Howard Schmidt Resigns As Cybersecurity Advisor

scubacuda writes "CNN and others report that former Microsoft chief of security Howard Schmidt has resigned as White House cybersecurity adviser. 'With the historic creation of the Department of Homeland Security, the transfer of many of the responsibilities from the Critical Infrastructure Protection Board and the release of the strategy, I have decided to retire after approximately 31 years of public service and return to the private sector,' Schmidt said in his April 21 e-mail."

Cumulative

"Howard has over 31 years public service having served with the US Air Force in various roles from 1967-1983 both active duty and in the civil service. He has served in the military reserves since 1989 and currently serves as a Credentialed Special Agent, US Army Reserves, Criminal Investigation Division (CID). He has testified as an expert witness in federal and military courts in the areas of computer crime, computer forensics and Internet activity."

Did Schmidt resign due to Microsoft's failure?

[NZheretic]

The endemic failure of Microsoft toward the security of it's own products, services and customers is reason enough to bring Howard Schmidt's leadership in the area of cyber-security into question.

For example, Microsoft was notified of the issues, concerning only Microsoft implementation of its JVM, on September 2nd 2002 and after SEVEN MONTHS on April 9th 2003, Microsoft have issued an update to fix the problem.

Such a delay with such a serious vulnerability is so abysmal that it borders on the absurd.

Quality and security are measures which only mean something when compared relatively to another.

There is no absolutely secure, therefore you must expect, that once a vulnerability is made known to the vendor, the vendor should do their utmost to close the Window of Exposure ( http://www.counterpane.com/window.html ) as soon as possible.

For example, with the lastest SAMBA vulnerability, once notified, the SAMBA developer owned up to the mistake and the SAMBA project released a patch within 48 hours. Within aother 24hrs, redhat had already backported the patch into their distributions RPMs. Similarly any major security issues in Mozilla and Netscape browser are also fixed and updateable within a couple of days

Meanwhile, there are currently 13 KNOWN unpatched vulnerabilities in Microsoft's Internet Explorer ( http://www.pivx.com/larholm/unpatched/ ).
Some DANGEROUSLY EXPLOITABLE have not been fixed in over a year ( http://security.greymagic.com/adv/gm002-ie/ ). That Microsoft has not rewritten the scripting system embedded with IE so that it is sandboxed by default is bad enough, but to have such major unpatched vulnerabilities exposed for months is abysmal.

Other inherent vulnerabilities, such as the Shatter attack ( http://security.tombom.co.uk/moreshatter.html ), Microsoft has known about since 1994!

Even if the API/call flaw is inherently unfixable, that is plenty of time for Microsoft to implement a safer methord/systemcall/API, adapt it's own applications to use the safer methord and depreciate the unsafe API.

It also appears that Microsoft 's own implementation of SMB is vulnerable and Microsoft has known about it for over eight years ( http://developers.slashdot.org/comments.pl?sid=599 60&cid=5681769 ), but Microsoft either choose not to, or cannot fix the problem themselves.

Microsoft is clearly not closing the vulnerabilities they are aware that exist in their products and services.

A year after after Bill Gate's Email promoting securtiy over functionality, Microsoft by choice, remains neither secure or trustworthy.

Microsoft's attitude towards the security of it's products, service and customers is abysmal.

From Jason Coombs' A response to Bruce Schneier on MS patch management and Sapphire ( http://www.securityfocus.com/archive/1/315158 )

Microsoft Baseline Security Analyzer (MBSA) and Microsoft's version of HFNetChk both failed to detect the presence of the well-known vulnerability in SQL Server exploited by Sapphire, which is one of the reasons so many admins (both inside and outside MS) had failed to install the necessary hotfix. MBSA and HFNetChk are Microsoft's official patch status verification tools meant to be used by all owners of Windows server boxes ...

......In addition to designing MBSA to avoid scanning for SQL Server vulnerabilities, failing to update mssecure.xml reliably and in a timely manner, deprecating HFNetChk by pushing the MBSA GUI as its preferred replacement, and hiding the details of the technical limitations

Re:Actually a loss to the Government

[D3TH]

Since it's obvious from your reply that you didn't bother to read my entire post, I'm going to guess you're a troll. But since you're getting modded up, I figured I'd better point out why you're wrong. From my original post, to which you replied:

"It's important to note that his time at Microsoft had nothing to do with their products"

While Microsoft has it's share of problems with network and internal security, the problems that you CAN'T lay at his feet, if I understand his position there correctly, are those that relate to IIS etc.

Secondly, I didn't comment as to his performance in his last position, or even at Microsoft. I spoke just to his background and suitability based on my experience. I never said he was a nice guy, or that he was smart, just that when I worked directly with him, he was significantly more clueful than the majority of the other people I've interacted with at his level. Since I haven't been interacting with his most recent office, I can't comment as to whether or not he did or didn't do a good job. But you know what, I doubt you're qualified to do so either. If you are, let me know why and I'll be glad to apologize.

You're not sorry to see him go, eh? I'm sure that will break his heart. Maybe you'll get lucky and the predication further down in this thread will come true, and Hillary Rosen will be tapped as his replacement.