Slashdot Mirror


MS Chief Security Officer to work for White House

NerveGas writes "An Interesting People message reports that Howard Schmidt, Microsoft's Chief Security Advisor, will be leaving MS to work as a security adviser for the White House. With the track record that Microsoft has in the area of computer security, this strikes me as a very bad move." CD: you'd think people would examine the job someone did at their previous job before offering them a new one. Isn't this like putting Capt. Hazelwood in charge of an oil tanker?

14 of 355 comments

  1. So you think the White House chose him at random? by Rosco P. Coltrane · · Score: 5, Interesting
    I submit that Schmidt is in fact very very well placed to know about most if not all vulnerabilities and (possibly) backdoors in Micro$oft products. I bet the guy will be working actively on methods to snoop on Windows users, extract their data and install trojans in their systems (Magic Lantern anyone?).

    Here's a guy who was working for the largest software monopoly in history and now works as security honcho for the most powerful government in history, with people like Ashcroft in it. Makes my nose bleed just thinking about it. The more I see what's happening in Micro$oft's giant sphere of influence, the more I'm glad to be a Linux user, that's for damn sure.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  2. What type of work? by pjbass · · Score: 2, Interesting

    So it's easy to flame this guy because of working for the Evil Empire and having been related to things like Code Red and Nimda. But what is his real function going to be? Sure, the article mentions he will be on the cyber-security team for Pentagon global network security, but that is a really broad statement. Is he going to be in charge of firewalls, access lists, high-level network security checks, or making sure that each government employee's Outlook doesn't flood the Pentagon's network (sorry, had to insert a flame...)? I think it would be interesting to find what his specific function is, then allow the flames to burn.

  3. pretty unfortunate by vscjoe · · Score: 3, Interesting
    Well, maybe he quit Microsoft in disgust and is trying to do the right thing: push for open source, peer-reviewed, secure systems. But, more likely, he has been imbued with Microsoft corporate policy, still has a financial and personal interest in the company, and has never known another way of doing things besides the Microsoft way.

    If the latter is the case, there is a good chance that this guy will follow the easy and obvious (to laymen) path and push Windows. After all, NT was created by someone with decades of experience and it is 'C4' certified (or whatever). It has zillions of security features, even more so than VMS, so how could it not be secure? And it is used by some of the most security conscious companies in the world. And what's good for Microsoft is good for America anyway. At least those will be the arguments that will likely be heard around the White House when issues arise about what software infrastructure the armed services and US government should use.

    This will be followed by calls for keeping source code for critical infrastructure under wraps, "like Microsoft is already doing", because "we don't want to give the terrorists the blueprints to our advanced technology". He'll probably preach the Microsoft mantra that open source is dangerous, unsafe, and un-American. And he'll likely conflate "security" RIAA style (fair use hijacking) with national security and point to how badly the RIAA and MPAA have been "hurt" by "security problems" resulting from "open source hackers" and how Microsoft, in contrast, keeps content "secure" and protects copyright holders' rights.

    Altogether, this appointment is likely going to hurt open source efforts, as well as national information security.

  4. Re:responsibility by Anonymous Coward · · Score: 5, Interesting

    I don't think there's any way to know how effective he is as an individual without reading his resume, interviewing him, and talking to a number of his associates. This is something which the government has most likely done, whereas most Slashdot readers simply read the word "Microsoft" and conclude that the man is incompetent, evil, or both.

    In a company that large, there will be both fuck-ups and genuinely good workers. I know some extremely talented people working at Microsoft. I also know some losers there. I don't know which side of things this guy is on, but you have to figure that only a few companies have people with enough experience with huge, varied networks to take on this role for the federal government. And Microsoft is very likely to be one of them.

  5. Corporate security != electronic security by Xeger · · Score: 3, Interesting

    I haven't done any digging yet, but it is my assumption that as head of security he will be in charge of physical security policy at Microsoft installations: who has access to which rooms, and at what times of day. How many cameras to put in the bathroom stalls. How many parabolic surveillance microphones to hide in the trees. How many pits full of punji stakes, vipers and bear traps to place around the Redmond campus.

    In other words, Big Brother stuff. Spook stuff.

    That is what a chief security officer does in the traditional corporate environment. He will have an underling (or several) who handle electronic security for him. If he knows what's good for him he'll realize that he shouldn't try and play a game he knows nothing about, and he'll let his underlings have free rein.

    Not that it will do any good, of course. As long as Microsoft uses its own software, it will always be vulnerable to the same exploits with which it burdens the rest of the world.

  6. It's all part of the same kind of thinking. by Futurepower(tm) · · Score: 5, Interesting
    "CD: You'd think people would examine what someone did at his previous job before offering him a new one." [Corrections to grammar and spelling added.]

    It's all part of the same kind of thinking. Bomb Afghanistan to save it. (I'm talking about the first bombing by the U.S. government [1983], not the second and third.)

    Hire someone from a company known for its inability to make secure software, and put him in charge of what his company always did poorly.

    But, of course, maybe he is not really leaving Microsoft, but just working with a government that doesn't believe in privacy to assure that Microsoft software will always be compromised by the government.

    Look on the bright side. With Microsoft in the White House, no one who truly wants software security will be running Microsoft products.

    --
    Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence?

    --
    Bush's education improvements were
    1. Re:It's all part of the same kind of thinking. by Anonymous Coward · · Score: 1, Interesting

      Perhaps you're confused on the concepts of oversights and inability. I can tell by your post you're confused on Linux, which RedHat doesn't make btw, but that's another class.

      We are talking the difference between a multi-billion-dollar organization that doesn't just have a few glitches, but millions of lines of poorly written code that lead to exploits that make little script kiddies jizz their shorts.

      By your justification, if you were running a soup kitchen and you had 1 person that was on payroll, you paid them every week for their services, and you had 4 other people who were volunteering. The one person you're paying never seems to do anything right. They are always half-assing everything you ask them to do. Very rarely do they get it right the first time. Then you have the 4 people who are volunteering their time who occasionally have issues and don't get it right. But they are self starters who don't always wait to be told and sometimes they just surprise you with what they have done.

      Now your ass would fire the 4 volunteers and keep the idiot on payroll wouldn't you. Hell you might be that idiot.

      BTW, most people are asking the right question: what are his qualifications? "He worked at Microsoft as head of security" doesn't say much. Defending MS here shows you really don't understand what the underlying conundrum is. Also I gotta ask, do you work for MS? Cause the releasing-a-patch thing is sorta for the birds. Commercial products shouldn't be works in progress.

  7. Re:huh? by Anonymous Coward · · Score: 1, Interesting

    Yeah, 8 years of experience letting Osama bin Laden blow up whatever he wanted. 8 years of experience passing the DMCA.

    Gore's pretty much publicly agreed with everything Bush has done about 9/11 so far, so Gore voters don't have much room to complain that their guy would do any better.

  8. C2 Certification by CaptainZapp · · Score: 3, Interesting
    NT was created by someone with decades of experience and it is 'C4' certified

    To the best of my knowledge, NT got a C2 certification umpteen years ago. But (and I'm not making this up), it only achieved C2 when the disk drive was removed and the machine was not attached to any network.

    I don't think Microsoft has attempted to brag about Orange Book certification since then.

    --
    I am the musician

    with a pocket calculator in my hand

    Kraftwerk

  9. Use ya head! by Boiling_point_ · · Score: 2, Interesting

    Your president and government realise how dependent their economy is on M$ products. Of course, they can't just ask Microsoft what the terrorist-exploitable holes in the code are, because the company is big enough to hang on to their corp. secrets from even the US government.

    So they employ the guy and put him in a safehouse where they can have a long chat, and Dubya gets a clearer picture of what he's up against.

    --
    "If you create user accounts, by default, they will have an account type of Administrator with no password." KB Q293834

  10. The Problem With Microsoft by Greyfox · · Score: 5, Interesting
    Microsoft has always put user friendliness first. User friendliness and security are usually directly at odds with each other. For instance, if I go over to /boot and try to rm bzImage, Linux won't let me do that (Unless I'm running as root, but we all know you should never run as root, right?) That's not very user friendly. It's my computer after all. Why shouldn't I be allowed to delete any file on the system? Well, we all know why.

    Microsoft's product line evolved from a single user application. Programmers on their product line are still in the mentality that if you're sitting at the console, their programs have sole access to the full resources of the computer. How many Windows application installs demand that you close down all other programs and reboot the system when you're done? How many of them actually need you to do that? How many times has some Windows program opened a modal dialog (Which in the historical past prevents the program from being minimized until you acknowledge the dialog) or worse, a system dialog? When was the last time you saw one on Linux? Completely different programmer mentality.

    Sure Microsoft's been kludging user support into Windows for a while now, but they don't enforce its use. It'd take too long for them to explain to every user out there why they should have to log out and log in as the administrator in order to install that new game or those scanner drivers. Most Windows users are perpetually stuck in the running-as-root mode, despite years of sysadmin experience that dictates that you should never run as root. And Microsoft will never force them to create a user and use it because that would make them a little less user friendly and a little more like UNIX, and that's not the direction they've taken.

    BTW: Most Linux dists don't force you to create and use a user ID either, and it's a very common thing to see newbies running as root. They usually stop after the first or second time they manage to trash their entire damn filesystem. And you can never just tell them "Don't run as root -- 30 years of UNIX sysadmin experience can't be wrong!" They seem to have to learn by hard experience.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
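The "Linux won't let me rm bzImage unless I'm root" point in the post above comes down to the discretionary access check the kernel makes on unlink. The following is an added illustration, not code from the post or from any kernel: a simplified model of the POSIX unlink permission rule (write plus search permission on the containing directory, the sticky-bit ownership rule, and the root bypass), run against a constructed /boot and /tmp.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    """Constructed stand-in for a file's or directory's owner, group and st_mode bits."""
    uid: int
    gid: int
    mode: int


def _has(inode: Inode, uid: int, gids: frozenset, owner_bit: int, group_bit: int, other_bit: int) -> bool:
    # Classic owner / group / other class selection: the first matching class decides.
    if inode.uid == uid:
        return bool(inode.mode & owner_bit)
    if inode.gid in gids:
        return bool(inode.mode & group_bit)
    return bool(inode.mode & other_bit)


def may_unlink(parent: Inode, target: Inode, uid: int, gids: frozenset) -> bool:
    """Simplified model (an assumption, not kernel code) of the DAC check for unlink(2).

    uid 0 bypasses DAC, which on Linux is what CAP_DAC_OVERRIDE grants root.
    Anyone else needs write and search (execute) permission on the directory; if the
    directory has the sticky bit, they must additionally own the file or the directory.
    """
    if uid == 0:
        return True
    can_write = _has(parent, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
    can_search = _has(parent, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)
    if not (can_write and can_search):
        return False
    if parent.mode & stat.S_ISVTX:
        return uid in (target.uid, parent.uid)
    return True


# Constructed sample filesystem: /boot is root-owned 0755, /tmp is the usual 1777.
BOOT = Inode(uid=0, gid=0, mode=stat.S_IFDIR | 0o755)
BZIMAGE = Inode(uid=0, gid=0, mode=stat.S_IFREG | 0o644)
TMP = Inode(uid=0, gid=0, mode=stat.S_IFDIR | 0o1777)
ALICE_TMP_FILE = Inode(uid=1000, gid=1000, mode=stat.S_IFREG | 0o644)
BOB_TMP_FILE = Inode(uid=1001, gid=1001, mode=stat.S_IFREG | 0o644)


def demo() -> dict:
    alice, alice_groups = 1000, frozenset({1000})
    return {
        "alice_rm_bzImage": may_unlink(BOOT, BZIMAGE, alice, alice_groups),      # False
        "root_rm_bzImage": may_unlink(BOOT, BZIMAGE, 0, frozenset({0})),          # True
        "alice_rm_own_tmp": may_unlink(TMP, ALICE_TMP_FILE, alice, alice_groups), # True
        "alice_rm_bobs_tmp": may_unlink(TMP, BOB_TMP_FILE, alice, alice_groups),  # False
    }
```

The /tmp cases show why the sticky bit matters for world-writable directories: write permission on the directory alone would otherwise let any user delete anyone else's files.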

  11. Re:Huh? by bribecka · · Score: 4, Interesting

    I don't know what this guy's job was, but I don't think he had the responsibility of making all the software secure.

    First off, not to single you out, but this is so friggin typical of slashdot. Everyone (including chrisd from ./) is posting all this stuff, taking their shots, and not having a clue who the guy is and what he does. Second, it is pretty damn irresponsible of slashdot to post an article based off a message on a mailing list.

    Finally, apparently this guy knows his shit. From this PBS interview:

    He is Chief of Information Security for the Microsoft Corporation. Prior to this he was a Supervisory Special Agent, Director of the Air Force Office of Special Investigations, Computer Forensic Lab and Computer Crime and Information Warfare.

    Now, does it seem like a mistake to hire him? After all, he is *leaving* MSFT to go back to the government. Enjoy your crow, everyone!

    --

    Where are we going and why am I in this handbasket?

  12. Doesn't anyone here subscribe to bugtraq? by harlows_monkeys · · Score: 3, Interesting

    Uhm...free software has as many security problems as Windows. The difference is that Windows has 95% of the users, and so is a much bigger target.

  13. What a security officer does by phr1 · · Score: 3, Interesting

    I think /.'s criticism misses the point of what a corporate security officer does. This guy's job had nothing to do with bugs in Windows. Security officers are generally not programmers or techies. They don't know anything about elliptic curve encryption or SYN cookies.

    Most large companies have security officers. They usually come from a law enforcement or military background. When you see the title "security officer", think Lieutenant Worf, not Wesley Crusher. The security officer is usually in charge of physical plant security, of running background checks on incoming employees, making sure the guards at the parking lot entrance check the right IDs, etc. Their involvement with computers may reach as far as directing that the company firewall filter out incoming .exe email attachments, and that everyone's PC runs a daily virus scan.

    As far as I know, Microsoft didn't have serious problems of that nature, and that guy did perfectly well at his job. The pinhead marketroids who put all the vulnerabilities into Outlook were in a completely different jurisdiction, so to speak. So I don't have a problem with his going to work for the White House.