Security

Bush Names New Cyber Security Czar

goombah99 writes "The Washington Post reports that Cybersecurity "czar" Richard Clarke has confirmed widespread reports that he is leaving the White House, to be replaced by former Microsoft security chief Howard Schmidt. He was also part of the Air Force's 'Computer Crime and Information Warfare division'. In related news, the National Strategy to Secure Cyberspace has received Bush's signature and will be released to the public in the next few weeks. Clarke's blunt statements on the need to avoid erosion of privacy rights are rumored to have rubbed the administration the wrong way, prompting his exit. Anyone know how Schmidt will view the relative security of closed versus open source?" Nothing says "Security" better to me than "Former Microsoft Security Chief".

  • Oh shit. We're in trouble.

    • Seriously, folks. It's not MS that is the problem - it is the closed source model. MS just happens to be the biggest player in that world. But if someone else was pumping out software in this sort of closed source way then they too would be stumbling around.
      • I don't buy that for a second. I agree that closed-source software isn't as good as open-source from a security standpoint, but MS takes insecurity to such a ridiculous extreme that it goes beyond this argument. Look at all the other closed-source operating systems still in use today: Solaris, AIX, HP-UX, Irix, Novell, SCO, MacOS X, and even Mac OS 9. Which of these have had remotely near the problems MS has had? None! Because they actually think a little bit about security when they're designing it, instead of thinking "let's auto-execute email attachments that unknown people send our customers!"
  • by Anonymous Coward on Sunday February 02, 2003 @10:13AM (#5209834)
    screen of death
  • by James_Duncan8181 ( 588316 ) on Sunday February 02, 2003 @10:13AM (#5209835) Homepage
    Our top story - Previous cyberspace advisor sacked after coming worryingly near to sticking up for rights of normal Americans. Now replaced by Microsoft "security" manager in amusing henhouse/fox style situation. Corporations breathe freely again. Film at 11.
    • ...in the light of Slammer, Nimda, CodeRed, the Saint Petersburg crackers, and Microsoft's generally horrific security record, spread out in inglorious array throughout the history of the company.

      He'll probably require Gummint computers to run in 640kB, because nobody could need any more than that.
    • Re:And tonight... (Score:5, Informative)

      by ichimunki ( 194887 ) on Sunday February 02, 2003 @10:32AM (#5209903)
      For those of you not reading the article, it is important to note that Schmidt is already Clarke's deputy. It's not like he's being drafted straight out of Microsoft and into this top post. Besides, do we really think they'd accidentally get someone who was an independent thinker in there if they could help it?
    • What makes you think corporations aren't concerned about their own IT security? Why is it that private companies are singled out as a group whose social concerns apparently run so counter to the ones discussed here?

      Seems to me that this new IT security person appeals to MS and that is it. So, why lump the rest of us into that paradigm?

      Don't get me wrong: I help run a company's IT and whatever pronouncements this new guy will make will have all the impact of a stale cocktail.

      I find jokes like these as funny as the concepts they profess to support.

      • by dbrutus ( 71639 ) on Sunday February 02, 2003 @11:24AM (#5210062) Homepage
        Here are a few legitimate concerns in order of importance (in my mind of course).

        1. Blackmail: If this security chief assisted in any of Microsoft's prior bad acts (DR-DOS episode is just one example) and is vulnerable to a criminal charge, he's vulnerable to blackmail. That makes him singularly inappropriate to head a sensitive position such as this one.

        2. Incompetence: He's a former head of MS security. His performance is part of the reason that MS had the trusted computing initiative after he left because security was so screwed up.

        3. Unwillingness to choose honest dealing with the public over self-interest: He never blew the whistle on MS even though security people generally know where all the bodies are buried. A lot of insecure systems are out there on the Internet in part because he didn't want to make waves. That is not necessarily what you want in a govt. job.

        • by GreyPoopon ( 411036 ) <gpoopon@gmaOOOil.com minus threevowels> on Sunday February 02, 2003 @12:24PM (#5210287)
          1. Blackmail: If this security chief assisted in any of Microsoft's prior bad acts (DR-DOS episode is just one example) and is vulnerable to a criminal charge, he's vulnerable to blackmail. That makes him singularly inappropriate to head a sensitive position such as this one.

          I think EVERY politician is in some way vulnerable to blackmail. Based on what we now know about Mr. Clinton's weakness for pretty much anything in a skirt, I'd say he was a bad choice for president. In fact, being revealed to the public was probably the BEST thing that could have happened to him, as it eliminates many chances at blackmail. Just because the public is aware of several cases someone may have been involved in doesn't really make blackmail any more likely. It's the stuff you DON'T know about that you should worry most about.

          2. Incompetence: He's a former head of MS security. His performance is part of the reason that MS had the trusted computing initiative after he left because security was so screwed up.

          I'm not sure if you can pin this one on him either. The truth is, Windows needs to be pretty much re-written from the ground up with a focus on security. Would you like to be the one to announce that to the CEO? I missed the article that detailed his departure from Microsoft, but until somebody points me in the right direction, I'd assume it was just as likely he stepped down due to a difference of opinion in how to handle the security problems.

          3. Unwillingness to choose honest dealing with the public over self-interest: He never blew the whistle on MS even though security people generally know where all the bodies are buried. A lot of insecure systems are out there on the Internet in part because he didn't want to make waves. That is not necessarily what you want in a govt. job.

          He wasn't working for the public when he was at Microsoft. It was his job to avoid whistle-blowing on their security holes. Instead, he was expected to focus on quietly plugging those holes before somebody else found out.

          I'm not sure we can truly judge anybody by their performance at another company. Many an underling has been let go because they disagreed with the top brass, and it's really hard to distinguish who the "bad guy" really is. I'd say we should focus more on his track record in his current position to see how he'll pan out. Unfortunately, I don't think there's much information to go on. That in itself may be a better argument against his appointment.

          • by arkanes ( 521690 ) <arkanes@NoSPam.gmail.com> on Sunday February 02, 2003 @01:00PM (#5210447) Homepage
            If you don't think it's reasonable to evaluate his past performance, what do you think IS a reasonable way to evaluate him? To be perfectly fair, we'd need to see his job description at Microsoft and compare that to what Microsoft did in the years he was there.

            On the other hand, his job title was "Security Chief". To me, that means that security issues stop at his door, and blaming the Windows codebase or the CEO is a smokescreen - it's his job to make the product secure. If he can't convince the CEO that's important, then what makes you think he can convince Bush about anything important?

            I read the article about his departure from MS, it was full of the normal corporate bullshit. So if he was leaving over security issues, he didn't feel strongly enough to go public with them - which is probably politically wise, but still something I'd check off against him.

            • If you don't think it's reasonable to evaluate his past performance, what do you think IS a reasonable way to evaluate him?

              That was my last point -- we don't have a reasonable way to evaluate him.

              To be perfectly fair, we'd need to see his job description at Microsoft and compare that to what Microsoft did in the years he was there.

              Agreed. We'd also need to see all of the decisions he made, whether they were carried out or not.

              To me, that means that security issues stop at his door, and blaming the windows codebase or the CEO is a smokescreen - it's his job to make the product secure.

              Agreed, but I'm sure you're also aware that in a corporation, it rarely works this way. I guess you could say that it may shed some light on his inability to build a compelling argument for the CEO, but my guess is that the financial aspect is always speaking in a louder voice.

              If he can't convince the CEO that's important, then what makes you think the can convince Bush about anything important?

              Absolutely nothing. I think there's hardly anyone who would be able to convince Bush of something he didn't want to hear anyway.

              I read the article about his departure from MS, it was full of the normal corporate bullshit.

              Just as I suspected.

              which is probably politically wise, but still something I'd check off against him.

              Isn't it funny how traits that are politically good and are what allow people to obtain and keep positions are the same traits that prevent someone from truly being of good character? It's a real shame. I often wonder what our government would be like if only the most honest and forthright were involved. Afterwards, I usually wake up from falling out of bed. :-)

          • >The truth is, Windows needs to be pretty much re-written from the ground up with a focus on security.

            It was. It's called NT. Didn't work too well, did it?
      • What makes you think corporations aren't concerned about their own IT security?

        I have no doubt that most are, though I have severe doubts that most suits really understand the issues involved. I'm a programmer with a strong math background, and half the time, I don't understand the issues (or rather, the complexity boggles my mind).

        Why is it that private companies are singled out as a group whose social concerns apparently runs so counter to the ones discussed here?

        Because we know that to most large, powerful institutions (government or private), "security" really means "control." And control (other than self-control) does not mean liberty or freedom.

        Our current administration's idea of security seems to be to violate any sense of proportionality in punishing a computer crime, and hire experts from the company who has produced some of the world's least secure software. And put together a system that contains every bit of information about you that any private or public entity has.

        Are you feeling more secure? For yourself or our nation?

        (I might add that I don't think much of administrations that champion things like the Clipper chip, just for balance, but fortunately, that's long dead).
    • didn't Europe have a problem with a former MS employee taking a high post there in that same henhouse/fox type of situation?

      This is also a severe slap in the face of the states that are actively prosecuting MS for violations. Was this gentleman a part of the company during that time?

      Heinous. Bush is an equal opportunity offender for sure.
    • You may be more right than you think. According to Wired, Clarke left on a very anti-Microsoft sounding note only to be replaced by an ex-MS crony. After all, this is the Bush administration; they're doing a wonderful job proving how unbelievably complacent Americans are.
      [wired.com]
      Clarke, in an e-mail sent overnight Thursday to colleagues, cited damage from the weekend's infection that struck hundreds of thousands of computers worldwide, slowing e-mail and Web surfing and even shutting down some banking systems. He called the attacking software "a dumb worm that was easily and cheaply made."
  • a reality, since he is put in charge, I wonder why he left Microsoft. Why was he picked? How is he going to cope with Linux in the workspace?
  • by path_man ( 610677 ) on Sunday February 02, 2003 @10:14AM (#5209843)

    Mod me as a troll, I don't care... this is absurd. Microsoft corporation has proven time and time again that they can't grasp fundamental security practices or concepts. Now, instead of having a boss (BillG) whose motivation is profit, we've got a security chief whose boss (GBush / JAshcroft) wants to rob us of our civil liberties.

    Bruce Schneier for Security Chief!!!!

    • Bruce Schneier would be an excellent choice. We should make some movement (like the one "Steve Jobs for President", but more successful;-)
    • Bruce Schneier for Security Chief!!!! Bruce would be a lousy choice, there is no way he would toe the administration line. He would say politically incorrect things like John Ashcroft stinks as AG. He might even believe in that quaint document called the constitution or due process. He also has quaint ideas about counting the votes in elections.

      Oh you mean Bruce might be good at securing things rather than being a shill for whatever line Karl Rove thinks will play in the opinion polls?

  • 1) Microsoft are getting into bed with government through the back door (no pun intended)
    2) Bush is short-sighted enough to think that the person who is head of Microsoft security will bring better security than a team of specialists. Oh wait, one person is better because he can call them a czar. Buzzword-me-do [reference.com].
  • ..nothing says I know Windows is insecure like the guy who used to have to smile at the press after that weeks worm...
  • Lol (Score:5, Funny)

    by KDan ( 90353 ) on Sunday February 02, 2003 @10:16AM (#5209849) Homepage
    Next, RIAA advisor appointed as judge in IP case, Disney spokesperson heads the new congressional committee for copyright term balance, and Pakistan appoints Hans Blix's replacement at the head of the UN Arms Inspectors Committee.

    Daniel
  • Not surprising (Score:5, Interesting)

    by 0x0d0a ( 568518 ) on Sunday February 02, 2003 @10:17AM (#5209857) Journal
    Nothing says "Security" better to me than "Former Microsoft Security Chief".

    Look, do you want extensive experience or not? I trust this guy to have run into more security problems than just about anyone else out there.

    I wonder if he leaned more toward engineering (and the godawful CryptoAPI) or policy (and the signing procedures that let Nimda get out)?

    On a more realistic note, in terms of practical security benefit, the recent spending of taxpayer dollars on a set of minimum Windows security standards (the "Gold Standard") is probably one of the most cost-effective things that could have been done for nationwide security. Even if it grates those Linux/Mac OS/etc people among us the wrong way... It beats blowing more money on facial recognition at Super Bowls.
    • Re:Not surprising (Score:5, Insightful)

      by dhuv ( 241988 ) on Sunday February 02, 2003 @10:23AM (#5209878) Homepage
      What you are not looking at is this. This person had the same chance to make good security decisions with Microsoft and HE DIDN'T. That's the point. Taxpayers should have to spend money on something that Microsoft should be paying for. It is their responsibility to make their product secure, why should tax payers pay for that?
    • from the desk of Howard Schmidt

      Subject: Plan for implementing National Cybersecurity Strategy

      1. Make acceptance speech
      2. ????
      3. Profit!!!
    • "Look, do you want extensive experience or not?"

      Experience without learning isn't worth very much. If I have extensive experience stabbing a knife into my finger, it doesn't mean I'm a world class knife expert. It means I didn't learn from prior mistakes.

      "in terms of practical security benefit, the recent spending of taxpayer dollars on a set of minimum Windows security standards"

      Why should the federal government, an agency which really should be dealing with foreign policy, civil defense, interstate commerce, and perhaps judicial matters which supersede the ability of a single state, be spending taxpayer dollars setting "guidelines" or "standards" for a private corporation which should have done that itself, many years ago?

      Microsoft should have cleaned house long ago, and only the fact that they are a monopoly has allowed them to continue selling such a bug-riddled product. Now that some amount of competition is surfacing, we see them scrambling to tidy up their product before everyone realizes that they don't *really* need it as much as they think.

      I realized about 2 years ago that the ONLY reason I still "need" windows is to play games. I found reasonable (in some cases superior, in others not) alternatives for everything else I do in the linux environment. YMMV.

      My point is, if Microsoft made such a wonderful product, why did it take government intervention to force them to produce quality? Same reason it takes federal laws to keep paper mills from dumping tons of heavy metals into the well-water you drink from, greed and laziness. MS knew perfectly well that their code was bloated, buggy, and full of security holes, but if everyone kept buying it... why fix it?
  • by Anonymous Coward
    So, Micro$oft has finally infiltrated the US government.... We're all doomed!
  • Nothing says "Security" better to me than "Former Microsoft Security Chief".

    What about "blind, crippled, deaf, dumb, and stupid rent-a-cop"?
  • Microsoft Security gets an 'F' [cnn.com]...
    Whats good for the goose is good for the gander, i suppose.
    -v
  • by Anonymous Coward
    Was because he wanted more security and no one else did? Maybe?
  • by Anonymous Coward
    Maybe the White House is using MS products and this is in fact a housecall support. Can you think of anyone to fix White House servers better than the security chief from MS?
  • by Big Sean O ( 317186 ) on Sunday February 02, 2003 @10:26AM (#5209883)
    According to his biography here [infragard-ct.org]. From his bio, it doesn't sound like he's a dyed in the wool microsoftie.

    Instead of making jokes or clamoring about how this is a bad (or good) thing, let's try to figure out what this guy is about.

    Any signal out there?
    • by notaspy ( 457709 ) <imnotaspyNO@SPAMyahoo.com> on Sunday February 02, 2003 @10:50AM (#5209961)
      "Instead of making jokes or clamoring about how this is a bad (or good) thing, let's try to figure out what this guy is about."

      It doesn't matter what HE is about. He'll toe the Bush/Cheney/Ashcroft line or he is GONE. And the Bush/Cheney/Ashcroft line is all about maintaining big business' (particularly oil) stranglehold on power.

      Anyone surprised by Bush's proposal to research hydrogen as a fuel source? Many scientists have suggested that the move to a hydrogen-based economy (replacing the current petroleum-based economy) is inevitable and necessary. So why would Bush propose funding hydrogen research? You can (and will) bet your last dollar that the plan is not to develop a new hydrogen-based industry that would compete with or even replace the oil companies. It's for the oil companies to take over the future hydrogen industry. Completely and irrevocably.

      It's ALL about maintaining power, so don't start thinking that Bush will allow anything contrary thinking (like protecting civil liberties).
  • Clarke's blunt statements on the need to avoid erosion of privacy rights are rumored to have rubbed the administration the wrong way, prompting his exit.


    ...so his replacement will readily erode everyone's privacy rights...

    Anyone know how Schmidt will view the relative security of closed versus open source?"


    ...he'll view closed source as more secure and do everything he can to eradicate the open source menace, naturally.

    Nothing says "Security" better to me than "Former Microsoft Security Chief".


    ...Amen!
  • Interesting. because (Score:5, Interesting)

    by Sh0t ( 607838 ) on Sunday February 02, 2003 @10:27AM (#5209886) Journal
    I've worked for the Dept of the Navy for 6 years now, 4 years as an active marine and 2 for a navy contractor, and I've seen a trend in the Navy/MC away from microsoft products and their consultation.

    But then again, it doesn't mean that everything will be MS because he's a former MS officer, but it is more than possible. If anything he may have a VERY humble attitude toward things because I'm sure he's been the brunt of many criticisms from his past post.

    It's no secret MS has had problems with security.

    But I wonder what this will mean for upcoming copyright and piracy issues involving computer software and the like. Since he comes from a company where the doctrine is pretty strict in terms of copyrighting and such, will we see a severe change in the laws?

    "Clarke's blunt statements on the need to avoid erosion of privacy rights are rumored to have rubbed the administration the wrong way, prompting his exit"

    Well if the previous guy was removed because he was in favor of keeping privacy rights a concern, this may indeed be the case.

    Overall, I can't say this is a good sign.

    Excuse my above ramblings, I have strep throat and it's driving me crazy.
    • ..how does your statement jibe with this, about their intranet, the NMCI:

      http://www.gcn.com/22_2/mgmt_edition/20910-1.html

      --partial paste from article---

      By comparison, NMCI officials and EDS are dealing with a filing cabinet full of used carbon paper. When they opened the drawer on the Navy's IT infrastructure, they encountered a veritable junkyard of ancient networks (about 1,000) and legacy systems (about 100,000)--a situation that has caused major delays in the rollout.

      Both Navy officials and EDS managers agree that it would have been better to have had a handle on the scope of the department's legacy IT assets much earlier, but it still might have been impossible to do a thorough inventory.

      "I don't know that anybody could have ever visualized all of that until you actually dug in, especially in an organization that is as diverse as the Navy," said Bill Richard, NMCI program executive for EDS.

      The Navy's Ehrler concurred. "The message we got from industry was when you get into these types of contracts nobody has a clear handle on what exactly they own," he said. "That's just part of the pain you've got to go through in deploying a [managed-services] contract like this."

      "In hindsight it would have been nice to have had a better enterprise, corporate-level view [of the IT environment]," added Rear Adm. Charles L. Munns, NMCI director for the Navy. "I think we got a snapshot of it during year 2000. That was our first real effort to understand what we have. That's what made us understand that we really needed an intranet."

      100,000 legacy applications

      "You can look back at where the hurdles have been and talk about what might have been done differently but I don't know that we could have done it any other way," he said. "We needed a rallying point and that was the intranet. That's what got us to start to think corporatively."

      The department's tangle of 100,000 legacy applications have been the biggest hairball.
      "I don't think we recognized the magnitude of the change we were embarking on," said Rear Adm. Charles L. Munns, the Navy's NMCI director
      To get control of the situation, Munns last summer created a group of 24 functional application managers to make decisions about legacy applications. They quickly began killing apps that wouldn't work in a Microsoft Windows 2000 environment, were redundant or didn't meet NMCI security standards. Richard said this was a crucial step toward getting NMCI back on track.

      --, I see them wanting to integrate and streamline, that actually makes sense, but it looks to me like a Microsoft-based across-the-board move. What am I not reading correctly here?

      --sorry about the strep throat. The new wild oregano-based over the counter capsules are supposed to be great on boosting the ole immune system.
  • bureaucrat (Score:3, Interesting)

    by ToastedBagel ( 638204 ) on Sunday February 02, 2003 @10:27AM (#5209887)
    Day by day, MS is becoming more like one of those boring typical corporations in US. Start-up -> make money -> lobbying -> get people inside Washington and build business around bureaucracy. I don't dare call MS an innovator, but come on, it's not even 20 years since MS started their business, and they are already joining the club of boring bureaucrats.
  • by bigmouth_strikes ( 224629 ) on Sunday February 02, 2003 @10:27AM (#5209888) Journal
    "In heaven, the Italians do the cooking, the Swiss do the accounting, the Germans fix the cars, the French are the lovers, and the British are the police.

    In hell, the English do the cooking, the Italians do the accounting, the French fix the cars, the Swiss are the lovers, and the Germans are the police".


    I guess we can add something about who's in charge of cyber security in either place... and I'm pretty sure where Microsoft has a bigger footprint.
  • by Temporal ( 96070 ) on Sunday February 02, 2003 @10:28AM (#5209894) Journal
    Just to point out... According to the article, this guy was in charge of Microsoft's network's security, not Microsoft's software's security. The fact that he has been able to keep that web site, which runs on NT, from being cracked for so many years must qualify him as some sort of security god.

    (If I am misinformed, and microsoft.com has actually been cracked and defaced at some point in the past, do tell...)
    • Can't remember the details but didn't microsoft have some sort of open redirection script on their site that was used to redirect unsuspecting customers to trojan-providing sites whilst purporting to be coming from microsoft.com? Or was that someone else? Can anyone confirm?

      Daniel
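The open-redirect pattern asked about in the comment above, as an added example that is not part of the original thread and not Microsoft's code: a redirect handler that forwards wherever its query parameter points, beside a hardened version that only forwards to an allowlisted host or to a path on the same site. The allowed host list, the default landing page and the sample inputs are assumptions constructed for illustration; the bypass inputs go beyond the single case in the comment to the usual parser-confusion variants (scheme-relative, triple slash, backslash, credentials-in-URL, header injection).

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed for this example: hosts a redirect may legitimately land on,
# and where to send the user when the requested target is refused.
ALLOWED_HOSTS = {"www.microsoft.com", "microsoft.com", "support.microsoft.com"}
DEFAULT_TARGET = "https://www.microsoft.com/"


def vulnerable_redirect(target: str) -> str:
    """The pattern the comment describes: the Location header is whatever the
    request said it should be, so a link that visibly starts with the trusted
    site lands the victim on an attacker's server."""
    return target


def safe_redirect(target: str) -> str:
    """Return a Location value that stays on an allowed host or on this site,
    falling back to DEFAULT_TARGET for anything else."""
    if not target:
        return DEFAULT_TARGET
    # Refuse control characters and whitespace up front. They enable header
    # injection (CR/LF) and newer urlsplit versions silently strip tabs and
    # newlines, which would hide them from the checks below.
    if any(ord(c) <= 0x20 or c == "\x7f" for c in target):
        return DEFAULT_TARGET
    try:
        parts = urlsplit(target)
    except ValueError:
        return DEFAULT_TARGET

    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ("//host/...") target.
        if parts.scheme not in ("", "http", "https"):
            return DEFAULT_TARGET
        # Browsers treat "\" as "/" in http URLs, so "http://evil\@good" is
        # host "evil" to a browser but host "good" to urlsplit. Refuse both
        # backslashes in the authority and any userinfo at all.
        if "\\" in parts.netloc or parts.username is not None or parts.password is not None:
            return DEFAULT_TARGET
        host = parts.hostname  # lowercased, port and userinfo removed
        if host is None or host not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        # Re-serialise rather than echo: canonical scheme, no port, no fragment.
        return urlunsplit(("https", host, parts.path or "/", parts.query, ""))

    # Relative target: must be a single-slash path on this origin.
    # "//evil", "///evil" and "/\evil" all resolve to another host in browsers
    # even though urlsplit reports an empty netloc for the last two.
    if not target.startswith("/") or target[1:2] in ("/", "\\") or "\\" in target:
        return DEFAULT_TARGET
    return target


# Constructed sample inputs: what a redirect endpoint might receive.
SAMPLE_TARGETS = [
    "/account/settings?x=1",
    "http://www.microsoft.com/download?id=1",
    "//evil.example/x",
    "///evil.example",
    "/\\evil.example",
    "https://www.microsoft.com.evil.example/",
    "http://evil.example\\@www.microsoft.com/",
    "javascript:alert(1)",
    "http://www.microsoft.com/\r\nSet-Cookie: a=b",
]


def compare(targets):
    """Return (input, vulnerable result, hardened result) for each target."""
    return [(t, vulnerable_redirect(t), safe_redirect(t)) for t in targets]


if __name__ == "__main__":
    for raw, bad, good in compare(SAMPLE_TARGETS):
        print(f"{raw!r:48} vulnerable -> {bad!r}")
        print(f"{'':48} hardened   -> {good!r}")
```

The point of parsing and then re-serialising, instead of matching the raw string against a prefix like `https://www.microsoft.com`, is that every bypass above passes a naive prefix or substring test. Treat the allowlist as the only authority, and prefer redirecting to a fixed default over trying to "clean" a rejected target.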
    • Please be serious. He may have instituted the policies to keep the site from being hacked, but certainly was not the man responsible for it. The people who worked under him and that are still working there are the ones who are doing that job.

      Don't forget that the job he now has to do doesn't distinguish between network and software. It wraps them all into one, throwing hardware and various other IT technologies in the pot. So don't put him on a pedestal and call him a god before we've seen what he actually is capable of. Remember that this job involves reining in his old employers and convincing them to actually produce secure software that doesn't affect the Internet in general. Need I remind anyone of a certain MS SQL worm that affected everyone, including Microsoft's network, last week?
    • I think the concern centers around (or should center around) the intentions of the "czar," and his concept of computer security.

      To some, "computer security" means ensuring that electronic communications are entirely insecure, so they can be intercepted and stored in a database to help make sure the citizens aren't going off the rails.

      To others, "computer security" means restricted hardware that filters the data it will read and write, so IP owners can exert more control.

      Finally, there is the idea that "computer security" means controlling who can access your own computers and information, and facilitating communication without tampering or snooping. But there seems to be little interest in this one.

    • I wonder if this guy, and his team, felt it necessary to review the source code in order to make their network more secure.

      I mean, did he just accept the binaries as is and curse the fact that he didn't really know what was going on inside.

      Did he give feedback to developers so they could improve exactly the points he was finding most valuable. By this I mean a very closed loop that allowed for much tighter interaction with developers than the Network Administrator at an outside company could ever dream of happening.

      Or, did his guys regularly review software code in order to insure that nothing odd was happening. If so, how valuable was this to making sure the network was secure.

      Point being, if it is the last one, then even Microsoft sees the value of Open Source and many eyes.
    • by goombah99 ( 560566 ) on Sunday February 02, 2003 @11:27AM (#5210072)
      After reading what I thought was an insightful clarification I did some more digging, and now I have to disagree with you.

      According to the Schmidt bio [infragard-ct.org]: Prior to joining..., Mr. Schmidt was the Chief Security Officer for Microsoft Corporation, Redmond, WA. While there, he oversaw the Security Strategies group, insuring the development of a trusted computing environment via auditing, policy, best practices and incubation of security products and practices.

      this does not sound like network security per se to me

      We all tend to be guilty of going-with-what-we-know. So his past is relevant to guessing his future policy. Thus his involvement with Microsoft and aspects of trusted computing are troubling. Another statement from his bio that I'd like to know more about is

      Mr. Schmidt ....has been instrumental in the creation of public/private partnerships and information sharing initiatives

      what sort of information sharing? Sharing as in the TIA's notion of it? or sharing as government databases need better integration? Given his FBI and Air Force 'crime information warfare' background it is probably safe to assume that he would see lack of integration as an impediment to law enforcement and would like better sharing of confidential data amongst law enforcement. Not an entirely bad idea if safeguarded and until it reaches the TIA sort of level.

      Other than second guessing what I expect will be the promotion of policy I won't like, the remainder of his bio plainly says he is technically qualified for the technical, political, managerial, and policy aspects of cyber security. Few people would be as qualified to administer the office. I think I would just feel better if he were the deputy and someone else was setting policy.

    • by Reziac ( 43301 ) on Sunday February 02, 2003 @11:30AM (#5210083) Homepage Journal
      excerpted from Howard Schmidt's Biography [infragard-ct.org]

      *****
      Before joining Microsoft, he was a Supervisory Special Agent, Director of the Air Force Office of Special Investigations, Computer Forensic Lab and Computer Crime and Information Warfare. (HQ AFOSI/CCI). Under his direction he established the first dedicated computer forensic lab in the government. The AF specialized in conducting investigations into intrusions in government/military systems by unauthorized persons in counter intelligence and criminal investigations.

      Before AFOSI he was with the FBI at the National Drug Intelligence Center (NDIC) where he headed the Computer Exploitation Team as a Computer Forensic Specialist. As one of the early pioneers in the field of computer forensics and computer evidence collection, he continues to provide training support to an international audience dealing with the new challenges around computer evidence collection and processing.

      He was a city police officer from 1983-1994 with the City of Chandler Police Dept., Arizona. He served on the SWAT team, in organized crime and narcotics investigations, and as a field sergeant. While there he was detailed to the FBI Academy teaching classes in the use of computers in criminal investigations for approximately 2 years.

      Howard has over 31 years of public service, having served with the US Air Force in various roles from 1967-1983, both on active duty and in the civil service. He has served in the military reserves since 1989 and currently serves as a Credentialed Special Agent, US Army Reserves, Criminal Investigation Division (CID). He has testified as an expert witness in federal and military courts in the areas of computer crime, computer forensics and Internet activity.

      He holds a Bachelor's Degree in Business Administration (BSBA) and a Master of Arts in Organizational Management (MAOM). He also has a Technician class Ham Radio License and a Single Engine Land pilot's license.
      ******

      Hey folks, remember before you kneejerk -- there are more types of security than what programmers think of when they hear the term.

      • He also has a Technician class Ham Radio License

        That right there might be the most impressive qualification in the whole list. :)

        Hey folks, remember before you kneejerk -- there are more types of security than what programmers think of when they hear the term.

        An excellent post. The thudding sound you hear is of me nailing my knees to the desk.

        • [laughing] At least nailing down your knees will keep them from blowing away :)

          And I got a chuckle out of the way the qualifications list sorta petered out too. Long list of his tech certs in next paragraph (omitted for brevity).

    • The last time Microsoft's networks were attacked was the recent attack of the Slammer worm. It seems they didn't patch all their SQL servers.

      This website [attrition.org] lists 23 defacements of Microsoft web sites since the beginning of 1999.

      One of the most embarrassing attacks was in 2000 when Russian crackers got into the servers that housed Microsoft's source code and waltzed around in there for up to three months!

      Microsoft uses their own products, and thus are subject to the same security holes as their customers. Their network security and the insecurity of their products are pretty much one and the same: a joke. Anyone in charge of Microsoft's non-security has no business being the deputy, let alone the man in charge, of our nation's computer security.

      But then, this isn't an issue of ability. As the article makes clear, the qualifications for the job are more about agreeing with the president than about securing anything.

      "At this moment, it has control of systems all over the world. And...we can't do a damn thing to stop it."
      Miyasaka, "Godzilla 2000 Millennium" (Japanese version)

  • Schmidt's experience with "critical updates" will be handy.
  • Schmidt has been with the government for awhile. Who among us went to the Town Meetings to listen and (somewhat) debate the original document before it was sent to the White House? Any comments on that panel, Schmidt, or the document?
  • by Anonymous Coward on Sunday February 02, 2003 @10:35AM (#5209915)
    United States SP1

    This service pack addresses the following security holes and bugs found in the current public release of United States version 2003:

    - free speech buffer overruns
    - memory leaks of useless patents
    - higher intellectual property security
    - copyright roll-over
    - civil rights run away processes
    - stronger backdoors for stronger crypto
    - cpu race conditions
    - elimination of privacy APIs
    • No no, that's the updated edition.

      The United States Service Release 2 (or USSR2 for short).
      However it doesn't include patches for:
      memory leaks of useless patents.

      That'll come in a service pack later this year.
  • by mysticgoat ( 582871 ) on Sunday February 02, 2003 @10:48AM (#5209950) Homepage Journal

    Quoting the last five (short) paragraphs of the story:

    The White House has so far been unable to fill top leadership posts at the Homeland Security department's division charged with protecting the Internet and other communications systems from attacks.

    The administration's first choice to run the Information Analysis and Infrastructure Protection Division was former Defense Intelligence Agency Director James Clapper.

    Clapper, a retired Air Force lieutenant and the head of the National Imagery and Mapping Center, unexpectedly pulled his name from consideration.

    John Tritak, former director of the Critical Infrastructure Assurance Office and pegged as the administration's pick for deputy undersecretary for infrastructure protection at the Homeland Security Department, is still a name under consideration, though he recently left the government.

    Another noted name in online security, Ron Dick, director of the FBI's cyber threat and warning bureau, has also resigned from government service.

    Is anyone else disturbed by the way first choice candidates seem to be running away from any involvement with government internet security?

    • Nothing new here (Score:5, Interesting)

      by jc42 ( 318812 ) on Sunday February 02, 2003 @01:06PM (#5210475) Homepage Journal
      About 15 years ago, I was working for a consulting firm (which shall remain nameless here ;-) that does mostly government contract work. I was one of a small group that was assigned the task of analyzing and reporting on security issues with the growing collection of commercial networked small computers. My task was mostly collecting and/or writing security-test software.

      After a couple of months, the security guys discovered some of the things that I'd collected (or written). I was summarily fired.

      During the discussions, my boss observed that I was perhaps lucky that they didn't decide to prosecute me. He thought that there were two reasons they merely fired me: 1) I was doing the job that I'd been assigned, and 2) They were afraid that my lawyer would merely demand that all the evidence against me be presented in court.

      Within six months, all the rest of the group had quietly resigned. I'm still in occasional contact with some of them. None of us has ever accepted another security-related job.

      Computer security is of growing importance. But nobody with much experience in it is likely to accept a government job. I wouldn't advise anyone to take such a job, unless you know that you have the power and money to defend yourself when the inevitable happens.

      (It might be interesting to hear from others with similar experiences. Of course, the poster boy for this whole topic is Randal Schwartz. Google him and read all about it.)

      • According to Prof. Gene Spafford in today's San Jose Mercury-News, [bayarea.com], Microsoft "has a problem finding enough people trained in computer security." Muhawhawhaw. You already know MS security sucks and MS is not really interested in fixing the problem. The real wretched, awful truth is, the US Government does security even worse than does MS, and it is even less interested in fixing the problem than is MS. The US Government civil service is too cumbersome and politicized in its hiring process, as well as too low-paying, to attract IT talent; most Government agencies, instead, rely on "disadvantaged small business" contractors to do their IT security. And "doing IT security" means making sure users have 8-character passwords and that they download new virus definition files every day. That, and making the paperwork look good. If you only knew.
  • Another officer in the Bush collective.

    Is it a problem? Do you need eye glasses?
  • On the other hand... (Score:3, Interesting)

    by AdeBaumann ( 126557 ) on Sunday February 02, 2003 @10:57AM (#5209980) Homepage
    ...that will make it easier for us (well, those of us in the States at least) to scream "Biased!" when he comes up with any closed-source/Microsoft advocacy. This could actually help.
  • Slashdot Interview (Score:3, Interesting)

    by Anonymous Coward on Sunday February 02, 2003 @11:00AM (#5209986)
    Perhaps one of the editors could get a Slashdot interview ... i mean .. i think a large number of technical people read this site .. and it would be in his best interest perhaps to have a little Q&A with us
    • Actually, I think that's a wonderful idea, especially since no one around here seems to have the vaguest idea that the guy is actually a career security and computer-related crime specialist, who was only briefly with Micro$oft, and is NOT a programmer. (See the bio info I posted above, which came up even with the most cursory search.) Might be quite enlightening to see computer-related crime from a career cop's POV.

  • by nurb432 ( 527695 ) on Sunday February 02, 2003 @11:14AM (#5210028) Homepage Journal
    He was canned because he wanted to protect individual rights, and had limits on how far he'd go against the citizen?

    That alone should scare the hell out of people. Who is taking his place is minor compared to that.

    Or did I mis-read it thru the awful grammar?

  • by LazloToth ( 623604 ) on Sunday February 02, 2003 @11:33AM (#5210095)
    For all the people whose blood boils at the mere mention of Microsoft's name: give this man some credit for leaving the company. And, as others here have pointed out, what better laboratory for the study of cyber warfare than MS? Could YOU have handled that heat as long as he did?

  • by theodp ( 442580 ) on Sunday February 02, 2003 @11:50AM (#5210149)
    According to this story [star-techcentral.com], '...the attack "was 100% preventable." This view was shared by Howard Schmidt, cyber security adviser to US President George W. Bush, who on Monday suggested that six months was more than enough time for systems administrators to plug the hole.'
  • by Fantastic Lad ( 198284 ) on Sunday February 02, 2003 @11:59AM (#5210183)
    And the beat moves on.

    It's all about Fear.

    What? People thinking and exchanging news and information on the web? Horrors! They might all be saying bad things about us, (the Powers That Be)! We must put a stop to this!

    The best part is that, after all is said and done, after all the fire works and torture and human carnage, the bastards will lose. You cannot channel that much destructive force without being destroyed. Such minds deteriorate as they cling to their nice comfy illusions of grandeur, (and they are illusions. Everybody knows that Bush is a coke-snorting moron, no matter how hard he tries to pretend otherwise, no matter what sly tricks he participates in, his brain remains a piece of cheese. And he continues to rot.)

    In the end, the darkness is self-consuming. It's like a black hole; that's the perfect metaphor, actually. The perfect symbol. Selfishness wants and takes and takes until it collapses under its own weight. Selfishness is the frightened child which wants to cling to (and control) its mother, and damn it, climb back into the womb if at all possible. Because the bright and beautiful world is just too damned frightening. (Beware the clingy child.)

    Beauty and the Unknown are for the strong and bright-eyed children, who grow accordingly, and seek outwards; never to control, but to test themselves against the world and grow stronger and more capable of participating in the wonders they seek.

    Selfishness and Fearfulness, by contrast, seek ultimately to return to the dark warmth of sleep, and there disintegrate into dream and into nothingness. --And that's fine, (Let 'em vanish!). The only problem being that they can't bear to think there is a bright and beautiful world out there populated with heroes and the brave. --Simply, because the contrast between the worms and the brave is a painful one! Nobody wants to be a fearful worm; especially not the worms; especially not the worms! --They have the least ability of all in dealing with hard truths. They are not about growing or changing; they are about warm illusions and control. A brave man winces at his faults but then sets about the task of fixing them. While a coward cringes in horror at his faults, and seeks to tell himself stories where really, he is the hero, and then he goes about trying to enforce this image upon all those around him; to maintain the illusion. And all the while, in reality, he degenerates further while the Brave Man grows ever stronger.

    Like I have said many times before, Good Guys Always Win. Always. Always. (Despite the millions of messages to the opposite we are bombarded with daily by the Fear-controlled media! Despite the deep cultural programming which begs women to seek 'bad' boys while in the same stroke, casts a homosexual in the role of Smallville's 'Superman') But you watch. You'll see. It all pans out in the end. There will be carnage and there will be blood, but in the end, the worms will turn to mud and vanish, and the heroes and the brave will remain. --I firmly believe in reincarnation and in many lives, and that the Heroes and the Brave will continue; that Death is just a train station platform. I also believe that the worms will return as well, although in a reduced form, (thanks to Karma). The only way to destroy a soul is for it to continually participate in debauchery and petty fear, until it regresses, finally, into primal matter. Let 'em regress. Let 'em go. Let the little worm people try to control the world and the internet, let them try to control thought itself. (And if it's an MS clone who'll be running things over at the White House, then you can bet they'll keep a thumb on the pulse of such net indicators as Slashdot; Are you listening, you chumps? I am talking about YOU.)

    The forces of Fear will cause friction for a time, and they can influence thought, even to a large degree. But only for a time. And not the minds of the strong, who will only shake their heads. And then, finally, they will pass. Good riddance.

    Chumps.


    -Fantastic Lad

  • "He has one particularly valuable characteristic that no other federal security leader has in that he has actually fought the bad guys both in defending the networks at Microsoft..."

    Obviously, this should read: "He has one particularly valuable characteristic that no other federal security leader has in that he has actually fought [for] the bad guys both in defending the networks at Microsoft and within the government"
  • by MyNameIsFred ( 543994 ) on Sunday February 02, 2003 @12:27PM (#5210302)
    So much fear and uncertainty because this man once worked for Microsoft. Tell me, does Microsoft implant microchips in all employee brains to control them? Is the U.S. government supposed to automatically prevent all former Microsoft employees from ever holding a government job? Are we to eliminate the tens of thousands of former Microsoft employees from the job pool? What about former Sun employees? Apple? Red Hat? So many people accuse Microsoft of FUD regarding Linux. From where I sit, this is a little like the pot calling the kettle black.
  • Two things (Score:5, Insightful)

    by Derkec ( 463377 ) on Sunday February 02, 2003 @12:37PM (#5210347)
    First, just because the guy once worked for Microsoft does not mean that he is still owned by Microsoft and only sees their side of things. He may or may not be a fan of open source and he may or may not be a fan of his former employer. I have former employers I would probably be prejudiced against if in a gov't position.


    Second, if he was ever head of MS security, he is used to dealing with extremely difficult situations and has handled his share of disasters. Overall, that job would provide great experience in understanding the tradeoffs made between functionality, ease of use and security. Also, a good understanding of how some software companies resolve security issues and how to lead an effort to address security flaws in software. Probably an ideal background overall.

  • That's too bad (Score:5, Interesting)

    by drix ( 4602 ) on Sunday February 02, 2003 @12:38PM (#5210349) Homepage
    I had the opportunity to meet and interview Clarke when he came to my school last year to give a speech as part of a post-9/11 outreach program to CS faculties around the nation. (In fact, I wrote an article [dailycal.org] about it for our school newspaper, if you're interested.) He really handled himself well. The crowd was more or less 100% engineering and CS faculty, grad students, and the type of smart undergrads that would actually care about such a thing, in other words a tough crowd to play to. And I think everyone was pretty skeptical at the outset that any government official would know his ass from a hole in the ground when it comes to IT policy, so-called "cybersecurity" (blech), and such. But he did! After he spoke he gave about a 40 minute Q&A where people asked him all sorts of tough and sometimes really esoteric questions concerning software patents, the DMCA, network security, hell, something about quantum computing even came up. His knowledge was impressive and, even more heartening, when he didn't know the answer he just said so rather than bullshitting. All in all I left with a good feeling that this guy was the White House's go-to man for IT policy and would be protecting our computers from the terrorists. Now it sounds like he got fired because he wasn't quite fascist enough for the Bushies, which is really depressing. Guess I should have seen it coming all along.
  • Richard Clarke (Score:2, Interesting)

    by tycheung ( 635707 )
    Wasn't Richard Clarke the guy who predicted the Al Qaeda threat to the Bush team when Clinton left office, and had an aggressive roll-back plan ready, but was basically ignored by Bush, Condi and everyone else? If they had listened to him, they might have averted 9/11...
  • by Maul ( 83993 ) on Sunday February 02, 2003 @01:24PM (#5210551) Journal
    When I hear about a the "Drug Czar" I am reminded about the "war on drugs" that has already cost us plenty of civil liberties and caused a violent and expensive black market for drugs.

    The idea of a "Cyber Security Czar" frightens me even more, especially given the fact that the Bush Administration doesn't seem to care jack squat for the rights and privacy of American citizens.

    The fact that it seems they dismissed the old Cyber Security Czar because he was actually sticking up for the privacy of citizens (and thus not working towards Bush's vision of a fascist-style government in which citizens are reduced to flag-waving serfs with no actual rights) scares me quite a bit.
    • Doesn't anyone in the news media and the general public understand that the label "Czar" is not a compliment? The original Czars were ruthless tyrants whose treatment of the average Russian was so bad that it made Communism look attractive. While this may be an accurate assessment of the role played by our current crop of "Czars", the concept of having more of them seems like it ought to be self-criticizing to me.

      Then again, if the U.S. had an Education Czar, maybe more Americans would know some history...

  • It bothers me a lot that we accept the term "czar" as applied to American leadership.
    The leaders upon whom we bestow the appellation
    "Czar" are not even elected. What's next? The Shah of Agriculture? The Reichsfuhrer of commerce? The Emperor of the Interior? Grand Poobah of Energy?

    So what was so great about Clarke? goombah99 says Clarke made "blunt statements on the need to avoid erosion of privacy rights" and that's all fine and good, I suppose.

    However, everyone here seems entirely unaware that Clarke is the same dumbass that tried to warn everyone of the prospect of a digital Pearl Harbor [vmyths.com]. In this keynote address [microsoft.com], Clarke exploits the 9/11 tragedy to stir up people's fears by saying that the U.S. is vulnerable to the "functional [electronic or Internet based] equivalent of four 767s crashing into buildings, not the little car bomb." To me, he just seems like a big time fearmonger.

    Apparently, the only kind of statement Clarke knows how to make is the blunt kind. I'm not surprised he's leaving.

  • VMyths rantings [vmyths.com] often discuss this fellow.
  • "Ladies and Gentlemen of the United States, let me just say this: If you are running any Microsoft products... and I mean any, a mouse, a keyboard, Map, Notepad -- ANYTHING! Stop! Wipe your harddrives clean. Destroy the hardware. I used to work there and the stuff really sucks. It is poorly designed, has massive security holes and listen I know this will sound crazy, but it all reports to a central MySQL Database! And listen this whole Linux thing, it's a ruse! It's just more MS crap they are beta testing. Now listen, everyone just go buy a Mac and a copy of Lotus Notes and everything will be OK. Thank you and good night."
  • I saw Clarke speak on Tuesday- I was encouraged by his statement on privacy rights, as well as his assertion that we (consumers and the federal government) shouldn't buy crappy software. I think he actually used the word "crappy", and he was definitely referring to MS (this was like 2 days after Slammer). He called for microsoft to actually demonstrate some improvement in security from that PR stunt last Feb.
    But alas.
    I wish I could say I was surprised...
  • Yeah, we've gone from a long-time, brilliant, and completely ignored proponent of better security against terrorism, information warfare and other means of asymmetric warfare to an arguably incompetent defender of infrastructure who will be listened to. Great.
    A chief of security job is about ***MAKING SURE THE COMPANY IS SECURE***. First and foremost, in a physical sense. These days, also in a computer sense. It was ***NOT*** in any way, shape or form his job to ensure the product that the company makes has no security code. (Also, in the case of M$, his job was made more difficult in that there was obviously company-internal pressure to use their own products to perform his job, which - how should I put it mildly - may not have been the optimal choice :)

    Therefore, his competence should have been evaluated solely on the amount of SECURITY FAILURES that M$ as a company had, both physical (someone broke in and stole Gates' favourite chair :) and cyber (someone broke into their network and stole beta code for Windows), and how he dealt with the resultant issues. (I.e., not only whether someone could break in, but how he was able to make sure the method could not be repeated). Again, additional adjustment needs to be made due to pressure on M$ security to use in-house developed software which sux.

    Before all of "bush bad, MS bad, Marx good" slashdotniks start yelling about "he was a security chief for M$ and the holes in Windoze mean that he is not good at his job", please use your brains for a change!!! (And no, I have no great love for M$, I just use my brains from time to time :)

    -DVK
