Howard Schmidt Resigns As Cybersecurity Advisor
scubacuda writes "CNN and others report that former Microsoft chief of security Howard Schmidt has resigned as White House cybersecurity adviser. 'With the historic creation of the Department of Homeland Security, the transfer of many of the responsibilities from the Critical Infrastructure Protection Board and the release of the strategy, I have decided to retire after approximately 31 years of public service and return to the private sector,' Schmidt said in his April 21 e-mail."
I mean, I know we saw plenty of "What's good for Microsoft is good for America" rhetoric during the anti-trust trial, but that would be a bit over the top.
I might be way off here, but didn't he just recently ACCEPT this position and he's already resigning?
...a Beowulf cluster of these resignations!
2 whole months!
I wonder what really made him quit?
"Howard has over 31 years public service having served with the US Air Force in various roles from 1967-1983 both active duty and in the civil service. He has served in the military reserves since 1989 and currently serves as a Credentialed Special Agent, US Army Reserves, Criminal Investigation Division (CID). He has testified as an expert witness in federal and military courts in the areas of computer crime, computer forensics and Internet activity."
Good job. We all know how secure Microsoft products are.
/troll
/sarcasm
I nominate Hillary Rosen to be the next Cybersecurity advisor
I can just imagine the look on their faces...
"Wait a minute...this guy was the Chief of Security for who?!?"
the security advisor resigns via e-mail? doesn't anyone find this a little bit ironic? :)
I smell a sequel ...
About Schmidt 2: Cyber Patrol
WASHINGTON (AP) -- White House cybersecurity adviser Howard Schmidt announced his resignation Monday, the second person to leave the post in three months.
Schmidt was the former chief of security at Microsoft Corp. before taking the post in February. He succeeded Richard Clarke, who had spent 11 years in the White House across three administrations, and was the president's counterterror coordinator at the time of the September 11, 2001, attacks.
The White House confirmed Monday that Schmidt would leave at the end of the month to pursue private sector opportunities.
In an e-mail sent to staff and industry officials, Schmidt noted that many of his responsibilities had been transferred to the new Homeland Security Department.
"While significant progress has been made, there still is much to do," Schmidt said in the e-mail. "The nation as a whole is much better at responding to cyberattacks then at any time in the past, but cybersecurity cannot now be reduced to a 'second tier' issue. It is not sufficient to just respond to attacks, but rather proactive measures must also be implemented to reduce vulnerabilities and prevent future attacks."
When Clarke announced his resignation, he also warned of future attacks on the Internet. "As long as we have vulnerabilities in cyberspace, and as long as America has enemies, we are at risk of the two coming together to severely damage our great country," he wrote.
The trade group representing high-technology companies such as Microsoft and Intel said President Bush still needed a high-profile adviser at the White House.
"We are concerned that the cybersecurity issue is losing visibility inside the White House," said Harris Miller, president of the Information Technology Association of America. "In this case, the 'bully pulpit' opportunity to influence the development of a truly secure cyber infrastructure and associated best practices will be lost."
Schmidt failed to return several phone calls seeking comment Monday.
This guy reportedly held every gun-toting position out there, short of bounty hunter for Santa Clara County. SWAT teams...CID...FBI, etc. MS appears to have been the least of it. I imagine he will spend his time cleaning his guns, now that he's retired.
WTF? He's only been there for like 2 months. Why was he fired? This is truly disappointing for the welfare of our government's computer systems. Who else could possibly be more qualified than the former Chief Security Officer for Microsoft Corporation?
Apparently his suggestion to replace Dr. Pepper with Code Red in all the vending machines was the final straw.
Freedom Is Universal
Linux-Universe
Having worked with Howard during his time with the Air Force, and having followed his career in the private sector and post-Air Force public service, this is really too bad.
For those who don't know (which I assume is most of you), Howard was a pioneer in the area of computer evidence analysis, first as a 'local' police officer, and then as a federal Special Agent. It's important to note that his time at Microsoft had nothing to do with their products (this in response to all those "we all know how secure Microsoft products are" trolls out there).
He and his wife are avid computer users, and Howard was one of the few people I've ever encountered at his level in Government service that could talk to you about technology and computers with any degree of real understanding. He built his own machines (at least when I was working with him) and was taught classes on low-level file system internals and disk layouts.
He became involved with computer crime at a time when only hard-core hackers (not crackers) were really playing around with computers, and paved the way for many others who are themselves pioneers in the information security community, both in the public and private sectors. The atmosphere created and fostered during his time at the Air Force allowed many people to grow and learn, and many of them are not only members of the InfoSec community, but the open-source community as well.
I'd better quit before this turns into blatant fanboyism, if it hasn't already. My intent is not to deify him, I just want all of you who've only heard him give nicely formatted press conferences or canned interviews to know that there's more to him than that. I'm not sure if you could really find someone better to be involved with the goings-on at that level, but I'm absolutely certain that you can find many many worse.
---
In other news, Microsoft announced that they had just been awarded a number of new Homeland Security contracts.
Lacking <sarcasm> tags,
That reads like he's been working in the public sector all that time. But, I'm sure he hasn't divided his attention when working in the public sector ... unless it really turns out that Microsoft has been around longer than we all thought and the rise of Microsoft, Gates, et al, has been part of a massive plot!
No... I wouldn't even consider that... well, probably not anyway.
A feeling of having made the same mistake before: Deja Foobar
He didn't do the Austin Powers double quote thing with his fingers each time he said 'cyber'
I really need some work.
For example, Microsoft was notified of the issues, concerning only Microsoft implementation of its JVM, on September 2nd 2002 and after SEVEN MONTHS on April 9th 2003, Microsoft have issued an update to fix the problem.
Such a delay with such a serious vulnerability is so abysmal that it borders on the absurd.
Quality and security are measures which only mean something when compared relatively to another.
There is no absolutely secure; therefore you must expect that, once a vulnerability is made known to the vendor, the vendor should do their utmost to close the Window of Exposure ( http://www.counterpane.com/window.html ) as soon as possible.
For example, with the latest SAMBA vulnerability, once notified, the SAMBA developer owned up to the mistake and the SAMBA project released a patch within 48 hours. Within another 24 hrs, Red Hat had already backported the patch into their distributions' RPMs. Similarly, any major security issues in the Mozilla and Netscape browsers are also fixed and updateable within a couple of days.
Meanwhile, there are currently 13 KNOWN unpatched vulnerabilities in Microsoft's Internet Explorer ( http://www.pivx.com/larholm/unpatched/ ).
Some DANGEROUSLY EXPLOITABLE have not been fixed in over a year ( http://security.greymagic.com/adv/gm002-ie/ ). That Microsoft has not rewritten the scripting system embedded with IE so that it is sandboxed by default is bad enough, but to have such major unpatched vulnerabilities exposed for months is abysmal.
Other inherent vulnerabilities, such as the Shatter attack ( http://security.tombom.co.uk/moreshatter.html ), Microsoft has known about since 1994!
Even if the API/call flaw is inherently unfixable, that is plenty of time for Microsoft to implement a safer method/system call/API, adapt its own applications to use the safer method and deprecate the unsafe API.
It also appears that Microsoft's own implementation of SMB is vulnerable and Microsoft has known about it for over eight years ( http://developers.slashdot.org/comments.pl?sid=59960&cid=5681769 ), but Microsoft either chooses not to, or cannot, fix the problem themselves.
Microsoft is clearly not closing the vulnerabilities they are aware that exist in their products and services.
A year after Bill Gates' email promoting security over functionality, Microsoft, by choice, remains neither secure nor trustworthy.
Microsoft's attitude towards the security of its products, services and customers is abysmal.
From Jason Coombs' A response to Bruce Schneier on MS patch management and Sapphire ( http://www.securityfocus.com/archive/1/315158 )
Isn't it odd that despite spending billions on DEFENCE for decades, none of that investment supplied _any_ defence that mattered on the day.
Should this new entity be renamed dept. of Real Defence or should the dept. of Defence be renamed Dept. of Offence? who deserves the name most?
As evidenced by the fact that this: "We are concerned that the cybersecurity issue is losing visibility inside the White House," said Harris Miller, president of the Information Technology Association of America. "In this case, the 'bully pulpit' opportunity to influence the development of a truly secure cyber infrastructure and associated best practices will be lost." is one of the main opinions expressed in this article. We've elevated commerce to such a position that the perspective of a trade group is of primary importance when reporting on government and security. I know this isn't new. Business has played a large role in politics and civics (if the two can be separated) for at least the last 2000 years, but it seems especially egregious when Miller laments the loss of the "bully pulpit" as if he just got outbid for a Super Bowl commercial slot.
That's a very good point.
/me wants PKI with whitelists to be universal...
Business email authentication is frequently piss-poor, and the names and information on top-level execs are publicly available.
You probably wouldn't get someone fired, but you could cause absolute mayhem spoofing mail to lots of companies from various execs to other execs saying that an exec is resigning. Do so over Christmas, or some other time when people aren't immediately reachable for confirmation, and the impact could be quite nasty.
May we never see th
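The "PKI with whitelists" wished for above, as an added illustration that is not part of the thread: a message is accepted only if its sender is in a directory of authorised announcers AND it carries a signature that verifies under that sender's whitelisted key, so an unsigned "exec resigns" mail, or one signed with someone else's key, is rejected. Key pairs, addresses and message text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Directory maps an authorised sender address to their public key (the whitelist).
type Directory map[string]ed25519.PublicKey

// Message is a minimal stand-in for a mail: sender, body, and an optional
// Ed25519 signature over canonical(From, Body). Sig is nil when unsigned.
type Message struct {
	From string
	Body string
	Sig  []byte
}

// canonical fixes the bytes that are signed so From cannot be swapped after signing.
func canonical(from, body string) []byte { return []byte(from + "\n" + body) }

// Sign produces a signed Message with the given private key.
func Sign(priv ed25519.PrivateKey, from, body string) Message {
	return Message{From: from, Body: body, Sig: ed25519.Sign(priv, canonical(from, body))}
}

// Verify returns (accepted, reason). Whitelist membership and a valid signature
// under the whitelisted key are both required; an unknown sender, a missing
// signature, or a signature from some other key all fail.
func Verify(dir Directory, m Message) (bool, string) {
	pub, ok := dir[m.From]
	if !ok {
		return false, "sender not in whitelist"
	}
	if len(m.Sig) != ed25519.SignatureSize {
		return false, "missing or malformed signature"
	}
	if !ed25519.Verify(pub, canonical(m.From, m.Body), m.Sig) {
		return false, "signature does not verify under whitelisted key"
	}
	return true, "ok"
}

func main() {
	// Constructed sample: one whitelisted exec, one attacker with their own key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	dir := Directory{"ceo@example.com": pub}
	body := "I am resigning effective Friday."

	genuine := Sign(priv, "ceo@example.com", body)                 // accepted
	unsigned := Message{From: "ceo@example.com", Body: body}       // rejected
	forged := Sign(attackerPriv, "ceo@example.com", body)          // rejected
	for _, m := range []Message{genuine, unsigned, forged} {
		ok, why := Verify(dir, m)
		fmt.Printf("%-18s accepted=%v (%s)\n", m.From, ok, why)
	}
}
```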
Yeah, about that Windows update service, when it got compromised Mr. Schmidt did...? What exactly? Was that "product security" or "infrastructure security"? Or was the actual buffer overflow a product-level security issue, but the unpatched servers a corporate security issue? I wonder which one would have been easier to prevent... Hmmm...
When Microsoft started distributing the NIMDA worm was that the application group's screw-up? Did Mr. Schmidt's security policies extend to internal processes like QA? Surely when they release software internally, Mr. Schmidt's group had to make sure that it was safe, right? Why not give the rest of the world the same courtesy? Does MS have separate internal and external QA groups? If not, do their internal SQL, web, etc servers have holes? Is MS's security policy therefore "crunchy on the outside, soft in the middle"? That's not very reassuring.
I could go on, but rather than be labeled a "troll" for simply pointing out facts and asking rhetorical questions, I'd just like to offer that perhaps, just perhaps, there might be some merit to the whole "security is a process, not a product" idea. Put another way, I for one would feel better if the U.S. Cybersecurity Advisor didn't have a "that's not my department" precedent coloring his judgement. Or maybe I'm taking your statement out of context and unfairly judging Mr. Schmidt for being asleep at the wheel when he was merely in the passenger seat inert, in which case I apologize.
While I certainly have nothing personal against Mr. Schmidt, like it or not he was the front man for Microsoft's "security". If MS gets a bad rap on security issues, for whatever reason, then Mr. Schmidt takes the heat on it -- if only for being the most visible target. And honestly, you can't really say with a straight face that MS's products have nothing to do with its corporate security. Microsoft's products have everything to do with many thousands of other corporations' security. If those products had built with security in mind, maybe there wouldn't need to be this big, mystical demarcation between the security inherent in MS's products and its corporate computing infrastructure. In the public's eye, anyway, there isn't any difference. Microsoft is its products -- and its products have a really appalling track record with regard to security.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
It's easy to sit on the sidelines and snipe, but the fact of the matter is you've done nothing to address my original post. Instead of nitpicking my statement about his position not being related to products, it would be nice if you had addressed my point, which is simply that during the time that I worked with him, he was significantly more clueful than the other administrators I've interacted with at his level.
Since it's doubtful you were employed at Microsoft during his tenure there, and even less likely to have been privy to any policy or other decisions he made while there, its fairly disingenuous for you to now judge him on the content of a few news stories. I suppose that's always the problem with any position related to security, people never hear about the incidents that DIDN'T happen.
Regardless, I'm not here to defend Howard's performance per se just to give my opinion, having worked directly with him (unlike you?) that there are certainly worse people they could tap for the job (see post below re: Hillary Rosen).
---
I suspect that the parent was referring to the email potentially being spoofed, which may be considered ironic if the Security advisor appears to have resigned because of a security breach.
It would be even FUNNIER if the resignation was a forgery - but then he had to resign over it, making it a self-fulfilling forgery. B-)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I used the term "snipe" specifically because you're pointing out facts. The problem is your facts have little or nothing to do with the thrust of my original post. The best trolls are always the ones based in the truth.
Listen, if you want to start your own thread attacking Howard for his lousy public performance during his tenure at Microsoft, or his willingness to attend press conferences and praise Microsoft's (fabricated?) single-minded focus on security, I promise I'll have little or nothing to say in response. I consider those criticisms valid, if somewhat shortsighted. My intent in stating his job was unrelated to products was nothing more than an attempt to defuse the more obvious trolls that did nothing but scream that flaws in IIS were somehow directly traceable back to his desk. If I take a slightly longer view, as you've advocated, perhaps at least some of those flaws could be traced there, at least indirectly. I agree that security is a mindset and a process, and the responsibility can't all be placed on the shoulders of the developers. It cannot, however, be placed solely at Howard's feet by the very same token. Please take a few minutes and re-read my original post. No time? Too lazy? Ok, I'll quote it here:
"I just want all of you who've only heard him give nicely formatted press conferences or canned interviews to know that there's more to him than that."
You ask me to step back and take the outsider's perspective. You complain that "Not everyone has the luxury to know him personally". The WHOLE POINT of my original post was to give you an "insider's" perspective on him. I very specifically did not speak to his performance in his position at Microsoft or the position he has just resigned for the very reasons you've cited: all I have to go on, really, is public information and in my opinion that's not enough. That's the reason that I posted initially, to attempt to give others the benefit of my perspective. And I still stand by my original conclusion. Someone like Howard, with at least a background in hands-on computer hacking (again, not cracking) is relatively difficult to find at that level, and is very possibly a better choice than whoever gets tapped to replace him. That's not to say that if they were to bring in someone with an unimpeachable record of attacking and solving larger-than-enterprise-level security problems, that I would still feel the same. The bottom line is that right now, at this moment, I see that as extremely unlikely. Again, to quote myself:
"I'm not sure if you could really find someone better to be involved with the goings-on at that level, but I'm absolutely certain that you can find many many worse."
Right now, until we learn who they select, it's my feeling that they will find someone worse, especially if you're correct and they're just looking for a fall guy.
---