Microsoft Executive Tapped For Top DHS Cyber Post

krebsatwpost writes "The Department of Homeland Security has named Microsoft's 'chief trustworthy infrastructure strategist' Phil Reitinger to be its top cyber security official. Many in the security industry praised him as a smart pick, but said he will need to confront a culture of political infighting and leadership failures at DHS. From the story: 'Reitinger comes to the position with cyber experience in both the public and private sectors. Prior to joining Microsoft in 2003, he was executive director of the Defense Department's Computer Forensics Lab. Before that, he was deputy chief of the Justice Department's Computer Crimes and Intellectual Property section, where he worked under Scott Charney, who is currently corporate vice president for trustworthy computing at Microsoft.'"

Re:

[maxume]

Things that you occasionally compromise are generally called preferences.

Re:There May Be An Upside - but

[INT_QRK]

Bet he still owns MS stock...

Microsoft and Security in the same sentence?

[BadAnalogyGuy]

Boy oh boy. Obama seems to be turning into a big disappointment with some of these appointments.

What'll he do next? Appoint Mike Tyson as head of Department of Heath and Human Services?

Re:Microsoft and Security in the same sentence?

[Praedon]

Nope. New department, which is Department for Cannibal Relations.

Re:

[Ihmhi]

The rest of us refer to that as the Internal Revenue Service.

Re:

[timmarhy]

what do you expect, you people carried on like it was the second comming when you elected him. no one can live up to that kind of hype.

Re:

[BadAnalogyGuy]

What do you mean, "you people"?

Re:

[El Torico]

People who can use punctuation, capitalization, and spell properly. Actually, I think he was referring to those who voted the President into office.

Re:

[mi]

People who can use punctuation, capitalization, and spell properly. Actually, I think he was referring to those who voted the President into office.

Actually, no, most of the people voting for Obama didn't know some very basic things [howobamagotelected.com] about him or the opposition. And what they did know, was often wrong.

In the particularly striking example, the vast majority attributed the infamous I can see Russia from my house! [brisbanetimes.com.au] to Sarah Palin, when, in fact, the phrase was coined by Saturday Night Live, who were mocking her

Re:Try not to be too delusional.

[daemonburrito]

[...] just because this guy worked for Microsoft doesn't mean he lacks intelligence.

No, but it does mean that he was part of the team fighting US-CERT for months over autorun, at least. He likely helped resist an effort by a division of the department he is to head to fix a security problem that was so bad, they felt it endangered national security.

Re:

[jaredmauch]

A sad note on the autorun activity. The challenges US-CERT has are complex as they have little ability to enforce sane standards and are just as the name says a response team. Once you formulate a response, someone has to execute it, and the federal government is one of the largest enterprises out there, certainly if you include all the contractors as well. It will be interesting to see if there is a shift away from bah to career feds.

At the same time, everyone makes mistakes and Phil has always shown hi

Re:Try not to be too delusional.

[daemonburrito]

I don't know. Even if he just did nothing to stop Microsoft's resistance it would be bad.

If guys from CERT called me and said, "Hey, could you make The Autorun and NoDriveTypeAutorun registry values actually do something? We worried about this 10 million strong botnet," I'd probably comply. The reality was even worse; Microsoft wrote instructions for users to mitigate the problem which they knew were not effective.

The last thing I would do would be to start a PR war, which they did only to save face about something that has been criticized for over a decade. It's amazing... some slight marketing concern overrode what they were told was a matter of national security.

Funny... the wikipedia page on autorun was just stealth edited to remove all mention of the problem. [wikipedia.org]

Re:

[mi]

some slight marketing concern overrode what they were told was a matter of national security.

Marketing over national security (as well as other real issues) is how Obama got elected [howobamagotelected.com] in the first place. Even if we continue to give him the benefit of the doubt regarding past nasty associations (racist pastor Wright, terrorists Bill and Bernardine Ayers, governor Blagojevich), and not (yet?) question his personal integrity, the man's lack of experience (or, more harshly, lack of substance) is showing already:

Re:Microsoft and Security in the same sentence?

[Lumpy]

Why do you people think that the next new guy will be any different than the last one? I don't care WHO is elected. If they are Democrat or Republican, they will cater to their interests first and do the right thing last.

MSFT funded a lot of his campaign. This is paying them back by appointing one of their executives, or they use their buddies.
This happens every change of power.

I just get a royal kick out of all the "WOO CHANGE!" people all sitting in their chairs sober now with their mouth open at the TV sets staring in disbelief.

The only advantage is that this time our president is actually educated and articulate.

Re:Microsoft and Security in the same sentence?

[Anonymous Coward]

The only advantage is that this time our president gives great speeches from a teleprompter [politico.com].

There... fixed that for you.

Re:

[migla]

I wonder how long the people will put up with this?

I'd like to think that humanity is progressing (sure, there are setbacks and backlashes, but generally). I'd like to think that teh pendulum swings a little further towards enlightenment.

The internet revolution, not twenty years old yet, should facilitate this. I think a different, better world is possible.

If I'm wrong, at least I'm having a beautiful dream. What do you think?

Re:

[Sj0]

(Score: -1, Keep facts out of this)

... trustworthy computing?

[Anonymous Coward]

Before that, he was deputy chief of the Justice Department's Computer Crimes and Intellectual Property section, where he worked under Scott Charney, who is currently corporate vice president for trustworthy computing at Microsoft

Trust... worthy... computing at Microsoft... Isn't there a law that prohibits the words trustworthy and Microsoft in the same sentence?

Re:

[erroneus]

To be fair, "trustworthy computing" was just a buzzword that meant "DOS with no network card on the PC." It was still a work in progress and clearly has not been released yet.

Alas no

[Mateo_LeFou]

The term might not be used as often, but the concept is alive and well

"the new chips will 'block unauthorized access to the frame buffer.' ...

There is a short list of parties who will be unauthorized to access your frame buffer: You. There is a long list of parties who are authorized to access your frame buffer, and that list includes Microsoft, Apple, AMD, Intel, ATI, NVidia, Sony Pictures, Paramount, HBO, CBS, Macrovision, and all other content owners and enablers that want your machine to themselves whenever youâ(TM)re watching, listening to, reading, or shooting monsters with their products. "

http://www.infoworld.com/article/07/03/28/14OPcurve_1.html [infoworld.com]

Re:

[im_thatoneguy]

You're missing one person on the long list. You. There is no prohibition on you choosing what data you want encrypted. It's not limited to movie companies.

It is possible to create content of your own you know. It's not you vs the world. You're a part of the world.

Here is just one example. (Beside the obvious case where you encrypt a movie file.)

This technology can be used for privacy adovcates as well. Want to make sure that no unauthorized applications are secretly recording your activities? This den

Re:

[spitzak]

Want to make sure that no unauthorized applications are secretly recording your activities? This denies access to the frame buffer from remote viewing.

Wrong. This is only possible if you control the keys to the TPM. If you cannot set the keys you cannot implement any method of making sure unauthorized applications (who do have the keys) are not running.

The reason you cannot set the keys is because it would also allow you to set the keys the same as another machine, and thus play media that is authorized onl

Re:

[gadget junkie]

Before that, he was deputy chief of the Justice Department's Computer Crimes and Intellectual Property section, where he worked under Scott Charney, who is currently corporate vice president for trustworthy computing at Microsoft Trust... worthy... computing at Microsoft... Isn't there a law that prohibits the words trustworthy and Microsoft in the same sentence?

I do not think it's forbidden, but it comes very close to the definition of Oxymoron, [wikipedia.org] i.e. mutually contradictory terms.

Re:

[jaredmauch]

If there was a law, it would be the justice department that prosecuted it.

Re:

[cepayne]

At least the guy will be well aware of the exploits in the
worlds most popular operating system, which is most often
attacked in security breaches.

Having a microsofty on the payroll ensures that your security
breaches will be well accepted.

Keep your friends close, but keep your enemies even closer!

Microsoft and Security in a same sentence?

[Anonymous Coward]

I foresee a lot of Microsoft Security jokes in the following threads.

Here is one

Do you allow Phil Reitinger to be the top cyber security official?

Allow | Deny

Re:Microsoft and Security in a same sentence?

[Narnie]

Do you allow Phil Reitinger to be the top cyber security official?

(Okay)

Fixed that for you.

Re:

[WhiteHorse-The Origi]

Do you allowing Phil Reitinger to top security official?

There, fixed that for ya.

Re:

[lxs]

More like:

Retry, Abort, Fail.

Ah dammit...

[Narnie]

There goes any chance of the DHS switching over to an linux/unix environment in the next decade.

Re:

[je ne sais quoi]

Well, wouldn't a former Microsoft executive be in the best position to know how fucked up Microsoft security really is? You'd think this would be a case of the burned hand learning best, in this case, the burned hand is also the one who turned on the fire.

Well, alright, I'm blowing smoke and I know it. :) Odds are this guy has so much stock in Microsoft and their affiliates that it doesn't matter what he personally believes, his wallet will be speaking for him. Obama is turning out to be fairly disappoi

Re:

[InsertWittyNameHere]

Well they were going to hire a FOSS candidate but M$ came in and offered Phil Reitinger at 75% off.

I hear they also threw in some CAL's and Vista upgrade licenses as well... at least that's how it worked out at my office

que 500 stupid M$ sux0rs posts

[timmarhy]

this guy doesn't seem a half way bad pick. of course if it was my call i'd eliminate the whole DHS nonense and just fund the FBI,NSA,CIA and police properly. if those 4 agencies can't get it done wtf is the DHS going to add?

Re:que 500 stupid M$ sux0rs posts

[timmarhy]

so let me get this right, government departments were shown to be poor are communicating, so your solution is to create yet another goervnment department for them all to mis communicate with?

Re:

[BadAnalogyGuy]

The DHS is the over-arching agency containing the previously separate agencies you listed above.

Prior to the creation of the DHS, communication between agencies like the CIA and FBI was legally difficult because of the lack of transparency. But now that they are under the same umbrella agency, they can share information much more easily.

Re:

[Jane Q. Public]

And you honestly think that is a good thing? How old are you, anyway?

Re:

[CaptainJeff]

Ummm....the CIA and the FBI are not under the same agency now. The FBI is an agency of the Department of Justice and the CIA is an independent agency that quasi-reports to the Director of National Intelligence. The other agencies mentioned, the NSA and the police, are also not part of DHS. NSA is an agency of the Department of Defense and policing is a local function, run by any number of local agencies. But by all means, keep talking about things you obviously don't know anything about and cannot be bo

Re:

[gtall]

How about the Department of Miscommunication. The basic problem, it seems to me, is that miscommunication is spread out over the entire government structure. Now if we were to centralize it into a D. of MC., then all the other departments could rely on that sole department to implement their miscommunication and they would be left to do their jobs in peace.

It wouldn't do to have the other departments communicate with the new D. of MC. (the obvious paradox, eh). Instead, there would be D. of MC. staffers in

Re:que 500 stupid M$ sux0rs posts

[Renraku]

If we could achieve with nuclear fusion what we have achieved with DHS, we'd all be living off of cheap and reliable energy.

Suffice to say, the DHS is rather self-sustaining. If it isn't keeping liquids off aircraft or your electronics in the baggage handlers' pockets, its harassing and keeping us American citizens in fear.

Re:

[Chas]

If we could achieve with nuclear fusion what we have achieved with DHS

What? A parasitic reaction that just consumes and consumes and consumes, is more of a hindrance than a help, and wastes tons of money in the process?

Re:

[Late Adopter]

If we could achieve with nuclear fusion what we have achieved with DHS

What? A parasitic reaction that just consumes and consumes and consumes, is more of a hindrance than a help, and wastes tons of money in the process?

Only to be given up on when another disaster claims the lives of thousands?

Re:

[Arancaytar]

If it isn't keeping liquids off aircraft or your electronics in the baggage handlers' pockets, its harassing and keeping us American citizens in fear.

So "re-settling to Mars now that we've blown the Earth up with fusion bombs" would be a more appropriate analogy than "living off of cheap and reliable energy". ;)

Re:

[Foofoobar]

Suffice to say, the DHS is rather self-sustaining. If it isn't keeping liquids off aircraft or your electronics in the baggage handlers' pockets, its harassing and keeping us American citizens in fear.

Fear them? Why? Because they stand at every gateway in their suits shouting 'YOUR PAPERS!!' with a nazi accent before frisking you and sending you away to some internment camp in a foreign nation where they cant be prosecuted for waterboarding you?

Whats to fear?

Re:

[retech]

Did you mean: Cue or Queue?

Re:

[xouumalperxe]

It's a portmanteau! He's cuing the "500 stupid M$ sux0rs [posters]" to queue up, since there's so many of 'em!

Re:

[retech]

Perhaps you give more credit than is due.

Re:

[xouumalperxe]

Due? Isn't it dueue? I'm confused now.

Re:

[Narnie]

this guy doesn't seem a half way bad pick. of course if it was my call i'd eliminate the whole DHS nonense and just fund the FBI,NSA,CIA and police properly. if those 4 agencies can't get it done wtf is the DHS going to add?

DHS adds funding for the Coast Guard. Before the DHS nonsense, the CG was within the Department of Transportation. Not really enough money in the pot for the CG to keep a modern fleet and perform all of it's various rolls.

Actually, that's about the only good I've seen come out of DHS.

Re:

[sunwukong]

Not really enough money in the pot for the CG to keep a modern fleet and perform all of it's various rolls.

If they'd stop scuttling their vessels they wouldn't have to keep replacing them!

Good Grid!

[Jane Q. Public]

Isn't that like asking the head of AIG to be the officer of "financial responsibility"???

Re:

[Vectronic]

No.

Re:

[antibryce]

it'd be like appointing a tax cheat to head the IRS.

Re:

[mattwarden]

Yikes, you had beaten me to it by many hours. Please forgive the redundancy, but glad someone else was thinking like I was!

Re:

[mattwarden]

LOL!!!!!!11 Or how about a tax cheat as head of the Treasury Department

US-CERT mentioned in article

[daemonburrito]

I wonder if we will be seeing US-CERT standing up to Microsoft the way they did with this [us-cert.gov] (a vector for conficker) with him in charge.

I have a sick feeling about this. This guy was surely part of the Microsoft effort to call this a feature. And what was this "political infighting" that the article alludes to? I hope it wasn't over whether to go after Microsoft for aiding in the creation of the largest botnet to date.

Re:

[_Sprocket_]

And what was this "political infighting" that the article alludes to? I hope it wasn't over whether to go after Microsoft for aiding in the creation of the largest botnet to date.

It's not all about Microsoft. DHS is a new bureaucratic entity that's trying to establish itself by carving in to the fiefdoms of others. That alone leads to political infighting.

The Fine Article alludes to examples of this. A governmental body with a quick leader churn isn't a good sign - that's folks realizing they're in a bad situation and bailing. Effective organizations keep their leadership. Ineffective organizations that are comfy maintain ineffective leadership - yet the leadership remains. Wi

Re:

[daemonburrito]

RTFA. I'm talking about about CERT and conficker.

FWIW, I don't like the very idea of DHS. Also, fuck you.

In all seriousness

[Jane Q. Public]

While anecdotes from Windows users regarding how they tried to make an inherently insecure system secure could be extremely valuable, I doubt that anecdotes about how Microsoft executives tried to make their systems secure will be equally valuable. This was a ridiculous choice, and further undermines my initial hope that Obama might indeed turn out to be a good President.

Re:In all seriousness

[Jane Q. Public]

The choice of an executive officer of a major supplier of operating systems -- Windows of all things -- to this position sends a clear message to those who have been involved in "security" issues for many years. And that message is: "We don't care about 'security' except to the extent that it affects our corporate friends."

I am very saddened by this news.

Re:

[Jane Q. Public]

Why? If you do not already know, then you aren't qualified to be in this discussion.

Re:

[Jane Q. Public]

Pardon me, I should qualify that statement. If you are referring to Vista, which arguably has respectable security, my reply is: maybe the security is okay but nobody wants to use it. If, on the other hand, you are referring to Windows 7, then my reply is: we'll believe it when we see it.

Re:

[drsmithy]

Pardon me, I should qualify that statement. If you are referring to Vista, which arguably has respectable security, my reply is: maybe the security is okay but nobody wants to use it. If, on the other hand, you are referring to Windows 7, then my reply is: we'll believe it when we see it.

Since the fundamental design of Windows security hasn't really changed since Windows NT 3.1, I still want to hear about why it's any more or less "inherently insecure" than other platforms.

Re:

[Jane Q. Public]

And I want to repeat: if you really don't know, then you are not qualified for this discussion.

Re:

[Jane Q. Public]

For some reason that escapes me at the moment, I have changed my mind and decided to be charitable, and explain some things that should be obvious to the merest idiot:

If Microsoft's basic security model has really not changed since NT 3.1, then there was really no reason to implement Vista's UAC... other than to unsuccessfully emulate the default security mode in most Linux distros. And, as so many people have reported in painful and repeated detail, the Vista UAC was indeed something that should have be

Re:

[drsmithy]

If Microsoft's basic security model has really not changed since NT 3.1, then there was really no reason to implement Vista's UAC...

Right. Just like if Linux's "security model" hasn't changed since 1991 there wouldn't be any need for those nice graphical sudo prompts and the like that everyone gets now.

UAC is little more than UI gravy. It's mostly about putting a prettier and more automated face onto "Run As", much like the graphical sudo prompts in OS X and recent Linux distros do. The underlying AC

To Anonymous Coward:

[Jane Q. Public]

You completely missed the point. If the UAC did not actually change the security model, then there was no real reason for its existence other than theater. You are merely confirming what others already know: it was a joke masquerading as "security". And if the security model did not really change, then the interface for it really did not need to change.

The fact is that some basic security assumptions needed to change but they did not. The UAC has little to do with that directly but it illustrates the ext

To THE OTHER Anonymous Coward:

[Jane Q. Public]

I haven't danced around anything. I did not say that the UAC "might" be security theater, or any of these things you accuse me of. Here is simple logic, okay? I guess at this level I have to ask: You accept that simple logic is valid? From what you have stated I am not sure.

*IF* the Windows security model hasn't changed, *THEN* the UAC is a joke. Okay? There is no reason for its existence OTHER THAN show.

Get it?

And the presence of such a major "feature" for nothing but show is ... well, "stupid" c

Re:

[drsmithy]

And I want to repeat: if you really don't know, then you are not qualified for this discussion.

I *do* know, which is why I want to hear what bullshit you're going to make up to pretend *you* know.

Re:

[Macthorpe]

Only on Slashdot could asking a reasonable and polite question be considered 'flamebait' just because someone's simplistic view of the world is being threatened.

Enemy combatants.

[Snufu]

Anticipate all persons attempting to enter the U.S. to be screened for explosives, hazardous chemical agents, firearms, radioactive materials, and open source software.

I'd like to be objective about this. Let's try.

[Anonymous Coward]

I like how this guy, whom I don't know much about, is painted a smart pick, coming as he does from the largest single computer security threat on the planet. Anybody recall that up to not very long ago at all security was not on their agenda? Simply because it made them more money not to care.

Oh, and that is remebering their own words and without mentioning the usual, such as that they are convicted monopolists too, their business practices suck, their code sucks, their customer service and sales techniques reminisces that of office depot, and so on and so forth.

The bottom line is that in politics you usually don't let the guy who fucked it up try and fix it. Unless perhaps the guy has friends in high places.

Re:

[gtall]

How do you explain the Congress then? They cannot all have friends in high places. Watch CSpan when they broadcast hearings sometime. It's amazing how clueless these morons can be, especially the House members. For some odd reason, Senators have two brain cells to rub together instead of a single loner.

Typical Committee Hearing:

Title: Investigation into Why Tarp Funds are being Misused.

Purpose: Figure out if Tarp Funds are being misused.

Dennis Kucinich: Blah, blah, blah, Ohio, blah, blah, I am NOT an idiot

Re:

[roguetrick]

I swear they do that jerry springer shit just to get people to watch them for once.

Re:

[Dragonslicer]

I like how this guy, whom I don't know much about, is painted a smart pick, coming as he does from the largest single computer security threat on the planet.

Yeah, how dare they pick a human that uses a computer.

Re:

[HiThere]

On behalf of Office Depot, I would like to ask you to retract that statement.

Did anyone else misread...

[wayward_bruce]

Many in the security industry praised him as a smart pick, [...]

Did anyone else misread this as "smart prick"?

Re:

[u38cg]

Several times, yes. I didn't actually question it, then I saw it again, and thought, that's a bit harsh...oh, I see.

Re:

[mdm42]

Yes, I did.

Not only that, but

he will need to confront a culture of political infighting and leadership failures

made me think, "He should be totally at home with that, then."

Expect many new ISO standards ..

[Anonymous Coward]

I think choosing someone from a company that is STILL under DoJ supervision for questionable behaviour has a couple of unwanted implications, especially since this guy was at board level.

It's only good news for foreign industrial espionage and botnet herders..

In other news

[Chas]

The president's DHS pick has brought on board a liason from Symantec. Now everything will STILL be insecure, but run twice as slow, cost even MORE "way too much", and bitch, moan and cry about being renewed every year.

If Obama were serious about his duty

[Jane Q. Public]

then he would be hiring Bruce Schneier for this job. I know he is disliked by a lot of industry but he is the man with the facts and the plan.

Re:

[drinkypoo]

If Obama were serious about duty, he would never have become president of the USA. Presidents who want to make a difference are not permitted to do so. A bit more cynically, I would say that presidential candidates who want to make a difference are demonized, like when they said Nader was responsible for the loss of Gore. Did anyone else catch that whole kerfluffle with the ballots in that election? You can't blame the stopping of a completely legal and by-the-book recount on the guy, can you?

Re:

[Jane Q. Public]

Even that was not as blatant as the simple and direct refusal of the media to allow Ron Paul to participate in the more major debates this last election.

Re:

[drinkypoo]

Even that was not as blatant as the simple and direct refusal of the media to allow Ron Paul to participate in the more major debates this last election.

People could reasonably (incorrectly, but whatever) interpret that as media bias. Wielding the new and improved Supreme Court to stop a completely legal ballot recount which almost certainly would have reversed the election, on the other hand, could not be construed by an intelligent individual as anything other than direct manipulation of the election system for the purpose of altering the result. When the well-substantiated reports of ballot fraud started coming in and they universally targeted primarily-

Re:

[Jane Q. Public]

But there was already precedent for that, from the previous election. I was referring to something pretty new.

Re:

[Ozlanthos]

I believe Jane was referring to the no-holds-barred media blackout of Ron Paul coverage in the MSM. I completely empathize as I feel that if he were allowed to participate in a few of the bigger debates he would have DESTROYED Obama, McCain, and Clinton.
-Oz

Re:

[noidentity]

If Obama were serious about his duty then he would be hiring Bruce Schneier for this job.

Actually, Bruce Schneier would probably hire himself by forging a message from Obama that he should be hired, one so good that Obama even believes he wrote it.

Re:

[mattwarden]

He is a paid adviser for the TSA

He could assist in international relations

[Centurix]

You know, with countries like Iceland. They sure need an insight from a Microsoft exec right now...

'smart pick' has one letter missing.

[Anonymous Coward]

...already said it.

Fan the flames...

[bob5972]

Isn't sending Microsoft to fight insecurity like fighting fire with fire?

Re:

[Muad'Dave]

No, it's more like fighting fire with gasoline.

Let the jokes begin

[Master of Transhuman]

DHS calls on Microsoft for computer security.

BWAHAHAHAHAHAHAHAHAHAHAHAH!!!!

please stop!!

[Unlikely_Hero]

prepending "CYBER" to everything!! its so so wrong! *cries*

Where do they get these names?

[Ozlanthos]

With this guys resume, it should be 'chief "Thurstworthy infrastructure strategist'

-Oz

Re:

[retech]

Phil Reitinger is a supermod on /. and hand filters each one of thos posts in the firehose section.

Re:

[HiThere]

I thought it was like preaching to the converted. Why bother? They're not the ones who need to be convinced.

Yes, MS is evil. Yes, I won't work on MS systems (well, not past MSWind98) due to issues with the EULA. This isn't news, and most of Slashdot agrees, so why post about it? (Well, actually, most people on Slashdot have different major issues, but most of use have severe ones.)