MS Chief Security Officer to work for White House

NerveGas writes "An Interesting People message reports that Howard Schmidt, Microsoft's Chief Security Advisor, will be leaving MS to work as a security adviser for the White House. With the track record that Microsoft has in the area of computer security, this strikes me as a very bad move." CD: you'd think people would examine the job someone did at thier previous job before offering them a new one. Isn't this is like putting Capt. Hazelwood in charge of an oil tanker?

Job qualifications

[shlong]

you'd think people would examine the job someone did at thier previous job before offering them a new one.

What you mean like the job GW did in Texas? This guy should fit right in.

Who better to help you implement Magic Lantern

[Chuck+Chunder]

than one of the people involved in allowing the very exploits you want to exploit to exist in the first place?

;)

Huh?

[Anonymous+DWord]

Was he responsible for all the holes in Microsoft code over the years? No? But you're going to hold him to that because... Or was that just another random MS flame? How do you figure you know anything about what this guy can or cannot do?

Re:Huh?

[bribecka]

I don't know what this guy's job was, but I don't think he had the responsibility of making all the software secure.

First off, not to single you out, but this is so friggin typical of slashdot. Everyone (including chrisd from ./) is posting all this stuff, taking their shots, and not having a clue who the guy is and what he does. Second, it is pretty damn irresponsible of slashdot to post an article based off a message on a mailing list.

Finally, apparently this guy knows his shit. From this PBS interview

He is Chief of Information Security for the Microsoft Corporation. Prior to this he was a Supervisory Special Agent, Director of the Air Force Office of Special Investigations, Computer Forensic Lab and Computer Crime and Information Warfare.

Now, does it seem like a mistake to hire him? After all, he is *leaving* MSFT to go back to the government. Enjoy your crow, everyone!

MS Security Guy probably didn't write code...

[abh]

I know how we all love to flame Microsoft, but if the guy was the head of MS Security, odds are he was an executive who never wrote a line of code.

He's guaranteed not to have anything to do with holes in MS products.

A better thing to look at would be how often was Microsoft's network hacked.

Reminds me of star trek TNG.

[nuintari]

No one would think a kligon would make a good ship's counseler, and I don't think that an android would make a very good captain.

So you think the White House chose him at random ?

[Rosco+P.+Coltrane]

I submit that Schmidt is in fact very very well placed to know about most if not all vulnerabilities and (possibly) backdoors in Micro$oft products. I bet the guy will be working actively on methods to snoop on Windows users, extract their data and intall trojans in their systems (Magic Lantern anyone ?).

Here's a guy who was working for the largest software monopoly in history and now works as security honcho for the most powerful government in history, with people like Ashcroft in it. Makes my nose bleed just thinking about it. The more I see what's happening in Micro$oft's giant sphere of influence, the more I'm glad to be a Linux user, that's for damn sure.

Checking on someone's previous work.

[Chuck+Chunder]

CD: you'd think people would examine the job someone did at thier previous job before offering them a new one.

<cheap shot> Yeah, you might.</cheap shot>

more info on Schmidt

[Pinball+Wizard]

Here is some info on Schmidt at microsoft.com. Looks like he has an admin-level job rather than a software engineering job. So I wouldn't blame him for how poorly coded Microsoft products are. He's involved with best practices on setting things up securely, not watching over programers making sure there's no buffer overruns in the code. Although administration and programming must overlap when it comes to real security there's only so much you can do if you're not deeply involved with the code.

pretty unfortunate

[vscjoe]

Well, maybe he quit Microsoft in disgust and is trying to do the right thing: push for open source, peer-reviewed, secure systems. But, more likely, he has been imbued with Microsoft corporate policy, still has a financial and personal interest in the company, and has never known another way of doing things besides the Microsoft way.

If the latter is the case, there is a good chance that this guy will follow the easy and obvious (to laymen) path and push Windows. After all, NT was created by someone with decades of experience and it is 'C4' certified (or whatever). It has zillions of security features, even more so than VMS, so how could it not be secure? And it is used by some of the most security conscious companies in the world. And what's good for Microsoft is good for America anyway. At least those will be the arguments that will likely be heard around the White House when issues about what software infrastructure the armed services and US government should use.

This will be followed by calls for keeping source code for criticial infrastructure under wraps, "like Microsoft is already doing", because "we don't want to give the terrorists the blueprints to our advanced technology". He'll probably preach the Microsoft mantra that open source is dangerous, unsafe, and un-American. And he'll likely conflate "security" RIAA style (fair use hijacking) with national security and point to how badly the RIAA and MPAA has been "hurt" by "security problems" resulting from "open source hackers" and how Microsoft, in contrast, keeps content "secure" and protects copyright holder's rights.

Altogether, this appointment is likely going to hurt open source efforts, as well as national information security.

This guy is clueless

[Animats]

Here's a 1998 interview with the guy. He's not a technical guy. He used to be a computer crime investigator with the USAF. There's a fair amount of stuff by him on the web, mostly the usual Microsoft line of "it's all your fault, not ours".

Notice in the 1998 interview that he denies that viruses in mail attachments are a problem.

Easy on him guys...

[Mustang+Matt]

He was a security ADVISOR...

He could have given Microsoft all the advice in the world and if they were too lazy to implement the appropriate security measures it's not his fault.

Maybe the position at the government was his oppourtunity to get to a better place that would actually listen to him.

responsibility

[vscjoe]

Was he responsible for all the holes in Microsoft code over the years?

As security advisor at Microsoft, his job presumably was to define policies that keep those holes from getting into the software and/or to keep Microsoft's sites secure. Microsoft's products are full of holes and their services have suffered major security compromises, so he can't have been very effective.

Since his new role will be similar in nature, it seems reasonable to suspect that he will be equally ineffective at defining national policies to protect our national security infrastructure.

Re:responsibility

I don't think there's any way to know how effective he is as an individual without reading his resume, interviewing him, and talking to a number of his associates. This is something which the government has most likely done, whereas most Slashdot readers simply read the word "Microsoft" and conclude that the man is incompetent, evil, or both.

In a company that large, there will be both fuck-ups and genuinely good workers. I know some extremely talented people working at Microsoft. I also know some losers there. I don't know which side of things this guy is on, but you have to figure that only a few companies have people with enough experience with huge, varied networks to take on this role for the federal government. And Microsoft it very likely to be one of them.

Re:responsibility

[Paul+Komarek]

While most of what you say sounds reasonable, one thing really caught my eye: "only a few companies have people with enough experience with huge, varied networks". The problem with Microsoft is that they only have experience with huge, homogenous networks; they were blindsided by the internet; they thought remote admin was a bad idea until recently; their network hacks (netbios, for instance) stink on large networks.

I think Microsoft is very *unlikely* to have much useful exerperience with "huge, varied networks". What really gets me is that they seem to *like it this way*.

-Paul Komarek

Re:responsibility

[mshomphe]

But, this is part of a general 'revolving door' phenomenon between business and government: work in one area of the private sector, retire, join the government, work on legislation for that area. This is problematic because it leads to the legislation being skewed towards that business (and away from the consumer), and makes the government appear more insular.

One has to wonder what effect this person's tenure with Microsoft will have on his job performance; much in the same way that we had to wonder about Dick Cheney's Haliburton/Enron/oil industry ties when he was coming up with the administration's energy policy. It's a valid concern and one that should be raised.

Not really.

[ChrisBennett]

Isn't this is like putting Capt. Hazelwood in charge of an oil tanker?

Actually, no. Captain Hazelwood was drunk at the wheel before the accident. Apparently he was a fine captain when sober. Microsoft has bad security whether or not you consider them to be drunk.

Re:Not really.

There is plenty of blame to go around for the Exxon Valdez oil spill.

Capt. Hazelwood was not at the wheel, or even on the bridge, when the Exxon Valdez struck the reef outside Port Valdez. Contrary to popular opinion ship Captains are not required to be "at the wheel" all the time. The ship was in what the USCG had declared was "outside pilotage" waters and a licensed USCG Merchant Marine Officer (the 3rd Mate) and a compliment of documented seamen were on watch - and at the wheel. Some seamen testified to telling the Officer on watch that the red buoy marking the limit of Bligh Reef was on their starboard side. For whatever reasons, he chose to ignore them.

Capt. Hazelwood had to go down to his office to prepare the flurry of reports that Exxon's yuppie management required every one of their Captains to prepare and send in after loading and as soon as the pilot departs the ship. Prior to leaving the bridge he instructed the Officer on Watch to return to the sea lanes (marked clearly on a radar system on the bridge) after clearing the ice. For whatever reason, this officer declined to follow those instructions.

The USCG officers who claimed he had alcohol on his breath were in an environment of heavy concentration of evaporating chemicals that was so bad that the Chief Mate (whose watch the 3rd mate was taking because the Ch. Mate had been working 36 hours straight loading the ship) testified that he had considered going back and getting a Scott Air Pack to get up the stairway to the bridge. (Compare to trying to detect alcohol on the breath of a friend while putting your nose next to the fill pipe of your car while fueling at at your corner service station.) (Hazelwood was never convicted nor was his USCG license revoked, btw.)

The USCG radar observers in Port Valdez did not make any attempt to follow the ship after the pilot disembarked at the west end of the Valdez Narrows despite warning the ship of pack ice and authorizing the ship to divert from the navigation channel to avoid the ice.

The Exxon Valdez hit Bligh Reef because the ship was undermanned (it was 900 feet long and carried a crew compliment of less than 25 people!), the crew was overworked and exhausted (and many say inexperienced), and Exxon management in Houston was micro-managing the ship with petty requirements, plus the USCG in Port Valdez did not do their jobs.

One of the after effects of this incident was that the USCG returned to the policy of requiring ships to carry an extra officer to help with navigation and loading due to the heavy burden. A policy abandoned by Exxon and the other oil companies several years prior to the accident. A further after effect was a requirement that tankers entering sensitive waters be double-hulled.

Another after effect is that the radar observers in Port Valdez now monitor the ships until they depart Cape Hinchinbrook and enter the open Pacific.

A final after effect is that Port Valdez now allows tanker Captains to return to the Port and tie up in dangerous weather. Prior to the Valdez incident they refused re-entry and required loaded tankers to either stay inside Prince William Sound and motor back and forth in the traffic lanes or depart and suffer damage (and loss of life).

The oil spill would have never caused as much pollution as it did if British Petroleum hadn't allowed the management of the Valdez terminal to decommission the recovery equipment they had promised the State of Alaska they'd keep on hand for the life of the project. They have recommissioned the oil spill equipment since the incident.

Re:What type of work?

[Ridge2001]

He's going to be working with Richard Clarke, which probably means he's going to make a lot of dramatic speeches about how "cyberattacks" could cause economic damage that is the "functional equivalent of 767's crashing into buildings".

See here for the kind of stuff this guy's going to be working on.

Corporate security != electronic security

[Xeger]

I haven't done any digging yet, but it is my assumption that as head of security he will be in charge of physical security policy at Microsoft installations: who has access to which rooms, and at what times of day. How many cameras to put in the bathroom stalls. How many parabolic surveilance microphones to hide in the trees. How many pits full of punji stakes, vipers and bear traps to place around the Redmond campus.

In other words, Big Brother stuff. Spook stuff.

That is what a chief security officer does in the traditional corporate environment. He will have an underling (or several) who handle electronic security for him. If he knows what's good for him he'll realize that he shouldn't try and play a game he knows nothing about, and he'll let his underlings have free reign.

Not that it will do any good, of course. As long as Microsoft uses its own software, it will always be vulnerable to the same exploits with which it burdens the rest of the world.

Re:So you think the White House chose him at rando

[doodleboy]

Among other things, the EULA at passport.com/Consumer/PrivacyPolicy.asp?lc=1033.NE T says: Passport will disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to... Act under exigent circumstances to protect the personal safety of users of Microsoft, the .NET Passport Web Site, or the public.

How interestingly broad, given that in light of recent terrorist activities any "exigent circumstances" could be said to be met as a matter of course. And there is no doubt that all the information that's bound to be stored on .Net servers could be sifted and profiled in many fascinating ways by the intelligence community.

Kinda makes you wonder how it all fits together, given the walk Microsoft got on the anti-trust case.

/. home of the stupid anology

[Suppafly]

CD: you'd think people would examine the job someone did at thier previous job before offering them a new one. Isn't this is like putting Capt. Hazelwood in charge of an oil tanker?

First off, being the white house I'm sure they throughly examined everything about him.. I had a friend apply for a fairly low position with the DoD and they interviewed his friends and family as well as giving him a lie detector test.

Secondly, this is hardly compareable to the Exxon Valdez thing..

Third who are you to say he did a bad job at MS?
Other then just taking at cheap shot as MS, you have no info about his job performance or even what he specifically did while working at "The Great Evil"

Maybe its just me, or maybe theres a reason you dont see chrisd listed in the hof anywhere..

It's all part of the same kind of thinking.

[Futurepower(tm)]

"CD: You'd think people would examine what someone did at his previous job before offering him a new one." [Corrections to grammar and spelling added.]

It's all part of the same kind of thinking. Bomb Afghanistan to save it. (I'm talking about the first bombing by the U.S. government [1983], not the second and third.)

Hire someone from a company known for its inability to make secure software, and put him in charge of what his company always did poorly.

But, of course, maybe he is not really leaving Microsoft, but just working with a government that doesn't believe in privacy to assure that Microsoft software will always be compromised by the government.

Look on the bright side. With Microsoft in the White House, no one who truly wants software security will be running Microsoft products.

--
Links to respected news sources show how U.S. government policy contributed to terrorism: What should be the Response to Violence?

Re:It's all part of the same kind of thinking.

[b0r1s]

Hire someone from a company known for its inability to make secure software, and put him in charge of what his company always did poorly.


Who would you prefer?

1. Someone from openssh, which just released a new version to correct a remote exploit?
2. A linux hacker who cant figure out how to handle syn cookies?
3. Someone from lotus, who cant protect their documents
4. A webalizer coder who cant remember to filter out cross site scripting?
5. Maybe an IBM coder?
6. Cisco is flawless, right? nope
7. Redhat must be perfect, they make linux! oh wait
8. SGI/IRIX is flawless, they never have security proble... oh, nevermind
9. How about a linux kernel hacker, they sure must be perfect! They'd never allow a root exploit into a stable kernel!

Getting the point yet? Everyone has holes. Everyone releases patches. It just happens that microsoft designs their code for ease of use, and because of that there happen to be a lot of unqualified microsoft admins. This isnt a MS problem. This is a side effect of their popularity.

Re:It's all part of the same kind of thinking.

[Floris]

Nice argument, but let's not forget microsoft themselves have been compromised multiple times over the course of the last few months:

1) Remember that incident where someone inside microsoft got hit by a macro virus that allowed remote (apparently russian) script kiddies to access their internal network?

2) How code red hit www.microsoft.com and hotmail?

3) Same thing happened with nimda.

3) there were more but this was off the top of my head.

Of course, bad programming practices happen everywhere but this could be accounted to a) running unpatched boxes and b) microsoft employees opening infected attachments. Both of which were his direct responsibility to prevent.

Re:It's all part of the same kind of thinking.

[bribecka]

Hire someone from a company known for its inability to make secure software, and put him in charge of what his company always did poorly.

Or, even better, people could check what in the hell they are talking about! But then again, this is Slashdot, no fact checking required:

Mr. Schmidt currently is the Corporate Security Officer for Microsoft Corporation, Redmond, WA. In that capacity he directs the activity of those responsible for security of Microsoft?s Information, personnel and facilities Worldwide.

Prior to coming to Microsoft, he was a Supervisory Special Agent, Director of the Air Force Office of Special Investigations, Computer Forensic Lab and Computer Crime and Information Warfare. (HQ AFOSI/CCI). Under his direction he established the first dedicated computer forensic lab in the government. The AF specialized in conducting investigations into intrusions in government/military systems by unauthorized persons in counter intelligence and criminal investigations.

Before AFOSI he was with the FBI at the National Drug Intelligence Center (NDIC) where he headed the Computer Exploitation Team as a Computer Forensic Specialist. As one of the early pioneers in the field of computer forensics and computer evidence collection, he continues to provide training support to an international audience dealing with the new challenges around computer evidence collection and processing.

He was a City police officer from 1983-1994 with the city of Chandler Police Dept. Arizona. While there he was detailed to the FBI academy teaching classes in the use of computers in criminal investigations for approximately 2 years.

Mr. Schmidt served with the US Air Force in various roles from 1967-1983 both active duty and in the civil service. He has served in the military reserves since 1989 and currently serves as a Credentialed Special Agent, US Army Reserves, Criminal Investigation Division (CID). He has testified as an expert witness in federal and military courts in the areas of computer crime, computer forensics and Internet activity.

He holds a Bachelors Degree in Business Administration, (BSBA) and a Master of Arts in Organizational Management (MAOM). He also has a Technician class Ham Radio License, and a Single Engine Land pilots license.

Mr. Schmidt currently is the International president of the Information Systems Security Association (ISSA) and the recently formed IT-ISAC. He is a former executive board member of the International Organization of Computer Evidence (IOCE), served as the co-chairman of the Federal Computer Investigations Committee (FCIC). He is a member of the American Academy of Forensic Scientist (AAFS). He is an advisory board member for the Technical Research Institute of the National White Collar Crime Center. (NWCCC) and he is a distinguished special lecturer at the University of New Haven, CT teaching a graduate certificate course in Forensic Computing. He served as an augmented member to the President's Committee of Advisors on Science and Technology (PCAST) in the formation of an Institute for Information Infrastructure Protection (I3P) He is a regular international speaker in the fields of computer forensics and information assurance.

Mr. Schmidt was one of 29 industry leaders called to the White House to meet with President Clinton on cyber security and has testified before a joint committee on Computer Security and has been instrumental in the creation of public/private partnerships and information sharing iniatives.

C2 Certification

[CaptainZapp]

NT was created by someone with decades of experience and it is 'C4' certified

To the best of my knowledge, NT got a C2 certification umpteen years ago. But (and I'm not making this up), It only achieved C2 when the disk drive was removed and the machine was not attached to any network

I don't think Microsoft attempted to brag about orange book certification since then.

You're missing the point, as well as OpenBSD

I think you're missing the point. Microsoft consistently releases buggy software and they publicly admit that yes, the UI experience comes before security. Sorry, but that's not for me. In addition, you've forgotten to list OpenBSD. Four years without remote hole in default install.

Readers often don't have much experience with MS.

[Futurepower(tm)]

1. unauthorized user can autheticate.
2. denial-of-service attack
3. unauthorized user can read files
4. Inject HTML tags into the generated reports.
5. gain root access.
6. denial-of-service attack
7. execute arbitrary code when accessing RPM from untrustworthy source.
8. denial-of-service attack
9. gain root access

Every one of 1 through 9 above are stories about people who made mistakes.

The security problems in Microsoft products, are, in my opinion, not mistakes. They are the result of policies: 1) Only money matters. If you can make more money by being sloppy, then do it. 2) Release software with lots of known shortcomings so that people will want to pay for upgrades later. 3) Relate to your employees by pushing them.

Items 2, 3, 4, 6, and 8, more than half of those you mentioned, do not allow destruction to the system itself. One or more Microsoft security bugs that allow destruction to the system are announced on the average of every month, if I recall correctly.

I am not anti-Microsoft. I am more pro-Microsoft than Bill Gates. Microsoft is a company that has $30,000,000,000 dollars in the bank, instead of being used to clear up the problems in their products.

Today I spent about an hour of my Sunday helping a woman in Brazil clear her computer of the Badtrans worm. Billions of dollars are being wasted by very serious Microsoft bugs. The company is not worrying enough about the quality of its products, in my opinion.

I installed a security bug fix supplied by Microsoft to Internet Explorer on someone's computer last week, and the security bug fix put all the network settings back to least security. This has been going on for years. Microsoft knows this happens. It is a result of policy, not mistake. Why they do that, I don't know. Maybe it has been dictated by the U.S. government that Microsoft will make their systems insecure.

We have a problem on Slashdot that many people who read Slashdot don't work with Microsoft products enough to know how bad things really are.

it seems to me

[fyonn]

that he's not so much leaving microsoft as merely changing departments. it's all the same company isn't it?

dave

A side effect of popularity?

[erroneus]

First, I'd like to comment that I'm posting this using AT&T Broadband... They didn't pay me to say this, but I expected to be net-less for a week, so I'm happy.

Second, MS's infmaous security record doesn't stem from "mishaps." It stems from their insistance on a very flawed set of models. "Drivers at Ring-0" and all that. Among the more popular flaws is in their VBA/VBS integration. Bad enough that These languages have access to the whole machine indescriminantly, but docments from untrusted sources now have access to your whole machine? How many times has this happened? It's not something that requires a patch, it requires a rewrite or complete removal as a feature.

Javascripting? Why are so many MSIE flaws handled best by disabling client-side scripting? Think about it -- same problem.

How about their insistance on installing "everything, even if you don't need it?" How many "Nimda" hosts are out there on machines where the owner didn't even know IIS was there? My brother said it best when he said that it was the equivalant of shipping a loaded pistol. It's not dangerous if you know how to use it and if you knew it was loaded, but then again anyone with a finger thinks they can handle a gun... ring true enough?

It's not that the company's popularity makes a common problem seem worse, it's the company's problem of prioritizing "cool stuff" over "secure stuff."

The Problem With Microsoft

[Greyfox]

Microsoft has always put user friendliness first. User friendliness and security are usually directly at odds with each other. For instance, if I go over to /boot and try to rm bzImage, Linux won't let me do that (Unless I'm running as root, but we all know you should never run as root, right?) That's not very user friendly. It's my computer after all. Why shouldn't I be allowed to delete any file on the system? Well, we all know why.

Microsoft's product line evolved from a single user application. Programmers on their product line are still in the mentality that if you're sitting at the console, their programs have sole access to the full resources of the computer. How many Windows application installs demand that you close down all other programs and reboot the system when you're done? How many of them actually need you to do that? How many times has some Windows program opened a modal dialog (Which in the historical past prevents the program from being minimized until you acknowledge the dialog) or worse, a system dialog? When was the last time you saw one on Linux? Completely different programmer mentality.

Sure Microsoft's been kludgeing user support into Windows for a while now, but they don't enforce its use. It'd take too long for them to explain to every user out there why they should have to log out and log in as the administrator in order to install that new game or those scanner drivers. Most Windows users are perpetually stuck in the running as root mode, despite years of sysadmin experience that dictates that you should never run as root. And Microsoft will never force them to create a user and use it because that would make them a little less user friendly and a little more like UNIX and that's not the direction they've taken.

BTW: Most Linux dists don't force you to create and use a user ID either, and it's a very common thing to see newbies running as root. They usually stop after the first or second time they manage to trash their entire damn filesystem. And you can never just tell them "Don't run as root -- 30 years of UNIX sysadmin experience can't be wrong!" They seem to have to learn by hard experience.

Not quite

[JediTrainer]

More like:

"Howard Schmidt, Microsoft's Chief Security Advisor"

Sure, he gives advise. But nowhere did it say that they actually listen.

Do you even know what a C2 certification entails?

[dave-fu]

Here's a starting point for you to consider: "The Orange Book C2 specification is for standalone, nondistributed computing environments and non-networked devices."
There's no security without physical security and a floppy/CD attached to a computer giving you a workaround from the single pathflow of username/password login to an ACL-controlled environment fails the C2 spec by default. No one brags about Orange Book certifications because no one enforces it because it's freaking useless in every conceivable work environment. No network + no disk drives == no sneakernet == why bother?

Misleading header.

[Remote]

MS tools may not be the best, but once that's what the White House has got, then choosing this guy to advise on security seems to me to be a sound decision, no question about that. But I don't think this move has much to do with White House security at all.

Now, call me paranoid if you wish, but when I read this piece of news I can't help but ask myself what is this individual really up to within the government structure. He's supposed to know MS security like very few people in the world. Wouldn't he be of great help for the Bureau in their desire to do funny stuff with everyone's machine? Or something along those lines? Reading the article we see that he's not going to do things like helping beef up thw WH website security, he will be working with a taskforce that has many ramifications, chaired by Richard Clarke.

From the article:

Clarke was named last month to head a new White House Office of Cyberspace Security that is to focus on developing a plan for protecting the nation's critical infrastructure.

That could mean a lot of things.

Doesn't anyone here subscribe to bugtraq?

[harlows_monkeys]

Uhm...free software has as many security problems as Windows. The difference is that Windows has 95% of the users, and so is a much bigger target.

What a security officer does

[phr1]

I think /.'s criticism misses the point of what a corporate security officer does. This guy's job had nothing to do with bugs in Windows. Security officiers are generally not programmers or techies. They don't know anything about elliptic curve encryption or SYN cookies.

Most large companies have security officers. They usually come from a law enforcement or military background. When you see the title "security officer", think Lieutenant Worf, not Wesley Crusher. The security officer is usually in charge of physical plant security, of running background checks on incoming employees, making sure the guards at the parking lot entrance check the right ID's, etc. Their involvement with computers may reach as far as directing that the company firewall filter out incoming .exe email attachments, and that everyone's PC runs a daily virus scan.

As far as I know, Microsoft didn't have serious problems of that nature, and that guy did perfectly well at his job. The pinhead marketroids who put all the vulnerabilities into Outlook were in a completely different jurisdiction, so to speak. So I don't have a problem with his going to work for the white house.