MS Chief Security Officer to work for White House

NerveGas writes "An Interesting People message reports that Howard Schmidt, Microsoft's Chief Security Advisor, will be leaving MS to work as a security adviser for the White House. With the track record that Microsoft has in the area of computer security, this strikes me as a very bad move." CD: you'd think people would examine the job someone did at thier previous job before offering them a new one. Isn't this is like putting Capt. Hazelwood in charge of an oil tanker?

responsibility

[vscjoe]

Was he responsible for all the holes in Microsoft code over the years?

As security advisor at Microsoft, his job presumably was to define policies that keep those holes from getting into the software and/or to keep Microsoft's sites secure. Microsoft's products are full of holes and their services have suffered major security compromises, so he can't have been very effective.

Since his new role will be similar in nature, it seems reasonable to suspect that he will be equally ineffective at defining national policies to protect our national security infrastructure.

/. home of the stupid anology

[Suppafly]

CD: you'd think people would examine the job someone did at thier previous job before offering them a new one. Isn't this is like putting Capt. Hazelwood in charge of an oil tanker?

First off, being the white house I'm sure they throughly examined everything about him.. I had a friend apply for a fairly low position with the DoD and they interviewed his friends and family as well as giving him a lie detector test.

Secondly, this is hardly compareable to the Exxon Valdez thing..

Third who are you to say he did a bad job at MS?
Other then just taking at cheap shot as MS, you have no info about his job performance or even what he specifically did while working at "The Great Evil"

Maybe its just me, or maybe theres a reason you dont see chrisd listed in the hof anywhere..

Re:It's all part of the same kind of thinking.

[b0r1s]

Hire someone from a company known for its inability to make secure software, and put him in charge of what his company always did poorly.


Who would you prefer?

1. Someone from openssh, which just released a new version to correct a remote exploit?
2. A linux hacker who cant figure out how to handle syn cookies?
3. Someone from lotus, who cant protect their documents
4. A webalizer coder who cant remember to filter out cross site scripting?
5. Maybe an IBM coder?
6. Cisco is flawless, right? nope
7. Redhat must be perfect, they make linux! oh wait
8. SGI/IRIX is flawless, they never have security proble... oh, nevermind
9. How about a linux kernel hacker, they sure must be perfect! They'd never allow a root exploit into a stable kernel!

Getting the point yet? Everyone has holes. Everyone releases patches. It just happens that microsoft designs their code for ease of use, and because of that there happen to be a lot of unqualified microsoft admins. This isnt a MS problem. This is a side effect of their popularity.

You're missing the point, as well as OpenBSD

I think you're missing the point. Microsoft consistently releases buggy software and they publicly admit that yes, the UI experience comes before security. Sorry, but that's not for me. In addition, you've forgotten to list OpenBSD. Four years without remote hole in default install.

Readers often don't have much experience with MS.

[Futurepower(tm)]

1. unauthorized user can autheticate.
2. denial-of-service attack
3. unauthorized user can read files
4. Inject HTML tags into the generated reports.
5. gain root access.
6. denial-of-service attack
7. execute arbitrary code when accessing RPM from untrustworthy source.
8. denial-of-service attack
9. gain root access

Every one of 1 through 9 above are stories about people who made mistakes.

The security problems in Microsoft products, are, in my opinion, not mistakes. They are the result of policies: 1) Only money matters. If you can make more money by being sloppy, then do it. 2) Release software with lots of known shortcomings so that people will want to pay for upgrades later. 3) Relate to your employees by pushing them.

Items 2, 3, 4, 6, and 8, more than half of those you mentioned, do not allow destruction to the system itself. One or more Microsoft security bugs that allow destruction to the system are announced on the average of every month, if I recall correctly.

I am not anti-Microsoft. I am more pro-Microsoft than Bill Gates. Microsoft is a company that has $30,000,000,000 dollars in the bank, instead of being used to clear up the problems in their products.

Today I spent about an hour of my Sunday helping a woman in Brazil clear her computer of the Badtrans worm. Billions of dollars are being wasted by very serious Microsoft bugs. The company is not worrying enough about the quality of its products, in my opinion.

I installed a security bug fix supplied by Microsoft to Internet Explorer on someone's computer last week, and the security bug fix put all the network settings back to least security. This has been going on for years. Microsoft knows this happens. It is a result of policy, not mistake. Why they do that, I don't know. Maybe it has been dictated by the U.S. government that Microsoft will make their systems insecure.

We have a problem on Slashdot that many people who read Slashdot don't work with Microsoft products enough to know how bad things really are.

Re:It's all part of the same kind of thinking.

[Floris]

Nice argument, but let's not forget microsoft themselves have been compromised multiple times over the course of the last few months:

1) Remember that incident where someone inside microsoft got hit by a macro virus that allowed remote (apparently russian) script kiddies to access their internal network?

2) How code red hit www.microsoft.com and hotmail?

3) Same thing happened with nimda.

3) there were more but this was off the top of my head.

Of course, bad programming practices happen everywhere but this could be accounted to a) running unpatched boxes and b) microsoft employees opening infected attachments. Both of which were his direct responsibility to prevent.

A side effect of popularity?

[erroneus]

First, I'd like to comment that I'm posting this using AT&T Broadband... They didn't pay me to say this, but I expected to be net-less for a week, so I'm happy.

Second, MS's infmaous security record doesn't stem from "mishaps." It stems from their insistance on a very flawed set of models. "Drivers at Ring-0" and all that. Among the more popular flaws is in their VBA/VBS integration. Bad enough that These languages have access to the whole machine indescriminantly, but docments from untrusted sources now have access to your whole machine? How many times has this happened? It's not something that requires a patch, it requires a rewrite or complete removal as a feature.

Javascripting? Why are so many MSIE flaws handled best by disabling client-side scripting? Think about it -- same problem.

How about their insistance on installing "everything, even if you don't need it?" How many "Nimda" hosts are out there on machines where the owner didn't even know IIS was there? My brother said it best when he said that it was the equivalant of shipping a loaded pistol. It's not dangerous if you know how to use it and if you knew it was loaded, but then again anyone with a finger thinks they can handle a gun... ring true enough?

It's not that the company's popularity makes a common problem seem worse, it's the company's problem of prioritizing "cool stuff" over "secure stuff."