Howard Schmidt Resigns As Cybersecurity Advisor
scubacuda writes "CNN and others report that former Microsoft chief of security Howard Schmidt has resigned as White House cybersecurity adviser. 'With the historic creation of the Department of Homeland Security, the transfer of many of the responsibilities from the Critical Infrastructure Protection Board and the release of the strategy, I have decided to retire after approximately 31 years of public service and return to the private sector,' Schmidt said in his April 21 e-mail."
"Howard has over 31 years public service having served with the US Air Force in various roles from 1967-1983 both active duty and in the civil service. He has served in the military reserves since 1989 and currently serves as a Credentialed Special Agent, US Army Reserves, Criminal Investigation Division (CID). He has testified as an expert witness in federal and military courts in the areas of computer crime, computer forensics and Internet activity."
WASHINGTON (AP) -- White House cybersecurity adviser Howard Schmidt announced his resignation Monday, the second person to leave the post in three months.
Schmidt was chief of security at Microsoft Corp. before taking the post in February. He succeeded Richard Clarke, who had spent 11 years in the White House across three administrations and was the president's counterterror coordinator at the time of the September 11, 2001, attacks.
The White House confirmed Monday that Schmidt would leave at the end of the month to pursue private sector opportunities.
In an e-mail sent to staff and industry officials, Schmidt noted that many of his responsibilities had been transferred to the new Homeland Security Department.
"While significant progress has been made, there still is much to do," Schmidt said in the e-mail. "The nation as a whole is much better at responding to cyberattacks than at any time in the past, but cybersecurity cannot now be reduced to a 'second tier' issue. It is not sufficient to just respond to attacks, but rather proactive measures must also be implemented to reduce vulnerabilities and prevent future attacks."
When Clarke announced his resignation, he also warned of future attacks on the Internet. "As long as we have vulnerabilities in cyberspace, and as long as America has enemies, we are at risk of the two coming together to severely damage our great country," he wrote.
The trade group representing high-technology companies such as Microsoft and Intel said President Bush still needed a high-profile adviser at the White House.
"We are concerned that the cybersecurity issue is losing visibility inside the White House," said Harris Miller, president of the Information Technology Association of America. "In this case, the 'bully pulpit' opportunity to influence the development of a truly secure cyber infrastructure and associated best practices will be lost."
Schmidt failed to return several phone calls seeking comment Monday.
This guy reportedly held every gun-toting position out there, short of bounty hunter for Santa Clara County. SWAT teams...CID...FBI, etc. MS appears to have been the least of it. I imagine he will spend his time cleaning his guns, now that he's retired.
For example, Microsoft was notified of the issues, concerning only Microsoft's implementation of its JVM, on September 2nd 2002, and after SEVEN MONTHS, on April 9th 2003, Microsoft issued an update to fix the problem.
Such a delay with such a serious vulnerability is so abysmal that it borders on the absurd.
Quality and security are measures which only mean something when compared relative to another.
Nothing is absolutely secure; therefore you must expect that, once a vulnerability is made known to the vendor, the vendor should do their utmost to close the Window of Exposure ( http://www.counterpane.com/window.html ) as soon as possible.
For example, with the latest SAMBA vulnerability, once notified, the SAMBA developer owned up to the mistake and the SAMBA project released a patch within 48 hours. Within another 24 hours, Red Hat had already backported the patch into their distribution's RPMs. Similarly, any major security issues in the Mozilla and Netscape browsers are also fixed and updateable within a couple of days.
Meanwhile, there are currently 13 KNOWN unpatched vulnerabilities in Microsoft's Internet Explorer ( http://www.pivx.com/larholm/unpatched/ ).
Some, DANGEROUSLY EXPLOITABLE, have not been fixed in over a year ( http://security.greymagic.com/adv/gm002-ie/ ). That Microsoft has not rewritten the scripting system embedded in IE so that it is sandboxed by default is bad enough, but to have such major unpatched vulnerabilities exposed for months is abysmal.
Other inherent vulnerabilities, such as the Shatter attack ( http://security.tombom.co.uk/moreshatter.html ), Microsoft has known about since 1994!
Even if the API/call flaw is inherently unfixable, that is plenty of time for Microsoft to implement a safer method/system call/API, adapt its own applications to use the safer method and deprecate the unsafe API.
It also appears that Microsoft's own implementation of SMB is vulnerable and Microsoft has known about it for over eight years ( http://developers.slashdot.org/comments.pl?sid=59960&cid=5681769 ), but Microsoft either chooses not to, or cannot, fix the problem themselves.
Microsoft is clearly not closing the vulnerabilities they are aware that exist in their products and services.
A year after Bill Gates's e-mail promoting security over functionality, Microsoft, by choice, remains neither secure nor trustworthy.
Microsoft's attitude towards the security of its products, services and customers is abysmal.
From Jason Coombs's "A response to Bruce Schneier on MS patch management and Sapphire" ( http://www.securityfocus.com/archive/1/315158 )
Nope, at least according to this Slashdot article: Bush Names New Cyber Security Czar.
And this appears to be the dupe: MS Chief Security Officer to work for White House.
Since it's obvious from your reply that you didn't bother to read my entire post, I'm going to guess you're a troll. But since you're getting modded up, I figured I'd better point out why you're wrong. From my original post, to which you replied:
"It's important to note that his time at Microsoft had nothing to do with their products"
While Microsoft has its share of problems with network and internal security, the problems that you CAN'T lay at his feet, if I understand his position there correctly, are those that relate to IIS etc.
Secondly, I didn't comment as to his performance in his last position, or even at Microsoft. I spoke just to his background and suitability based on my experience. I never said he was a nice guy, or that he was smart, just that when I worked directly with him, he was significantly more clueful than the majority of the other people I've interacted with at his level. Since I haven't been interacting with his most recent office, I can't comment as to whether or not he did or didn't do a good job. But you know what, I doubt you're qualified to do so either. If you are, let me know why and I'll be glad to apologize.
You're not sorry to see him go, eh? I'm sure that will break his heart. Maybe you'll get lucky and the prediction further down in this thread will come true, and Hillary Rosen will be tapped as his replacement.