributed computing environments and non-networked devices." [win2000mag.com]
    There's no security without physical security and a floppy/CD attached to a computer giving you a workaround from the single pathflow of username/password login to an ACL-controlled environment fails the C2 spec by default. No one brags about Orange Book certifications because no one enforces it because it's freaking useless in every conceivable work environment. No network + no disk drives == no sneakernet == why bother?
  • Misleading header. (Score:3, Insightful)

    by Remote ( 140616 ) on Monday December 03, 2001 @12:54PM (#2648326) Homepage

    MS tools may not be the best, but once that's what the White House has got, then choosing this guy to advise on security seems to me to be a sound decision, no question about that. But I don't think this move has much to do with White House security at all.

    Now, call me paranoid if you wish, but when I read this piece of news I can't help but ask myself what this individual is really up to within the government structure. He's supposed to know MS security like very few people in the world. Wouldn't he be of great help for the Bureau in their desire to do funny stuff with everyone's machine? Or something along those lines? Reading the article we see that he's not going to do things like helping beef up the WH website security, he will be working with a taskforce that has many ramifications, chaired by Richard Clarke.

    From the article:

    Clarke was named last month to head a new White House Office of Cyberspace Security that is to focus on developing a plan for protecting the nation's critical infrastructure.

    That could mean a lot of things.
