MS Chief Security Officer to work for White House
NerveGas writes "An Interesting People message reports that Howard Schmidt, Microsoft's Chief Security Advisor, will be leaving MS to work as a security adviser for the White House. With the track record that Microsoft has in the area of computer security, this strikes me as a very bad move." CD: you'd think people would examine the job someone did at their previous job before offering them a new one. Isn't this like putting Capt. Hazelwood in charge of an oil tanker?
So you think the White House chose him at random? (Score:5, Interesting)
Here's a guy who was working for the largest software monopoly in history and now works as security honcho for the most powerful government in history, with people like Ashcroft in it. Makes my nose bleed just thinking about it. The more I see what's happening in Micro$oft's giant sphere of influence, the more I'm glad to be a Linux user, that's for damn sure.
What type of work? (Score:2, Interesting)
pretty unfortunate (Score:3, Interesting)
If the latter is the case, there is a good chance that this guy will follow the easy and obvious (to laymen) path and push Windows. After all, NT was created by someone with decades of experience and it is 'C4' certified (or whatever). It has zillions of security features, even more so than VMS, so how could it not be secure? And it is used by some of the most security-conscious companies in the world. And what's good for Microsoft is good for America anyway. At least those will be the arguments that will likely be heard around the White House when issues about what software infrastructure the armed services and US government should use come up.
This will be followed by calls for keeping source code for critical infrastructure under wraps, "like Microsoft is already doing", because "we don't want to give the terrorists the blueprints to our advanced technology". He'll probably preach the Microsoft mantra that open source is dangerous, unsafe, and un-American. And he'll likely conflate "security" RIAA style (fair use hijacking) with national security and point to how badly the RIAA and MPAA have been "hurt" by "security problems" resulting from "open source hackers" and how Microsoft, in contrast, keeps content "secure" and protects copyright holders' rights.
Altogether, this appointment is likely going to hurt open source efforts, as well as national information security.
Re:responsibility (Score:5, Interesting)
In a company that large, there will be both fuck-ups and genuinely good workers. I know some extremely talented people working at Microsoft. I also know some losers there. I don't know which side of things this guy is on, but you have to figure that only a few companies have people with enough experience with huge, varied networks to take on this role for the federal government. And Microsoft is very likely to be one of them.
Corporate security != electronic security (Score:3, Interesting)
In other words, Big Brother stuff. Spook stuff.
That is what a chief security officer does in the traditional corporate environment. He will have an underling (or several) who handle electronic security for him. If he knows what's good for him he'll realize that he shouldn't try and play a game he knows nothing about, and he'll let his underlings have free rein.
Not that it will do any good, of course. As long as Microsoft uses its own software, it will always be vulnerable to the same exploits with which it burdens the rest of the world.
It's all part of the same kind of thinking. (Score:5, Interesting)
"CD: You'd think people would examine what someone did at his previous job before offering him a new one." [Corrections to grammar and spelling added.]
It's all part of the same kind of thinking. Bomb Afghanistan to save it. (I'm talking about the first bombing by the U.S. government [1983], not the second and third.)
Hire someone from a company known for its inability to make secure software, and put him in charge of what his company always did poorly.
But, of course, maybe he is not really leaving Microsoft, but just working with a government that doesn't believe in privacy to assure that Microsoft software will always be compromised by the government.
Look on the bright side. With Microsoft in the White House, no one who truly wants software security will be running Microsoft products.
--
Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence? [hevanet.com]
Re:huh? (Score:1, Interesting)
Gore's pretty much publicly agreed with everything Bush has done about 9/11 so far, so Gore voters don't have much room to complain that their guy would do any better.
C2 Certification (Score:3, Interesting)
To the best of my knowledge, NT got a C2 certification umpteen years ago. But (and I'm not making this up), it only achieved C2 when the disk drive was removed and the machine was not attached to any network.
I don't think Microsoft attempted to brag about orange book certification since then.
Re:It's all part of the same kind of thinking. (Score:1, Interesting)
We are talking the difference between a multi-billion-dollar organization that doesn't just have a few glitches, but millions of lines of poorly written code that lead to exploits that make little script kiddies jizz their shorts.
By your justification, if you were running a soup kitchen and you had 1 person that was on payroll. You paid them every week for their services. And you had 4 other people who were volunteering. The one person you're paying never seems to be doing anything right. They are always half-assing everything you ask them to do. Very rarely do they get it right the first time. Then you have the 4 people who are volunteering their time who occasionally have issues where they don't get it right. But they are self-starters who don't always wait to be told and sometimes they just surprise you with what they have done.
Now your ass would fire the 4 volunteers and keep the idiot on payroll, wouldn't you? Hell, you might be that idiot.
BTW, most people are asking the right question: what are his qualifications? "He worked at Microsoft as head of security" doesn't say much. Defending MS here shows you really don't understand what the underlying conundrum is. Also, I gotta ask, do you work for MS? 'Cause the releasing a patch thing is sorta for the birds. Commercial products shouldn't be works in progress.
Use ya head! (Score:2, Interesting)
So they employ the guy and put him in a safehouse where they can have a long chat, Dubwya gets a clearer picture of what he's up against.
The Problem With Microsoft (Score:5, Interesting)
Microsoft's product line evolved from a single user application. Programmers on their product line are still in the mentality that if you're sitting at the console, their programs have sole access to the full resources of the computer. How many Windows application installs demand that you close down all other programs and reboot the system when you're done? How many of them actually need you to do that? How many times has some Windows program opened a modal dialog (which in the historical past prevents the program from being minimized until you acknowledge the dialog) or worse, a system dialog? When was the last time you saw one on Linux? Completely different programmer mentality.
Sure Microsoft's been kludging user support into Windows for a while now, but they don't enforce its use. It'd take too long for them to explain to every user out there why they should have to log out and log in as the administrator in order to install that new game or those scanner drivers. Most Windows users are perpetually stuck in the running as root mode, despite years of sysadmin experience that dictates that you should never run as root. And Microsoft will never force them to create a user and use it because that would make them a little less user-friendly and a little more like UNIX and that's not the direction they've taken.
BTW: Most Linux dists don't force you to create and use a user ID either, and it's a very common thing to see newbies running as root. They usually stop after the first or second time they manage to trash their entire damn filesystem. And you can never just tell them "Don't run as root -- 30 years of UNIX sysadmin experience can't be wrong!" They seem to have to learn by hard experience.
Re:Huh? (Score:4, Interesting)
First off, not to single you out, but this is so friggin typical of slashdot. Everyone (including chrisd from
Finally, apparently this guy knows his shit. From this PBS interview [pbs.org]
He is Chief of Information Security for the Microsoft Corporation. Prior to this he was a Supervisory Special Agent, Director of the Air Force Office of Special Investigations, Computer Forensic Lab and Computer Crime and Information Warfare.
Now, does it seem like a mistake to hire him? After all, he is *leaving* MSFT to go back to the government. Enjoy your crow, everyone!
Doesn't anyone here subscribe to bugtraq? (Score:3, Interesting)
What a security officer does (Score:3, Interesting)
Most large companies have security officers. They usually come from a law enforcement or military background. When you see the title "security officer", think Lieutenant Worf, not Wesley Crusher. The security officer is usually in charge of physical plant security, of running background checks on incoming employees, making sure the guards at the parking lot entrance check the right IDs, etc. Their involvement with computers may reach as far as directing that the company firewall filter out incoming
As far as I know, Microsoft didn't have serious problems of that nature, and that guy did perfectly well at his job. The pinhead marketroids who put all the vulnerabilities into Outlook were in a completely different jurisdiction, so to speak. So I don't have a problem with his going to work for the White House.