Slashdot Mirror


MS Chief Security Officer to work for White House

NerveGas writes "An Interesting People message reports that Howard Schmidt, Microsoft's Chief Security Advisor, will be leaving MS to work as a security adviser for the White House. With the track record that Microsoft has in the area of computer security, this strikes me as a very bad move." CD: you'd think people would examine the job someone did at thier previous job before offering them a new one. Isn't this like putting Capt. Hazelwood in charge of an oil tanker?

355 comments

  1. Job qualifications by shlong · · Score: 5, Funny

    you'd think people would examine the job someone did at thier previous job before offering them a new one.

    What you mean like the job GW did in Texas? This guy should fit right in.

    --
    Cat, the other, tastier white meat.
    1. Re:Job qualifications by Anonymous Coward · · Score: 1, Funny

      In that case, he should be the right man for the job. Sure wouldn't want Al Gore handling this crisis..."We mourn for the potted ferns lost in the terrible attacks by humans on Sept 11..." Sheesh...

    2. Re:Job qualifications by Anonymous Coward · · Score: 1, Funny

      In that case, he should be the right man for the job. Sure wouldn't want Al Gore handling this crisis..."We mourn for the potted ferns lost in the terrible attacks by humans on Sept 11..." Sheesh...

      Yeah. Wanting to get us off oil so we wouldn't have to be in Saudi Arabia in the first place is another kooky left-wing socialist tree-hugging conspiracy, right? Here, I'll speak to you in language you can understand: You have misoverestimated your ability to remove your head from your Clymer.

      BTW, it was humans who attacked us, you idiot, not space aliens or hobgoblins or beavers or monkeys with four asses or pixies or santa claus(TM) or the tooth fairy or jesus or allah or the easter bunny. Sheesh? Go fuck yourself.

    3. Re:Job qualifications by Anonymous Coward · · Score: 0

      The crackheads come out at night, yes the crackheads come out at night.

      I'm sure you're some sort of poli sci major. Go back to your Cracker Jacks and quit spouting off at the mouth like a moron. Colorado is a long way from Texas ya freak a geek nothing.

    4. Re:Job qualifications by Raistlin99 · · Score: 1

      yeah, if we had Gore in office then we would be relying on oil from the Amazon Basin. Gore and his dad own quite a bit of stock in companies interested in drilling there. Oh, well no one is perfect.

      --
      I/O, I/O, its off to disk I go, with a read and a write, and a bit and a byte, I/O, I/O, I/O, I/O
    5. Re:Job qualifications by nomadic · · Score: 2

      Yeah, Bush has done a bang-up job so far, getting rid of all those pesky civil rights that get in the way of security.

    6. Re:Job qualifications by nomadic · · Score: 1


      Sure wouldn't want Al Gore handling this crisis

      Hell, I'd prefer if Gore were handling this crisis, instead of someone with no foreign policy understanding who is quite possibly the least inspiring President we've ever had.

    7. Re:Job qualifications by Anonymous Coward · · Score: 0

      I've seen Gore called a lot of things, but never "inspiring".

    8. Re:Job qualifications by nomadic · · Score: 1

      I know, but that's the sad part; GW is even less inspiring than Gore...

    9. Re:Job qualifications by Anonymous Coward · · Score: 0

      Yep. None of us have any civil rights anymore.

      Why, just yesterday I was prevented from.... wait... I wasn't prevented from doing anything yesterday. Neither were any of you.

    10. Re:Job qualifications by nomadic · · Score: 2


      Why, just yesterday I was prevented from.... wait... I wasn't prevented from doing anything yesterday. Neither were any of you.

      So the loss of civil rights is only a negative thing if it happens to you personally? Real nice.

      And maybe yesterday it wasn't me or you, but tomorrow it might be.

    11. Re:Job qualifications by volkris · · Score: 1

      Hell, I'd prefer if Gore were handling this crisis, instead of someone with no foreign policy understanding who is quite possibly the least inspiring President we've ever had.

      Don't worry. It's ok. Bill Clinton is out of office now. You can stop cowering.

    12. Re:Job qualifications by Anonymous Coward · · Score: 0

      Like the job Slick Willy did as Governor of Arkansas? Give me a break. People were saying shit like "The only experience he has is being governor of Texas". Well what experience did Clinton have? He was governor of Arkansas! That's much much worse.

    13. Re:Job qualifications by Wakko+Warner · · Score: 1

      Way to refute all his points. You must be from Texas, because you sound dumb as fuck.

      --
      "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    14. Re:Job qualifications by Jucius+Maximus · · Score: 1

      Actually I'm surprised they didn't post this article under the 'It's Funny. Laugh' section.

    15. Re:Job qualifications by Anonymous Coward · · Score: 0

      When Gore won the nomination, he inspired me to have a 80w31 movement.

    16. Re:Job qualifications by Anonymous Coward · · Score: 0

      You know, now that I think about it, this Micro$oft slob might actually be the most qualified person for the job. After all, he had to get a mountain of experience at Micro$oft closing the billions of security holes in their glorified betaware. Certainly no one else on the planet could possibly have more experience patching leaks than he does. Of course, no one else has that kind of experience because most companies actually bother to ATTEMPT to put out a quality product, but I digress...

    17. Re:Job qualifications by CovertOperative · · Score: 1

      He's ideal for the job! The U.S. Government's security is just as bad if not worse than Micro$oft's security. He'll go from working for one bully to another.

  2. First policy: Dump Windows by rjamestaylor · · Score: 1, Troll
    Or at least firewall all Windows computers away from the Internet and outlaw Outlook (except, maybe, crippled Outlook 97 running on a WinNT 3.51 server -- no chance for MIME-header virms there).

    It'll be interesting to see what he does.

    --
    -- @rjamestaylor on Ello
    1. Re:First policy: Dump Windows by b0r1s · · Score: 0, Redundant

      You people (anti ms zealots) really do amaze me sometimes. You assume everything has holes because it's windows. You assume anything that isn't windows is perfect and immune from exploits.

      Let's look at pure facts.

      This week, a remote root exploit was discovered in wu-ftpd. Have ALL of you patched your servers? Also last week, another windows worm surfaced. Looking at the two, which is more serious? Obviously the remote root exploit is far worse, chalk one up for windows.

      You might say: "but you can patch wu-ftpd" or "you can run other ftp servers", to which I can respond "you can patch windows" and "you don't have to use outlook, nor do you have to use the 'preview panel'".

      Everyone at slashdot is going to laugh and point fingers, sit back and say that windows is not secure so this man must be a fool. Why won't the people at slashdot, who are supposed to be intelligent free thinkers, consider that windows, like EVERY OTHER OPERATING SYSTEM ON THE PLANET, is only as secure as the admin running the system, and any untrained staff running bad code with extra privileges can ruin any system?

      Windows has flaws and exploits. So do linux, *bsd, and solaris. Patches come out. People who patch survive, those that do not get rooted. This isn't something limited just to unix: it holds true for windows as well. A knowledgeable admin, who keeps up with security updates, can keep any system sufficiently secure. Microsoft products are no exception.

      --
      Mooniacs for iOS and Android
    2. Re:First policy: Dump Windows by Osty · · Score: 0, Troll

      outlaw Outlook

      <rant>God damned hippy bleeding-heart liberal socialist bastards. Every time there's something you don't like or agree with, you start shouting, "There should be a law!", and, "Let's outlaw that!" But as soon as something you feel is vital is threatened by law (oh, I dunno, say anything threatened by the DMCA?), you start whining about government. You can't have it both ways.</rant>


      And on a side note, Outlook has had patches that will strip executable content from messages (Outlook XP does this by default). Outlook is a very good PIM app (it's more than just e-mail. Perhaps you're thinking of Outlook Express?), and there's really nothing that compares (okay, so Evolution has pretty much copied the look&feel straight from Outlook, but it's beta software, and still doesn't support all that Outlook does).

    3. Re:First policy: Dump Windows by Almace · · Score: 0, Offtopic

      Mod this up please!!!!
      20 sec rule can suck on it

      --
      Remember,democracy never lasts long.It soon wastes, exhausts and murders itself. John Adams (1814)
    4. Re:First policy: Dump Windows by Anonymous Coward · · Score: 0

      There are some of us that have our names in the source code that won't even run wu-ftp on a live production system. It's been hacked, trojaned and exploited more than any other program in the unix world.

      And those exploits... they only work for a very specific version that usually came in an RPM. Anyone that compiled it themselves won't get hit by the script kiddie tools unlike every windows box out there.

      So a wu-ftp exploit is going to allow holes in less than 1% of unix boxes. An exploit for anything MS is going to let you root a much larger percentage of boxes.

    5. Re:First policy: Dump Windows by byran+lei · · Score: 1

      >You people (anti ms zealots) really do amaze me sometimes. You assume
      >everything has holes because it's windows. You assume anything that
      >isn't windows is perfect and immune from exploits.
      >Let's look at pure facts.
      >This week, a remote root exploit was discovered in wu-ftpd. Have ALL
      >of you patched your servers? Also last week, another windows worm
      >surfaced.
      >
      >
      Do you know what wu-ftpd is? Apparently not. Most of the linux and bsd servers don't even run wu-ftpd. All the warning was about informing people about a problem with wu-ftpd in case someone might want to use it for some reason. Wu-ftpd wasn't even installed on my Redhat 7.1 machine so I don't even have to worry about it loser.

    6. Re:First policy: Dump Windows by rjamestaylor · · Score: 1
      This week, a remote root exploit was discovered in wu-ftpd. Have ALL of you patched your servers? Also last week, another windows worm surfaced. Looking at the two, which is more serious? Obviously the remote root exploit is far worse, chalk one up for windows.

      First, yes, my servers are patched (if they're running wu-ftpd at all). I'm a RedHat Network subscriber and received the update automatically.

      Second, Windows XP Home/9x don't have a true "root" versus user distinction meaning the user has complete root access on their machine so when a virm (virus/worm) attacks through the wide-wide hole that is Windows, the attacker has complete control. This is how a local judge in Orange County was found dealing in child porn -- an exploiting hacker rummaged through the guy's hard drive and planted, er, found a ton of indecent sexually explicit photos of young boys (*shudder*).

      Hmmmm...maybe I like Windows after all...

      --
      -- @rjamestaylor on Ello
  3. Oh Great by Anonymous Coward · · Score: 1, Funny

    "Howard Schmidt, Microsoft's Chief Security Advisor"

    oxymoron?

    we're in trouble if he's helping at the White House.

  4. Who better to help you implement Magic Lantern by Chuck+Chunder · · Score: 5, Funny

    than one of the people involved in allowing the very exploits you want to exploit to exist in the first place?

    ;)

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  5. Huh? by Anonymous+DWord · · Score: 3, Troll

    Was he responsible for all the holes in Microsoft code over the years? No? But you're going to hold him to that because... Or was that just another random MS flame? How do you figure you know anything about what this guy can or cannot do?

    --
    "If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
    1. Re:Huh? by Hektor_Troy · · Score: 2, Insightful

      It's like this:
      Would you rather trust:

      1) The Chief Financial Officer in a company that constantly just breaks even
      2) The Chief Financial Officer in a company that constantly rakes in cash as if they had a money tree AND the Philosopher's Stone.

      or

      1) The head of the local mobster offering you protection
      2) The local police chief

      --
      We do not live in the 21st century. We live in the 20 second century.
    2. Re:Huh? by Hermanetta · · Score: 0

      mod this down please :-)

    3. Re:Huh? by Anonymous Coward · · Score: 0

      What do you find so terrible about my post? Even someone who likes Slashdot must admit that they often do not check facts, and that they wear their bias rather openly.

      --Due to excessive bad posting from this IP or Subnet, comment posting has temporarily been disabled. If it's you, consider this a chance to sit in the timeout corner. If it's someone else, this is a chance to hunt them down. If you think this is unfair, please email jamie@mccarthy.vg.

    4. Re:Huh? by Suppafly · · Score: 0, Troll

      yet another wonderfully stupid analogy brought to you by the faithful readers at /.

    5. Re:Huh? by Hektor_Troy · · Score: 1

      "yet another wonderfully stupid analogy"

      Yup - I'm an expert in making those up as I go.

      --
      We do not live in the 21st century. We live in the 20 second century.
    6. Re:huh? by Anonymous Coward · · Score: 1, Interesting

      Yeah, 8 years of experience letting Osama bin Laden blow up whatever he wanted. 8 years of experience passing the DMCA.

      Gore's pretty much publicly agreed with everything Bush has done about 9/11 so far, so Gore voters don't have much room to complain that their guy would do any better.

    7. Re:huh? by Nikau · · Score: 1
      Hah. Gore's hopped on the bandwagon, so to speak. He sees Bush's approval rating going through the roof for what he's doing in the wake of 9/11, and trying to convince people that he can do as good a job as GW. Whether or not that makes him a better leader remains to be seen - if Gore was occupying the Oval Office he may not have done the same things.

      It's pure politics, although this is a not-so-subtle attempt to boost popularity. This has shades of the "I created the Internet" thing all over it.

      --
      There is no escape from The Muffin.
    8. Re:Huh? by keefebert · · Score: 1

      I agree. I don't know what this guy's job was, but I don't think he had the responsibility of making all the software secure. I am assuming his job was to keep the company secure. While I am sure he was in some way involved in securing their product, I don't think that was his primary job.

    9. Re:huh? by jrockway · · Score: 1

      And hey! He created the internet!

      (Just to dispel a popular rumor, Al Gore invented HTTP, TCP/IP, UDP, UNIX, and everything else. Not computer people... oh no...)

      --
      My other car is first.
    10. Re:Huh? by bribecka · · Score: 4, Interesting

      I don't know what this guy's job was, but I don't think he had the responsibility of making all the software secure.

      First off, not to single you out, but this is so friggin typical of slashdot. Everyone (including chrisd from ./) is posting all this stuff, taking their shots, and not having a clue who the guy is and what he does. Second, it is pretty damn irresponsible of slashdot to post an article based off a message on a mailing list.

      Finally, apparently this guy knows his shit. From this PBS interview

      He is Chief of Information Security for the Microsoft Corporation. Prior to this he was a Supervisory Special Agent, Director of the Air Force Office of Special Investigations, Computer Forensic Lab and Computer Crime and Information Warfare.

      Now, does it seem like a mistake to hire him? After all, he is *leaving* MSFT to go back to the government. Enjoy your crow, everyone!

      --

      Where are we going and why am I in this handbasket?

    11. Re:Huh? by Anonymous Coward · · Score: 0

      This is one of the most intelligent and accurate messages in this thread,...too bad it will be modded down, instead of given the 5, informative, it deserves.

    12. Re:huh? by volkris · · Score: 1

      I'd say that experience under the Clinton mockery is a negative thing...

    13. Re:Huh? by Anonymous Coward · · Score: 0

      The Chief Financial Officer of (2) probably doesn't know jack shit, as he's able to ride along like a monkey on a successful organisation.

    14. Re:Huh? by schlach · · Score: 1

      Well, it's just kind of funny that the White House is looking for the same kind of security experts as Microsoft. =)

    15. Re:huh? by Anonymous Coward · · Score: 0

      I grow weary of having to explain this again and again. Do you really not know what he actually said, or are you just ignoring it for cheap /. laughs?
      The actual quotation from Mr. Gore: "...I took the initiative in creating the Internet..." (italics mine). Not that he invented anything, just that he created. Which, from a lay perspective, is true. If not for Gore using his political stroke to push through initiatives for expanding the infrastructure that today comprises the 'net during the 80s (when VERY few people not affiliated with the military or research universities had anything approaching access), neither you nor your cross-eyed mommy would be using the Internet from your webTV consoles today.
      So which is it: are you a troll or just an idiot?

    16. Re:huh? by Anonymous Coward · · Score: 0

      You do realize that, at this point, most people have heard the truth about Al Gore and his claim to have "created" the internet, right? You do realize he never claimed that, right? You do realize that trotting that old bullshit bad joke out makes you look like a complete idiot, right?

    17. Re:Huh? by HiThere · · Score: 2

      He seems somewhat knowledgeable. Unfortunately, he seems quite committed to centralized control by big business organizations. I'm not really sure that he would favor MS over IBM, but he apparently would favor one large organization over an apparently superior collection of smaller organizations. And he apparently would favor a commercial entity over a non-commercial entity regardless of their merits.

      So I don't like him as a choice. But I also expect that he will find himself among compatible people. Except that he appears to be technically competent.
      .

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    18. Re:Huh? by Anonymous Coward · · Score: 0

      Great, now we know 2 things about him: jack and shit. We still don't know how successful he was in his various positions. We do know that Microsoft's security still sucks. I'm having a really hard time believing this guy is the best person for the job. Granted I am inclined to distrust anyone who works for Microsoft, but that's only because they've proven themselves to be untrustworthy as an organization.


      The only possible upside I see to this is the possibility that it could put Microsoft's (lack of) security in the spotlight. Maybe then they'll spend more of that 30 billion, or whatever they have in the bank, to build some decent security into their products. Then again, maybe not. I seriously doubt that the government will switch to a more secure OS, even if Microsoft continues on its path of adding more bells and whistles instead of security.

    19. Re:Huh? by Anonymous Coward · · Score: 0

      I commend you for actually doing research.
      You should probably be running slashdot instead of the idiots who are these days.. what, it took you maybe 2 minutes to look that up didn't it. Why can't they? They're fucking lazy and the quality of slashdot is suffering because of it.

      Anyhow, my only point is that I'm not sure the air force is a good example of a secure environment. A lot of what I know about their security isn't too impressive, very old-school tactics. I'm sure they could have found a better candidate.

    20. Re:Huh? by keefebert · · Score: 1

      I agree with you on this. While my comment was not researched, it was meant to point out that people are coming up here and taking their shots while not informed. I was trying to inject some common sense into the discussion, nothing more. I realize you were not singling out my post, but your comment may have been better posted elsewhere, like with all the Anti-hire posts. I think the guy is a great addition.

    21. Re:huh? by Anonymous Coward · · Score: 0

      My assumption is that if Gore was in the White House, we would have had a dialog (or Bin Laden might have tried to dialog). With Jr. and his isolationist, we're #1, kiss my ass attitude we get bombings.

  6. Well by sllort · · Score: 0, Flamebait

    I'm a dirty karma whore for posting it, but, here's a web interview with Harold Schmidt I recall from the Washington Post.

    I'll spare you reading it for the best quote:

    "Howard Schmidt: The security threat I most often see is failing to install security patches on a timely basis. Weak passwords is next in line ".

    I wonder if he meant hotfixes or just Service Packs.

  7. Good decision :) by joonasl · · Score: 1

    "Know your enemy"

    --
    "There is a terrorist behind every bush"
  8. time to relocate by SonofRage · · Score: 1

    I think it's about time I move to Canada.

  9. Lookout for the helicopters at DEF CON 10 by mlafranc · · Score: 1, Funny

    Honest George! It's ALL their fault!

    I can just see it happening.

  10. MS Security Guy probably didn't write code... by abh · · Score: 3, Funny

    I know how we all love to flame Microsoft, but if the guy was the head of MS Security, odds are he was an executive who never wrote a line of code.


    He's guaranteed not to have anything to do with holes in MS products.


    A better thing to look at would be how often was Microsoft's network hacked.

    1. Re:MS Security Guy probably didn't write code... by Ridge2001 · · Score: 2
      A better thing to look at would be how often was Microsoft's network hacked.

      Oh, you mean like here and here and here and here and here and here and ...

    2. Re:MS Security Guy probably didn't write code... by DarkZero · · Score: 2

      Don't you remember six months to a year or so ago when Microsoft discovered that a hacker group had had access to their network for over three months and had downloaded just about the entire network from them during that time? Whether or not he's responsible for the security holes, he still isn't right for the job. Microsoft got 0wn3d on his watch, and they got 0wn3d for an extraordinarily long amount of time in comparison to most network intrusions.

    3. Re:MS Security Guy probably didn't write code... by linzeal · · Score: 1

      They got owned in Europe; are you sure Europe is under this guy's reign?

    4. Re:MS Security Guy probably didn't write code... by Anonymous Coward · · Score: 0

      But as head of security, he is responsible for the code that others produce. As the M$ CSO he is responsible, regardless of whether he's a coder or not. M$ has not made security a corporate priority. That may not be his fault, but it's his job to make sure they do.

  11. Reminds me of star trek TNG. by nuintari · · Score: 3, Funny

    No one would think a Klingon would make a good ship's counselor, and I don't think that an android would make a very good captain.

    --

    --Nuintari

    slashdot : where an opinion can be wrong.

    1. Re:Reminds me of star trek TNG. by Suppafly · · Score: 0, Troll

      how does this get a score 3? it's not even a good analogy..

    2. Re:Reminds me of star trek TNG. by kiwaiti · · Score: 1
      Doesn't matter - it's STAR TREK.

      Kiwaiti

      --
      Member of the Legion Of Microsoft Haters
    3. Re:Reminds me of star trek TNG. by nuintari · · Score: 2

      I know, I don't get it either, and I don't even like trek.

      --

      --Nuintari

      slashdot : where an opinion can be wrong.

    4. Re:Reminds me of star trek TNG. by Suppafly · · Score: 1

      I get a -1 troll because I put out that the stupid analogy doesn't fit the situation and you get a 2 for agreeing with me and also saying you don't even like trek... gotta love /. groupthink..

    5. Re:Reminds me of star trek TNG. by nuintari · · Score: 2

      nah, my karma is high, so my posts start at 2, main one only got one point, which completely confuses me, but here. I'll see if I can make the universe balance out a little.

      ONLY LOSERS WATCH TREK!

      --

      --Nuintari

      slashdot : where an opinion can be wrong.

  12. So you think the White House chose him at random ? by Rosco+P.+Coltrane · · Score: 5, Interesting
    I submit that Schmidt is in fact very very well placed to know about most if not all vulnerabilities and (possibly) backdoors in Micro$oft products. I bet the guy will be working actively on methods to snoop on Windows users, extract their data and install trojans in their systems (Magic Lantern anyone ?).

    Here's a guy who was working for the largest software monopoly in history and now works as security honcho for the most powerful government in history, with people like Ashcroft in it. Makes my nose bleed just thinking about it. The more I see what's happening in Micro$oft's giant sphere of influence, the more I'm glad to be a Linux user, that's for damn sure.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  13. Sounds similar to the Blood banks idea... by ConsumedByTV · · Score: 1, Flamebait

    That idea: To have all people with AIDS give blood to help 9/11 victims...

    --


    "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
    1. Re:Sounds similar to the Blood banks idea... by Anonymous Coward · · Score: 0

      Huh? And who's idea is that?

    2. Re:Sounds similar to the Blood banks idea... by khuber · · Score: 1
      ac>Huh? And who's idea is that?

      Bob's Quick Guide to the Apostrophe, You Idiots

      -Kevin

    3. Re:Sounds similar to the Blood banks idea... by Anonymous Coward · · Score: 0

      Are you trying to say that "who's" is wrong? If so, you're an idiot.

    4. Re:Sounds similar to the Blood banks idea... by posmon · · Score: 1

      i think you'll find that it's whose.

      --

      update comments set karma=-1, reason='offtopic' where sid=26315

    5. Re:Sounds similar to the Blood banks idea... by khuber · · Score: 1
      ac>Are you trying to say that "who's" is wrong? If so, you're an idiot.

      Who's should have been whose of course, but actually I was just ignoring AC's actual content to mess with AC for totally missing the original joke.

      I'm not quite sure how that makes me an idiot, but I guess I'll just be on my merry idiot way and leave the thinking up to you geniuses.

      -Kevin

  14. New Opportunity by stealthyburrito · · Score: 1

    Perhaps Schmidt sees this as an opportunity to have a leadership role assigned to him, and obtain actual results.

    Can you blame one person for the security holes in an entire company (well, maybe you can...)? Maybe he wasn't getting cooperation at M$, and thinks the public sector is where the real thrills are.

    Then again, maybe he is an idiot.

  15. Checking on someone's previous work. by Chuck+Chunder · · Score: 4, Funny
    CD: you'd think people would examine the job someone did at thier previous job before offering them a new one.
    <cheap shot> Yeah, you might.</cheap shot>
    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
    1. Re:Checking on someone's previous work. by Anonymous Coward · · Score: 0

      Well done. Someone should spider and track whether "their" is ever used by Chris ;). Still, CD reports with flair. Kudos.

    2. Re:Checking on someone's previous work. by Anonymous Coward · · Score: 0

      its spelt fliar.

  16. What type of work? by pjbass · · Score: 2, Interesting

    So it's easy to flame this guy because of working for the Evil Empire and having been related to things like Code Red and Nimda. But what is his real function going to be? Sure, the article mentions he will be on the cyber-security team for Pentagon global network security, but that is a really broad statement. Is he going to be in charge of firewalls, access lists, high-level network security checks, or making sure that each government employee's Outlook doesn't flood the Pentagon's network (sorry, had to insert a flame...)? I think it would be interesting to find what his specific function is, then allow the flames to burn.

    1. Re:What type of work? by Ridge2001 · · Score: 3, Informative
      He's going to be working with Richard Clarke, which probably means he's going to make a lot of dramatic speeches about how "cyberattacks" could cause economic damage that is the "functional equivalent of 767's crashing into buildings".

      See here for the kind of stuff this guy's going to be working on.

  17. Look on the bright side. by Murmer · · Score: 0

    It will be the cracker community's first real chance to affect government policy in years.

    --
    Mike Hoye
  18. Bad move? Has MS ever been by t0qer · · Score: 1

    Hacked? (a little)
    Ransacked?
    Attacked? (yes im sure it has)
    Blown up?? No????

    I've read on many hackers' pages that m$.com is the Ultimate challenge. Although some sub sites have been hacked, they've never really managed to kill the front page.

    Same thing goes with the campus itself. Bill Gates office was built with 6 foot concrete walls to double as a bomb shelter. It is fully equipped with enough food, water, and electricity to keep it fully self contained for 100 years.

    STRANGELOVE
    Mr. President, I would not rule out the chance to preserve a nucleus of human
    specimens. It would be quite easy... heh heh...
    (rolls forward into the light)
    at the bottom of ah ... some of our deeper mineshafts. The radioactivity would
    never penetrate a mine some thousands of feet deep. And in a matter of
    weeks, sufficient improvements in dwelling space could easily be provided.
    MUFFLEY
    How long would you have to stay down there?

    STRANGELOVE
    Well let's see now ah,
    (searches within his lapel)
    cobalt thorium G.
    (notices circular slide rule in his gloved hand)
    aa...nn... Radioactive halflife of uh,... hmm.. I would think that uh...
    possibly uh... one hundred years.

    On finishing his calculations, he pulls the slide rule roughly from his gloved
    hand, and returns it to within his jacket.

    MUFFLEY
    You mean, people could actually stay down there for a hundred years?
    STRANGELOVE
    It would not be difficult mein Fuhrer! Nuclear reactors could, heh... I'm
    sorry. Mr. President. Nuclear reactors could provide power almost
    indefinitely. Greenhouses could maintain plantlife. Animals could be bred
    and slaughtered. A quick survey would have to be made of all the available
    mine sites in the country. But I would guess... that ah, dwelling space
    for several hundred thousands of our people could easily be provided.

    MUFFLEY
    Well I... I would hate to have to decide.. who stays up and.. who goes down.

    STRANGELOVE
    Well, that would not be necessary Mr. President. It could easily be
    accomplished with a computer. And a computer could be set and programmed to
    accept factors from youth, health, sexual fertility, intelligence, and a cross
    section of necessary skills. Of course it would be absolutely vital that our
    top government and military men be included to foster and impart the required
    principles of leadership and tradition.

    Slams down left fist. Right arm rises in stiff Nazi salute.

    STRANGELOVE
    Arrrrr!
    (restrains right arm with left)
    Naturally, they would breed prodigiously, eh? There would be much time, and
    little to do. But ah with the proper breeding techniques and a ratio of
    say, ten females to each male, I would guess that they could then work their
    way back to the present gross national product within say, twenty years.
    MUFFLEY
    But look here doctor, wouldn't this nucleus of survivors be so grief stricken
    and anguished that they'd, well, envy the dead and not want to go on
    living?

    STRANGELOVE
    No sir...

  19. No surprise here, really. by amphgobb · · Score: 1

    Um, your capitalist overlords are not interested in which product has the better security. They are interested in forming strategic partnerships with other evil organizations. Like, when the ID card implementation comes, do you really want some wacko cryptome-reading Linux hacker running the show? No, you want the Borg.

  20. The cheap and easy joke: by Anonymous Coward · · Score: 0

    ...and one that I'll probably get bitch-slapped for making:

    "It's like asking the terrorists where they want to go today."

  21. more info on Schmidt by Pinball+Wizard · · Score: 3, Informative

    Here is some info on Schmidt at microsoft.com. Looks like he has an admin-level job rather than a software engineering job. So I wouldn't blame him for how poorly coded Microsoft products are. He's involved with best practices on setting things up securely, not watching over programmers making sure there's no buffer overruns in the code. Although administration and programming must overlap when it comes to real security there's only so much you can do if you're not deeply involved with the code.

    --

    No, Thursday's out. How about never - is never good for you?

    1. Re:more info on Schmidt by linzeal · · Score: 0, Troll

      Correct, that's why security freaks like Theo are the only way to go. Humane or not to the people below.

    2. Re:more info on Schmidt by rlowe69 · · Score: 2

      Although administration and programming must overlap when it comes to real security there's only so much you can do if you're not deeply involved with the code.

      I disagree here. Strict policy to include security MUST come from upper management. Otherwise, people down the line will dismiss it as less important and end up taking short cuts. If management allows the time for the design and development of security policies, they will have a better chance of being implemented.

      Software engineers (or anyone for that matter) won't do anything extra that hasn't been earmarked by their bosses.

      Of course, you could argue that adding security is basic common sense - however, given that most programs look identical from the outside with and without security, if you were in a hurry what would you implement? It's a sad state of affairs, but in these days of relatively high turnover and when speed is important, sometimes the 'little' (seemingly) unimportant things get neglected.

      Bottom line is, it's not a few dozen individual software engineers that make this call, it's the CTO or other upper level manager that does - by corporate policy.

      --
      ----- rL
    3. Re:more info on Schmidt by haizi_23 · · Score: 1

      I thought the point about "eating your own dog food" was that by being forced to use the products you develop, you develop a good feedback loop and are brought face to face with your design flaws. If you're the Chief Security Officer of MS and you have any balls, wouldn't it make sense that you should spend at least some of your time screaming at the engineers who are developing the security policies for the products for putting out total shit?

    4. Re:more info on Schmidt by Anonymous Coward · · Score: 0

      Are you completely NUTS?

      Put Ted the Rat in charge of something REAL???

      Please, oh please, tell me you were making a joke...

    5. Re:more info on Schmidt by Anonymous Coward · · Score: 0

      What the fuck did you think Security Officer meant?

      Linux kiddies are ignorant.

    6. Re:more info on Schmidt by Anonymous Coward · · Score: 0
      Seems like a highly qualified guy - before MS he worked for the Air Force Office of Special Investigations (AFOSI), Computer Forensic Lab and Computer Crime and Information Warfare department. Surely you could argue that MS is a blip on his otherwise unblemished record?

      A view that most people haven't taken: MS poach good people for high up jobs. If he was poached, because they had security issues, then he's probably damn good at what he does, and whatever he was poached for. Now he's leaving to work in government. So what? This is just Slashdotter FUD. Seriously, if some of the dolts who post stories on here were to repeat those stories on the real world, you'd sound like idiots, not /. readers... I suggest you actually find out about Schmidt like the guy above did before you go running to get your name in lights.

      The Slashdotter who cried Microsoft!!!

    7. Re:more info on Schmidt by Danse · · Score: 1

      Seems like a highly qualified guy - before MS he worked for the Air Force Office of Special Investigations (AFOSI), Computer Forensic Lab and Computer Crime and Information Warfare department. Surely you could argue that MS is a blip on his otherwise unblemished record?


      Actually, we have little evidence that he was good at his previous jobs either. Government systems get cracked constantly. Just because he had impressive titles, it doesn't mean he's the best guy for the job.

      --
      It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
    8. Re:more info on Schmidt by Tony-A · · Score: 1

      Yep, whether you use it
      or buy the CDs.
      Death to all bugs
      or 'tis the bugs you appease.

  22. Christ by Anonymous Coward · · Score: 0

    Chris, you're a fucking idiot. Welcome to my killfile (where you'll be joining Michael, Katz and Jamie). Seriously, sir: get a motherfucking life.

    1. Re:Christ by Hermanetta · · Score: 0

      mod this down :-)

  23. Actually a good find by SerpentMage · · Score: 2, Insightful

    I think the guy was not in charge of MS security in terms of software development, but IT infrastructure. And in that case it was a really good find. This guy managed fort Microsoft and MS knew how to keep its internal network in pretty good shape... Even with all of the gadgets and VPN's that they have.

    --

    "You can't make a race horse of a pig"
    "No," said Samuel, "but you can make very fast pig"
    1. Re:Actually a good find by Anonymous Coward · · Score: 0

      uk-security-
      I agree completely. How many network penetrations of MS did the press announce over the past 10 years? Not many. MS products might be rushed through and full of bugs, but their network isn't. Can you imagine your site/net being so secure, having a red-cross planted on every IP...

      Anyone who runs Snort as an IDS and has a /24 will know how many script-kiddie attacks, and manual hands on attacks you can get, without the cross-hairs!...

      Also, I think the US GOV might have just checked his background out too...

      Biggles

  24. Not sure whether to laugh or cry by Ambassador+Kosh · · Score: 2, Informative

    Given how badly the government did on its last security evaluation they are hiring the company with about the worst security track record ever to help them? Isn't this like the blind leading the blind? Well I guess this gives a good indication as to what kind of "penalty" MS will get from the trial since it looks like they have managed to buy off the current administration.

    This just seems like one of the most phenomenally stupid ideas the government could make with respect to computers though given the current administration I am sure they could figure out some way to outdo themselves. Though I really don't want to see what they do to outdo themselves.

    Hmm I heard Mars is nice this time of year ;)

    --
    Computer modeling for biotech drug manufacturing is HARD! :)
    1. Re:Not sure whether to laugh or cry by Hermanetta · · Score: 0

      mod this up please, informative :-)

  25. In Other News by Satai · · Score: 1, Offtopic

    This is fairly reminiscent of other stupid crossover attempts by "artists" speaking outside their medium.

  26. pretty unfortunate by vscjoe · · Score: 3, Interesting
    Well, maybe he quit Microsoft in disgust and is trying to do the right thing: push for open source, peer-reviewed, secure systems. But, more likely, he has been imbued with Microsoft corporate policy, still has a financial and personal interest in the company, and has never known another way of doing things besides the Microsoft way.

    If the latter is the case, there is a good chance that this guy will follow the easy and obvious (to laymen) path and push Windows. After all, NT was created by someone with decades of experience and it is 'C4' certified (or whatever). It has zillions of security features, even more so than VMS, so how could it not be secure? And it is used by some of the most security conscious companies in the world. And what's good for Microsoft is good for America anyway. At least those will be the arguments that will likely be heard around the White House when issues about what software infrastructure the armed services and US government should use.

    This will be followed by calls for keeping source code for critical infrastructure under wraps, "like Microsoft is already doing", because "we don't want to give the terrorists the blueprints to our advanced technology". He'll probably preach the Microsoft mantra that open source is dangerous, unsafe, and un-American. And he'll likely conflate "security" RIAA style (fair use hijacking) with national security and point to how badly the RIAA and MPAA has been "hurt" by "security problems" resulting from "open source hackers" and how Microsoft, in contrast, keeps content "secure" and protects copyright holder's rights.

    Altogether, this appointment is likely going to hurt open source efforts, as well as national information security.

  27. Give him a little credit by StarTux · · Score: 1

    Why is he leaving? Who knows what he might have wanted to be done, only to be overruled by some higher authority or senior department.

    If the security at the White House goes to hell we'd know why probably.

    Matt

  28. Re:Bad move? Has MS ever been by Pinball+Wizard · · Score: 1

    Interestingly enough, back in the days when the DDOS attacks were taking Yahoo and Amazon down, MS managed to stay up. Then again there was that escapade where it was discovered their four DNS servers were on the same class C network segment. It's a big company. They undoubtedly have both people who know what they are doing and others who need a cluestick application.

    --

    No, Thursday's out. How about never - is never good for you?

  29. At least we're safe from pirated ham! by Jartan · · Score: 1

    "He holds a Bachelors Degree in Business Administration, (BSBA) and a Master of Arts in Organizational Management (MAOM). He also has a Technician class Ham Radio License, and a Single Engine Land pilots license." quoted from this site on Mr. Schmidt.
    How exactly does someone with college education like that get to become a cyber security advisor? He was a police officer too. Maybe I'm reading too much into stereotypes but this sure doesn't sound like the kind of guy I'd want protecting me from a nerdy kid who lives in his basement with a caffeine IV making root kits.
    Jartan

    1. Re:At least we're safe from pirated ham! by Anonymous Coward · · Score: 0

      You're clearly reading too much into stereotypes. And you've bought into the Hollywood version of what a 'cyber hacker' is.

      Let's face it. It's not pimply-faced kids who are the big risk, no matter how many pimply faced kids on Slashdot want to pretend they're the big risk.

    2. Re:At least we're safe from pirated ham! by Happy+go+Lucky · · Score: 1
      How exactly does someone with college education like that get to become a cyber security advisor? He was a police officer too. Maybe I'm reading too much into stereotypes but this sure doesn't sound like the kind of guy I'd want protecting me from a nerdy kid who lives in his basement with a caffeine IV making root kits.

      You are reading too much into stereotypes.

      People like to tell themselves that cops are dumb. It makes them feel better about getting speeding tickets-"Sure, I now owe the state fifty bucks, but I'd kick his ass at Unreal Tournament!"

      The problem is, that's generally untrue and generally far less true than it was twenty years ago. The average police department in my state has a larger education requirement than the average IT job with the same starting pay. You can become a junior-something making $2400/month[1] as a high school dropout, but the entry-level sworn position is going to require two years of college. (Except in the capital's suburbs, where at least two of the major departments are requiring BA's/BS's now)

      Also, this guy has put in a lot of training in computer-related investigations. Presumably, he's had a lot of the USAF's internal training as well, being in the AFOSI. Now, the training on the outside can be pretty good, and the science and research stuff is great. However, in terms of practical applications, the stuff available to cops but not civilians is far ahead. Between FBI, AFOSI, and being long-service with Chandler, AZ, he probably went to more than a little of that.

      As for the degrees: senior management types don't deal so much with technical problems. They deal with people and organizations. Would you ask a board member at GM to be an ASE Master Mechanic who spends his off-time on the stock-car circuit? Maybe it might be nice, but IMHO it's good enough that he knows why he has employees with that qualification and why those things are important.

      [1] I started as a cop at about the same-inflation adjusted from 1990, but my department didn't require an associates back then. It was far enough in the past that my BA in biology and fish manager experience actually impressed them.

  30. This guy is clueless by Animats · · Score: 5, Informative
    Here's a 1998 interview with the guy. He's not a technical guy. He used to be a computer crime investigator with the USAF. There's a fair amount of stuff by him on the web, mostly the usual Microsoft line of "it's all your fault, not ours".

    Notice in the 1998 interview that he denies that viruses in mail attachments are a problem.

    1. Re:This guy is clueless by Anonymous Coward · · Score: 0

      Well, it IS mid-1998 we're talking about here...

    2. Re:This guy is clueless by Anonymous Coward · · Score: 0

      I like his MS software insecurity answer much better. All I have to do now is figure out how another installed software package is responsible for a buffer overflow problem...

    3. Re:This guy is clueless by kiwaiti · · Score: 1
      When did viruses in mail attachments become a problem? I'd guess it started with W98, probably some time after it was introduced (for W98 to gain installed base, and for crackers to realize the new opportunities introduced). At the time, he may have been right. However, M$ soon changed the rules in favour of crackability...

      Kiwaiti

      --
      Member of the Legion Of Microsoft Haters
    4. Re:This guy is clueless by Deadplant · · Score: 1

      good grief. This guy is a dumbass, I wouldn't hire him as a security advisor. All his answers sucked, he gave CEO answers, not security advisor answers.

    5. Re:This guy is clueless by Anonymous Coward · · Score: 0

      And your qualifications as someone to hire a security advisor are......??

      Well, we're waiting....?

    6. Re:This guy is clueless by dmelomed · · Score: 1

      This guy will be inventing new ways to cover-up MS holes, and establish better MS image within U.S. government. What else?

    7. Re:This guy is clueless by Jucius+Maximus · · Score: 1
      C'mon people, this is a WASHINGTON POST interview! It would have done no good for him in that interview to talk in technical terms - he's gotta sound like a regular guy before the average readership pays attention to him.

      Think about it ... if you were interviewed by a mainstream magazine or newspaper to talk about computer security, you wouldn't be able to talk about closing off port 139 (windows SMB) or configuring a firewall. They wouldn't let you because the regular readership wouldn't know what you were talking about. You'd sound just as un-technical as Schmidt does here.

    8. Re:This guy is clueless by The+Ape+With+No+Name · · Score: 2

      I work with an ex-mil/NSA security "guru" who finds out about the latest worm/virus by clicking on attachments. He considers us all fools for using Mutt to read our mail.

      --
      Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
  31. Easy on him guys... by Mustang+Matt · · Score: 5, Informative

    He was a security ADVISOR...

    He could have given Microsoft all the advice in the world and if they were too lazy to implement the appropriate security measures it's not his fault.

    Maybe the position at the government was his opportunity to get to a better place that would actually listen to him.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
    1. Re:Easy on him guys... by philipsblows · · Score: 1

      Actually, that "Advisor" title is just a misstatement in the slashdot posting. Read the Microsoft bio on the guy (already pointed to in another post here, but I'll copy it... here), which starts off with

      As chief security officer for Microsoft Corp., Howard Schmidt...
    2. Re:Easy on him guys... by Anonymous Coward · · Score: 0

      yeah maybe..

    3. Re:Easy on him guys... by scott-thomason · · Score: 1

      Perhaps the guy just realized M$ was a bad place for a security professional to hang out?

  32. look at our current state of affairs by xavii · · Score: 1

    he can't do any worse in the area of computer security than our president and his administration are doing for national security.

    xavii aka bob

  33. Finally by Vspirit · · Score: 1

    Maybe now we can have an OPEN Government :)

  34. Whitehouse defacing by iconian · · Score: 1

    Maybe finally he'll stop the defacing of whitehouse.com with pornographic images.

    1. Re:Whitehouse defacing by Sarcasm_Orgasm · · Score: 0

      He better not, I have a subscription there.

      --
      Special people have long socks, ride short buses, & invent witty sigs.
  35. responsibility by vscjoe · · Score: 5, Insightful
    Was he responsible for all the holes in Microsoft code over the years?

    As security advisor at Microsoft, his job presumably was to define policies that keep those holes from getting into the software and/or to keep Microsoft's sites secure. Microsoft's products are full of holes and their services have suffered major security compromises, so he can't have been very effective.

    Since his new role will be similar in nature, it seems reasonable to suspect that he will be equally ineffective at defining national policies to protect our national security infrastructure.

    1. Re:responsibility by Anonymous Coward · · Score: 5, Interesting

      I don't think there's any way to know how effective he is as an individual without reading his resume, interviewing him, and talking to a number of his associates. This is something which the government has most likely done, whereas most Slashdot readers simply read the word "Microsoft" and conclude that the man is incompetent, evil, or both.

      In a company that large, there will be both fuck-ups and genuinely good workers. I know some extremely talented people working at Microsoft. I also know some losers there. I don't know which side of things this guy is on, but you have to figure that only a few companies have people with enough experience with huge, varied networks to take on this role for the federal government. And Microsoft is very likely to be one of them.

    2. Re:responsibility by Paul+Komarek · · Score: 3, Insightful

      While most of what you say sounds reasonable, one thing really caught my eye: "only a few companies have people with enough experience with huge, varied networks". The problem with Microsoft is that they only have experience with huge, homogenous networks; they were blindsided by the internet; they thought remote admin was a bad idea until recently; their network hacks (netbios, for instance) stink on large networks.

      I think Microsoft is very *unlikely* to have much useful experience with "huge, varied networks". What really gets me is that they seem to *like it this way*.

      -Paul Komarek

    3. Re:responsibility by mshomphe · · Score: 3, Insightful

      But, this is part of a general 'revolving door' phenomenon between business and government: work in one area of the private sector, retire, join the government, work on legislation for that area. This is problematic because it leads to the legislation being skewed towards that business (and away from the consumer), and makes the government appear more insular.

      One has to wonder what effect this person's tenure with Microsoft will have on his job performance; much in the same way that we had to wonder about Dick Cheney's Halliburton/Enron/oil industry ties when he was coming up with the administration's energy policy. It's a valid concern and one that should be raised.

      --
      She sat at the window watching the evening invade the avenue.
    4. Re:responsibility by ArminK · · Score: 1

      The problem is that if M$ ex-managers get into management of other companies, they push M$ products. And then leave quickly before the company finds out how bad the software actually is.

      That way we got an Exchange system which loses mails and where transfer from/to UNIX and the internet sometimes takes up to 5 hours :-(

      So guess what the whitehouse will use for safe software next year.

      But on the good side, this gets you access to top secret documents.

    5. Re:responsibility by vscjoe · · Score: 2
      If we were talking about some mid-level manager or expert on computer security, I would agree with your statement: there are competent people at Microsoft and you can't blame them for problems throughout Microsoft's product line.

      But Schmidt is just "some guy at Microsoft", he is "Microsoft's Chief Security Advisor". As the Chief Security Advisor, he can't say "I'm really quite good, but I just can't get security at this company under control". Getting the company under control is part of the job. In a large, hierarchical organization, the buck stops there, and it is justifiable to equate a top-level position with top-level responsibility. If people feel they can't be judged by the record of their part of the organization, they can always step aside.

      As for expertise, Microsoft doesn't strike me as a company that has a lot of expertise with "huge, varied networks". In fact, their likely lack of extensive in-house expertise with the kinds of computing systems found in the US government is another factor that raises doubts about this choice.

    6. Re:responsibility by vscjoe · · Score: 2
      Sorry, typo. Meant to say:

      But Schmidt is NOT just "some guy at Microsoft", he is "Microsoft's Chief Security Advisor".
    7. Re:responsibility by madenosine · · Score: 1

      As security advisor at Microsoft, his job presumably was to define policies that keep those holes from getting into the software and/or to keep Microsoft's sites secure.

      Well your presumption is wrong (along with apparently half of /.'s). He was more of an administrator than a software engineer.

    8. Re:responsibility by Mark+Bainter · · Score: 1
      As security advisor at Microsoft, his job presumably was to define policies that keep those holes from getting into the software and/or to keep Microsoft's sites secure. Microsoft's products are full of holes and their services have suffered major security compromises, so he can't have been very effective.

      While I largely agree with your point, I'll make one in his defense anyway. He /did/ work for Microsoft. So his hands were pretty much tied, and he would've been forced to use inferior tools (MS products) to accomplish his goals. So I'd say you have to adjust the scale you judge him on. Perhaps by the remarkably small number of compromises considering the products he was forced to use?

      --
      "No nation could preserve its freedom in the midst of continual warfare."
      --James Madison
    9. Re:responsibility by hetairoi · · Score: 1

      "most Slashdot readers simply read the word "Microsoft" and conclude that the man is incompetent, evil, or both."

      if he were incompetent at being evil i wouldn't be worried ;)

      --
      you're all figments of my deranged imagination
  36. Not really. by ChrisBennett · · Score: 5, Funny
    Isn't this is like putting Capt. Hazelwood in charge of an oil tanker?

    Actually, no. Captain Hazelwood was drunk at the wheel before the accident. Apparently he was a fine captain when sober. Microsoft has bad security whether or not you consider them to be drunk.

    1. Re:Not really. by Anonymous Coward · · Score: 0

      I just wanted to point out, ChrisBennett, that your post made me chuckle more than anything I've seen on Slashdot for the past year. Points are deserved for subtlety alone.

    2. Re:Not really. by Karl_Hungus · · Score: 1

      Isn't this is like putting Capt. Hazelwood in charge of an oil tanker?

      Actually, no. Captain Hazelwood was drunk at the wheel before the accident. Apparently he was a fine captain when sober. Microsoft has bad security whether or not you consider them to be drunk.


      I think it's more like promoting him to captain of a nuclear-powered ICBM-equipped submarine after showing us what he could do with the Valdez.

    3. Re:Not really. by Anonymous Coward · · Score: 5, Informative

      There is plenty of blame to go around for the Exxon Valdez oil spill.

      Capt. Hazelwood was not at the wheel, or even on the bridge, when the Exxon Valdez struck the reef outside Port Valdez. Contrary to popular opinion ship Captains are not required to be "at the wheel" all the time. The ship was in what the USCG had declared was "outside pilotage" waters and a licensed USCG Merchant Marine Officer (the 3rd Mate) and a complement of documented seamen were on watch - and at the wheel. Some seamen testified to telling the Officer on watch that the red buoy marking the limit of Bligh Reef was on their starboard side. For whatever reasons, he chose to ignore them.

      Capt. Hazelwood had to go down to his office to prepare the flurry of reports that Exxon's yuppie management required every one of their Captains to prepare and send in after loading and as soon as the pilot departs the ship. Prior to leaving the bridge he instructed the Officer on Watch to return to the sea lanes (marked clearly on a radar system on the bridge) after clearing the ice. For whatever reason, this officer declined to follow those instructions.

      The USCG officers who claimed he had alcohol on his breath were in an environment of heavy concentration of evaporating chemicals that was so bad that the Chief Mate (whose watch the 3rd mate was taking because the Ch. Mate had been working 36 hours straight loading the ship) testified that he had considered going back and getting a Scott Air Pack to get up the stairway to the bridge. (Compare to trying to detect alcohol on the breath of a friend while putting your nose next to the fill pipe of your car while fueling at your corner service station.) (Hazelwood was never convicted nor was his USCG license revoked, btw.)

      The USCG radar observers in Port Valdez did not make any attempt to follow the ship after the pilot disembarked at the west end of the Valdez Narrows despite warning the ship of pack ice and authorizing the ship to divert from the navigation channel to avoid the ice.

      The Exxon Valdez hit Bligh Reef because the ship was undermanned (it was 900 feet long and carried a crew complement of less than 25 people!), the crew was overworked and exhausted (and many say inexperienced), and Exxon management in Houston was micro-managing the ship with petty requirements, plus the USCG in Port Valdez did not do their jobs.

      One of the after effects of this incident was that the USCG returned to the policy of requiring ships to carry an extra officer to help with navigation and loading due to the heavy burden. A policy abandoned by Exxon and the other oil companies several years prior to the accident. A further after effect was a requirement that tankers entering sensitive waters be double-hulled.

      Another after effect is that the radar observers in Port Valdez now monitor the ships until they depart Cape Hinchinbrook and enter the open Pacific.

      A final after effect is that Port Valdez now allows tanker Captains to return to the Port and tie up in dangerous weather. Prior to the Valdez incident they refused re-entry and required loaded tankers to either stay inside Prince William Sound and motor back and forth in the traffic lanes or depart and suffer damage (and loss of life).

      The oil spill would have never caused as much pollution as it did if British Petroleum hadn't allowed the management of the Valdez terminal to decommission the recovery equipment they had promised the State of Alaska they'd keep on hand for the life of the project. They have recommissioned the oil spill equipment since the incident.

    4. Re:Not really. by Anonymous Coward · · Score: 0

      Hmmm... Goes to show that disasters aren't caused by one slip. Always a chain of mishaps.

  37. "passport" control by AtomicBomb · · Score: 1

    In the future, I wonder if people will need to authenticate themselves using .net when passing through customs. :-)

    Seriously, I do not really think Schmidt's appointment is that bad. Esp in the past, it is not at all difficult to find CEO/senior managers etc with a military background. Many of them can still do a good job without turning the companies to a barrack... For people as higher up, personal character may be more important...

  38. ::sigh:: by DarkZero · · Score: 2, Flamebait
    So they'll steal the civil liberties of all of their citizens, and even more from immigrants, in the name of security... but do they bother to do a background check on their new computer security advisor? Of course not. That's just... predictable. I wanted to say sad, surprising, or shocking, but really, it's just predictable.

    Oh, and for those that claim that this guy isn't responsible for the holes in Microsoft software, and that thus this guy is actually pretty good at his job of protecting MS's network: You're half right. He DOESN'T have anything to do with the Microsoft software security holes. However, he was the one in charge of protecting Microsoft's network during the incident six months to a year ago when a hacker group hacked into Microsoft's network, completely 0wning the whole thing, and Microsoft didn't find out about it until the group had already been making regular visits to the network for three months, downloading the majority of the network (possibly the entire thing, I don't think anyone's really sure) during that time. And while some may wave that off as "one intrusion in X amount of time", remember that these guys got in and then kept making REGULAR VISITS to the Microsoft network without anyone noticing for three months. So while only one group managed to do it, it sounds like they managed to keep doing it on an almost daily basis. That makes for a pretty bad security record, and it would've been a huge fucking disaster if this had been done during the upcoming era of widespread .NET and Passport services, or only a "somewhat large fucking disaster" during the current era of consumer and business consumer information being regularly logged through XP's activation madness.

    I guess this proves that from now on, the government will be too busy looking at our computers to even take a passing glance at the situation of their own.

    1. Re:::sigh:: by loraksus · · Score: 2

      Well, considering that under new federal regulations the grunt security screeners have to be US Citizens, but the national guardsmen who walk around airports with fully loaded, full auto M-16's don't have to be. . .
      Anyways, enough with government fuckups. BTW, you mentioned the peeps that were hacking into the ms servers for 3 months before being detected - keep in mind that this is the people who were caught and that we heard about, and since it is not in MS's best interests to say they had been ass fucked by hackers . . .

      --
      1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
    2. Re:::sigh:: by Anonymous Coward · · Score: 0

      And being a US citizen automatically means somebody is a better bet to be a security guard for WHAT reason?

      I am not sure on this, but I think the National Guard is a pretty honorable organization and trains and screens their soldiers pretty closely. A civilian 'security screener' is someone who walks in off the street.

  39. MSGS 2K by Lawst · · Score: 1

    You will soon need a Passport account to contact your senator's office. You will also need a Pentium 4 with 256MB of RAM and WinXP so that, once you do connect to your senator's office, you will be able to run Microsoft Government Simulator 2002 without locking up ;)

    1. Re:MSGS 2K by Graspee_Leemoor · · Score: 1

      "...you will be able to run Microsoft Government Simulator 2002..."

      That program is already running

      graspee

  40. Fantasic by Anonymous Coward · · Score: 0

    Just fucking great. Put all of my hatred for M$ on the ethical side away, and they definitely suck with security. You know, this is the kind of shit that makes me wanna go fuck a hentai chick.

  41. Corporate security != electronic security by Xeger · · Score: 3, Interesting

    I haven't done any digging yet, but it is my assumption that as head of security he will be in charge of physical security policy at Microsoft installations: who has access to which rooms, and at what times of day. How many cameras to put in the bathroom stalls. How many parabolic surveillance microphones to hide in the trees. How many pits full of punji stakes, vipers and bear traps to place around the Redmond campus.

    In other words, Big Brother stuff. Spook stuff.

    That is what a chief security officer does in the traditional corporate environment. He will have an underling (or several) who handle electronic security for him. If he knows what's good for him he'll realize that he shouldn't try and play a game he knows nothing about, and he'll let his underlings have free rein.

    Not that it will do any good, of course. As long as Microsoft uses its own software, it will always be vulnerable to the same exploits with which it burdens the rest of the world.

    1. Re:Corporate security != electronic security by big_nipples · · Score: 1

      Are you really an idiot?

      Had you read the writeup (not even the article), you would realize that this story is about a guy LEAVING Microsoft to work for the government.

      Anybody care to explain why this got modded up to 3?

      --
      BN
    2. Re:Corporate security != electronic security by markmoss · · Score: 2

      No, check any of the links posted about this guy, he's an alleged "cybersecurity" expert. He was responsible for the security of Microsoft's own networks when they were thoroughly hacked. I doubt that he had any input to the design decisions that make MS OS's so insecure, but he's put his name on plenty of public statements claiming that there's no problem. In itself, that proves either he's utterly clueless or he'll say anything for a paycheck. Either way, he'll fit right in at the White House. 8-(

  42. Re:So you think the White House chose him at rando by doodleboy · · Score: 3, Informative

    Among other things, the EULA at passport.com/Consumer/PrivacyPolicy.asp?lc=1033.NE T says: Passport will disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to... Act under exigent circumstances to protect the personal safety of users of Microsoft, the .NET Passport Web Site, or the public.

    How interestingly broad, given that in light of recent terrorist activities any "exigent circumstances" could be said to be met as a matter of course. And there is no doubt that all the information that's bound to be stored on .Net servers could be sifted and profiled in many fascinating ways by the intelligence community.

    Kinda makes you wonder how it all fits together, given the walk Microsoft got on the anti-trust case.

  43. /. home of the stupid anology by Suppafly · · Score: 5, Insightful
    CD: you'd think people would examine the job someone did at their previous job before offering them a new one. Isn't this is like putting Capt. Hazelwood in charge of an oil tanker?


    First off, being the white house I'm sure they thoroughly examined everything about him.. I had a friend apply for a fairly low position with the DoD and they interviewed his friends and family as well as giving him a lie detector test.


    Secondly, this is hardly comparable to the Exxon Valdez thing..


    Third, who are you to say he did a bad job at MS?
    Other than just taking a cheap shot at MS, you have no info about his job performance or even what he specifically did while working at "The Great Evil"


    Maybe it's just me, or maybe there's a reason you don't see chrisd listed in the hof anywhere..

    1. Re:/. home of the stupid anology by SmittyTheBold · · Score: 1

      Technically, it was the NSA, but whatever ;)

      (KARMA WHORE!)

      --
      ± 29 dB
    2. Re:/. home of the stupid anology by Froqen · · Score: 1

      Third, who are you to say he did a bad job at MS?
      Other than just taking a cheap shot at MS, you have no info about his job performance or even what he specifically did while working at "The Great Evil"

      More to the point, most of the comments I've read are talking about product design, which is not the same as operations security. His track record there has been the semi high profile break-in a few months ago which was a case of stolen credentials from what I know, and the occasional minor web server defacement on secondary (not centrally managed) web servers.

    3. Re:/. home of the stupid anology by Anonymous Coward · · Score: 0

      Haha, I can't believe that the posting I am responding to was mod'd up to a 5!

      Shows you how stupid this Karma can be.

    4. Re:/. home of the stupid anology by Suppafly · · Score: 1

      Yeh but you aren't allowed to call them the NSA or acknowledge the existence of the NSA or something..

    5. Re:/. home of the stupid anology by Suppafly · · Score: 1

      that's ok.. everything else I post is almost auto-modded to -1 or 0..

    6. Re:/. home of the stupid anology by SmittyTheBold · · Score: 1

      What? Who said anything about any "NSA?"

      What is this "government" thing you speak of?

      --
      ± 29 dB
  44. Choice of words? by Iamthefallen · · Score: 1
    From linked article:
    BV: Is there an Echelon?
    RC: No. I don't know anything called Echelon. I've never seen anything called Echelon. ...

    Isn't it funny that he uses "anything called" instead of "anything like" or "anything such as what echelon is supposed to do"?

    --
    Wax-Museum Fire Results In Hundreds Of New Danny DeVito Statues
  45. Pro MS Voice Inside Administration by i1984 · · Score: 1
    Irrespective of whether or not he is/was any good at security, and aside from any inside knowledge he may have as an MS security advisor, it's hard to believe that he is not well steeped in MS corporate culture. Now with an apparently strong voice inside the Bush Administration, it's logical to assume that the Administration will be even more pro-MS. Even if his position doesn't directly set policy, a Microsoft-aligned philosophy may seep in to policy decisions.

    Microsoft and the Administration both seem to think they're each about the best things that have ever happened to each other, and now they may be even better friends.

    MS security, of all things...

  46. I wish... by maunleon · · Score: 0, Offtopic

    We could moderate topics. Yet another random Anti-MS flame. What does have a person in charge of internal IT infrastructure have to do with security holes in IIS and Outlook?

    I wonder if the whole topic would be marked offtopic. It's too silly to qualify as Troll.

    1. Re:I wish... by NerveGas · · Score: 2

      What does have a person in charge of internal IT infrastructure have to do with security holes in IIS and Outlook?

      Ultimately, he's one of the people that dictates where they will draw their balance between cost and security. Sure, they could spend time and money educating their programmers about security concepts, and sure, they could spend a lot of time and money doing code reviews - but do they? Only a little. And he's one of the people that make those decisions.

      Is that who you want handling national security policies? "Well, yeah, there's a pretty big hole there, but we don't think that most people will find out about it, especially if we don't tell them about it."

      steve

      --
      Oh, you're not stuck, you're just unable to let go of the onion rings.
  47. It's all part of the same kind of thinking. by Futurepower(tm) · · Score: 5, Interesting


    "CD: You'd think people would examine what someone did at his previous job before offering him a new one." [Corrections to grammar and spelling added.]

    It's all part of the same kind of thinking. Bomb Afghanistan to save it. (I'm talking about the first bombing by the U.S. government [1983], not the second and third.)

    Hire someone from a company known for its inability to make secure software, and put him in charge of what his company always did poorly.

    But, of course, maybe he is not really leaving Microsoft, but just working with a government that doesn't believe in privacy to assure that Microsoft software will always be compromised by the government.

    Look on the bright side. With Microsoft in the White House, no one who truly wants software security will be running Microsoft products.

    --
    Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence?

    --
    Bush's education improvements were
    1. Re:It's all part of the same kind of thinking. by b0r1s · · Score: 5, Insightful

      Hire someone from a company known for its inability to make secure software, and put him in charge of what his company always did poorly.


      Who would you prefer?

      1. Someone from openssh, which just released a new version to correct a remote exploit?
      2. A linux hacker who can't figure out how to handle syn cookies?
      3. Someone from lotus, who can't protect their documents
      4. A webalizer coder who can't remember to filter out cross site scripting?
      5. Maybe an IBM coder?
      6. Cisco is flawless, right? nope
      7. Redhat must be perfect, they make linux! oh wait
      8. SGI/IRIX is flawless, they never have security proble... oh, nevermind
      9. How about a linux kernel hacker, they sure must be perfect! They'd never allow a root exploit into a stable kernel!


      Getting the point yet? Everyone has holes. Everyone releases patches. It just happens that microsoft designs their code for ease of use, and because of that there happen to be a lot of unqualified microsoft admins. This isn't a MS problem. This is a side effect of their popularity.
      --
      Mooniacs for iOS and Android
    2. Re:It's all part of the same kind of thinking. by Anonymous Coward · · Score: 1, Interesting

      Perhaps you're confused on the concepts of oversights and inability. I can tell by your post you're confused on Linux which RedHat doesn't make btw, but that's another class.

      We are talking the difference between a multi billion dollar Organization that doesn't just have a few glitches. But millions of lines of poorly written code that lead to exploits that make little script kiddies jizz their shorts.

      By your justification if you were running a soup kitchen and you had 1 person that was on payroll. You paid them every week for their services. And you had 4 other people who were volunteering. The one person you're paying never seems to be doing anything right. They are always half assing everything you ask them to do. Very rarely do they get it right on the first time. Then you have the 4 people who are volunteering their time who occasionally have issues they don't get it right. But they are self starters who don't always wait to be told and sometimes they just surprise you with what they have done.

      Now your ass would fire the 4 volunteers and keep the idiot on payroll wouldn't you. Hell you might be that idiot.

      BTW Most people are asking the right questions what are his qualifications. He worked at Microsoft as head of security doesn't say much. Defending Ms here shows you really don't understand what the underlying conundrum is. Also I gotta ask do you work for MS cause the releasing a patch thing is sorta for the birds. Commercial products shouldn't be works in progress.

    3. Re:It's all part of the same kind of thinking. by Floris · · Score: 5, Insightful


      Nice argument, but let's not forget microsoft themselves have been compromised multiple times over the course of the last few months:

      1) Remember that incident where someone inside microsoft got hit by a macro virus that allowed remote (apparently russian) script kiddies to access their internal network?

      2) How code red hit www.microsoft.com and hotmail?

      3) Same thing happened with nimda.

      3) there were more but this was off the top of my head.

      Of course, bad programming practices happen everywhere but this could be accounted to a) running unpatched boxes and b) microsoft employees opening infected attachments. Both of which were his direct responsibility to prevent.

      --
      --- Your superiour intellect is no match for our puny weapons
    4. Re:It's all part of the same kind of thinking. by sjoperkin · · Score: 1

      Exactly. Just because the guy is from M$ doesn't mean he is totally incompetent.
      What you have here is a 'real world example'. This is how it works. The good guys don't get to rule, the nice guys don't get the hot chicks. You can bitch about it all you want, but that won't make a difference. Patience and hard work usually gets you where you want, but not always.

    5. Re:It's all part of the same kind of thinking. by frozenray · · Score: 1

      I beg to differ. First of all, finger-pointing at linux/open source incidents is inappropriate: nobody (at least nobody in their right mind) says that open source has no holes, but from my experience, security problems are spotted earlier, discussed openly and fixed immediately. All this in stark contrast to Microsoft's disgusting "security through obscurity" view of disclosure.

      Your shifting the blame to "unqualified microsoft admins" (like, every Unix is qualified - right!) is quite telling. May I suggest the problem lies a bit closer to Redmond than you think?

      Raymond

      --
      "There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
    6. Re:It's all part of the same kind of thinking. by Lumpy · · Score: 1, Flamebait

      because of that there happen to be a lot of unqualified microsoft admins.

      Yes, they are called MCSE's

      Ohhh that was a really low blow, sorry for that . I just cant help myself.

      --
      Do not look at laser with remaining good eye.
    7. Re:It's all part of the same kind of thinking. by nyteroot · · Score: 1

      the really sad part, of course, is that when the white house got wind of all those Code Red machines aimed at them, they changed their IP and moved their webserver to linux -- the one and only time i have ever considered that someone in washington may actually *gasp* have a clue. then they do this, and all my hopes are dashed -- not only will their server go back to IIS, but no, no one in washington has a clue. at all. never will. *sigh* it's so sad when one's dreams are dashed to bits on the rocks of reality..

      --
      Ratio of replies to old sig content : replies to actual post content > 0.5. Sig changed.
    8. Re:It's all part of the same kind of thinking. by bribecka · · Score: 5, Informative

      Hire someone from a company known for its inability to make secure software, and put him in charge of what his company always did poorly.

      Or, even better, people could check what in the hell they are talking about! But then again, this is Slashdot, no fact checking required:

      Mr. Schmidt currently is the Corporate Security Officer for Microsoft Corporation, Redmond, WA. In that capacity he directs the activity of those responsible for security of Microsoft's Information, personnel and facilities Worldwide.

      Prior to coming to Microsoft, he was a Supervisory Special Agent, Director of the Air Force Office of Special Investigations, Computer Forensic Lab and Computer Crime and Information Warfare. (HQ AFOSI/CCI). Under his direction he established the first dedicated computer forensic lab in the government. The AF specialized in conducting investigations into intrusions in government/military systems by unauthorized persons in counter intelligence and criminal investigations.

      Before AFOSI he was with the FBI at the National Drug Intelligence Center (NDIC) where he headed the Computer Exploitation Team as a Computer Forensic Specialist. As one of the early pioneers in the field of computer forensics and computer evidence collection, he continues to provide training support to an international audience dealing with the new challenges around computer evidence collection and processing.

      He was a City police officer from 1983-1994 with the city of Chandler Police Dept. Arizona. While there he was detailed to the FBI academy teaching classes in the use of computers in criminal investigations for approximately 2 years.

      Mr. Schmidt served with the US Air Force in various roles from 1967-1983 both active duty and in the civil service. He has served in the military reserves since 1989 and currently serves as a Credentialed Special Agent, US Army Reserves, Criminal Investigation Division (CID). He has testified as an expert witness in federal and military courts in the areas of computer crime, computer forensics and Internet activity.

      He holds a Bachelors Degree in Business Administration, (BSBA) and a Master of Arts in Organizational Management (MAOM). He also has a Technician class Ham Radio License, and a Single Engine Land pilots license.

      Mr. Schmidt currently is the International president of the Information Systems Security Association (ISSA) and the recently formed IT-ISAC. He is a former executive board member of the International Organization of Computer Evidence (IOCE), served as the co-chairman of the Federal Computer Investigations Committee (FCIC). He is a member of the American Academy of Forensic Scientist (AAFS). He is an advisory board member for the Technical Research Institute of the National White Collar Crime Center. (NWCCC) and he is a distinguished special lecturer at the University of New Haven, CT teaching a graduate certificate course in Forensic Computing. He served as an augmented member to the President's Committee of Advisors on Science and Technology (PCAST) in the formation of an Institute for Information Infrastructure Protection (I3P) He is a regular international speaker in the fields of computer forensics and information assurance.

      Mr. Schmidt was one of 29 industry leaders called to the White House to meet with President Clinton on cyber security and has testified before a joint committee on Computer Security and has been instrumental in the creation of public/private partnerships and information sharing initiatives.

      --

      Where are we going and why am I in this handbasket?

    9. Re:It's all part of the same kind of thinking. by Anonymous Coward · · Score: 0

      Also I gotta ask do you work for MS cause the releasing a patch thing is sorta for the birds. Commercial products shouldn't be works in progress.

      And when I wake up each morning there should be a pot of gold on the kitchen table.

      What the hell alternative universe did YOU come from? There isn't a commercial software product out there for which patches aren't needed during the life cycle.

      Please flagrantly parade your ignorance elsewhere.

      Thank you.

    10. Re:It's all part of the same kind of thinking. by Tackhead · · Score: 1
      > Prior to coming to Microsoft, he was [ ... ]

      A blimp named Hindenburg, a car named Edsel, and a security officer named...

      No, wait a minute, this guy's credentials make it sound like he might actually be qualified to do the job, in that he at least understands security.

      Perhaps the reason he's leaving for the White House is that, unlike his career at MSFT, he might actually be able to implement security.

      My only worry is that maybe he's worked at Micros~1 for too long and absorbed too much of its culture when it comes to security.

      I mean, I can see the design meeting now -- "Well, we'd like to have the aircraft cockpit doors locked, but that'd increase security at the expense of ease of use. How 'bout we make 'em open automatically with a proximity sensor like they do in Star Trek? That'd be easy to use, and look real cool! And because the door wouldn't make the right sound by itself, we'd have to use WinXP Embedded in the door to play back a 'swish' sound like in the old Trek series. Yeah, I know that could be done with a $3.99 single-chip solution, but my way would sell at least one XP license per airplane! If that works, we could do all doors at all airports, even the normally-locked ones that go to the secured areas! Wouldn't that sell a lot of XP licenses?")

    11. Re:It's all part of the same kind of thinking. by bribecka · · Score: 2

      Micros~1

      ROFL--that is about the funniest thing I've seen in a while.

      --

      Where are we going and why am I in this handbasket?

    12. Re:It's all part of the same kind of thinking. by Anonymous Coward · · Score: 0

      'hot chicks' to me implies disease and instability.

      I am not talking like a prude. I, personally, have a woman who considers herself My slave who I can fuck any which way I want any time I want.

      But 'hot chick' to me implies anonymous empty sex with a stranger. Kind of like enhanced jerking off.

      Think about it for a minute. If a petri dish is 'hot' that means it's infected. 'Hot Zone' was a book about the Ebola virus.

      Find somebody to settle down with (if you're lucky she'll be a pliable sex slave you can tie up). Don't fuck around with 'hot chicks.' They're syphilitic or worse.

    13. Re:It's all part of the same kind of thinking. by Anonymous Coward · · Score: 0

      Yeah, but can he recompile his own kernel?

      Yuk yuk yuk yuk

    14. Re:It's all part of the same kind of thinking. by jon_c · · Score: 1, Troll

      I dono, he still looks like a moron

      --
      this is my sig.
    15. Re:It's all part of the same kind of thinking. by mrseth · · Score: 1

      Almost none of these are Linux. Linux is just a kernel. For a more realistic comparison why not compare the security records of Apache against IIS. I think that is about all you need to do to illustrate that MS seems to have never heard of input validation or something.

    16. Re:It's all part of the same kind of thinking. by ret · · Score: 1

      Exactly, I'm glad to see someone else who realizes this. There's also several things that contribute both to MS having extra security holes and it seeming that there is far more than there really is.

      1. Stability, security, and usability for your average jackass on the street don't go together. You can be stable and secure OR you can be easy to use and backwards compatible so that joe smith doesn't have to upgrade every couple months or even more often like with linux, bsd, etc. To make software truly backwards compatible, that unfortunately means leaving old, crappy, code in, which causes bloatware and may cause problems mixed with the newer code, but to be compatible, it must be there.

      2. "rushed" releases... if I remember right, MS often tries to hold back their releases to fix the bugs, then the public gets pissed off at them for being late on the release, so they release the buggy software, and the public gets pissed off because the software has bugs.

      3. Everyone hates MS so every jackass in the world talks about how crappy their software is whether they know what makes it crappy or not. This means a lot of things that are NOT ms problems, but user problems or other companies writing crap software to run within windows, get blamed on MS. It also means that everyone makes 10x as much noise as needed about each MS hole and then bitches again because it needed patched to fix it, whereas linux, etc, it is made known that there is a hole in some program, but no one cares, then a patch is made (oh my, that sounds like MS) and then people applaud them for patching it instead of getting pissed off.

      Now don't get me wrong, I'm not some lame ms fanboy, they've got problems, I'd never use them for an internet server, at least not with a default setup (but what OS would I do that with... certainly none of the linux distros, maybe obsd though)... But, they aren't as bad as a lot of people seem to think, it's just a lot of crap blown out of proportion because most people don't know any better and just repeat what they heard without stopping and thinking before letting the nonsense flow from their mouth.
      --

    17. Re:It's all part of the same kind of thinking. by Dr.+Cam · · Score: 1

      In other words, maybe the guy went to M$ because they promised him lots of scope, a chance to have some real influence, and a good chunk of dough. Now disillusioned at the gap between reality and M$ hype, he's going back to where he's comfortable, and might actually have an impact.

    18. Re:It's all part of the same kind of thinking. by nexthec · · Score: 1

      you dont get out much then do yah....thats about ohhh 6 years old ;->

    19. Re:It's all part of the same kind of thinking. by Muad'Dave · · Score: 1
      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
    20. Re:It's all part of the same kind of thinking. by clovis · · Score: 1

      I would prefer any of these to a vendor that ever thought that making an email product with a default setting of executing embedded code on opening an email was a good idea. And don't get me started on the default install of IIS.

      The idea that "unqualified microsoft admins" should be to blame is ludicrous.
      Are you not aware that Microsoft sells its products for people to use at home?

      How many years of experience and what certifications do you think would be the minimum for my mom to be able to configure her system for safe operation? I ask because it doesn't come that way out of the box. A safe system is not what Microsoft sells.

    21. Re:It's all part of the same kind of thinking. by RollingThunder · · Score: 2

      So, this guy is in charge of securing MS corporate systems, based on their own insecure OS.

      My thoughts were:
      A) poor bastard.
      B) man, he must be GOOD. MS rarely gets hit as bad as the public, so he must be doing SOMETHING right....

      :/

    22. Re:It's all part of the same kind of thinking. by clovis · · Score: 1

      Nice checkup in Mr Schmidt.
      Thanks for relevant post.

    23. Re:It's all part of the same kind of thinking. by Anonymous Coward · · Score: 0

      Hire someone from a company known for its inability to make secure software, and put him in charge of what his company always did poorly.

      Hey, lets cut MS some slack -- they only want to make their systems easy to use. Unfortunately you don't have to be an authorised user on any given system to enjoy this ease of use.

    24. Re:It's all part of the same kind of thinking. by mamba-mamba · · Score: 1

      Actually, outlook, by default, has a preview pane so you don't even have to actively open the email in order to get hosed. Just put the cursor on it. And of course, when you open outlook the cursor goes to the newest message...

      MM
      --

      --
      By including this sig, the copyright holders of this work or collection unreservedly place it in the public domain.
    25. Re:It's all part of the same kind of thinking. by Toomel · · Score: 1

      well, it's also a fact that even if you apply all the M$ patches, you still have an OS with holes in it.

      With linux though, if you put on every security measure, your box will be pretty secure. I think /. had a story a couple of times about someone testing out the theory. His linux box has not been cracked.

    26. Re:It's all part of the same kind of thinking. by Python · · Score: 2
      Ok, I get it, so he's an ex-cop not a technologist or computer security expert. Perfect, that's JUST what the government needs. Another so-called "computer security/crime expert" with a 100% police officer/federal agent mentality which equals = we need to prosecute more of those "hackers" to make the world a safe place. Because, as we all know, that's worked so well for the world so far and the federal government doesn't have anywhere near enough of those types.


      I think what you have pointed out about Mr. Schmidt should worry people more, not less, regarding his credentials to provide any expertise on the issue of "cyber" security. Reactionists, such as cops, feds and other "prosecute em!" types are of no use to the computer security discipline. And, until proven otherwise, I see no reason not to assume that Mr. Schmidt is one of those types. After all, his entire background is on the reactionary side of the model. He has done nothing to contribute to the discipline of information security and assurance. In short, he is a cop, at best, not a computer security expert by any means.


      Instead of working on solutions to prevent intrusions and to manage risk, the White House appears to be building up yet another totally ineffective effort at punishing wrong doers.


      What the White House needs is real computer security experts at the helm, not another ex-cop. Not to bash Mr. Schmidt, but he just doesn't seem like a real addition to their team. I'm sure the Federal Government has plenty of law enforcement and ex-law enforcement types to guide their decision making, but not enough real experts on the infosec problem.

      --

      Python

    27. Re:It's all part of the same kind of thinking. by randombit · · Score: 2

      * SGI/IRIX is flawless, they never have security proble... oh, nevermind [oreillynet.com]

      Are you insane, a troll, or do you simply know nothing about Unix? IRIX is by far the most insecure Unix out there (that's still being maintained, anyway, I guess 4.2 BSD might be less secure). It's not meant for network servers, it's meant for graphics workstations and rendering machines.

    28. Re:It's all part of the same kind of thinking. by Anonymous Coward · · Score: 0

      Um, that bit about IRIX being secure looked like sarcasm to me, dude...

  48. Job Opening at Microsoft? by Newt-dog · · Score: 1
    There's a (hehe) job opening at Microsoft (hehe) for a Chief Security Advisor. (hehe)
    Any Takers! (all Linux moles please apply!)

    Newt-dog

  49. My comment. by loraksus · · Score: 2

    hahahahahhahahahahaha!!!
    Seriously though, this is rather ominous.
    Take MS's awesome track record and keep it in mind, this isn't going to be a MS flame on their fucked security though. He was an advisor, which meant people didn't necessarily listen to him.

    Now, we all know that the new guy will be completely impartial? Right?
    Bullshit, not only does the DOJ let MS go damn near scot-free, but now the white house appoints a former employee to tell them how to work security.
    Great, name him "Director of Computer Honesty" too, rename the DOJ to "The Ministry of Peace" to keep with the theme (or was it truth, it's been a while since I read the book).

    You know, this might not be that bad - if sysadmins can't patch their servers because the government doesn't allow publication of exploits, it will make hackers / skript kiddies jobs easier. It will escalate to a point where there will be so much bullshit, that sysadmins will all just post their shit anyways, consequences be damned - or just host exploits in Rwanda, Iraq, or some other nation.

    This is not to say that his experience will be a total fuckup - he does have a few interesting ideas, and I think that he realizes that what is under his control can never be broken into, which is nice (a realist, instead of some bitch from marketing).
    His administration will be a mix of good and bad things, though his support of amending the freedom of information act certainly makes me worried.

    --
    1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcfv gbhnjmk,l.;/
  50. Re:Bad move? Has MS ever been by Guy+Innagorillasuit · · Score: 0

    You're giving them good marks for not having their front page defaced? I'd much rather have a web page defaced than have an intruder on my network downloading my company's code.

  51. Give him a break by jhealy · · Score: 1

    Holy Lord, Slashdot... give the dude a break. He's the security advisor for their stuff, he doesn't write the code... and on top of it, he was in charge of security for some of the highest traffic sites ever! TOUGH!

  52. This is just insane by autopr0n · · Score: 2

    I suppose we can hope for the best. We know this guy wasn't responsible for the code itself, but rather M$'s IT infrastructure. And Microsoft's has been pretty good at not being hacked, (or at least having their websites defaced) Although one intrusion did take place (and it was major)

    Aside from that, though, what bothers me is the security ideology espoused by Microsoft (and as others mentioned, this guy), the whole 'security-through-obscurity' thing. These people seem to think that building software is like building a house, it can't really be secure, just tight enough so that you don't have to worry, but we know that isn't the case. I mean, Microsoft is a successful company, but their security is just crap. And when they're called on it they blame others. This is not the kind of attitude that we need to manage a secure government system. I mean we can't just send the FBI in to confiscate the computers of 'suspected' hackers if they're funded by another country.

    Bleh, this government sucks. 9/11 has just made them more paranoid and retarded.

    --
    autopr0n is like, down and stuff.
  53. Laughing myself to sleep tonight. by Anonymous Coward · · Score: 0

    That's the funniest, most subversive post I've ever read. You're beautiful, man.

  54. Suspicious by Conspire · · Score: 1

    Well, as a classical conspiracy freak, I reckon:

    1. All the real influence and decisions that this guy has in the white house will not be made public, so we won't really ever know what he is doing.

    2. He will still be loyal to MS, after all, most government people don't stay in government forever. What better way to climb the MS corporate ladder than to leave, get lots of power in the government, and then go back to MS. Not to mention the great signing bonus that is actually a payoff for how much he helped get MS into lucrative government software contracts.

    3. What better way to kill open source, than send in an MS general onto a government security council?

    Unfortunately, we will probably all never know the real effects, due to statement one.

    --
    Real men don't need signitures!!!
  55. huh? by autopr0n · · Score: 1, Flamebait

    What does Gore's (supposed) affinity for potted plants have to do with 9/11?

    Gore had a hell of a lot more experience than Bush Jr before the election, which was the point of the above poster.

    --
    autopr0n is like, down and stuff.
  56. That's a good news by jsse · · Score: 2

    /. will no longer be regarded as a major anti-MS. Now they will also call us anti-Government!

    Wait a minute...

  57. Software upgrades for everyone! by austad · · Score: 2

    I heard he's going to be in charge of the MS Supreme Court 2002 installation. And there are also rumors of a switch to MS Advanced Senate. Unfortunately, the upgrade to MS President Express has been postponed because it kept dying.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
  58. There goes the ... by nil5 · · Score: 1

    neighborhood...err... nation state.

  59. security is not a technical position by Anonymous Coward · · Score: 1, Insightful

    security positions in governments and corporations alike are always political, never involving an ounce of technical clue. he'll fit right in.

  60. Move to *nix by Robert+Frazier · · Score: 1

    Perhaps he simply got tired dealing with windows security and sees this as a way to broaden his horizons without appearing negative about windows.

    Or, being charitable, perhaps he has made a bundle, and wants to make a public contribution.

    Best wishes,
    Bob

  61. Look Ma, I'm a moron by Wonko42 · · Score: 2
    I was once a Quality Assurance tester for a dot-com with a really shitty product. My job was to find bugs in the aforementioned pile of shit. And find them I did. I had no control over whether or not these bugs were fixed; my job was merely to make sure the developers were aware of them.

    Likewise, it is not a security advisor's job to fix security issues. It is his job to advise people on ways of preventing security problems. Just like a QA tester, he has no control over whether people actually heed his advice.

  62. So does this mean ... by jstockdale · · Score: 2, Funny

    that we won't have to go on tours to see the whitehouse anymore?

    tourist> yay ... the backdoor's open
    tourist> common guys lets go

    security officer> um sir please don't tell too many people about this ... it is a secure facility

    tourist> er ... ok
    *walks inside*

    --
    **AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
  63. C2 Certification by CaptainZapp · · Score: 3, Interesting
    NT was created by someone with decades of experience and it is 'C4' certified

    To the best of my knowledge, NT got a C2 certification umpteen years ago. But (and I'm not making this up), It only achieved C2 when the disk drive was removed and the machine was not attached to any network

    I don't think Microsoft attempted to brag about orange book certification since then.

    --
    ich bin der musikant

    mit taschenrechner in der hand

    kraftwerk

    1. Re:C2 Certification by thogard · · Score: 1

      Wow C2. That standard was set by a group that threw away the orange book because it was severely lacking long before NT was even a bad dream.

    2. Re:C2 Certification by LinuxHam · · Score: 2

      It only achieved C2 when the disk drive was removed and the machine was not attached to any network

      can't speak to the network, but it was the floppy disk that needed to be removed. How did you plan to run the system with no hard disk and no network? Bootable CD? People do it with Linux every day, but I've never heard of a fully functioning NT system running off a CD.

      --
      Intelligent Life on Earth
  64. While this may seem a strange move by Daath · · Score: 2

    While this may seem a strange move, it is a case of Security Through Obscurity ;)

    --
    Any technology distinguishable from magic, is insufficiently advanced.
  65. You're missing the point, as well as OpenBSD by Anonymous Coward · · Score: 5, Insightful

    I think you're missing the point. Microsoft consistently releases buggy software and they publicly admit that yes, the UI experience comes before security. Sorry, but that's not for me. In addition, you've forgotten to list OpenBSD. Four years without remote hole in default install.

    1. Re:You're missing the point, as well as OpenBSD by pmz · · Score: 1

      Microsoft consistently releases buggy software and they publicly admit that yes, the UI experience comes before security.

      Funny, I first "experienced" Windows XP this weekend, and the UI is nothing special. It was just the old Windows with some eye candy and CPU-sucking animated menus. I never saw a 900MHz PC react so slowly.

    2. Re:You're missing the point, as well as OpenBSD by Anonymous Coward · · Score: 0

      You're supposed to upgrade more than the CPU tard-boy.

      Get rid of that ISA Trident 8900 video card.

      We know you have a deep attachment to it. Just get rid of it. Now.

    3. Re:You're missing the point, as well as OpenBSD by Anonymous Coward · · Score: 0

      His motherboard doesn't have ISA slots. He was using serial console.

    4. Re:You're missing the point, as well as OpenBSD by kraig · · Score: 1

      ... which makes a chief of security at Microsoft incompetent how? I'm sure he personally reviews every single line of code himself, oh yes. This is not to say he's necessarily competent, but sheesh. (Having said that, I'd quit my job before I was forced to use MS-anything in a server role, without at least hiding it behind a firewall running on a real os.)

    5. Re:You're missing the point, as well as OpenBSD by Anonymous Coward · · Score: 0

      Everybody consistently releases buggy software.

      I think you miss the point.

    6. Re:You're missing the point, as well as OpenBSD by Anonymous Coward · · Score: 0

      I use a serial console connected to an ISA serial card, so you are both right.

    7. Re:You're missing the point, as well as OpenBSD by Anonymous Coward · · Score: 0

      Yeah, you're right. In strict purist terms, we all do. But MS is the least shameless about it. They'll take weeks to patch something if they do at all.

    8. Re:You're missing the point, as well as OpenBSD by Anonymous Coward · · Score: 0

      "Four years without remote hole in default install."

      Is it? I've seen a few openssh vulnerabilities (remote holes!) that affected openbsd as well. And openssh IS part of their default install. So keep those lies on their website, and stop spreading them.

    9. Re:You're missing the point, as well as OpenBSD by dup_account · · Score: 1

      And he also doesn't say "Hey! let's not release this new Win because we haven't done enough security checking on it" Plus, how large is his staff? They could be spot checking, looking for exploits, actually reviewing code, providing guidelines to other coders, getting involved in all levels of code development.

      But you're right. M$ has (had) one guy who was doing all of the security work for M$.

      His job should have been to prevent code going out that was insecure. His job was to fight to have VBA disabled by default (and not after the fact, doesn't count).

    10. Re:You're missing the point, as well as OpenBSD by kraig · · Score: 1

      I think the next thing he'd be saying after that would be: "Would you like fries with that?" If he's lucky.

  66. Re:WHAT CNN DOESNT TELL YOU by tom1974 · · Score: 0

    I wish i could fire that $2 million missile into that $10 tent you live in, and hit you in the butt.

  67. that is what I hate. by sluggie · · Score: 2, Insightful

    yes, it's the typical /. behaviour when it comes down to jobs/functions/code/etc from/by/at microsoft.
    This kind of bashing is definitely not ok. You know NOTHING about this guy, I'm sure he is VERY highly qualified and he is not to blame for the philosophy of a company.
    Hey chrisd, do you have any idea which education you must have to become a Chief Security Advisor at Microsoft? Do you?

    Demonizing Microsoft, that is what the script kiddies, crackers, etc do. It should not be committed by a sane, open minded community.

    For example I know a guy who teaches ppl how to pass the mcse certificates. I once asked him why he is doing this microsoft stuff. He told me that he is no fan of Microsoft itself as a company, but it's good money, a nice job.
    In his free time he is a sun/java developer and truly a fan of linux.

    Maybe we shouldn't categorize people because of their jobs. And believe me, Mr. Schmidt knows more OS than win98...

    Saying "w1nd0wz sux0rZ, h4X0r1ng m$ r00lez" is just embarrassing...

    1. Re:that is what I hate. by sluggie · · Score: 1

      I really try not to flame now.

      first "How do you know?" answer:
      No matter how insecure some products of Microsoft are, they won't hire an idiot as secadv.

      "I don't know. Please tell me." answer:
      see answer "first 'How do you know?' answer"

      second "How do you know?" answer:
      see answer "first 'How do you know?' answer"

      About that incoherent, far-fetched bomb stuff you wrote:
      It's pretty sick and immature to compare a software company to a terroristic organisation.

      You are exactly the type of person to make the whole open source movement look like a bunch of script kiddies.

    2. Re:that is what I hate. by The+Ape+With+No+Name · · Score: 2

      Guilt by association. Most likely you are not spending hours upon hours patching that shitty OS, its shitty Web Server and then watch another HUGE hole that 'script kiddies' can easily exploit crop up the next day requiring you to spend more hours upon hours. I can give you examples of OSes that do not have this problem. Here's one.

      --
      Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
    3. Re:that is what I hate. by sluggie · · Score: 1

      Hmmm.. as the name says "Security Advisor".

      Giving advice to the programmers/testers/etc...
      I'm afraid what they do with it is more or less beyond the scope of the secadv...

      I'm just trying to tell that not everybody who works at microsoft is an idiot...
      Sure, in the aspects of security win is sometimes shitty.

      But think about handling, hardware compatibility or the speed of IIS when delivering static HTML...

    4. Re:that is what I hate. by TheAwfulTruth · · Score: 1

      Guilt by association is not guilt! It's prejudice. nothing else.

      --
      Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
    5. Re:that is what I hate. by Tony-A · · Score: 1

      Nope. Guilt by association is experience.

  68. Danger Will Robinson by dazdaz · · Score: 1


    This implies to me the White House thinks security is something that is corporate and so they understand it more than anyone else.

    Dangerous line of thinking.

  69. maybe this is a blessing in disguise by Indy1 · · Score: 1

    think about it, if the government gets owned and rooted on a regular basis, we won't have to worry about what the government is up to. We can just go to our favorite script kiddie/warez/black hat web site and read all those top secret CIA documents we've so dearly wanted to see. Heck in 6 months, we can just go to something like astalavista.box.sk and search for anything we want :)

    Or if we're really lucky, the feds will be too busy fixing exploits in their systems to foist laws like the DMCA on us.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  70. Readers often don't have much experience with MS. by Futurepower(tm) · · Score: 5, Insightful


    1. unauthorized user can authenticate.
    2. denial-of-service attack
    3. unauthorized user can read files
    4. Inject HTML tags into the generated reports.
    5. gain root access.
    6. denial-of-service attack
    7. execute arbitrary code when accessing RPM from untrustworthy source.
    8. denial-of-service attack
    9. gain root access

    Every one of 1 through 9 above are stories about people who made mistakes.

    The security problems in Microsoft products, are, in my opinion, not mistakes. They are the result of policies: 1) Only money matters. If you can make more money by being sloppy, then do it. 2) Release software with lots of known shortcomings so that people will want to pay for upgrades later. 3) Relate to your employees by pushing them.

    Items 2, 3, 4, 6, and 8, more than half of those you mentioned, do not allow destruction to the system itself. One or more Microsoft security bugs that allow destruction to the system are announced on the average of every month, if I recall correctly.

    I am not anti-Microsoft. I am more pro-Microsoft than Bill Gates. Microsoft is a company that has $30,000,000,000 dollars in the bank, instead of being used to clear up the problems in their products.

    Today I spent about an hour of my Sunday helping a woman in Brazil clear her computer of the Badtrans worm. Billions of dollars are being wasted by very serious Microsoft bugs. The company is not worrying enough about the quality of its products, in my opinion.

    I installed a security bug fix supplied by Microsoft to Internet Explorer on someone's computer last week, and the security bug fix put all the network settings back to least security. This has been going on for years. Microsoft knows this happens. It is a result of policy, not mistake. Why they do that, I don't know. Maybe it has been dictated by the U.S. government that Microsoft will make their systems insecure.

    We have a problem on Slashdot that many people who read Slashdot don't work with Microsoft products enough to know how bad things really are.

    --
    Bush's education improvements were
  71. Is anybody surprised? by global_diffusion · · Score: 1

    This is George "C Average" Bush making the decisions. Maybe now instead of a missile defense system we can have a blue screen of death system that crashes the guidance systems of incoming missiles.

    Henchman: "Missile fired, sir."

    Evil Leader: "Good work. Keep me inform-"

    H: "Wait! WTF? The missile crashed - I mean it froze up. Some sort of 'protection fault.'"

    EL: "Well, reboot then!"

    H: "I can't find the delete key. Damn these curvy MS keyboards!"

    [missile falls harmlessly to the ground]
    Howard Schmidt, GWB: "That's great - who wants ice cream?!"

  72. more security holes = greater Fed Service Packs :) by bodyborg · · Score: 1

    hey if this guy kept all them Micorserf bees busy making service packs for other service packs for security patches for other security patches to patch the latest buggy update of the last bug, just imagine how much he can solidify the Bush-Dick-Colon trinity's hold on power. he he he ;)

  73. Outlaw Open Source software by joeler · · Score: 1

    One of the first and most important recommendations will be to outlaw open source software, everyone in America must use Microsoft supported products for security reasons. Microsoft will implement backdoors so every computer can be viewed easily by Askkkroft and his group. No computer can be left untouched, they need to know who you are and what you are doing every minute of the day. Open Source can be hacked too easily and users could remove back doors- this is no good, it is unpatriotic to not allow the government to snoop around your computers at will.

    --
    >>>please remove "nospam" from email address
  74. Is this good or bad ? by Quazion · · Score: 1

    Will Windows Security get better or worse out of this is the question....

    Now I don't really know if this person was good in his job or not, but I read some article about him from 1998 and it didn't look too good....

    So probably this is a good step for Windows, which would be bad from my perspective...

    Anyways I have quit using MS products anyways, so I don't really care, except for my Government who is using MS products I hope they switch to a secure system like OpenBSD or MS gets wise and secures its SHIT......

    Quazion.

  75. I can just imagine it! by joebp · · Score: 1

    Aide: Mr Schmidt, our 30 top-secret servers have been 0wn3d by a 3 year-old russian toddler!
    Howard Schmidt: Quick, upgrade them to NetBSD!

  76. it seems to me by fyonn · · Score: 5, Funny

    that he's not so much leaving microsoft as merely changing departments. it's all the same company isn't it?

    dave

  77. Irresponsibility? by Kibo · · Score: 1, Flamebait
    While most of what you say sounds like preaching to the choir, one thing really caught my eye: "problem with Microsoft is that they only have experience with huge, homogenous networks; they were blindsided by the internet; they thought remote admin was a bad idea until recently; their network hacks (netbios, for instance) stink on large networks. "


    You might be interested to know that Microsoft has an active directory with over 2 million objects in it. Microsoft might have been caught off guard by the internet, but reducing their network expertise to a remark about netbios is shockingly ignorant, even for slashdot. More over the US government is probably the biggest target for those cracking into computers, Microsoft is probably number two. No one else faces problems on the scale microsoft does. IBM likes to pretend, they'll even send you a free book about "What Hackers Don't Want You To Know", and they certainly have experience, but not like microsoft. It's a matter of scale.


    You think so little of Microsoft's acumen. I invite you to take a look around. Microsoft, as you rightly point out, was nearly last on the internet bandwagon, a scant decade later where are they? For better or for worse they have beat down, out competed, and embarrassed their competition. The free market made its decision. Obviously marketing had something to do with it, but if their products weren't at least good enough Adam Smith would be proved wrong and we'd be eating Borsht.


    Don't even pretend to whine about anti-competitive tactics. My tax dollars helped pay for Mosaic, Microsoft got access to the source for free.... And don't get me started on ticketmaster.

    --
    --Jimmy has fancy plans; and pants to match.
    1. Re:Irresponsibility? by hearingaid · · Score: 2
      More over [sic] the US government is probably the biggest target for those cracking into computers, Microsoft is probably number two

      No.

      The biggest targets for those cracking computers are banks and telcos. Increasing your bank account and getting free long distance/cellphones, that's what phreakers and other crackers want.

      --

      my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

    2. Re:Irresponsibility? by Anonymous Coward · · Score: 0

      My tax dollars helped pay for Mosaic, Microsoft got access to the source for free....

      Whereas Netscape just stole the development team and ran off to create an empire based on closing the source. They only opened the source after they lost, badly, to Microsoft.

      But everybody likes cute little Marc. What a fucker.

    3. Re:Irresponsibility? by Paul+Komarek · · Score: 2

      Ticketmaster -- agreed! My knowledge of Microsoft networking comes mainly down to my experience, and various whitepapers at Carnegie Mellon University about why they disallow several Microsoft network services. Active Directory is a new thing for MS, and you're right that I'm ignorant on that account. But I have good reason to "think so little of Microsoft's acumen". They've stunk up networking for years.

      As for being one of the most targeted networks, I'd agree. However, I'm not so sure they're number 2. I expect that other governments, Yahoo, and places like CERT (hosted by Carnegie Mellon) are also big targets.

      As for Adam Smith, he *was* wrong. That's why the US (and every other 'capitalist' economy) uses a regulated implementation of capitalism. The free market makes its decisions based on marketing. If it made decisions based on research and development, then R&D would get 50% of revenues and marketing would get the 5% that R&D gets now.

      Where is Microsoft today? Using hundreds of programmers to slowly reinvent unix networking. Why slowly? Because they're waiting for people to forget all the FUD they've put out about how bad unix networking is.

      And I don't care about Microsoft's 2 million object directory. Why? Because I can piss farther than you!

      -Paul Komarek

    4. Re:Irresponsibility? by Kibo · · Score: 2

      Naturally I don't have any proof they're number 2, just a guess. Between people exploiting their sites, and their products, they're a huge worldwide target. Amusingly enough some of the Nimda stuff I've seen comes from small business owners who know essentially nothing about computers setting up small networks and leaving them wide open on DSL. Then the stuff some of the users would do.... I hardly can blame Microsoft when they make a fairly complex family of products that are so intuitive that people can make small networks without really knowing anything about what they're doing.

      I would also make the observation that marketing serves an important purpose. It helps keep the public informed about their dazzling array of choices. It's even ok that most of it is bullshit, because the intent of the advertisement is clear, we can usually filter out what the truth is. But it helps the market more quickly sort out where the money should go. Course, that's just how I see the world.

      You might be surprised to learn under some circumstances DNS replication under windows can be more secure than its UNIX kin, and in software so early in its life too. I suspect UNIX will be better for a couple more years, though MS does have an advantage or two, but everyone who has had a head start on MS has fallen by the wayside when MS decided to compete with them. But with all things it's never about how bad or how good something is. It's whether it's good enough and how popular, something MS seems to understand better than anyone else.

      I don't know who told you I squat to pee, but they were lying.

      And to the moderators: "Feel free to mod me down, it's going to take a while to get rid of my +1 bonus, cheers."

      --
      --Jimmy has fancy plans; and pants to match.
  78. Highlighting security flaws by blibbleblobble · · Score: 1

    It's interesting to read the 1998 interview:

    • [Interviewer from] Palo Alto, CA: "in several cases, university researchers have shown security flaws in Microsoft products,and microsoft released a path. Why couldn't release a more product first time? In some cases, the releases are very buggy."
    • Howard Schmidt [Microsoft directory of security]: All software developers wish it could be done right the first time but with all of the different configurations,software packages and programs that might conflict it doesn't always happen the first time. We work closely with the universities to correct them ASAP "

    Interesting because of course, new laws make it illegal to tell anyone about the security flaws in software products.

  79. The importance of monkeymen. by DarkHelmet · · Score: 0
    The Government versus Microsoft is a lot like...
    The Government versus The Taliban.

    The Government has a tendency to want to break up things they don't have a liaison to/for.

    When Clinton was in office, was anyone working for Microsoft offered a spot to work there? I doubt it. What did Clinton do? He whipped out his 800 pound Gorilla Janet Reno.

    Now look what happens? As soon as there's a liaison, everything's friendly again, and all the "Arms Trading" can commence again.

    I bet all our Passport passwords are being handed over as we speak...

    Thoughts?

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
  80. Excuse me.... by biglig2 · · Score: 2

    ... but he was their security officer, not a product designer. What difference does it make that he worked for MS? Other than that consequentially he worked for a huge, high-profile MS shop that everyone wants to crack and not many have managed.

    The job'll be easier, I'd imagine, since the White House is a smaller and less ambitious (but equally high profile) MS shop and while he now isn't down the hall from the developers (which is not all it's cracked up to be) he is down the hall from the NSA.

    I mean really. If you've got to secure an important *MS* shop, who do you think would be better?

    --
    ~~~~~ BigLig2? You mean there's another one of me?
    1. Re:Excuse me.... by The+Ape+With+No+Name · · Score: 2

      You think this guy is a clever troll, but he is not.

      Men are good.

      Socrates is a man.

      Therefore, Socrates is good.

      This kind of logic has stood up for 2400 years

      We hired an old NSA guy to be the security guy at my University. Things have become demonstrably worse in the past six months. Why? He is a Microsoft weenie. Who ever heard of a security maven who repeatedly gets infected by 3-year-old viruses in his mail because he insists on running Outlook -- unpatched.

      --
      Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
    2. Re:Excuse me.... by TheAwfulTruth · · Score: 1

      And your experience means that everything else is the same way? The article poster asked if anyone looked into his background before giving him a job. Have any of YOU looked into his background before flaming him to death? This is the /. hypocrisy at full bore.

      --
      Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
    3. Re:Excuse me.... by The+Ape+With+No+Name · · Score: 2

      Mod this M$ shill down. How's your stock options, bro? Just fine, I am sure.
      Don't you see the irony of an employee of the bane of IT security getting a White House level position for IT security issues? I bet the WH shifts from Lotus Notes (which is very secure) to Exchange (which is a festering security nightmare) within six months.

      --
      Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
  81. A side effect of popularity? by erroneus · · Score: 5, Insightful

    First, I'd like to comment that I'm posting this using AT&T Broadband... They didn't pay me to say this, but I expected to be net-less for a week, so I'm happy.

    Second, MS's infamous security record doesn't stem from "mishaps." It stems from their insistence on a very flawed set of models. "Drivers at Ring-0" and all that. Among the more popular flaws is in their VBA/VBS integration. Bad enough that these languages have access to the whole machine indiscriminately, but documents from untrusted sources now have access to your whole machine? How many times has this happened? It's not something that requires a patch, it requires a rewrite or complete removal as a feature.

    Javascripting? Why are so many MSIE flaws handled best by disabling client-side scripting? Think about it -- same problem.

    How about their insistence on installing "everything, even if you don't need it?" How many "Nimda" hosts are out there on machines where the owner didn't even know IIS was there? My brother said it best when he said that it was the equivalent of shipping a loaded pistol. It's not dangerous if you know how to use it and if you knew it was loaded, but then again anyone with a finger thinks they can handle a gun... ring true enough?

    It's not that the company's popularity makes a common problem seem worse, it's the company's problem of prioritizing "cool stuff" over "secure stuff."

  82. Use ya head! by Boiling_point_ · · Score: 2, Interesting

    Your president and government realise how dependent their economy is on M$ products. Of course, they can't just ask Microsoft what the terrorist-exploitable holes in the code are, because the company is big enough to hang on to their corp. secrets from even the US government.

    So they employ the guy and put him in a safehouse where they can have a long chat, Dubwya gets a clearer picture of what he's up against.

    --
    "If you create user accounts, by default, they will have an account type of Administrator with no password." KB Q293834
  83. Not quite by jd · · Score: 2

    I'd say this was closer to putting bin Laden in charge of American Home Security.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  84. The Problem With Microsoft by Greyfox · · Score: 5, Interesting
    Microsoft has always put user friendliness first. User friendliness and security are usually directly at odds with each other. For instance, if I go over to /boot and try to rm bzImage, Linux won't let me do that (Unless I'm running as root, but we all know you should never run as root, right?) That's not very user friendly. It's my computer after all. Why shouldn't I be allowed to delete any file on the system? Well, we all know why.

    Microsoft's product line evolved from a single user application. Programmers on their product line are still in the mentality that if you're sitting at the console, their programs have sole access to the full resources of the computer. How many Windows application installs demand that you close down all other programs and reboot the system when you're done? How many of them actually need you to do that? How many times has some Windows program opened a modal dialog (Which in the historical past prevents the program from being minimized until you acknowledge the dialog) or worse, a system dialog? When was the last time you saw one on Linux? Completely different programmer mentality.

    Sure Microsoft's been kludging user support into Windows for a while now, but they don't enforce its use. It'd take too long for them to explain to every user out there why they should have to log out and log in as the administrator in order to install that new game or those scanner drivers. Most Windows users are perpetually stuck in the running as root mode, despite years of sysadmin experience that dictates that you should never run as root. And Microsoft will never force them to create a user and use it because that would make them a little less user friendly and a little more like UNIX and that's not the direction they've taken.

    BTW: Most Linux dists don't force you to create and use a user ID either, and it's a very common thing to see newbies running as root. They usually stop after the first or second time they manage to trash their entire damn filesystem. And you can never just tell them "Don't run as root -- 30 years of UNIX sysadmin experience can't be wrong!" They seem to have to learn by hard experience.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:The Problem With Microsoft by Anonymous Coward · · Score: 0

      Who has 30 years of UNIX sysadmin experience?

      I imagine there are two or three people who can make that claim, and that's it.

      The whole 'deep lineage' thing with regard to UNIX is ridiculous. It's not a UNIX-only thing. People have had shitty jobs as computer operators (also known as 'administrator' or tape-mount-monkey) for years. Long before the UNIX time sharing system existed.

    2. Re:The Problem With Microsoft by Sax+Maniac · · Score: 2
      Good points. They're improving things though. I installed Win2K and was sure to create different accounts for everybody. I also made each person a non-power user, so that any exploit can do (theoretically) limited damage. (Though I'm probably deluding myself.)



      To my pleasant surprise, some applications will recognize that you need to be an Admin to install. They'll post a dialog box that essentially does a "su". Enter the admin password, install, and be done. Not bad.



      To my disgust, most applications don't, and most applications (grumbleQUICKENgrrrRIOgrmblPALMgrrr) decide they need unfettered write access all over the place. It takes some hunting and pecking, granting write access to the four or five files (usually log files) that it wants to write to.



      If MS would change their default setup such that users did not have "power" or "admin" privileges, watch how fast software would change to actually install correctly.

      --
      I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
    3. Re:The Problem With Microsoft by oldays · · Score: 1

      This don't run as root thing is *WAY* overestimated. I mean.. a newbie installs linux. He's got a bunch of cds sitting nearby, ready to reinstall it all in 30 minutes. In his home dir, he's got tons of his work, that could not possibly be replaced in any amount of time. (Well, okay, he's not that kind of newbie, he's spent enough time to fill ~ with valuable work). So, who gives a shit about rm -rf / when rm -rf ~ is just as bad and requires no root? I think the trouble is that this piece of wisdom trickled down to us from admins who deal with 10,000 user systems, where root *IS* far totally dangerous, but on a single user system it don't make much difference. In fact, I hope some distro will finally figure out that linux could be made much more desktop-friendlier if it was strictly single-user.

    4. Re:The Problem With Microsoft by Sheetrock · · Score: 1
      Having separate levels of security access for different user accounts/programs is still a very nice thing even when running single-user systems. True, it won't stop a temporarily-not-thinking individual or malfunctioning script from having the potential to toast every accessible file, but the situation would probably not be improved by permitting everything on the system to be wiped out as well.

      On the plus side of things, having to log in as root to make important changes reminds users to pay more careful attention. Having the ability to run programs under dummy accounts like 'web' firewalls the rest of the system from potential damage from malfunction. One can't set up a chroot jail in a Windows environment AFAIK, but you can run programs that must run as root in their own little sandbox in most (all?) Unix environments to prevent useful exploitation of remote-accessible security flaws that might be discovered later. Even desktop systems will probably end up running servers or daemons that benefit from user-level security features, such as IRC bots, game servers, Gnutella clients, DHCP clients, FTP servers, Samba, or NTP (network time protocol) synchronizers. It's one more layer available to protect the system from things going horribly wrong.

      I used BeOS for a while. It felt more-or-less like a single-user always-root Unix system. I can't say that it seemed any more friendly because of this, but I did miss being able to lock down a server application from time to time. I think that a free-as-in-beer version is still available on Be's site for download if you want to try it out. There are other parts in a Linux/*BSD-based system that could be improved on to make the desktop experience more enjoyable and seamless, such as a concentrated effort to make interfaces more consistent across applications yet themeable by the user or encouraging a compatible configuration template for applications that could be fed into a GUI form to make it easier for new users to configure their system and again make things more consistent yet still permit easy editing from a command line. Current window managers seem to be making progress in both areas, though apparently not always in ways compatible with each other... which kind of defeats the purpose.

      --

      Try not. Do or do not, there is no try.
      -- Dr. Spock, stardate 2822-3.




    5. Re:The Problem With Microsoft by mpe · · Score: 2

      Microsoft has always put user friendliness first. User friendliness and security are usually directly at odds with each other. For instance, if I go over to /boot and try to rm bzImage, Linux won't let me do that (Unless I'm running as root, but we all know you should never run as root, right?)

      Is this "user friendliness" or "end user administration"? Plenty of the features of Windows are less than "friendly".

      That's not very user friendly. It's my computer after all. Why shouldn't I be allowed to delete any file on the system?

      Is it meant to be your "friend" or your "slave"? (The latter of the if you tell it to jump off a cliff it'll go and find one variety.)

    6. Re:The Problem With Microsoft by dup_account · · Score: 1

      books, passed on information, etc, etc (you moron) We learn, we publish, others learn

    7. Re:The Problem With Microsoft by dup_account · · Score: 1

      another piece of (unix, mainframe, i'm not sure about M$ even though it is most likely to need it) admin wisdom is to make a backup before doing something potentially dangerous as changing OS.

      I make a backup of all my important data before I even think about changing M$ Win.

      Do any of the distros autodetect partitions when you select new install?

  85. DEF CON 10? by Anonymous Coward · · Score: 0

    That didn't even make sense. Do you know what DEFCON is? It doesn't even go to 10 anyway.

    1. Re:DEF CON 10? by mlafranc · · Score: 2, Funny

      From DEFCON.org

      DEF CON 10 will be August 2nd-4th, 2002 in Las Vegas. More details soon.

    2. Re:DEF CON 10? by Anonymous Coward · · Score: 0

      The only reason it doesn't go to ten is that those little boys are used to their mommie tucking them in by nine. They'd be all tuckered out at ten.

  86. It's a matter of trust by Greyfox · · Score: 2
    After the last round of format string vulnerabilities, I went out and looked at the source code to several FTP servers. What I found was so horrifying that I disabled FTP completely on my system. I didn't really need it anyway.

    I didn't need that functionality anyway -- there are other ways to move files around. But what about a server that I really need? Well I don't trust bind farther than I can spit a rat but I run the damn thing. I compiled it statically and run it chrooted as a user other than root. Although a previous release of the kernel would still have allowed a compromise of my system, I'm not running that kernel and so I'm willing to trust bind nominally in that configuration. I was able to secure it although I don't trust it.

    Windows evolved from a single user operating system and those roots are still very much evident in every application for it that I've ever seen. It is highly in need of clueful administrative staff in order to keep a user base secure, but the lack of a need for a really clueful administrative staff is one of the selling points of Windows -- we were supposed to be able to install NT on all our servers, 95/98 on all our desktops and fire all those high paid UNIX sysadmins, replacing them with chimpanzees. And somehow the CIO doesn't take any flak for this when the company spends a billion dollars trying to clear code red out of the network. The attitudes are more flawed than anything else and that is why I don't trust Windows.

    For the record I don't trust Linux or BSD either, but I trust them a lot more. I'd be much happier if the various servers I used were coded in some language where it was harder to make such fatal mistakes, such as Java, Haskell or LISP, but I expect we'll get there eventually.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
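
The confinement described in the comments above (a service chrooted into its own directory and run as a user other than root) depends on doing the steps in the right order and refusing to start if any of them fails. The following is an added example, not code from any commenter or from bind; the function name enter_jail, the jail path and the uid/gid 65534 are assumptions made for illustration.

```python
"""Added example: chroot a service and drop root, failing closed at every step."""
import os
import sys


def enter_jail(jail_dir, uid, gid):
    """Confine the current process to jail_dir and switch to uid/gid for good.

    Returns (True, "ok") on success, or (False, stage) naming the step that
    failed. On failure the caller must exit instead of continuing as root.
    """
    # A service that stays root inside the jail is not confined:
    # root can break out of a chroot.
    if uid == 0 or gid == 0:
        return (False, "refused-root-id")

    try:
        # Enter the directory first, make it the new root, then reset the
        # working directory so the process holds no cwd outside the jail.
        stage = "chdir"
        os.chdir(jail_dir)
        stage = "chroot"
        os.chroot(".")
        os.chdir("/")

        # Order matters: supplementary groups and the gid can only be
        # changed while still root, so setuid() has to come last.
        stage = "setgroups"
        os.setgroups([])
        stage = "setgid"
        os.setgid(gid)
        stage = "setuid"
        os.setuid(uid)
    except OSError:
        return (False, stage)

    # Verify the drop is permanent: regaining uid 0 must now be refused.
    try:
        os.setuid(0)
        return (False, "root-regained")
    except OSError:
        pass

    ids_ok = (os.getuid() == uid and os.geteuid() == uid
              and os.getgid() == gid and os.getegid() == gid)
    if not ids_ok:
        return (False, "id-mismatch")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed defaults: the path and the uid/gid 65534 are placeholders,
    # not values taken from the thread.
    jail = sys.argv[1] if len(sys.argv) > 1 else "/var/jail/example"
    ok, stage = enter_jail(jail, 65534, 65534)
    if not ok:
        sys.exit(f"refusing to start: jail setup failed at {stage}")
    print("confined; the service's own code would start here")
```

It has to be started as root for chroot and the id changes to be permitted, and the jail directory must already hold every file the service opens after confinement.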

  87. Marcus Sachs is a better choice by Helevius · · Score: 1
    The article also mentions Marcus Sachs will help the White House. I worked with him when I was in the Air Force. Marcus appeared to be the most clueful person working at the Joint Task Force for Computer Network Defense. (That's what it was called when I was still in uniform, before it became the JTF-CNO.) Marcus has been teaching "Security Essentials" for SANS for the last several months. I believe he planned to retire from the Army any time now, so he must be happy to have a follow-on job ready. He's no Microsoft guy either, from what I remember!

    Helevius

  88. Up to no good by Anonymous Coward · · Score: 0

    Looks like Microsoft may have gotten more than just a break on the anti-trust suit.

  89. THE TRUTH! by Anonymous Coward · · Score: 0

    Microsoft never listens to the government.

    So, in a brilliant move, the White House has usurped their security chief.

    How is this brilliant? Won't the government be annihilated by l33+ h@x0rZ?!

    No - you see, this man will be stuck in the basement near the boiler room, unable to harm anyone. :)

    So why'd they do it?

    Simple - now Microsoft needs a new head of security, and there's a good chance they'll get someone with a clue this time. If they do - look out, running Windows may no longer be equatable to pulling down your pants and bending over in a shower room in a prison.

  90. Here's how the conversation went by gelfling · · Score: 2, Flamebait

    GWB: what's this computer security stuff?
    Ashcroft: that's computer surveillance.
    GWB: well this Texan don't know the difference so why doncha tell me.
    Ashkroft: we need to spy on people to make sure they're not terrorists or having abortions or being queer.
    GWB: so this guy from MS can help us with that
    Ashkroft: yeah he can get MS to put whatever backdoors in so we can spy on whomever we want.
    GWB: backdoors? sounds kinda queer.
    Ashkroft: those nerds are all kinda queer anyway - so here's the deal. we hire this guy and then tell him what to tell Gates to do.
    GWB: why should Gates do what we say - that nerds's got more money than a whorehouse with an oilwell?
    Ashkroft: cause Gates has money but we wants access and prestige like everyone else
    GWB: ok I'll go with it - how we commin with rounding up the ragheads
    Ashkroft: fine, project TexAryan is right on target - all non Christians are being targeted as we speak.
    GWB: well shit howdy, get me a drink then.

  91. Qualification? by pdqlamb · · Score: 2
    Maybe if he was chief of the Microsoft PAC, he gets the credit for preventing the breakup of Microsoft. That was a very effective job of security, and so he's therefore highly qualified.

    Depends on what you expect from "security," I guess.

  92. Both Good Guys...What's the Problem? by devost · · Score: 1

    Smart move as I see it. Both guys are very capable, so it is nice to see this office start staffing with real professionals rather than just pay lip service.

  93. Community experience by Stickster · · Score: 1

    Mr. Schmidt is fairly well known in the office where I used to work, and in my professional circles. Although I have never met the guy personally, I am familiar with his reputation -- which is not one of being a very knowledgeable individual. I would hope that if his reputation (as I am aware of it) is correct, the White House would not put him in charge of anything mission critical -- especially since "mission critical" at the White House is in many cases somewhat more important than, say, whether some router is down on MSN.

  94. poor slashdot folks by mrm677 · · Score: 1

    You are ripping on a man for leaving Microsoft. Do you really think he was responsible for all of Microsoft's security flaws? Do you really think that one man, no matter what level he is at, is capable of turning a corporate culture around? Do you think that one man, who isn't the CEO, is capable of changing a company's philosophy?

    If you do, you've never worked for a large company.

    Whether you like them or not, Microsoft has a lot of smart people working for them. Grow up everybody...I'm sure he is very qualified.

  95. Look on the bright side... by Alsee · · Score: 2

    It won't be long before they enable scripting in every existing government service. It would be pretty cool to use the scripting "features" to order a drivers license with Mickey Mouse's picture! :)

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  96. All security is not computer security by borcharc · · Score: 1

    I work as a security manager, and am a part time linux geek. I think what is being overlooked here is that this guy appeared to be in charge of all MS security, computers being a small part of it. And if he was running MS's security operation he is a guy worth having in the white house. His information may not be the best on computer security because he knows what he is told by MS's security goonz. Now I dislike MS as much as any penguin loving american but if you're the head of security for a company the size of MS you know your stuff. In the security world computer threats are a concern but very small when compared to all other possible threats.

  97. Influence by manon · · Score: 1

    Does this mean that they'll start dropping packages of Windows XP in Afghanistan now?
    That will be a bad idea because if you drop the OS, you should drop the security patches too.
    And I don't think you can drop stuff for another 5 years... ;)

    --
    42 + 1 = 42
  98. Exactly by Anonymous Coward · · Score: 0

    The issue being examined here shouldn't be what bugs Microsoft has. All large software projects have bugs. Windows has bugs, Linux has bugs, games have bugs, I'm willing to bet the backend code /. runs on has bugs.

    What we should look at instead is how MS deals with the security bugs and what their consultants do to help clients avoid security holes. In that regard, MS has a pretty good track record fixing most security holes within a week of confirmation.

  99. Comparison by elbuddha · · Score: 1


    Isn't this is like putting Capt. Hazelwood in charge of an oil tanker?

    Similarly, putting the Gov. of New Jersey in charge of the Environmental Protection Agency was like putting some Amish guy in charge of the Dept. of Transportation.

  100. The point by Decimal · · Score: 1

    I think we're missing the point here. It's not that the White House is hiring someone from inside a company that has a track record of releasing buggy software, it's that one of the most powerful and malicious companies in the world now has a tangible foothold inside the White House. Remember how Giuliani came on stage and thanked Bill Gates for his wonderful contributions to society during the XP launch, how the world was in his debt? Personally I don't doubt that Microsoft's influence is strong enough that Bush might decide to run in 2004 with Bill Gates as his Vice President. It seems far fetched, I know, but then again so did the idea that Microsoft could control the outcome of the court decision against itself through sheer politics.

    Plutocracy, here we come!

    --

    Remember "Bring 'em on"? *sigh
  101. Germany by alech · · Score: 1
    Well, Germany seems to be better off this time - people are actually thinking of using Linux in the Bundestag (the German parliament) for security reasons.


    SuSE has a (German) press release here.


    ALeX

  102. Someone who is familiar with 90% (?) of desktops. by Anonymous Coward · · Score: 0

    Who would know all the potential MS backdoors better?

    The more I learn of the policies of this executive administration regarding its lack of concern for personal freedoms, the more concerned I become.

  103. freedom to innovate by necrognome · · Score: 1

    Remember that all of Enron's execs are friends and associates of GW. I hear that company liked to innovate too.

    --


    Let's get drunk and delete production data!
  104. This was posted without sufficient information by InfoSec · · Score: 1

    The truth is that I have met Howard Schmidt, and before he worked for Microsoft, we worked for several gov't agencies and is a well respected member of the Information Systems Security Association (President In fact). Howard is a very good security admin, and really does know what he is talking about. He would be the first to tell you that he is not the biggest fan of Windows security.

    --

    Wherever you go, there I am...
  105. C2 Certification for Windows 98 and ME by Anonymous Coward · · Score: 0


    You forgot to mention that, under the right conditions, Windows 98 and ME should get C2 certification, also: When there is no power to the computer.

  106. Not quite by JediTrainer · · Score: 3, Funny

    More like:

    "Howard Schmidt, Microsoft's Chief Security Advisor"

    Sure, he gives advice. But nowhere did it say that they actually listen.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
  107. Paste PatentDead by Anonymous Coward · · Score: 0

    That's write, we've taken what matters into our owned hands. You can go ahead & copy all the media on the www, but in order to paste IT anywhere, you'll need to make arrangements with us. Talk about solving the ip problem? We've decided not to enforce our writes on household glue yet, but if you feel uncomfortable using our word (paste), you could just use the g word instead.

    Last few days to stake your claim to this descriptive web address. Includes a year's free hosting, in case you need somewhere to hang your hack, whilst the GNU millennium kicks .asp.

  108. Better job by uslinux.net · · Score: 2

    If they'd put him in charge of the IRS network security, maybe we could avoid paying any more taxes

  109. Actually, no... by Zone5 · · Score: 1

    It's not really like letting Hazelwood drive an oil tanker, it's more like letting him fly Air Force One, while there's an open bar and it's bikini day for the stewardesses.

    --
    "So on one hand, honey is an amazingly sophisticated and efficient food source. On the other hand it's bee backwash."
  110. both kinds of OS by drxyzzy · · Score: 1

    Clearly a move to put in place someone who can make our networks safe for all operating systems - W2K and XP, all over the world, from California to New York.

    Guess that little thing with the DoJ about monopolistic business practices is all water under the bridge now.

  111. Missing the point by Snowfox · · Score: 2

    The point of hiring him away from Microsoft was to make the nation's computers more secure as a whole. He'll sit in a small office somewhere and harass interns while Microsoft goes to the junior colleges to find a more capable replacement.

  112. Kiss your beloved Linux goodbye. by Anonymous Coward · · Score: 0

    The day is coming soon that it will be a federal felony to run, write or possess any software, firmware or hardware that is not government certified. Linux will be the first to be outlawed.

    1. Re:Kiss your beloved Linux goodbye. by ret · · Score: 1

      And is on its way there with some of the bills they're trying to push through congress... I can't remember which one in particular right now, but one actually WOULD make linux illegal, because it requires government certified "security measures" in the software, and linux, being open source, would allow you to get around them, making it illegal, to make a long story short... search old /. articles for more info as I'm too lazy to double check everything right now.
      --

    2. Re:Kiss your beloved Linux goodbye. by HiThere · · Score: 2

      SSSL. The first version apparently died (or was postponed).
      (Hollings/Stevens).

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  113. An example of how bad Microsoft can be: by Futurepower(tm) · · Score: 2


    In my post above, I was making the point that Microsoft is much worse than people realize. Here is a link to a Microsoft Knowledgebase article that eloquently makes that point: User Accounts That You Create During Setup Are Administrator Account Types (Q293834)

    This is not Windows 95 the article is discussing. It is Windows XP. Here is a cut-and-paste quote from that article:

    "After you install Windows XP, you have the option to create user accounts. If you create user accounts, by default, they will have an account type of Administrator with no password."

    Even someone who knows how bad Microsoft can be would likely not guess that Windows XP would be designed to be completely and utterly not secure by default. So, we will see a lot of stories about compromised Windows XP systems like this: Some poor guy was testing XP and set up an account to begin using it, and was rooted while he was still looking around.

    --
    Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence?

    --
    Bush's education improvements were
    1. Re:An example of how bad Microsoft can be: by Anonymous Coward · · Score: 0

      That sounds like Slackware 3.6 to me.

      A friend of mine installed and ran Slack. I had an account on the system and could log in from home if I received a recent email address from her to extract her IP addy from (she was on a dialup account). One day I tried to log in. My account appeared to be gone. I then remembered that she'd had to reinstall since the last time I had logged in. So I typed 'root' at the user: prompt. Wham! I was at the root prompt. Just like anybody, anywhere on the internet who had noticed her IP and system type would have been able to.

      So I created my account again, logged back in as myself and used the talk command to raise the issue of security with her.

      This was a fairly recent version of Slackware. 3.6 is less than two years old. Lots of the idiot-distros out there are probably still just as bad. And there are tons of people out there running versions of Linux they got out of the cover of a book. My brother in law just reinstalled Red Hat 5.1 for my nephew to fool around with (he was fuggin stubborn about it- I offered him a free copy of my slackware 8.0 CDs.)

    2. Re:An example of how bad Microsoft can be: by MrSpock · · Score: 1

      Check your facts. Windows XP will not authenticate network access attempts by accounts with blank passwords. Blank passwords only work on the console.

      Considering how many home users would be dumb enough to use blank passwords despite venomous warnings to the contrary, this is probably a good way to handle things.

  114. No, "C4 Certified" is correct by Anonymous Coward · · Score: 0

    C4 is an explosive and windows blows up all the time, so I think he's right. "C4" is the more appropriate term.

  115. So... by SPYvSPY · · Score: 1

    ...did you fix the cable, or what?

  116. Hi, Slashdot. You're biased and stupid! by Anonymous Coward · · Score: 0

    Typical of Slashdot to make such witty comments involving Microsoft. You lose, Slashdot.

  117. Check the facts by Anonymous Coward · · Score: 0

    So far the U.S. Government isn't doing so good with Linux and Apache. Here's an article about some recent hacks on US Gov sites using this software. hack
    If you look at the posts here you will see a lot of criticism and jokes but no real ideas, solutions, or answers. It's easy to sit in the backseat and knock everyone and everything but if anyone here thinks they can do a better job then why don't you all send in your resumes or volunteer time.

  118. Ah Ha by Anonymous Coward · · Score: 0


    the old "build a better mou$etrap" phlame. fauxking shills.

  119. Actually he's right. by Anonymous Coward · · Score: 0

    There's a fair amount of stuff by him on the web, mostly the usual Microsoft line of "it's all your fault, not ours".

    He's spot-on correct here. If you're such a dumbass to be using Microsoft stuff in the first place, then you get what you deserve. The security problem *is* your fault for making such a negligent decision for what software to run.

  120. I mean...c'mon... by Anonymous Coward · · Score: 0

    Yeah - and who do you blame for all the security issues in unix, linux, etc, over the years? With linux, being open, and with so much, by so many people, you can't even point a single finger...so, in a way, I guess distributed development = distributed blame for all security bugs found in linux, eh? Sheesh. Shit happens people, it always has, it always will, and every piece of software will always have some way of breaking it.

  121. It would be sensible to explain the issues. by Futurepower(tm) · · Score: 2


    It is interesting what you said.

    The presumption has been, however, that Unix/Linux would be used by very knowledgeable people. The presumption of Windows is that people with no experience with it will be using it.

    Even if Microsoft doesn't change the way Windows XP operates, it would be sensible to explain the issues carefully on-screen. Recent versions of Mandrake and RedHat do this during install, if I recall correctly.

    --
    Bush's education improvements were
    1. Re:It would be sensible to explain the issues. by mrseigen · · Score: 1

      Yes, but I don't think a company of Microsoft's stature (which is mostly funded by people not knowing/not caring about all the bugs) wants to have their dirty laundry aired during install. The XP install hung three times on my machine (ran out of space with 5gb free!), requiring a boot into DOS to wipe files each time.

  122. Re:Readers often don't have much experience with M by mrseigen · · Score: 1

    We have a problem on Slashdot that many people who read Slashdot don't work with Microsoft products enough to know how bad things really are.
    Hopefully, most of us have a small thing called a job, usually at a corporation running on a Microsoft-based foundation. I think we do know, and that's why we use something else at home (except for those of us who still need to keep a windows box around for games..).

  123. I'm getting sick of this sh... by rzbx · · Score: 0

    Stop the BS. MS is infiltrating into our government. That's it, the world is completely f... Bad enough as it is, with all the crap that already goes on. Now completely obvious crap is allowed, and no one is doing anything about it.

    --
    Question everything.
  124. half good or half bad advice? by freaker_TuC · · Score: 1

    I hope he gives better advice to the white house,
    looking at the bugs with multiplication factor 4 in Microsoft products ...

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
  125. Oh, so that is how it got started. by A_Non_Moose · · Score: 1

    From one poster: Notice in the 1998 interview that he denies that viruses in mail attachments are a problem.

    And from another: He was a security ADVISOR...

    He could have given Microsoft all the advice in the world and if they were too lazy to implement the appropriate security measures it's not his fault.


    To me this begs the question:
    "When he emailed his resume, I assume it was a Wurd Document with the subject 'I send you this file in order to have your advice' "

    --
    Have you read the moderator guidelines? Well, have you, PUNK? (and I want a Karma: Gnarly option)
  126. Do you even know what a C2 certification entails? by dave-fu · · Score: 3, Insightful

    Here's a starting point for you to consider: "The Orange Book C2 specification is for standalone, nondistributed computing environments and non-networked devices."
    There's no security without physical security and a floppy/CD attached to a computer giving you a workaround from the single pathflow of username/password login to an ACL-controlled environment fails the C2 spec by default. No one brags about Orange Book certifications because no one enforces it because it's freaking useless in every conceivable work environment. No network + no disk drives == no sneakernet == why bother?

    --
    Easy does it!
  127. Re:So you think the White House chose him at rando by Anonymous Coward · · Score: 0

    "I bet the guy will be working actively on methods to snoop on Windows "

    Did you forget to wear your aluminum foil beanie today?

  128. It's all a plot to break TCP/IP (only half joking) by winterspeak · · Score: 1

    :begin conspiracy theory

    A report on Cringely claims that the use of raw sockets in XP is just to make network security so bad that Microsoft needs to replace TCP/IP with its own, more secure protocol (part of .NET). This protocol will be part of its .NET secure architecture, which means no unsupported media types allowed (bye bye Quicktime and Real. Also, bye bye MP3 as Windows Media Player doesn't support that).
    http://www.pbs.org/cringely/pulpit/pulpit20010816.html

    Having a security guy in the White House means that the government will hear exactly why the problem is with TCP/IP and the only way to improve on the virus problem is to switch to the secure environment of .NET, which needs Microsoft transport protocols of course (more secure).

    :end conspiracy theory

  129. Who are you to talk of security? by Anonymous Coward · · Score: 0

    In all the years Microsoft has been around, and given the size of the company... We're only aware of one break-in to their corporate network.

    Yet even with that one break-in, no secrets were stolen, no source code, no pre-announcements of products, etc. At least not that we've been told, but then you'd think if this l33t hacker got this stuff it'd have been released, right?

    That's what a Security Officer is there to protect. The security and privacy of the internal infrastructure.

    On the other hand we have a bunch of kiddies whining about how Microsoft doesn't understand security. Some of these kiddies work for a company (VA Linux) who last year was hacked. Not by sneaking in, but because some moron used the root password in clear text in a telnet account. This resulted in a l33t hacker not just sniffing around but actually 0wning you. Modifying the websites at sourceforge, etc. to show this fact.

    Even then, they had no idea what damage had been done.

  130. Re:Readers often don't have much experience with M by Anonymous Coward · · Score: 0

    "The company is not worrying enough about the quality of its products, in my opinion. "

    Did this woman have the latest version of Outlook installed?

    If not, then what the fuck are you talking about?

    Microsoft *DOES* worry about the quality of its products, and it has *FIXED* many of those products. But we have whiners like you in the world who can't be bothered to take the time to learn about this, to install new versions, etc.

    What is it that you want?

    Do you want Microsoft to fix their products? They have.

    What else do you want? Maybe a new crack pipe for whatever it is you've been smoking?

  131. Misleading header. by Remote · · Score: 3, Insightful

    MS tools may not be the best, but once that's what the White House has got, then choosing this guy to advise on security seems to me to be a sound decision, no question about that. But I don't think this move has much to do with White House security at all.

    Now, call me paranoid if you wish, but when I read this piece of news I can't help but ask myself what is this individual really up to within the government structure. He's supposed to know MS security like very few people in the world. Wouldn't he be of great help for the Bureau in their desire to do funny stuff with everyone's machine? Or something along those lines? Reading the article we see that he's not going to do things like helping beef up the WH website security, he will be working with a taskforce that has many ramifications, chaired by Richard Clarke.

    From the article:

    Clarke was named last month to head a new White House Office of Cyberspace Security that is to focus on developing a plan for protecting the nation's critical infrastructure.

    That could mean a lot of things.

  132. Qualifications for a national govt. position by ctimes2 · · Score: 1

    You have to suck. And suck big time. For example:

    Federico Pena, former [Mayor, Governor?] of Colorado became Transportation Secretary of the US. How? Two bullets for his res:
    Once ran out of money to plow the roads, so he broke out pavement rollers... to "pack it down". Denver shut down for a couple of days while they tried to break up the 3 ft thick ice sheets.
    Second bullet: Stapleton International Airport. Need I say more?

    Ctimes2

    --
    My cube. My friend. My solace. My prison.
  133. Does he keep his M$ stock options? by ClarkEvans · · Score: 1

    Just wondering. Anyway, I bet he'll go back to work for Microsoft after the exploit.

  134. No Joke by jjohn · · Score: 2

    I actually shrieked out loud in terror when I read this headline. Good lord, I feel like I'm trapped in a bad Dilbert cartoon.

  135. A job? by Anonymous Coward · · Score: 0


    A job? Isn't that a place where you are expected to work? Ugh. I hate work.

  136. I've told her to be more careful next time. by Futurepower(tm) · · Score: 2


    Her only fault was not to install one of the many security updates. I've told her to be more careful next time.

    You seem to be confusing the two of us. She is an acquaintance who does not understand computers.

    If Microsoft cared sufficiently, this would not be a tough problem to solve. Just don't give Outlook Express so much power in the default install.

    --
    Bush's education improvements were
  137. Indelible Stain by llywrch · · Score: 2

    >> Hire someone from a company known for its inability to make secure software, and put him in charge of what his company
    >> always did poorly.
    >
    > Or, even better, people could check what in the hell they are talking about! But then again, this is Slashdot, no fact checking
    > [go2vanguard.com] required:

    [posts resume]

    Yet for many seasoned sysadmins concerned for security, having Microsoft on your resume is what a character in "Dilbert" once called an indelible stain on your resume: it is going to work against you, rather than for you. And you better be able to do some persuasive talking to explain why under your tenure MS failed to implement its own software in a secure manner.

    Geoff

    --
    I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
  138. Surfin' USA? by kko · · Score: 1

    Everybody's been hacking... hacking USA!

    --
    No, seriously, I just come here for the articles.
  139. Doesn't anyone here subscribe to bugtraq? by harlows_monkeys · · Score: 3, Interesting

    Uhm...free software has as many security problems as Windows. The difference is that Windows has 95% of the users, and so is a much bigger target.

  140. No! by Sax+Maniac · · Score: 2
    Isn't this is like putting Capt. Hazelwood in charge of an oil tanker?

    No, it would be like making Capt. Hazelwood the Secretary of Transportation.

    (Uh, he was in charge of an oil tanker.)

    --
    I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
  141. Physical security, not software security by itwerx · · Score: 1

    And MS campus security is half-way decent. Cameras everywhere, little radio-card-readers for everybody and it's all hooked up in one hardened, redundant (and isolated) network. They can pretty much catch anybody slipping in unauthorized and zero in on any MS employee.
    Thank goodness I don't work there any more, [shudder]. Though it was the management rather than the work environment that bothered me.

  142. MS has most security problems-so he should be fine by Anonymous Coward · · Score: 0

    Well, if you look at the security problems - most of them are from Microsoft so actually he may be useful. It is like hiring one of Taliban leaders to have better contact with Taliban. :)

  143. Microsoft backdoor coup.. by Anonymous Coward · · Score: 0

    WOW!

    This says it all, doesn't it?

    Here we have Microsoft being treated with kid gloves after a successful DOJ prosecution and now Howard Schmidt, Microsoft's Chief Security Advisor, is leaving MS to work as a security adviser for the White House.

    Microsoft has cut a deal with the Feds in exchange for backdoor access to domestic and foreign networks running the Microsoft Windows operating system.

    Imagine, every file and graphic being scrutinized by CIA analysts on nearly every desktop connected to the Internet. Even machines that only connect via conventional telephone lines could easily send text data without causing too much additional traffic.

    And if the system is cracked, all Microsoft has to do is wrap themselves in the flag and point to September 11!

    What an intelligence coup for law enforcement and US espionage agencies.

    You have to hand it to Chairman Bill and the Beast of Redmond, crime does pay!

    Just one guy's opinion.

    CD

    1. Re:Microsoft backdoor coup.. by theolein · · Score: 1

      Good thing that some governments in Europe are considering moving over to Linux.

  144. Security bug fixes for SQL Server.. by Weezul · · Score: 1

    ..reset the admin password. Now you know how stupid script kiddies get hundreds of thousands of CC#s.

    --
    The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
  145. Par for the course in DC by drix · · Score: 2
    This is funny because it reminds me of an essay I just read by Andrew Ferguson which is completely, entirely apropos to this story. I quote from his book:
    "My interest in [Bob] McNamara is intensified because he exemplifies a peculiar Washington phenomenon. In Washington people fail up. The city is exempt from the laws of professional gravity. No other city is so accommodating to failure, so friendly to the people who fail. Large awards await the bunglers and the bobblers, the has-beens and wannabees-who-never-could. Our present mayor, to cite an obvious example, destroyed the city's finances, smoked crack on TV, went to prison--and then got reelected ... Here's the Iran-Contra bungler, awarded a popular radio show for his work destroying the Reagan administration. Over there is the manager of the 1992 Bush campaign, mulling offers from candidates to work his magic again in 1996. And over here is the chief strategist for Jimmy Carter during the Iranian hostage crisis--why, he's the secretary of state!

    "McNamara is the spiritual father of them all. He is the architect of a career breathtaking in the scope of its screwups, a clockwork progression of failure and reward, error and advancement. Imagine a friend who comes to visit. The first night he cooks you dinner and sets fire to the kitchen. The next morning he accidentally electrocutes the cat. He blows his nose in the curtains and never flushes the toilet. He borrows your car and drives through the garage door, then spreads a rare infection to your kids. By the third day you make the decision: You ask him to move in with you.

    "This is the pattern of McNamara's career. At Ford Motors, in the late 1950s, he designed the sclerotic top-down management system that almost sank the American automobile industry; for good measure, he oversaw the production of the Edsel. Accordingly, JFK handed him the Pentagon. There McNamara got the idea for the Vietnam war--the Edsel of American foreign policy. So awed was the Washington establishment that it placed him at the head of the World Bank, in hopes that he might do for the international economy what he had done for the American military. And he did! Within ten years, he had doubled the amount of money loaned, and lost, to third world kleptocracies like Brazil and the Central African Empire. He was Midas in reverse. Wherever he draped his hand, industries wilted, economies collapsed, corpses piled up."

    Looks like Howard Schmidt is the Bob McNamara of our day!
    --

    I think there is a world market for maybe five personal web logs.
  146. Hanging-head-in-shame by CaptainZapp · · Score: 1
    You're right, of course. I noticed it myself after hitting submit.

    Nevertheless: My interpretation of the assessment was: As long as you don't touch it, it's C2.

    I didn't intend to spread fud, it was an honest (possibly Freudian ?) error.

    --
    ich bin der musikant

    mit taschenrechner in der hand

    kraftwerk

  147. Actually by CaptainZapp · · Score: 1

    I think the NT kernel was designed by very competent people (Dave Cutler et al). It probably was a good OS until M$ marketing laid their clutches upon it.

    --
    ich bin der musikant

    mit taschenrechner in der hand

    kraftwerk

  148. confusion over what is a "security officer" by Reziac · · Score: 1
    I don't know for sure which dept. this guy came from, but could be Our Readers are confusing software security with corporate security, a very different field that has literally nothing to do with whether M$'s record on software security sucks. But you don't hear of any physical breakins on the M$ campus, do you??

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  149. See my previous post... by Puk · · Score: 2

    At first, I thought, "eh". But then I remembered this post.

    -Puk

  150. Stop Blaming Capt Hazelwood by Anonymous Coward · · Score: 0

    Stop flaming Howard Schmidt, Microsoft's Chief Security Advisor. I think Microsoft and not Mr. Schmidt is the cause of security problems with Microsoft's software. And at least now he has lots of experience for his new job.

    As for Capt Hazelwood? Look to big oil companies in their wishes to save money. We still send oil-filled ships out into one of the world's most rough and storm-ridden seas of the world. We build single hull supertankers only to save money, these days many tankers are being built double-hulled for added safety. The oil companies have authority over the Anchorage Port Authority to send oil tankers out into storms. The Exxon Valdez left the port despite objections from the port authority. The oil companies have permission to employ 2nd, no 3rd, no less than 3rd mates to captain a supertanker. Steering a large vessel is difficult, it may take miles to slow down, look at the case of the ship that crashed into the dockside mall in New Orleans. The less experienced person who was steering, not Capt Hazelwood, steered the Exxon Valdez sideways to avoid the reef which was the worst thing to do. It was too late to do this maneuver and the tanker hit the reef on its side, doing the most damage. A more experienced captain might have kept her on course and possibly avoided the reef altogether. And what was this oil tanker doing amongst reefs? Apparently, it was advised by the Coast Guard, due to the intense weather conditions, to move to the oncoming shipping lane. By means of navigation possible at the time the tanker was thought to be in the oncoming shipping lane. It was not actually in the shipping lane, it was in an area of reefs in between. Things do improve, today GPS works very well and ships carry more sophisticated onboard navigation equipment with redundancy and at an expense to the shipping company to acquire, maintain and properly use this equipment -- I hope they're not running Windows! ;-)

    As for Capt Hazelwood, he was down below at the time before the visible sighting of the reef and wasn't called upon until it was too late. Later, the press reached him in an Anchorage bar, he was off duty and drinking which might account for the stories of his drunkenness. This, however, would well suit the PR for a certain oil company.

    And yes, I am an anonymous coward. I learn a lot from making mistakes. We are safe. We are not invulnerable.

  151. Lotus Notes at the White House ? by Dave21212 · · Score: 1



    I know for a fact that the United States CIA, NSA, (most)DOD and SSA all use Lotus Notes and I believe that the White House does as well. This is why they weren't hit by LoveBug or several other bad little email virus events when the rest of the online world (eg: Britain's Parliament) was.

    It would be interesting to see if they move from the security of Notes to something like Outlook now that a minion of the evil empire is in there.

    --
    "Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
  152. Microsoft is not handling their issues well. by Futurepower(tm) · · Score: 2


    In my opinion, you are missing the point. They could meet their own needs and the needs of the world at large at the same time, but seem unable to do so.

    --
    Bush's education improvements were
  153. what is really going on by ding_jlinx · · Score: 1

    this is nothing more or less than politics.


    congratulations guys, thanks to the DOJ's retarded anti-trust case against microsuck, the company now has lobbying offices in Washington. Whereas before, they didn't.


    Let me repeat this just in case no one got it the first time:

    THEY DID NOT HAVE ANY LOBBYING OFFICES IN WASHINGTON UNTIL THE DOJ ANTI-TRUST CRAP.

    get it? Now thanks to our idiocy, they will be paying off anyone with a hand out to help them push their crap on us. And to make it harder to promote linux ( like that security update thing I've been hearing about ), and they'll be working hand in hand with our new friends in office (both dems and repubs - Fritz Hollings was one of the bastards sponsoring the fascist new laws against free speech).


    Lest you folk regard this as paranoia, let me point out that after several major commission-based software companies donated money to the Honorable Sen. Patrick Moynihan, it became practically illegal to work as a freelance programmer. The rationale being that freelance programmers will write off personal expenses as business expenses. And yes, a bunch of guys have in fact gotten reamed in some IRS witchhunts.



    A lot of us warned everyone else about this - don't get the @#$#@ing government involved. But no, we had to be stupid, and now we will forever pay the price. Here's a tip - once the politicians get their grubby little hands into something, they NEVER let go. Expect to see a lot more government "help" and "regulations" designed to save us all from ourselves.


    What did you people think? Did you really believe that turning micro$oft into baby bells would make even the slightest bit of difference? Did it not occur to anyone that once congress has a precedent for screwing around with the biggest fish, that they'll then decide that the little fish (every other company in existence) is fair game?


    And please don't kid yourselves that this is about an evil republican administration. Every administration, especially the party-that-loves-to-regulate, will be holding out their hands, or pushing us down.


    Great going guys.
  154. Ahem... MS security 'experts' are excellent! by WowMan · · Score: 1

    The White House NEEDS a Micro$oft security expert in order to accomplish one specific goal:
    Absolve corporate responsibility for the failures of network security and instead install Government Thugs to enforce network security. The idea here is NOT to develop technology that thwarts miscreants, but instead rely on Society's Thugs to enforce fair play! Hey, the Government always NEEDS new growth and what could be better than to accomplish this by following Micro$oft's lead on security issues and rely on the CyberCops to clean up the mess.

    --
    oh....my!
  155. So what if North korea.... by theolein · · Score: 1

    drops a nuclear bomb on the US. Will the government pretend it didn't happen or accuse everybody who knew about it beforehand of trying to destabilize the country?

  156. Possibly by Mustang+Matt · · Score: 2

    Maybe he figured out that he would never work in the security industry again if he didn't get out of there quick.

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  157. Off-topic, but good reading. by Futurepower(tm) · · Score: 2


    Sometimes I love off-topic posts.

    --
    Bush's education improvements were
  158. F###head by theolein · · Score: 1

    Some pieces of software have more ways of being broken than others.

    Ahmen

  159. F### you too by theolein · · Score: 1

    Serves him right for using telnet. Now bugger off and go back to playing with yourself.

  160. Wrong. They're biased and you're stupid. by theolein · · Score: 1

    Twit

  161. I made a stupid in my pants by OwnedByTheMan · · Score: 1

    whoops... messy...

  162. You're right! by eshaft · · Score: 1

    Yeah, everyone has their flaws. I agree.

    But Outlook still sucks, they should still be sued for not making people aware of its vulnerabilities.

    But you're still right.

    --
    lf.o
  163. work experience by CelestialWizard · · Score: 1

    Not knowing much about his role at microsoft, or USAF, but he is the current president of the Information Systems Security Association (www.issa.org).

    The ISSA seems to be an interesting and informative organisation. Their monthly magazine has some good articles, but the advertising seems to be mainly interested in selling you products to secure your phone lines and phone systems, than your network, border routers, etc...

    Their meetings and presentations are definitely worth the yearly charge.

    Although I must say that his editorial is more waffle than real content.

    $0.02

  164. What a security officer does by phr1 · · Score: 3, Interesting

    I think /.'s criticism misses the point of what a corporate security officer does. This guy's job had nothing to do with bugs in Windows. Security officers are generally not programmers or techies. They don't know anything about elliptic curve encryption or SYN cookies.

    Most large companies have security officers. They usually come from a law enforcement or military background. When you see the title "security officer", think Lieutenant Worf, not Wesley Crusher. The security officer is usually in charge of physical plant security, of running background checks on incoming employees, making sure the guards at the parking lot entrance check the right ID's, etc. Their involvement with computers may reach as far as directing that the company firewall filter out incoming .exe email attachments, and that everyone's PC runs a daily virus scan.

    As far as I know, Microsoft didn't have serious problems of that nature, and that guy did perfectly well at his job. The pinhead marketroids who put all the vulnerabilities into Outlook were in a completely different jurisdiction, so to speak. So I don't have a problem with his going to work for the white house.

  165. He has some - Re:Job qualifications by Anonymous Coward · · Score: 0

    Here are his Job Qualifications:
    "It's the kind of high-level role Mr Schmidt knows well. Prior to joining Microsoft four years ago, he was director of the US Air Force office investigating computer crime and information warfare, and set up the government's first dedicated computer forensic lab. Before that he was with the FBI's National Drug Intelligence Center, heading its computer forensic team. In his younger days he even served in the elite SWAT team. Currently, he is the international president of the Information Systems Security Association, which has 54 chapters around the world, and sits on several security-related national and international committees."
    Source: http://business-times.asia1.com.sg/subcategory/0,2297,140000-140700,00.html
    Other related links:
    http://dev.issa.org/howardschmidt.htm
    http://www.washingtonpost.com/wp-srv/zforum/national/schmidt080598.htm
    http://www.pbs.org/wgbh/pages/frontline/shows/hackers/interviews/schmidt

  166. An attacker would have complete control... by Futurepower(tm) · · Score: 2


    "Windows XP will not authenticate network access attempts by accounts with blank passwords."

    The issue is whether an attacker from outside, who gains access to a computer because of some security hole, would have control over that computer. My understanding is that an attacker would have complete control if there were no password.

    --
    Bush's education improvements were