Slashdot Mirror
MS Chief Security Officer to work for White House
NerveGas writes "An Interesting People message reports that Howard Schmidt, Microsoft's Chief Security Advisor, will be leaving MS to work as a security adviser for the White House. With the track record that Microsoft has in the area of computer security, this strikes me as a very bad move." CD: you'd think people would examine the job someone did at thier previous job before offering them a new one. Isn't this is like putting Capt. Hazelwood in charge of an oil tanker?
you'd think people would examine the job someone did at thier previous job before offering them a new one.
What you mean like the job GW did in Texas? This guy should fit right in.
Cat, the other, tastier white meat.
than one of the people involved in allowing the very exploits you want to exploit to exist in the first place?
;)
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Was he responsible for all the holes in Microsoft code over the years? No? But you're going to hold him to that because... Or was that just another random MS flame? How do you figure you know anything about what this guy can or cannot do?
"If he thinks he can hide and run from the United States and our allies, he's sorely mistaken." Bush on bin Laden
I know how we all love to flame Microsoft, but if the guy was the head of MS Security, odds are he was an executive who never wrote a line of code.
He's guaranteed not to have anything to do with holes in MS products.
A better thing to look at would be how often was Microsoft's network hacked.
No one would think a kligon would make a good ship's counseler, and I don't think that an android would make a very good captain.
--Nuintari
slashdot : where an opinion can be wrong.
Here's a guy who was working for the largest software monopoly in history and now works as security honcho for the most powerful government in history, with people like Ashcroft in it. Makes my nose bleed just thinking about it. The more I see what's happening in Micro$oft's giant sphere of influence, the more I'm glad to be a Linux user, that's for damn sure.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Boffoonery - downloadable Comedy Benefit for Bletchley Park
So it's easy to flame this guy because of working for the Evil Empire and have been related to things like Code Red and Nimda. But what is his real function going to be? Sure, the article mentions he will be on the cyber-security team for Pentagon global network security, but that is a really broad statement. Is he going to be in charge of firewalls, access lists, high-level network security checks, or making sure that each government employee's Outlook doesn't flood the Pentagon's network (sorry, had to insert a flame...)? I think it would be interesting to find what his specific function is, then allow the flames to burn.
Here is some info on Schmidt at microsoft.com. Looks like he has an admin-level job rather than a software engineering job. So I wouldn't blame him for how poorly coded Microsoft products are. He's involved with best practices on setting things up securely, not watching over programers making sure there's no buffer overruns in the code. Although administration and programming must overlap when it comes to real security there's only so much you can do if you're not deeply involved with the code.
No, Thursday's out. How about never - is never good for you?
I think the guy was not in charge of MS security in terms of software development, but IT infrastructure. And in that case it was a really good find. This guy managed fort Microsoft and MS knew how to keep its internal network in pretty good shape... Even with all of the gadgets and VPN's that they have.
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
Given how badly the government did on its last security evaluation they are hiring the company with about the worse security track record ever to help them? Isn't this like the blind leading the blind? Well I guess this gives a good indication as to what kind of "penalty" MS will get from the trial since it looks like they have managed to buy off the current administration.
;)
This just seems like one of the most phenomenolly stupid ideas the government could make with respect to computers though given the current adminstration I am sure they could figure out some way to outdo themselves. Though I really don't want to see what they do to outdo themselves.
Hmm I heard Mars is nice this time of year
Computer modeling for biotech drug manufacturing is HARD!
If the latter is the case, there is a good chance that this guy will follow the easy and obvious (to laymen) path and push Windows. After all, NT was created by someone with decades of experience and it is 'C4' certified (or whatever). It has zillions of security features, even more so than VMS, so how could it not be secure? And it is used by some of the most security conscious companies in the world. And what's good for Microsoft is good for America anyway. At least those will be the arguments that will likely be heard around the White House when issues about what software infrastructure the armed services and US government should use.
This will be followed by calls for keeping source code for criticial infrastructure under wraps, "like Microsoft is already doing", because "we don't want to give the terrorists the blueprints to our advanced technology". He'll probably preach the Microsoft mantra that open source is dangerous, unsafe, and un-American. And he'll likely conflate "security" RIAA style (fair use hijacking) with national security and point to how badly the RIAA and MPAA has been "hurt" by "security problems" resulting from "open source hackers" and how Microsoft, in contrast, keeps content "secure" and protects copyright holder's rights.
Altogether, this appointment is likely going to hurt open source efforts, as well as national information security.
Notice in the 1998 interview that he denies that viruses in mail attachments are a problem.
He was a security ADVISOR...
He could have given Microsoft all the advice in the world and if they were too lazy to implement the appropriate security measures it's not his fault.
Maybe the position at the government was his oppourtunity to get to a better place that would actually listen to him.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
As security advisor at Microsoft, his job presumably was to define policies that keep those holes from getting into the software and/or to keep Microsoft's sites secure. Microsoft's products are full of holes and their services have suffered major security compromises, so he can't have been very effective.
Since his new role will be similar in nature, it seems reasonable to suspect that he will be equally ineffective at defining national policies to protect our national security infrastructure.
Actually, no. Captain Hazelwood was drunk at the wheel before the accident. Apparently he was a fine captain when sober. Microsoft has bad security whether or not you consider them to be drunk.
Oh, and for those that claim that this guy isn't responsible for the holes in Microsoft software, and that thus this guy is actually pretty good at his job of protecting MS's network: You're half right. He DOESN'T have anything to do with the Microsoft software security holes. However, he was the one in charge of protecting Microsoft's network during the incident six months to a year ago when a hacker group hacked into Microsoft's network, completely 0wning the whole thing, and Microsoft didn't find out about it until the group had already been making regular visits to the network for three months, downloading the majority of the network (possibly the entire thing, I don't think anyone's really sure) during that time. And while some may wave that off as "one intrusion in X amount of time", remember that these guys got in and then kept making REGULAR VISITS to the Microsoft network without anyone noticing for three months. So while only one group managed to do it, it sounds like they managed to keep doing it on an almost daily basis. That makes for a pretty bad security record, and it would've been a huge fucking disaster if this had been done during the upcoming era of widespread .NET and Passport services, or only a "somewhat large fucking disaster" during the current era of consumer and business consumer information being regularly logged through XP's activation madness.
I guess this proves that from now on, the government will be too busy looking at our computers to even take a passing glance at the situation of their own.
I haven't done any digging yet, but it is my assumption that as head of security he will be in charge of physical security policy at Microsoft installations: who has access to which rooms, and at what times of day. How many cameras to put in the bathroom stalls. How many parabolic surveilance microphones to hide in the trees. How many pits full of punji stakes, vipers and bear traps to place around the Redmond campus.
In other words, Big Brother stuff. Spook stuff.
That is what a chief security officer does in the traditional corporate environment. He will have an underling (or several) who handle electronic security for him. If he knows what's good for him he'll realize that he shouldn't try and play a game he knows nothing about, and he'll let his underlings have free reign.
Not that it will do any good, of course. As long as Microsoft uses its own software, it will always be vulnerable to the same exploits with which it burdens the rest of the world.
Among other things, the EULA at passport.com/Consumer/PrivacyPolicy.asp?lc=1033.NE T says: Passport will disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to... Act under exigent circumstances to protect the personal safety of users of Microsoft, the .NET Passport Web Site, or the public.
.Net servers could be sifted and profiled in many fascinating ways by the intelligence community.
How interestingly broad, given that in light of recent terrorist activities any "exigent circumstances" could be said to be met as a matter of course. And there is no doubt that all the information that's bound to be stored on
Kinda makes you wonder how it all fits together, given the walk Microsoft got on the anti-trust case.
First off, being the white house I'm sure they throughly examined everything about him.. I had a friend apply for a fairly low position with the DoD and they interviewed his friends and family as well as giving him a lie detector test.
Secondly, this is hardly compareable to the Exxon Valdez thing..
Third who are you to say he did a bad job at MS?
Other then just taking at cheap shot as MS, you have no info about his job performance or even what he specifically did while working at "The Great Evil"
Maybe its just me, or maybe theres a reason you dont see chrisd listed in the hof anywhere..
"CD: You'd think people would examine what someone did at his previous job before offering him a new one." [Corrections to grammar and spelling added.]
It's all part of the same kind of thinking. Bomb Afghanistan to save it. (I'm talking about the first bombing by the U.S. government [1983], not the second and third.)
Hire someone from a company known for its inability to make secure software, and put him in charge of what his company always did poorly.
But, of course, maybe he is not really leaving Microsoft, but just working with a government that doesn't believe in privacy to assure that Microsoft software will always be compromised by the government.
Look on the bright side. With Microsoft in the White House, no one who truly wants software security will be running Microsoft products.
--
Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence?
Bush's education improvements were
hahahahahhahahahahaha!!!
Seriously though, this is rather ominous.
Take MS's awesome track record and keep it in mind, this isn't going to be a MS flame on their fucked security though. He was an advisor, which meant people didn't necessairly listen to him.
Now, we all know that the new guy will be completely impartial? Right?
Bullshit, not only does the DOJ let MS go damn near scott free, but now the white house appoints a former employee to tell them how to work security.
Great, name him "Director of Computer Honesty" too, rename the DOJ to "The Ministry of Peace" to keep with the theme (or was it truth, it's been a while since I read the book).
You know, this might not be that bad - if sysadmins can't patch their servers because the government doesn't allow publication of exploits, it will make hackers / skript kiddies jobs easier. It will escalate to a point where there will be so much bullshit, that sysadmins will all just post their shit anyways, consequences be damned - or just host exploits in Rwanda, Iraq, or some other nation.
This is not to say that his experience will be a total fuckup - he does have a few interesting ideas, and I think that he realizes that what is under his control can never be broken into, which is nice (a realist, instead of some bitch from marketing).
His administration will be a mix of good and bad things, though his support of ammending the freedom of information act certainly makes my worried.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
I suppose we can hope for the best. We know this guy wasn't responsible for the code itself, but rather M$'s IT infrastructure. And Microsoft's has been pretty good at not being hacked, (or at least having their websites defaced) Although one intrusion did take place (and it was major)
Aside from that, though, what bothers me is the security ideology espoused by Microsoft (and as others mentioned, this guy), the whole 'security-through-obscurity' thing. These people seem to think that building software is like building a house, it can't really be secure, just tight enough so that you don't have to worry, but we know that isn't the case. I mean, Microsoft is a successful company, but they're security is just crap. And when they're called on it they blame others. This is not the kind of attitude that we need to manage a secure government system. I mean we can't just send the FBI in to confiscate the computers of 'suspected' hackers if they're funded by another country.
Bleh, this government sucks. 9/11 has just made them more paranoid and retarded.
autopr0n is like, down and stuff.
What does have a person in charge of internal IT infrastructure have to do with security holes in IIS and Outlook?
Ultimately, he's one of the people that dictates where they will draw their balance between cost and security. Sure, they could spend time and money educating their programmers about security concepts, and sure, they could spend a lot of time and money doing code reviews - but do they? Only a little. And he's one of the people that make those decisions.
Is that who you want handling national security policies? "Well, yeah, there's a pretty big hole there, but we don't think that most people will find out about it, especially if we don't tell them about it."
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
/. will no longer be regarded as an major anti-MS. Now they will also call us anti-Government!
Wait a minute...
I heard he's going to be in charge of the MS Supreme Court 2002 installation. And there are also rumors of a switch to MS Advanced Senate. Unfortunately, the upgrade to MS President Express has been postponed because it kept dying.
Need Free Juniper/NetScreen Support? JuniperForum
Likewise, it is not a security advisor's job to fix security issues. It is his job to advise people on ways of preventing security problems. Just like a QA tester, he has no control over whether people actually heed his advice.
that we won't have to go on tours to see the whitehouse anymore?
... the backdoor's open
... it is a secure facility
... ok
tourist> yay
tourist> common guys lets go
security officer> um sir please don't tell too many people about this
tourist> er
*walks inside*
**AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
To the best of my knowledge, NT got a C2 certification umpteen years ago. But (and I'm not making this up), It only achieved C2 when the disk drive was removed and the machine was not attached to any network
I don't think Microsoft attempted to brag about orange book certification since then.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
While this may seem a strange move, it is a case of Security Through Obscurity ;)
Any technology distinguishable from magic, is insufficiently advanced.
I think you're missing the point. Microsoft consistently releases buggy software and they publicly admit that yes, the UI experience comes before security. Sorry, but that's not for me. In addition, you've forgotten to list OpenBSD. Four years without remote hole in default install.
yes, it's the typical /. behaviour when it comes comes down to jobs/functions/code/etc from/by/at microsoft.
This kind of bashing is definitely not ok. You know NOTHING about this guy, I'm sure he is VERY high qualified and he is not to blame for the philosophy of a company.
Hey chrisd, do you have any idea which education you must have to become a Chief Security Advisor at Microsoft? Do you?
Demonizing Microsoft, that is what the script kiddies, crackers, etc do. It should not be commited by a sane, open minded community.
For example I know a guy who teaches ppl how to pass the mcse certificates. I once asked him why he is doing this microsoft stuff. He told me that he no fan of Microsoft itself as a company, but it's good money, a nice job.
In his free time he is a sun/java developer and truly fan of linux.
Maybe we shouldn't categorize people because of their jobs. And believe me, Mr. Schmidt knows more OS than win98...
Saying "w1nd0wz sux0rZ, h4X0r1ng m$ r00lez" is just embarassing...
1. unauthorized user can autheticate.
2. denial-of-service attack
3. unauthorized user can read files
4. Inject HTML tags into the generated reports.
5. gain root access.
6. denial-of-service attack
7. execute arbitrary code when accessing RPM from untrustworthy source.
8. denial-of-service attack
9. gain root access
Every one of 1 through 9 above are stories about people who made mistakes.
The security problems in Microsoft products, are, in my opinion, not mistakes. They are the result of policies: 1) Only money matters. If you can make more money by being sloppy, then do it. 2) Release software with lots of known shortcomings so that people will want to pay for upgrades later. 3) Relate to your employees by pushing them.
Items 2, 3, 4, 6, and 8, more than half of those you mentioned, do not allow destruction to the system itself. One or more Microsoft security bugs that allow destruction to the system are announced on the average of every month, if I recall correctly.
I am not anti-Microsoft. I am more pro-Microsoft than Bill Gates. Microsoft is a company that has $30,000,000,000 dollars in the bank, instead of being used to clear up the problems in their products.
Today I spent about an hour of my Sunday helping a woman in Brazil clear her computer of the Badtrans worm. Billions of dollars are being wasted by very serious Microsoft bugs. The company is not worrying enough about the quality of its products, in my opinion.
I installed a security bug fix supplied by Microsoft to Internet Explorer on someone's computer last week, and the security bug fix put all the network settings back to least security. This has been going on for years. Microsoft knows this happens. It is a result of policy, not mistake. Why they do that, I don't know. Maybe it has been dictated by the U.S. government that Microsoft will make their systems insecure.
We have a problem on Slashdot that many people who read Slashdot don't work with Microsoft products enough to know how bad things really are.
Bush's education improvements were
that he's not so much leaving microsoft as merely changing departments. it's all the same company isn't it?
dave
... but he was their security officer, not a product designer. What difference does it make that he worked for MS? Other than that consequentially he worked for a huge, high-profile MS shop that everyone wants to crack and not many have managed.
The job'll be easier, I'd imagine, since the White House is a smaller and less ambitious (but equally high profile) MS shop and while he now isn't down the hall from the developers (which is not all it's cracked up to be) he is down the hall from the NSA.
I mean really. If you've got to secure an important *MS* shop, who do you think would be better?
~~~~~ BigLig2? You mean there's another one of me?
First, I'd like to comment that I'm posting this using AT&T Broadband... They didn't pay me to say this, but I expected to be net-less for a week, so I'm happy.
Second, MS's infmaous security record doesn't stem from "mishaps." It stems from their insistance on a very flawed set of models. "Drivers at Ring-0" and all that. Among the more popular flaws is in their VBA/VBS integration. Bad enough that These languages have access to the whole machine indescriminantly, but docments from untrusted sources now have access to your whole machine? How many times has this happened? It's not something that requires a patch, it requires a rewrite or complete removal as a feature.
Javascripting? Why are so many MSIE flaws handled best by disabling client-side scripting? Think about it -- same problem.
How about their insistance on installing "everything, even if you don't need it?" How many "Nimda" hosts are out there on machines where the owner didn't even know IIS was there? My brother said it best when he said that it was the equivalant of shipping a loaded pistol. It's not dangerous if you know how to use it and if you knew it was loaded, but then again anyone with a finger thinks they can handle a gun... ring true enough?
It's not that the company's popularity makes a common problem seem worse, it's the company's problem of prioritizing "cool stuff" over "secure stuff."
Your president and government realise how dependent their economy is on M$ products. Of course, they can't just ask Microsoft what the terrorist-exploitable holes in the code are, because the company is big enough to hang on to their corp. secrets from even the US government.
So they employ the guy and put him in a safehouse where they can have a long chat, Dubwya gets a clearer picture of what he's up against.
"If you create user accounts, by default, they will have an account type of Administrator with no password." KB Q293834
I'd say this was closer to putting bin Laden in charge of American Home Security.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Microsoft's product line evolved from a single user application. Programmers on their product line are still in the mentality that if you're sitting at the console, their programs have sole access to the full resources of the computer. How many Windows application installs demand that you close down all other programs and reboot the system when you're done? How many of them actually need you to do that? How many times has some Windows program opened a modal dialog (Which in the historical past prevents the program from being minimized until you acknowledge the dialog) or worse, a system dialog? When was the last time you saw one on Linux? Completely different programmer mentality.
Sure Microsoft's been kludgeing user support into Windows for a while now, but they don't enforce its use. It'd take too long for them to explain to every user out there why they should have to log out and log in as the administrator in order to install that new game or those scanner drivers. Most Windows users are perpetually stuck in the running as root mode, despite years of sysadmin experience that dictates that you should never run as root. And Microsoft will never force them to create a user and use it because that would make them a little less user friendly and a little more like UNIX and that's not the direction they've taken.
BTW: Most Linux dists don't force you to create and use a user ID either, and it's a very common thing to see newbies running as root. They usually stop after the first or second time they manage to trash their entire damn filesystem. And you can never just tell them "Don't run as root -- 30 years of UNIX sysadmin experience can't be wrong!" They seem to have to learn by hard experience.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I didn't need that functionality anyway -- there are other ways to move files around. But what about a server that I really need? Well I don't trust bind farther than I can spit a rat but I run the damn thing. I compiled it statically and run it chrooted as a user other than root. Although a previous release of the kernel would still have allowed a compromise of my system, I'm not running that kernel and so I'm willing to trust bind nominally in that configuration. I was able to secure it although I don't trust it.
Windows evolved from a single user operating system and those roots are still very much evident in every application for it that I've ever seen. It is highly in need of clueful administrative staff in order to keep a user base secure, but the lack of a need for a really clueful administrative staff is one of the selling points of Windows -- we were supposed to be able to install NT on all our servers, 95/98 on all our desktops and fire all those high paid UNIX sysadmins, replacing them with chimpanzees. And somehow the CIO doesn't take any flak for this when the company spends a billion dollars trying to clear code red out of the network. The attitudes are more flawed than anything else and that is why I don't trust Windows.
For the record I don't trust Linux or BSD either, but I trust them a lot more. I'd be much happier if the various servers I used were coded in some language where it was harder to make such fatal mistakes, such as Java, Haskell or LISP, but I expect we'll get there eventually.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
GWB: what's this computer security stuff?
Ashcroft: that's computer survellience.
GWB: well this Texan don't know the difference so why doncha tell me.
Ashkroft: we need to spy on people to make sure they're not terrorists or having abortions or being queer.
GWB: so this guy from MS can help us with that
Ashkroft: yeah he can get MS to put whatever backdoors in so we can spy on whomever we want.
GWB: backdoors? sounds kinda queer.
Ashkroft: those nerds are all kinda queer anyway - so here's the deal. we hire this guy and then tell him what to tell Gates to do.
GWB: why should Gates do what we say - that nerds's got more money than a whorehouse with an oilwell?
Ashkroft: cause Gates has money but we wants access and prestige like everyone else
GWB: ok I'll go with it - how we commin with rounding up the ragheads
Ashkroft: fine, project TexAryan is right on target - all non Christians are being targetted as we speak.
GWB: well shit howdy, get me a drink then.
From DEFCON.org
DEF CON 10 will be August 2nd-4th, 2002 in Las Vegas. More details soon.
Depends on what you expect from "security," I guess.
It won't be long before they enable scripting in every existing government service. It would be pretty cool to use the scripting "features" to order a drivers license with Micky Mouse's picture! :)
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
More like:
"Howard Schmidt, Microsoft's Chief Security Advisor"
Sure, he gives advise. But nowhere did it say that they actually listen.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
If they'd put him in charge of the IRS network security, maybe we could avoid paying any more taxes
The point of hiring him away from Microsoft was to make the nation's computers more secure as a whole. He'll sit in a small office somewhere and harass interns while Microsoft goes to the junior colleges to find a more capable replacement.
In my post above, I was making the point that Microsoft is much worse than people realize. Here is a link to a Microsoft Knowledgebase article that eloquently makes that point: User Accounts That You Create During Setup Are Administrator Account Types (Q293834)
This is not Windows 95 the article is discussing. It is Windows XP. Here is a cut-and-paste quote from that article:
"After you install Windows XP, you have the option to create user accounts. If you create user accounts, by default, they will have an account type of Administrator with no password."
Even someone who knows how bad Microsoft can be would likely not guess that Windows XP would be designed to be completely and utterly not secure by default. So, we will see a lot of stories about compromised Windows XP systems like this: Some poor guy was testing XP and set up an account to begin using it, and was rooted while he was still looking around.
--
Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence?
Bush's education improvements were
No.
The biggest targets for those cracking computers are banks and telcos. Increasing your bank account and getting free long distance/cellphones, that's what phreakers and other crackers want.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
It is interesting what you said.
The presumption has been, however, that Unix/Linux would be used by very knowledgeable people. The presumption of Windows is that people with no experience with it will be using it.
Even if Microsoft doesn't change the way Windows XP operates, it would be sensible to explain the issues carefully on-screen. Recent versions of Mandrake and RedHat do this during install, if I recall correctly.
Bush's education improvements were
Here's a starting point for you to consider: "The Orange Book C2 specification is for standalone, nondistributed computing environments and non-networked devices."
There's no security without physical security and a floppy/CD attached to a computer giving you a workaround from the single pathflow of username/password login to an ACL-controlled environment fails the C2 spec by default. No one brags about Orange Book certifications because no one enforces it because it's freaking useless in every conceivable work environment. No network + no disk drives == no sneakernet == why bother?
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
MS tools may not be the best, but once that's what the White House has got, then choosing this guy to advise on security seems to me to be a sound decision, no question about that. But I don't think this move has much to do with White House security at all.
Now, call me paranoid if you wish, but when I read this piece of news I can't help but ask myself what is this individual really up to within the government structure. He's supposed to know MS security like very few people in the world. Wouldn't he be of great help for the Bureau in their desire to do funny stuff with everyone's machine? Or something along those lines? Reading the article we see that he's not going to do things like helping beef up thw WH website security, he will be working with a taskforce that has many ramifications, chaired by Richard Clarke.
From the article:
Clarke was named last month to head a new White House Office of Cyberspace Security that is to focus on developing a plan for protecting the nation's critical infrastructure.
That could mean a lot of things.
I actually shrieked out loud in terror when I read this headline. Good lord, I feel like I'm trapped in a bad Dilbert cartoon.
Her only fault was not to install one of the many security updates. I've told her to be more careful next time.
You seem to be confusing the two of us. She is an acquaintance who does not understand computers.
If Microsoft cared sufficiently, this would not be a tough problem to solve. Just don't give Outlook Express so much power in the default install.
Bush's education improvements were
>> Hire someone from a company known for its inability to make secure software, and put him in charge of what his company
>> always did poorly.
>
> Or, even better, people could check what in the hell they are talking about! But then again, this is Slashdot, no fact checking
> [go2vanguard.com] required:
[posts resume]
Yet for many seasoned sysadmins concerned for security, having Microsoft on your resume is what a character in ``Dilbert" once called an indelible stain on your resume: it is going to work against you, rather than for you. And you better be able to do some persuasive talking to explain why under your tenure MS failed implement its own software in a secure manner.
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
Uhm...free software has as many security problems as Windows. The difference is that Windows has 95% of the users, and so is a much bigger target.
No, it would be like making Capt. Hazelwood the Secretary of Transportation.
(Uh, he was in charge of an oil tanker.)
I can explanate how to administrate your network. You must configurate and segmentate it, so it can computate.
I think there is a world market for maybe five personal web logs.
SSSL. The first version appearanly died (or was postponed).
(Hollings/Stevens).
I think we've pushed this "anyone can grow up to be president" thing too far.
At first, I thought, "eh". But then I remembered this post.
-Puk
Ticketmaster -- agreed! My knowledge of Microsoft networking comes mainly down to my experience, and various whitepapers at Carnegie Mellon University about why they disallow several Microsoft network services. Active Directory is a new thing for MS, and you're right that I'm ignorant on that account. But I have good reason to "think so little of Microsoft's accumen". They've stunk up networking for years.
As for being one of the most targetted networks, I'd agree. However, I'm not so sure they're number 2. I expect that other governments, Yahoo, and places like CERT (hosted by Carnegie Mellon) are also big targets.
As for Adam Smith, he *was* wrong. That's why the US (and every other 'capitalist' economy) uses a regulated implementation of capitalism. The free market makes its decisions based on marketing. If it made decisions based on research and development, then R&D would get 50% of revenues and marketing would get the 5% that R&D gets now.
Where is Microsoft today? Using hundreds of programmers to slowly reinvent unix networking. Why slowly? Because they're waiting for people to forget all the FUD they've put out about how bad unix networking is.
And I don't care about Microsoft's 2 million object directory. Why? Because I can piss farther than you!
-Paul Komarek
Naturally I don't have any proof their number 2, just a guess. Between people exploiting their sites, and their products, they're a huge worldwide target. Ammusingly enough some of the Nimda stuff I've seen comes from small buisness owners who know essentially nothing about computers setting up small networks and leaving them wide open on DSL. Then the stuff some of the users would do.... I hardly can blame Microsoft when they make a fairly complex family of products that are so intuitive that people can make small networks without really knowing anything about what they're doing.
I would also make the observation that marketing serves an important purpose. It helps keep the public informed about their dazzeling array of choices. It's even ok that most of it is bullshit, because the intent of the advertisement is clear, we can usually fillter out what the truth is. But it helps the market more quickly sort out where the money should go. Course, that's just how I see the world.
You might be surprised to learn under some circumstances DNS replication under windows can be more secure that its UNIX kin, and in software so early in its life too. I suspect UNIX will be better for a couple more years, though MS does have an advantage or two, but everyone who has had a head start on MS has fallen by the wayside when MS decided to compete with them. But with all things it's never about how bad or how good something is. It's whether it's good enough and how popular, something MS seems to understand better than anyone else.
I don't know who told you I squat to pee, but they were lying.
And to the moderators: "Feel free to mod me down, it's going to take a while to get rid of my +1 bonus, cheers."
--Jimmy has fancy plans; and pants to match.
In my opinion, you are missing the point. They could meet their own needs and the needs of the world at large at the same time, but seem unable to do so.
Bush's education improvements were
Maybe he figured out that he would never work in the security industry again if he didn't get out of there quick.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Sometimes I love off-topic posts.
Bush's education improvements were
I think /.'s criticism misses the point of what a corporate security officer does. This guy's job had nothing to do with bugs in Windows. Security officiers are generally not programmers or techies. They don't know anything about elliptic curve encryption or SYN cookies.
.exe email attachments, and that everyone's PC runs a daily virus scan.
Most large companies have security officers. They usually come from a law enforcement or military background. When you see the title "security officer", think Lieutenant Worf, not Wesley Crusher. The security officer is usually in charge of physical plant security, of running background checks on incoming employees, making sure the guards at the parking lot entrance check the right ID's, etc. Their involvement with computers may reach as far as directing that the company firewall filter out incoming
As far as I know, Microsoft didn't have serious problems of that nature, and that guy did perfectly well at his job. The pinhead marketroids who put all the vulnerabilities into Outlook were in a completely different jurisdiction, so to speak. So I don't have a problem with his going to work for the white house.
"Windows XP will not authenticate network access attempts by accounts with blank passwords."
The issue is whether an attacker from outside, who gains access to a computer because of some security hole, would have control over that computer. My understanding is that an attacker would have complete control if there were no password.
Bush's education improvements were