Microsoft Executive Tapped For Top DHS Cyber Post

krebsatwpost writes "The Department of Homeland Security has named Microsoft's 'chief trustworthy infrastructure strategist' Phil Reitinger to be its top cyber security official. Many in the security industry praised him as a smart pick, but said he will need to confront a culture of political infighting and leadership failures at DHS. From the story: 'Reitinger comes to the position with cyber experience in both the public and private sectors. Prior to joining Microsoft in 2003, he was executive director of the Defense Department's Computer Forensics Lab. Before that, he was deputy chief of the Justice Department's Computer Crimes and Intellectual Property section, where he worked under Scott Charney, who is currently corporate vice president for trustworthy computing at Microsoft.'"

In all seriousness

[Jane Q. Public]

While anecdotes from Windows users regarding how they tried to make an inherently insecure system secure could be extremely valuable, I doubt that anecdotes about how Microsoft executives tried to make their systems secure will be equally valuable. This was a ridiculous choice, and further undermines my initial hope that Obama might indeed turn out to be a good President.

Re:Try not to be too delusional.

[daemonburrito]

[...] just because this guy worked for Microsoft doesn't mean he lacks intelligence.

No, but it does mean that he was part of the team fighting US-CERT for months over autorun, at least. He likely helped resist an effort by a division of the department he is to head to fix a security problem that was so bad, they felt it endangered national security.

Re:... trustworthy computing?

[gadget junkie]

Before that, he was deputy chief of the Justice Department's Computer Crimes and Intellectual Property section, where he worked under Scott Charney, who is currently corporate vice president for trustworthy computing at Microsoft Trust... worthy... computing at Microsoft... Isn't there a law that prohibits the words trustworthy and Microsoft in the same sentence?

I do not think it's forbidden, but it comes very close to the definition of Oxymoron, [wikipedia.org] i.e. mutually contradictory terms.

Re:Try not to be too delusional.

[jaredmauch]

A sad note on the autorun activity. The challenges US-CERT has are complex as they have little ability to enforce sane standards and are just as the name says a response team. Once you formulate a response, someone has to execute it, and the federal government is one of the largest enterprises out there, certainly if you include all the contractors as well. It will be interesting to see if there is a shift away from bah to career feds.

At the same time, everyone makes mistakes and Phil has always shown himself to be a person who generally "gets it" compared to others I've bumped into at GLB. The same is true for any org, fed or not.

Re:Try not to be too delusional.

[daemonburrito]

I don't know. Even if he just did nothing to stop Microsoft's resistance it would be bad.

If guys from CERT called me and said, "Hey, could you make The Autorun and NoDriveTypeAutorun registry values actually do something? We worried about this 10 million strong botnet," I'd probably comply. The reality was even worse; Microsoft wrote instructions for users to mitigate the problem which they knew were not effective.

The last thing I would do would be to start a PR war, which they did only to save face about something that has been criticized for over a decade. It's amazing... some slight marketing concern overrode what they were told was a matter of national security.

Funny... the wikipedia page on autorun was just stealth edited to remove all mention of the problem. [wikipedia.org]